Bug 54740

Summary: chrome.dll!WebCore::RenderBlock::addFocusRingRects OOM (404d82428bd920c896c411920eae1898)
Product: WebKit
Reporter: Berend-Jan Wever <skylined>
Component: HTML Editing
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: aboxhall, alice.barraclough, cfleizach, harrison, jhoneycutt, justin.garcia, rniwa
Priority: P1
Version: 528+ (Nightly build)
Hardware: PC
OS: Windows Vista
Attachments: Repro (flags: none)

Berend-Jan Wever
Reported 2011-02-18 04:21:33 PST
Created attachment 82942 [details]
Repro

Chromium: http://code.google.com/p/chromium/issues/detail?id=73400

This looks very much like a dup of issue 54734, in that it is also an OOM that appears to be caused by a loop in the node tree.

http://codesearch.google.com/codesearch/p?hl=en#OAMlx_jo-ck/src/third_party/WebKit/Source/WebCore/rendering/RenderInline.cpp&q=addFocusRingRects&exact_package=chromium&sa=N&cd=1&ct=rc

    void RenderInline::addFocusRingRects(Vector<IntRect>& rects, int tx, int ty)
    {
        for (InlineFlowBox* curr = firstLineBox(); curr; curr = curr->nextLineBox()) {
            RootInlineBox* root = curr->root();
            int top = max(root->lineTop(), curr->y());
            int bottom = min(root->lineBottom(), curr->y() + curr->logicalHeight());
            IntRect rect(tx + curr->x(), ty + top, curr->logicalWidth(), bottom - top);
            if (!rect.isEmpty())
                rects.append(rect);
        }

        for (RenderObject* curr = firstChild(); curr; curr = curr->nextSibling()) {
            if (!curr->isText() && !curr->isListMarker()) {
                FloatPoint pos(tx, ty);
                // FIXME: This doesn't work correctly with transforms.
                if (curr->hasLayer())
                    pos = curr->localToAbsolute();
                else if (curr->isBox())
                    pos.move(toRenderBox(curr)->x(), toRenderBox(curr)->y());
                curr->addFocusRingRects(rects, pos.x(), pos.y());
    <snip>

id: chrome.dll!WebCore::RenderBlock::addFocusRingRects OOM (404d82428bd920c896c411920eae1898)
description: Cannot allocate enough memory in chrome.dll!WebCore::RenderBlock::addFocusRingRects
application: Chromium 11.0.671.0
stack:
chrome.dll!WebCore::RenderBlock::addFocusRingRects chrome.dll!WebCore::RenderBlock::addFocusRingRects chrome.dll!WebCore::RenderBlock::addFocusRingRects chrome.dll!WebCore::RenderBlock::addFocusRingRects chrome.dll!WebCore::RenderBlock::addFocusRingRects
chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects
chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects chrome.dll!WebCore::RenderInline::addFocusRingRects
chrome.dll!WebCore::RenderBlock::addFocusRingRects chrome.dll!WebCore::RenderBlock::addFocusRingRects
chrome.dll!WebCore::RenderObject::absoluteFocusRingQuads
chrome.dll!WebCore::AccessibilityRenderObject::boundingBoxRect
chrome.dll!WebKit::WebAccessibilityObject::boundingBoxRect
chrome.dll!webkit_glue::WebAccessibility::Init
chrome.dll!webkit_glue::WebAccessibility::WebAccessibility
chrome.dll!RenderView::SendPendingAccessibilityNotifications
chrome.dll!MessageLoop::RunTask
chrome.dll!MessageLoop::DoWork
chrome.dll!base::MessagePumpDefault::Run
chrome.dll!MessageLoop::RunInternal
...
Attachments
Repro (943 bytes, text/html), 2011-02-18 04:21 PST, Berend-Jan Wever, no flags
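The description suspects a loop in the node tree. What follows is an added, constructed C++ model of the child/sibling recursion in addFocusRingRects (not WebKit code): with a cycle in the tree the unguarded walk keeps appending rects until allocation fails, while a visited set and a depth cap make it terminate and report the corruption. RenderNode, walkFocusRingRects and the sample tree are made up for the example.

```cpp
#include <cstddef>
#include <unordered_set>
#include <vector>

struct Rect { int x, y, w, h; };
// Minimal stand-in for a RenderObject: its box plus child/sibling links.
struct RenderNode {
    Rect rect{0, 0, 0, 0};
    RenderNode* firstChild = nullptr;
    RenderNode* nextSibling = nullptr;
};

struct WalkResult {
    std::vector<Rect> rects;     // focus-ring rects collected so far
    bool cycleDetected = false;  // a node was reached twice: corrupted tree
    bool depthExceeded = false;  // recursion went past maxDepth
};

// Recursion in the shape of addFocusRingRects: record this node's rect, then
// descend into every child via firstChild/nextSibling. On a tree with a loop
// an unguarded walk appends rects forever until allocation fails (the OOM in
// the report); the visited set stops it, and maxDepth bounds stack use too.
void collectFocusRingRects(const RenderNode* node, WalkResult& out,
                           std::unordered_set<const RenderNode*>& visited,
                           std::size_t depth, std::size_t maxDepth) {
    if (depth > maxDepth) { out.depthExceeded = true; return; }
    if (!visited.insert(node).second) { out.cycleDetected = true; return; }
    if (node->rect.w > 0 && node->rect.h > 0) out.rects.push_back(node->rect);
    for (const RenderNode* c = node->firstChild; c; c = c->nextSibling) {
        collectFocusRingRects(c, out, visited, depth + 1, maxDepth);
        if (out.cycleDetected || out.depthExceeded) return;  // fail closed
    }
}

WalkResult walkFocusRingRects(const RenderNode* root, std::size_t maxDepth = 256) {
    WalkResult out;
    std::unordered_set<const RenderNode*> visited;
    collectFocusRingRects(root, out, visited, 0, maxDepth);
    return out;
}

// Constructed sample tree: an empty root with two sized children a and b.
// In cycleIsDetected, b's child link points back at the root (the suspected corruption).
static void buildTree(RenderNode& root, RenderNode& a, RenderNode& b) {
    a.rect = {0, 0, 10, 5}; b.rect = {10, 0, 4, 4};
    root.firstChild = &a; a.nextSibling = &b;
}
std::size_t countRectsAcyclic() { RenderNode r, a, b; buildTree(r, a, b); return walkFocusRingRects(&r).rects.size(); }  // 2
bool cycleIsDetected() { RenderNode r, a, b; buildTree(r, a, b); b.firstChild = &r; return walkFocusRingRects(&r).cycleDetected; }
bool depthLimitTrips() { RenderNode r, a, b; buildTree(r, a, b); return walkFocusRingRects(&r, 0).depthExceeded; }
```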
Ryosuke Niwa
Comment 1 2011-02-21 03:10:09 PST
I can't reproduce this bug on r78685. On which revision are you reproducing this bug?
Berend-Jan Wever
Comment 2 2011-02-22 04:58:13 PST
r73335 - maybe it got fixed?
Ryosuke Niwa
Comment 3 2011-02-22 05:16:31 PST
(In reply to comment #2)
> r73335 - maybe it got fixed?

I tried both r73316 and r73340 on my Mac (10.6) but opening the attachment document didn't crash / hang WebKit. Did you reproduce it on Windows?
Berend-Jan Wever
Comment 4 2011-02-22 06:21:03 PST
Yes.
Berend-Jan Wever
Comment 5 2011-03-04 10:20:19 PST
Ryosuke: I found out that you need to start Chromium with "--force-renderer-accessibility" for this to trigger.
Berend-Jan Wever
Comment 6 2011-06-20 04:20:13 PDT
*** Bug 61055 has been marked as a duplicate of this bug. ***
Ryosuke Niwa
Comment 7 2011-06-20 10:34:51 PDT
(In reply to comment #5)
> Ryosuke: I found out that you need to start Chromium with "--force-renderer-accessibility" for this to trigger.

Mn... this is probably accessibility related then. Maybe Alice would know what's happening?
Ryosuke Niwa
Comment 8 2011-06-20 14:58:16 PDT
Adding more accessibility folks.
chris fleizach
Comment 9 2011-06-20 15:06:14 PDT
(In reply to comment #8)
> Adding more accessibility folks.

When an accessibility element tries to calculate its bounding rectangle, it starts calling focusRingRects. I don't know what OOM means, but the problem likely lies in Render code, unless Chrome is not calling updateBackingStore at some point in these methods

chrome.dll!webkit_glue::WebAccessibility::Init
chrome.dll!webkit_glue::WebAccessibility::WebAccessibility
chrome.dll!RenderView::SendPendingAccessibilityNotifications

to ensure that the render tree is in a valid state.
Berend-Jan Wever
Comment 10 2011-06-20 15:13:40 PDT
Out Of Memory (I work at Google, we have an internal app to find these things :)
chris fleizach
Comment 11 2011-06-20 15:14:52 PDT
(In reply to comment #10)
> Out Of Memory (I work at Google, we have an internal app to find these things :)

On certain webpages, the focusRing method to find the bounding box is very slow. I would love to see a better implementation that is just as accurate. It's probably because it's taking either a lot of time, or as you mentioned, a lot of memory.
Ryosuke Niwa
Comment 12 2011-06-20 15:43:30 PDT
(In reply to comment #9)
> (In reply to comment #8)
> > Adding more accessibility folks.
>
> When an accessibility element tries to calculate its bounding rectangle, it starts calling focusRingRects.

What is the bounding rectangle used for? There are quite a few functions that find the rect of an inline box, etc...
chris fleizach
Comment 13 2011-06-20 16:17:13 PDT
(In reply to comment #12)
> (In reply to comment #9)
> > (In reply to comment #8)
> > > Adding more accessibility folks.
> >
> > When an accessibility element tries to calculate its bounding rectangle, it starts calling focusRingRects.
>
> What is the bounding rectangle used for? There are quite a few functions that find the rect of an inline box, etc...

Part of any accessibility API is the ability to return the onscreen rectangle of an object.