Bug 64282
| Summary: | addLayers, Element::recalcStyle, RenderObject::removeLayers infinite recursion | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Berend-Jan Wever <skylined> |
| Component: | HTML Editing | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | ||
| Severity: | Normal | CC: | rniwa |
| Priority: | P1 | ||
| Version: | 528+ (Nightly build) | ||
| Hardware: | PC | ||
| OS: | Windows Vista | ||
Berend-Jan Wever
Chromium: https://code.google.com/p/chromium/issues/detail?id=88924
Repro:
<body onload="go()"><pre style="word-wrap: break-word; white-space: pre-wrap;">x</pre></body>
<script>
function go() {
document.execCommand("SelectAll", false);
document.designMode="on";
document.execCommand("Underline");
document.execCommand("InsertHorizontalRule", false);
document.execCommand("InsertOrderedList");
document.execCommand("insertimage", false);
document.execCommand("insertimage", false);
document.execCommand("JustifyRight");
document.execCommand("InsertHorizontalRule", false);
document.execCommand("SelectAll", false);
document.execCommand("insertorderedlist", false);
}
</script>
The repro will cause very deeply (infinitely?) nested tags. It's obvious that this should not happend. This deep nesting leads to stack overflow in one of these three locations:
http://codesearch.google.com/codesearch#OAMlx_jo-ck/src/third_party/WebKit/Source/WebCore/rendering/RenderObject.cpp&q=RenderObject::removeLayers&exact_package=chromium&l=466
http://codesearch.google.com/codesearch#OAMlx_jo-ck/src/third_party/WebKit/Source/WebCore/dom/Element.cpp&q=Element::recalcStyle&exact_package=chromium&l=1176
http://codesearch.google.com/codesearch#OAMlx_jo-ck/src/third_party/WebKit/Source/WebCore/rendering/RenderObject.cpp&q=addLayers&exact_package=chromium&l=442
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |