Bug 83479

Summary: Infinite loop in SVGTextLayoutEngine::currentLogicalCharacterMetrics
Product: WebKit
Reporter: Stephen Chenney <schenney>
Component: SVG
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Normal
CC: thorton, zimmermann
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified

Stephen Chenney
Reported 2012-04-09 09:39:10 PDT
A Chrome user reports an infinite loop in SVGTextLayoutEngine::currentLogicalCharacterMetrics in Chrome 18, which is probably a result of the change in http://trac.webkit.org/changeset/105143. We have a dump that I can look at sometime soon, but otherwise not much info ...

http://code.google.com/p/chromium/issues/detail?id=122620

Chrome Version : 18.0.1025.142 (Official Build 129054) m
URLs (if applicable) :
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
Chrome 17.x: OK
Firefox 11.0: OK
IE 8: OK

What steps will reproduce the problem?
Chrome is running under Windows XP. The page causing the problem is being served by an industrial device on a local intranet. The page is created using Mootools. It is multi-paned, displaying line graphs. The data is originating in .CSV files being served from the device. The code was written by a third party, so I can't give many details as to how the page is being rendered at this time.

What is the expected result?
A trace can be selected in the left pane and graphs are drawn in the right pane. Points on the graph can be selected to display pertinent data. You can select any trace in the left pane and it is rendered in the right pane.

What happens instead?
After a few seconds to a few minutes, the screen locks. Process Explorer shows 50% CPU usage. Debugging with Visual Studio shows the process in an infinite loop. Details are shown below. A minidump is also attached.

Please provide any additional information below. Attach a screenshot if possible.
chrome-debug is a screen shot of the code in the loop. In this code at the start of the loop:

    026F8B0E mov eax,dword ptr [ebx+0C8h]
    026F8B14 cmp eax,dword ptr [this]

Both the pointer at [ebx+0C8h] and [this] are NULL. The loop is completed at the JMP at 026F8B34. The web page worked with version 17.x of Chrome and broke in a recent update to 18.
Tim Horton
Comment 1 2012-04-09 12:30:42 PDT
Stephen Chenney
Comment 2 2012-04-09 13:29:34 PDT
Yes, duplicate. *** This bug has been marked as a duplicate of bug 83405 ***