| Summary: | mangleme(0x58c22e11): Random crashes | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Alexey Proskuryakov <ap> | ||||||||||
| Component: | New Bugs | Assignee: | Nobody <webkit-unassigned> | ||||||||||
| Status: | RESOLVED FIXED | ||||||||||||
| Severity: | Normal | CC: | mitz | ||||||||||
| Priority: | P1 | Keywords: | NeedsReduction | ||||||||||
| Version: | 420+ | ||||||||||||
| Hardware: | Mac | ||||||||||||
| OS: | OS X 10.4 | ||||||||||||
| Attachments: |
|
||||||||||||
|
Description
Alexey Proskuryakov
2006-04-17 22:07:27 PDT
Created attachment 7793 [details]
test case
Created attachment 7802 [details]
Reduced test case
Memory smashing happens at render_frames.cpp:303 when the column- (or row-)length array is empty:
gridLayout[gridLen - 1] += remainingLen[k];
Created attachment 7804 [details]
One way to fix this
Comment on attachment 7804 [details]
One way to fix this
Seems to me that for an empty length array we should return len of 0, not 1. But returning 0 from toLengthArray does seem like a good idea when the string is empty.
On the other hand, we could just change if (grid) to if (grid && gridLen) and leave toLengthArray alone, I think.
(In reply to comment #4) > Seems to me that for an empty length array we should return len of 0, not 1. Returning 1 makes WebKit match Firefox and WinIE's behavior when the cols (rows) attribute is an empty string, which is to make one column (row), and leaves everything in the state it would be if the attribute wasn't specified at all. > On the other hand, we could just change if (grid) to if (grid && gridLen) and > leave toLengthArray alone, I think. That alone would not fix the compatibility issue. Created attachment 7942 [details]
Patch, including layout test and change log
Please see also my previous comment. I don't think you can test for the memory smasher.
Comment on attachment 7942 [details]
Patch, including layout test and change log
OK. I'm convinced. r=me
|