Bug 9806

Summary: REGRESSION: Large rowspan causes WebKit to call abort()
Product: WebKit Reporter: jonathanjohnsson
Component: TablesAssignee: Darin Adler <darin>
Status: RESOLVED FIXED    
Severity: Normal CC: ap
Priority: P1 Keywords: HasReduction, InRadar, Regression
Version: 420+   
Hardware: Mac   
OS: OS X 10.4   
Attachments:
Description Flags
Test case (will crash!)
none
patch, including change log and a layout test mjs: review+

jonathanjohnsson
Reported 2006-07-09 06:34:46 PDT
A table with a large rowspan crashes WebKit. The test case is simply <TABLE><TD ROWSPAN=674227123>. This bug was found using the cgi-script at http://lcamtuf.coredump.cx/mangleme/mangle.cgi , found in the sidebar at http://browserfun.blogspot.com/ . Looking through the nightlies, this crash doesn't occur before and including revision 14807.
Attachments
Test case (will crash!) (29 bytes, text/html)
2006-07-09 06:36 PDT, jonathanjohnsson 		no flags
Details
patch, including change log and a layout test (3.17 KB, patch)
2006-07-10 20:09 PDT, Darin Adler 		mjs: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
jonathanjohnsson
Comment 1 2006-07-09 06:36:03 PDT
Created attachment 9295 [details] Test case (will crash!)
jonathanjohnsson
Comment 2 2006-07-09 06:38:13 PDT
I forgot to say that the crash reporter isn't invoked, so there is no crash log to attach. WebKit simply quits.
Alexey Proskuryakov
Comment 3 2006-07-09 11:36:43 PDT
Stack trace (from gdb): #1 0x9012dfb4 in abort () #2 0x01cdbb7c in WTF::VectorBuffer<WebCore::RenderTableSection::RowStruct, 0ul>::allocateBuffer (this=0x18a31c50, newCapacity=674227123) at /Users/ap/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/PrivateHeaders/Vector.h:251 #3 0x01cdbd20 in WTF::Vector<WebCore::RenderTableSection::RowStruct, 0ul>::reserveCapacity (this=0x18a31c4c, newCapacity=674227123) at /Users/ap/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/PrivateHeaders/Vector.h:536 #4 0x01cdbde8 in WTF::Vector<WebCore::RenderTableSection::RowStruct, 0ul>::expandCapacity (this=0x18a31c4c, newMinCapacity=674227123) at /Users/ap/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/PrivateHeaders/Vector.h:493 #5 0x01cdbe90 in WTF::Vector<WebCore::RenderTableSection::RowStruct, 0ul>::resize (this=0x18a31c4c, size=674227123) at /Users/ap/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/PrivateHeaders/Vector.h:522 #6 0x01a07788 in WebCore::RenderTableSection::ensureRows (this=0x18a31bec, numRows=674227123) at /Users/ap/WebKit/WebCore/rendering/RenderTableSection.cpp:150 BTW, we have mangleme and iExploder tests in WebKitTools/Scripts: run-mangleme-tests and run-iexploder-tests,
Darin Adler
Comment 4 2006-07-10 20:08:39 PDT
I'm sure mangleme can find another problem with rowspans, since all this does is prevent the abort that checks for numeric overflow.
Darin Adler
Comment 5 2006-07-10 20:09:04 PDT
Created attachment 9350 [details] patch, including change log and a layout test
Alice Liu
Comment 6 2006-07-11 09:39:18 PDT
<rdar://problem/4622622>
Maciej Stachowiak
Comment 7 2006-07-12 05:11:27 PDT
Comment on attachment 9350 [details] patch, including change log and a layout test r=me
Darin Adler
Comment 8 2006-07-12 08:25:14 PDT
Committed revision 15390.
David Kilzer (:ddkilzer)
Comment 9 2006-07-12 09:04:48 PDT
Also committed revision 15392 to fix LayoutTest files with property information in them.  (See Bug 9875.)
Note You need to log in before you can comment on or make changes to this bug.