RESOLVED FIXED 12066
Crash due to runaway recursion when fieldset has display: table-row
https://bugs.webkit.org/show_bug.cgi?id=12066
Mark Rowe (bdash)
Reported 2007-01-01 23:50:25 PST
<html>
<head>
<title>Test HTML Page</title>
<style type="text/css">
fieldset { display: table-row; }
</style>
</head>
<body>
<fieldset>fieldset</fieldset>
</body>
</html>

results in a crash after quite some delay:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xbf7fff7c
0x9000297e in szone_malloc ()
(gdb) bt
#0 0x9000297e in szone_malloc ()
#1 0x9000268f in malloc ()
#2 0x005293ef in WTF::fastMalloc (n=256) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/JavaScriptCore/wtf/FastMalloc.cpp:87
#3 0x01515f86 in WTF::VectorBuffer<WebCore::RenderTableSection::RowStruct, 0ul>::allocateBuffer (this=0x1dbdcd90, newCapacity=16) at Vector.h:248
#4 0x015161a0 in WTF::Vector<WebCore::RenderTableSection::RowStruct, 0ul>::reserveCapacity (this=0x1dbdcd8c, newCapacity=16) at Vector.h:574
#5 0x01516234 in WTF::Vector<WebCore::RenderTableSection::RowStruct, 0ul>::expandCapacity (this=0x1dbdcd8c, newMinCapacity=1) at Vector.h:531
#6 0x015162a5 in WTF::Vector<WebCore::RenderTableSection::RowStruct, 0ul>::resize (this=0x1dbdcd8c, size=1) at Vector.h:560
#7 0x011b1618 in WebCore::RenderTableSection::ensureRows (this=0x1dbdcd2c, numRows=1) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderTableSection.cpp:154
#8 0x011b20ae in WebCore::RenderTableSection::addChild (this=0x1dbdcd2c, child=0x1dbdce3c, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderTableSection.cpp:131
#9 0x011b203d in WebCore::RenderTableSection::addChild (this=0x1dbdcd2c, child=0x189386ac, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderTableSection.cpp:120
#10 0x011ac6a2 in WebCore::RenderTable::addChild (this=0x1dbdcaec, child=0x189386ac, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderTable.cpp:200
#11 0x011686a5 in WebCore::RenderContainer::addChild (this=0x1dbdca1c, newChild=0x189386ac, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderContainer.cpp:148
#12 0x0114c25f in WebCore::RenderBlock::addChildToFlow (this=0x1dbdca1c, newChild=0x189386ac, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:206
#13 0x0116d420 in WebCore::RenderFlow::addChild (this=0x1dbdca1c, newChild=0x189386ac, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderFlow.cpp:112
#14 0x011b2f6b in WebCore::RenderTableRow::addChild (this=0x1dbdc75c, child=0x189386ac, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderTableRow.cpp:93
#15 0x011b205e in WebCore::RenderTableSection::addChild (this=0x1dbdc64c, child=0x189386ac, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderTableSection.cpp:121
#16 0x011ac6a2 in WebCore::RenderTable::addChild (this=0x1dbdc40c, child=0x189386ac, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderTable.cpp:200
#17 0x011686a5 in WebCore::RenderContainer::addChild (this=0x1dbdc2dc, newChild=0x189386ac, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderContainer.cpp:148
#18 0x0114c25f in WebCore::RenderBlock::addChildToFlow (this=0x1dbdc2dc, newChild=0x189386ac, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:206
#19 0x0116d420 in WebCore::RenderFlow::addChild (this=0x1dbdc2dc, newChild=0x189386ac, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderFlow.cpp:112
#20 0x011b2f6b in WebCore::RenderTableRow::addChild (this=0x1dbdc07c, child=0x189386ac, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderTableRow.cpp:93
#21 0x011b205e in WebCore::RenderTableSection::addChild (this=0x1dbdbf6c, child=0x189386ac, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderTableSection.cpp:121
#22 0x011ac6a2 in WebCore::RenderTable::addChild (this=0x1dbdbd2c, child=0x189386ac, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderTable.cpp:200
#23 0x011686a5 in WebCore::RenderContainer::addChild (this=0x1dbdbbfc, newChild=0x189386ac, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderContainer.cpp:148
#24 0x0114c25f in WebCore::RenderBlock::addChildToFlow (this=0x1dbdbbfc, newChild=0x189386ac, beforeChild=0x0) at /Users/mrowe/Documents/Source/SVN/WebKit-Nightlies/WebCore/rendering/RenderBlock.cpp:206
[and so on for many thousand frames]
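A triage helper, added here and not part of WebKit or of this report, that parses a gdb backtrace like the one above and finds the shortest repeating cycle of frames: the six-function addChild loop (RenderTable -> RenderContainer -> RenderBlock -> RenderFlow -> RenderTableRow -> RenderTableSection -> RenderTable) is what marks this as unbounded recursion exhausting the stack rather than an ordinary heap bug inside malloc. The sample backtrace is constructed from the frame names quoted above, with addresses, argument lists and paths abbreviated.

```python
"""Spot runaway recursion in a gdb backtrace by finding its shortest frame cycle."""
import re
from typing import List, Optional, Tuple

# Frame names taken from the backtrace in this report (constructed sample: the
# addresses, argument lists and paths that _render adds are abbreviated).
_LEAF = ["szone_malloc", "malloc", "WTF::fastMalloc",
         "WTF::Vector<WebCore::RenderTableSection::RowStruct, 0ul>::resize",
         "WebCore::RenderTableSection::ensureRows",
         "WebCore::RenderTableSection::addChild"]
_CYCLE = ["WebCore::RenderTableSection::addChild", "WebCore::RenderTable::addChild",
          "WebCore::RenderContainer::addChild", "WebCore::RenderBlock::addChildToFlow",
          "WebCore::RenderFlow::addChild", "WebCore::RenderTableRow::addChild"]

def _render(frames: List[str]) -> str:
    # Format names as gdb-style '#N  0xADDR in func (args) at file:line' lines.
    return "\n".join(f"#{i}  0x{0x1000 + i:08x} in {f} (this=0x1dbdcd2c) at src.cpp:{i}"
                     for i, f in enumerate(frames))

SAMPLE_BACKTRACE = _render(_LEAF + _CYCLE * 3)   # 6 leaf frames + 18 cycling frames

# '#N  0xADDR in func (': the address is optional and func may contain spaces
# (template arguments), so match lazily up to the opening parenthesis.
_FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(.+?)\s*\(")

def parse_frames(backtrace: str) -> List[str]:
    """Function name of every frame line, innermost (#0) first."""
    matches = (_FRAME_RE.match(line.strip()) for line in backtrace.splitlines())
    return [m.group(2) for m in matches if m]

def find_cycle(frames: List[str], min_repeats: int = 3) -> Optional[Tuple[int, List[str]]]:
    """Shortest period p for which some stretch of the stack repeats every p
    frames for at least min_repeats full turns. Returns (p, cycle) or None."""
    n = len(frames)
    for p in range(1, n // min_repeats + 1):
        best_len, best_start, run = 0, 0, 0
        for i in range(n - p):                 # run = consecutive positions matching p ahead
            run = run + 1 if frames[i] == frames[i + p] else 0
            if run > best_len:
                best_len, best_start = run, i - run + 1
        if best_len + p >= p * min_repeats:    # a run of best_len matches spans best_len + p frames
            return p, frames[best_start:best_start + p]
    return None

def describe(backtrace: str) -> str:
    """One-line triage verdict for a backtrace."""
    hit = find_cycle(parse_frames(backtrace))
    if hit is None:
        return "no repeating frame cycle: not runaway recursion"
    return f"runaway recursion, period {hit[0]}: " + " -> ".join(hit[1])
```

Feed the real `bt` output to `describe()` to get the same verdict; a backtrace with no repeating stretch (an ordinary heap corruption crash in malloc, for instance) reports no cycle.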
Mark Rowe (bdash)
Comment 1 2007-01-02 20:57:30 PST
This also occurs with WebKit 418.9.1.
Mark Rowe (bdash)
Comment 2 2007-01-16 19:30:50 PST
Maciej Stachowiak
Comment 3 2007-02-07 03:16:43 PST
Downgrading since this is not a regression and does not affect a known real-world site.
Darin Adler
Comment 4 2007-05-16 13:38:51 PDT
Sending        LayoutTests/ChangeLog
Adding         LayoutTests/fast/css/fieldset-display-row-expected.checksum
Adding  (bin)  LayoutTests/fast/css/fieldset-display-row-expected.png
Adding         LayoutTests/fast/css/fieldset-display-row-expected.txt
Adding         LayoutTests/fast/css/fieldset-display-row.html
Sending        WebCore/ChangeLog
Sending        WebCore/rendering/RenderContainer.cpp
Sending        WebCore/rendering/RenderTable.cpp
Transmitting file data ........
Committed revision 21520.