Bug 136944 - Crash in WebCore::RenderGrid::populateExplicitGridAndOrderIterator when trying to allocate huge vector
Summary: Crash in WebCore::RenderGrid::populateExplicitGridAndOrderIterator when trying to allocate huge vector
Status: RESOLVED DUPLICATE of bug 136217
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks: 116980
Reported: 2014-09-19 01:52 PDT by Renata Hodovan
Modified: 2014-09-23 07:19 PDT

See Also:


Attachments
Test case (115 bytes, text/html)
2014-09-19 01:52 PDT, Renata Hodovan

Description Renata Hodovan 2014-09-19 01:52:42 PDT
Created attachment 238358 [details]
Test case

The failing test:

<!DOCTYPE html>
<style>
* {
    display: -webkit-inline-grid;
    -webkit-grid-row-start: 87500000000;
}
</style>

This is probably the same issue as http://crbug.com/402006.


The backtrace:


0x00007fffedbf5e7f in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:329
329	    *(int *)(uintptr_t)0xbbadbeef = 0;
#0  0x00007fffedbf5e7f in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:329
#1  0x00007ffff3a01336 in WTF::VectorBufferBase<WTF::Vector<WTF::Vector<WebCore::RenderBox*, 1ul, WTF::CrashOnOverflow>, 0ul, WTF::CrashOnOverflow> >::allocateBuffer (this=0x8a1978, newCapacity=0x7fffffff) at ../../Source/WTF/wtf/Vector.h:262
#2  0x00007ffff3a00d29 in WTF::Vector<WTF::Vector<WTF::Vector<WebCore::RenderBox*, 1ul, WTF::CrashOnOverflow>, 0ul, WTF::CrashOnOverflow>, 0ul, WTF::CrashOnOverflow>::reserveCapacity (this=0x8a1978, newCapacity=0x7fffffff) at ../../Source/WTF/wtf/Vector.h:967
#3  0x00007ffff39ff96c in WTF::Vector<WTF::Vector<WTF::Vector<WebCore::RenderBox*, 1ul, WTF::CrashOnOverflow>, 0ul, WTF::CrashOnOverflow>, 0ul, WTF::CrashOnOverflow>::expandCapacity (this=0x8a1978, newMinCapacity=0x7fffffff) at ../../Source/WTF/wtf/Vector.h:877
#4  0x00007ffff39fe3c4 in WTF::Vector<WTF::Vector<WTF::Vector<WebCore::RenderBox*, 1ul, WTF::CrashOnOverflow>, 0ul, WTF::CrashOnOverflow>, 0ul, WTF::CrashOnOverflow>::grow (this=0x8a1978, size=0x7fffffff) at ../../Source/WTF/wtf/Vector.h:954
#5  0x00007ffff39fa319 in WebCore::RenderGrid::populateExplicitGridAndOrderIterator (this=0x8a18e0) at ../../Source/WebCore/rendering/RenderGrid.cpp:730
#6  0x00007ffff39f9bff in WebCore::RenderGrid::placeItemsOnGrid (this=0x8a18e0) at ../../Source/WebCore/rendering/RenderGrid.cpp:664
#7  0x00007ffff39faf6a in WebCore::RenderGrid::layoutGridItems (this=0x8a18e0) at ../../Source/WebCore/rendering/RenderGrid.cpp:845
#8  0x00007ffff39f7258 in WebCore::RenderGrid::layoutBlock (this=0x8a18e0, relayoutChildren=0x0) at ../../Source/WebCore/rendering/RenderGrid.cpp:218
#9  0x00007ffff391540f in WebCore::RenderBlock::layout (this=0x8a18e0) at ../../Source/WebCore/rendering/RenderBlock.cpp:1019
#10 0x00007ffff3941312 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x7df8b0, child=..., marginInfo=..., previousFloatLogicalBottom=..., maxFloatLogicalBottom=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:712
#11 0x00007ffff3940e33 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x7df8b0, relayoutChildren=0x1, maxFloatLogicalBottom=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:633
#12 0x00007ffff3940250 in WebCore::RenderBlockFlow::layoutBlock (this=0x7df8b0, relayoutChildren=0x1, pageLogicalHeight=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:486
#13 0x00007ffff391540f in WebCore::RenderBlock::layout (this=0x7df8b0) at ../../Source/WebCore/rendering/RenderBlock.cpp:1019
#14 0x00007ffff3b0a689 in WebCore::RenderView::layoutContent (this=0x7df8b0, state=...) at ../../Source/WebCore/rendering/RenderView.cpp:230
#15 0x00007ffff3b0ad59 in WebCore::RenderView::layout (this=0x7df8b0) at ../../Source/WebCore/rendering/RenderView.cpp:355
#16 0x00007ffff368536f in WebCore::FrameView::layout (this=0x8a0a20, allowSubtree=0x1) at ../../Source/WebCore/page/FrameView.cpp:1301
#17 0x00007ffff3053485 in WebCore::Document::implicitClose (this=0x80e840) at ../../Source/WebCore/dom/Document.cpp:2440
#18 0x00007ffff35339c3 in WebCore::FrameLoader::checkCallImplicitClose (this=0x98f538) at ../../Source/WebCore/loader/FrameLoader.cpp:898
#19 0x00007ffff353372b in WebCore::FrameLoader::checkCompleted (this=0x98f538) at ../../Source/WebCore/loader/FrameLoader.cpp:844
#20 0x00007ffff3533494 in WebCore::FrameLoader::finishedParsing (this=0x98f538) at ../../Source/WebCore/loader/FrameLoader.cpp:764
#21 0x00007ffff305bf07 in WebCore::Document::finishedParsing (this=0x80e840) at ../../Source/WebCore/dom/Document.cpp:4523
#22 0x00007ffff33b00f5 in WebCore::HTMLConstructionSite::finishedParsing (this=0xa1fc88) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:395
#23 0x00007ffff33edd8d in WebCore::HTMLTreeBuilder::finished (this=0xa1fc70) at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2997
#24 0x00007ffff33b8c56 in WebCore::HTMLDocumentParser::end (this=0xa26ab0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:451
#25 0x00007ffff33b8d41 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0xa26ab0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:462
#26 0x00007ffff33b76f7 in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0xa26ab0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:165
#27 0x00007ffff33b8d84 in WebCore::HTMLDocumentParser::attemptToEnd (this=0xa26ab0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:474
#28 0x00007ffff33b8e3b in WebCore::HTMLDocumentParser::finish (this=0xa26ab0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:502
#29 0x00007ffff3525131 in WebCore::DocumentWriter::end (this=0x7b3120) at ../../Source/WebCore/loader/DocumentWriter.cpp:246
#30 0x00007ffff35107e9 in WebCore::DocumentLoader::finishedLoading (this=0x7b3080, finishTime=0) at ../../Source/WebCore/loader/DocumentLoader.cpp:441
#31 0x00007ffff3510552 in WebCore::DocumentLoader::notifyFinished (this=0x7b3080, resource=0x91e7c0) at ../../Source/WebCore/loader/DocumentLoader.cpp:375
#32 0x00007ffff35c7814 in WebCore::CachedResource::checkNotify (this=0x91e7c0) at ../../Source/WebCore/loader/cache/CachedResource.cpp:347
#33 0x00007ffff35c791e in WebCore::CachedResource::finishLoading (this=0x91e7c0) at ../../Source/WebCore/loader/cache/CachedResource.cpp:363
#34 0x00007ffff35c41ac in WebCore::CachedRawResource::finishLoading (this=0x91e7c0, data=0x9beda0) at ../../Source/WebCore/loader/cache/CachedRawResource.cpp:101
#35 0x00007ffff3573a3a in WebCore::SubresourceLoader::didFinishLoading (this=0x91ed20, finishTime=0) at ../../Source/WebCore/loader/SubresourceLoader.cpp:306
#36 0x00007ffff356f75f in WebCore::ResourceLoader::didFinishLoading (this=0x91ed20, finishTime=0) at ../../Source/WebCore/loader/ResourceLoader.cpp:512
#37 0x00007ffff3edb101 in WebCore::readCallback (asyncResult=0x7e91a0, data=0x85e960) at ../../Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1302
#38 0x00007fffebaf12ea in async_ready_callback_wrapper (source_object=0x98cb30, res=0x7e91a0, user_data=0x85e960) at ginputstream.c:519
#39 0x00007fffebb10ceb in g_task_return_now (task=0x7e91a0) at gtask.c:1108
#40 0x00007fffebb10d09 in complete_in_idle_cb (task=0x7e91a0) at gtask.c:1117
#41 0x00007fffead672e6 in g_main_dispatch (context=0x677bb0) at gmain.c:3065
#42 g_main_context_dispatch (context=context@entry=0x677bb0) at gmain.c:3641
#43 0x00007fffead67638 in g_main_context_iterate (context=0x677bb0, block=block@entry=0x1, dispatch=dispatch@entry=0x1, self=<optimized out>) at gmain.c:3712
#44 0x00007fffead67a3a in g_main_loop_run (loop=0x6f42e0) at gmain.c:3906
#45 0x00007ffff45cf042 in WTF::RunLoop::run () at ../../Source/WTF/wtf/gtk/RunLoopGtk.cpp:59
#46 0x00007ffff2b0b624 in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain> (argc=0x2, argv=0x7fffffffd9b8) at ../../Source/WebKit2/Shared/unix/ChildProcessMain.h:61
#47 0x00007ffff2b0b489 in WebKit::WebProcessMainUnix (argc=0x2, argv=0x7fffffffd9b8) at ../../Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:73
#48 0x000000000040080d in main (argc=0x2, argv=0x7fffffffd9b8) at ../../Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp:32
Comment 1 Sergio Villar Senin 2014-09-19 08:16:45 PDT
Right, the specs have been modified so that we can now limit the sizes of the explicit and implicit grids.
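The test case and backtrace above show the hazard: a `grid-row-start` of 87500000000 reaches `RenderGrid::populateExplicitGridAndOrderIterator`, which grows a `Vector<Vector<RenderBox*>>` to cover that row (the backtrace shows `newCapacity=0x7fffffff`, i.e. the value had already saturated at INT_MAX), and WTF's `CrashOnOverflow` vector aborts the process rather than attempt the allocation. The comment above describes the mitigation the spec now allows: clamping the explicit and implicit grid to an implementation limit. The following is an added example, not WebKit's code, that contrasts the unclamped row count with a clamped one and adds a byte-budget check before any resize; `kMaxTracks`, `GridLine`, and all function names are assumptions for illustration, and the limit value is hypothetical rather than WebKit's actual constant.

```cpp
// Added example (not WebKit code): bounding the grid size derived from a
// grid-row-start line number before it is used to size row storage.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical implementation limit on grid tracks, standing in for the cap
// the spec change permits. Not WebKit's real constant.
constexpr int64_t kMaxTracks = 1000000;

// A parsed `grid-row-start: <integer>` value. CSS grid lines are 1-based.
struct GridLine {
    int64_t number;
};

// Rows the explicit grid would need if the line number were taken at face
// value. For the reporter's test case this is 87500000000 rows, which is the
// request that drove the crashing Vector::grow call.
int64_t requestedRowCount(GridLine line) {
    return line.number > 0 ? line.number : 0;
}

// Clamped version: the grid never grows beyond kMaxTracks rows, whatever the
// stylesheet asks for, so the downstream allocation stays bounded.
int64_t clampedRowCount(GridLine line) {
    return std::min(requestedRowCount(line), kMaxTracks);
}

// Defensive check before a resize: rejects negative counts, counts whose byte
// size would overflow size_t, and counts that exceed a caller-chosen budget.
bool allocationWithinBudget(int64_t rows, size_t bytesPerRow, size_t budgetBytes) {
    if (rows < 0 || bytesPerRow == 0)
        return false;
    if (static_cast<uint64_t>(rows) > SIZE_MAX / bytesPerRow)
        return false;  // rows * bytesPerRow would overflow
    return static_cast<size_t>(rows) * bytesPerRow <= budgetBytes;
}

// Per-row item storage in the shape of Vector<Vector<RenderBox*>>, using int
// as a stand-in for the item pointer. The clamp keeps the outer vector bounded;
// returns an empty container if even the clamped size is outside the budget.
std::vector<std::vector<int>> buildRowStorage(GridLine line, size_t budgetBytes) {
    std::vector<std::vector<int>> rows;
    const int64_t count = clampedRowCount(line);
    if (!allocationWithinBudget(count, sizeof(std::vector<int>), budgetBytes))
        return rows;
    rows.resize(static_cast<size_t>(count));
    return rows;
}
```

The budget check is deliberately separate from the clamp: the clamp implements the spec's size limit, while the budget check is the belt-and-braces guard that turns an impossible allocation into an empty result instead of an abort, which is the behaviour a layout engine wants when a stylesheet is hostile.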
Comment 2 Sergio Villar Senin 2014-09-23 07:19:44 PDT
Already addressed in some other bug.

*** This bug has been marked as a duplicate of bug 136217 ***