Bug 52143 (NEW)
Freeze (infinite loop) with execCommand
https://bugs.webkit.org/show_bug.cgi?id=52143
Berend-Jan Wever
Reported 2011-01-10 02:32:56 PST
Created attachment 78385
Repro

Chromium bug: http://code.google.com/p/chromium/issues/detail?id=69042

Repro:

<script>
function go() {
  var iInterval = setInterval(repro, 100);
  setTimeout(function() {
    clearTimeout(iInterval);
    document.body.innerHTML = 'PASS';
  }, 1000);
}
function repro() {
  document.designMode="on";
  document.execCommand("selectall",false);
  document.execCommand("InsertImage",false);
  document.execCommand("SelectAll");
  document.execCommand("insertorderedlist");
  document.execCommand("Outdent");
  document.execCommand("justifyleft",false);
  document.execCommand("Underline",false);
  document.execCommand("insertorderedlist",false);
  document.execCommand("InsertHorizontalRule");
  document.execCommand("Indent");
  document.execCommand("SelectAll",false);
  document.execCommand("justifycenter");
  document.execCommand("InsertHorizontalRule",false);
  document.execCommand("insertorderedlist",false);
  document.execCommand("selectall",false);
  document.execCommand("RemoveFormat");
  document.execCommand("justifyright",false);
  document.execCommand("insertorderedlist");
  document.execCommand("indent");
  document.execCommand("justifycenter");
  document.execCommand("Indent");
  document.execCommand("insertunorderedlist",false);
  document.execCommand("Indent",false);
  document.execCommand("InsertImage",false);
  document.execCommand("InsertParagraph",false);
  document.execCommand("delete",false);
  document.execCommand("selectall",false);
  document.execCommand("justifyright");
  document.execCommand("Outdent");
  document.execCommand("underline");
  document.execCommand("InsertParagraph");
  document.execCommand("inserthorizontalrule",false);
  document.execCommand("Outdent");
  document.execCommand("insertorderedlist");
  document.execCommand("selectall",false);
  document.execCommand("Outdent",false);
  document.execCommand("Outdent",false);
}
</script>
<body onload="go();"></body>

The repro can probably be reduced a lot further.
It should show "PASS" after running for 1 second, but it ends up in an infinite loop and uses 100% CPU forever.
Attachments
Repro (1.89 KB, text/html)
2011-01-10 02:32 PST, Berend-Jan Wever
Eric Seidel (no email)
Comment 1 2011-01-10 02:33:47 PST
Ryosuke knows as much or more than I do about Editing these days. :)
Berend-Jan Wever
Comment 2 2011-01-10 02:40:52 PST
(In reply to comment #1)
> Ryosuke knows as much or more than I do about Editing these days. :)

I set it up to auto cc you years ago; should I change that to auto cc Ryosuke instead?
Eric Seidel (no email)
Comment 3 2011-01-10 02:45:26 PST
I'm happy to look at security bugs from you, but if all your bugs are Editing, Ryosuke is more likely to be the one to fix them than I am. At least given his and my current focus areas.
Berend-Jan Wever
Comment 4 2011-01-10 02:56:59 PST
I use separate templates for SVG, HTML and HTML editing, so I'll change the latter to cc Ryosuke instead of you if that makes more sense.
Eric Seidel (no email)
Comment 5 2011-01-10 03:00:59 PST
Sounds good. Thanks.
Andrey Petrov
Comment 6 2011-05-21 10:27:00 PDT
What an interesting problem. Off the top of my head, it looks like the 100ms timer events are flooding the event queue. At the same time, the 1sec timer never gets to fire because these repro events are added in front of it in the timer queue. If this is the case, then the problem is not specific to the editor and can probably have tons of other manifestations. I will try to look into the code to figure out the root cause.
Andrey Petrov
Comment 7 2011-05-21 10:46:34 PDT
Does not reproduce on Linux/GTK and on Win on the current nightly. Is it specific to Windows Vista?
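
The timer pattern in go() from the repro above, modelled as an added example (not part of the bug report and not WebKit code). It assumes a single thread with a virtual clock on which the timer with the earliest deadline runs first, and a hypothetical cost in milliseconds for each repro() call; it separates a delayed PASS from a callback that never returns.

```javascript
// Model of go(): a repeating 100 ms timer that runs repro() and a one-shot
// 1000 ms timer that cancels it and reports PASS.
// Assumptions (not from the bug report): one thread, a virtual clock, the
// timer with the earliest deadline runs first, and a repeating timer is
// re-armed relative to the time its callback finished.
// reproCostMs is a hypothetical duration of one repro() call; Infinity
// stands for a call that never returns. budgetMs is the watchdog limit.
function simulate(reproCostMs, budgetMs = 60000) {
  let now = 0, nextId = 1, reproRuns = 0, passAt = null;
  const timers = new Map(); // id -> { id, due, every, fn }

  const arm = (fn, delay, every) => {
    const id = nextId++;
    timers.set(id, { id, due: now + delay, every, fn });
    return id;
  };

  // setInterval(repro, 100): each call burns reproCostMs of virtual time.
  const interval = arm(() => { reproRuns++; now += reproCostMs; }, 100, 100);
  // setTimeout(..., 1000): cancel the interval and record when PASS appears.
  arm(() => { timers.delete(interval); passAt = now; }, 1000, null);

  while (timers.size > 0) {
    // Earliest deadline first; ties go to the timer that was created first.
    const next = [...timers.values()]
      .sort((a, b) => a.due - b.due || a.id - b.id)[0];
    now = Math.max(now, next.due);
    if (next.every === null) timers.delete(next.id); // one-shot timer
    next.fn();
    // Watchdog: the callback consumed more virtual time than the budget.
    if (now > budgetMs) return { verdict: 'HANG', reproRuns, passAt };
    // Re-arm the repeating timer unless the callback cancelled it.
    if (next.every !== null && timers.has(next.id)) next.due = now + next.every;
  }
  return { verdict: 'PASS', reproRuns, passAt };
}
```

In this model simulate(500) still reaches PASS, at 1200 ms instead of 1000 ms, while simulate(Infinity) is reported as HANG after a single repro() call.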