Bug 54730 - chrome.dll!WebCore::findPlaceForCounter+1 RecursionSOV (a5da9b73c78c638758c4402f7beabe57)
Summary: chrome.dll!WebCore::findPlaceForCounter+1 RecursionSOV (a5da9b73c78c638758c44...
Status: RESOLVED DUPLICATE of bug 60323
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC Windows Vista
: P1 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-02-18 01:02 PST by Berend-Jan Wever
Modified: 2011-05-06 09:09 PDT (History)
2 users (show)

See Also:

Attachments
Repro (220 bytes, text/html)
2011-02-18 01:02 PST, Berend-Jan Wever 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Berend-Jan Wever 2011-02-18 01:02:45 PST 
Created attachment 82932 [details]
Repro

Chromium: http://code.google.com/p/chromium/issues/detail?id=73379
findPlaceForCounter & makeCounterNode can call eachother recursively:

static bool findPlaceForCounter(RenderObject* counterOwner, const AtomicString& identifier, bool isReset, CounterNode*& parent, CounterNode*& previousSibling)
<snip>
    RenderObject* currentRenderer = previousInPreOrder(counterOwner);
    previousSibling = 0;
    while (currentRenderer) {
        CounterNode* currentCounter = makeCounterNode(currentRenderer, identifier, false);
<snip>

static CounterNode* makeCounterNode(RenderObject* object, const AtomicString& identifier, bool alwaysCreateCounter)
<snip>
    CounterNode* newParent = 0;
    CounterNode* newPreviousSibling = 0;
    RefPtr<CounterNode> newNode = CounterNode::create(object, isReset, value);
    if (findPlaceForCounter(object, identifier, isReset, newParent, newPreviousSibling))
<snip>

id:             chrome.dll!WebCore::findPlaceForCounter+1 RecursionSOV (a5da9b73c78c638758c4402f7beabe57)
description:    Recursive function calls in chrome.dll!WebCore::findPlaceForCounter and chrome.dll!WebCore::makeCounterNode: 9205 loops
application:    Chromium 11.0.671.0

Repro:
<html>
  <head>
    <script>
      function go() {
        document.write('x<dd><strike style="counter-increment:r"></dd>x');
        document.open();
      }
    </script>
  </head>
  <body onload="go()"></body>
</html>
Comment 1 Adam Barth 2011-05-06 09:09:54 PDT 

*** This bug has been marked as a duplicate of bug 60323 ***