NEW 54734
chrome.dll!WebCore..ApplyStyleCommand..pushDownInlineStyleAroundNode OOM (93871a71195a4feb563917607f83aaa6)
https://bugs.webkit.org/show_bug.cgi?id=54734
Berend-Jan Wever
Reported 2011-02-18 02:10:11 PST
Created attachment 82936 [details]
Repro

Chromium: http://code.google.com/p/chromium/issues/detail?id=73384

It appears that ApplyStyleCommand::pushDownInlineStyleAroundNode can go into an infinite loop and push elements into a Vector until all memory is consumed:
http://codesearch.google.com/codesearch/p?hl=en#OAMlx_jo-ck/src/third_party/WebKit/Source/WebCore/editing/ApplyStyleCommand.cpp&q=pushDownInlineStyleAroundNode&exact_package=chromium&sa=N&cd=1&ct=rc&l=1420

    void ApplyStyleCommand::pushDownInlineStyleAroundNode(CSSMutableStyleDeclaration* style, Node* targetNode)
    {
        <snip>
        Vector<RefPtr<Element> > elementsToPushDown;
        while (current != targetNode) { // BJW: This can be an infinite loop
            <snip>
            if (current->isStyledElement() && isStyledInlineElementToRemove(static_cast<Element*>(current))) {
                styledElement = static_cast<StyledElement*>(current);
                elementsToPushDown.append(styledElement); // This causes OOM in infinite loops
                <snip>

Repro:

    <html>
    <head>
    <script>
    function go() {
        document.designMode = "on";
        document.execCommand("SelectAll");
        document.execCommand("delete");
        document.execCommand("delete", false);
        document.execCommand("insertimage", false);
        document.execCommand("selectall");
        document.execCommand("strikethrough");
        document.execCommand("insertimage", false);
        document.execCommand("justifycenter");
        document.execCommand("InsertOrderedList");
        document.execCommand("insertimage", false);
        document.execCommand("insertorderedlist");
        document.execCommand("InsertHorizontalRule", false);
        document.execCommand("justifyright", false);
        document.execCommand("insertparagraph");
        document.execCommand("indent");
        document.execCommand("delete");
        document.execCommand("Undo");
        document.execCommand("underline");
        document.execCommand("removeformat", false);
    }
    </script>
    </head>
    <body onload="go()">
    </body>
    </html>

id: chrome.dll!WebCore::ApplyStyleCommand::pushDownInlineStyleAroundNode OOM (93871a71195a4feb563917607f83aaa6)
description: Cannot allocate enough memory in chrome.dll!WebCore::ApplyStyleCommand::pushDownInlineStyleAroundNode
application: Chromium 11.0.671.0
stack:
    chrome.dll!WebCore::ApplyStyleCommand::pushDownInlineStyleAroundNode
    chrome.dll!WebCore::ApplyStyleCommand::removeInlineStyle
    chrome.dll!WebCore::ApplyStyleCommand::applyInlineStyle
    chrome.dll!WebCore::ApplyStyleCommand::doApply
    chrome.dll!WebCore::EditCommand::apply
    chrome.dll!WebCore::CompositeEditCommand::applyCommandToComposite
    chrome.dll!WebCore::RemoveFormatCommand::doApply
    chrome.dll!WebCore::EditCommand::apply
    chrome.dll!WebCore::applyCommand
    chrome.dll!WebCore::Editor::removeFormattingAndStyle
    chrome.dll!WebCore::executeRemoveFormat
    chrome.dll!WebCore::Editor::Command::execute
    chrome.dll!WebCore::Document::execCommand
    chrome.dll!WebCore::DocumentInternal::execCommandCallback
    chrome.dll!v8::internal::HandleApiCallHelper<...>
    chrome.dll!v8::internal::Builtin_HandleApiCall
    chrome.dll!v8::internal::Invoke
    chrome.dll!v8::internal::Execution::Call
    ...
Attachments
Repro (1.03 KB, text/html)
2011-02-18 02:10 PST, Berend-Jan Wever
no flags
Ryosuke Niwa
Comment 1 2011-03-10 11:31:57 PST
This hang didn't reproduce with WebKit r80641 on Mac. Could you try obtaining the DOM & selection on Chrome / WebKit that reproduce the issue right before you run the last document.execCommand("removeformat",false); ? We might still be able to reproduce the hang if we ran RemoveFormat on that DOM.
Berend-Jan Wever
Comment 2 2011-03-28 04:02:25 PDT
Sorry for the slow response, this one slipped through. "Could you try obtaining the DOM & selection on Chrome / WebKit" - sure, but what exactly do you mean with that?
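One way to capture what comment 1 asks for, as an added example that is not part of this bug report: a small helper that serializes the editing host's markup and the selection (as child-index paths from the body, so it survives being pasted into a bug) right before the final document.execCommand("removeformat", false) runs. The helper takes the document and selection as parameters so it can be exercised offline against a constructed DOM-like tree; snapshotEditingState and nodePath are hypothetical names.

```javascript
// Added example (not part of the original report): snapshot the DOM and
// selection of an editable document right before a suspect execCommand call,
// so the state that triggers the hang can be attached to the bug.

// Child-index path from `root` down to `node`, e.g. [0, 2] means
// root.childNodes[0].childNodes[2]. Returns null if node is not under root.
function nodePath(node, root) {
  var path = [];
  while (node && node !== root) {
    var parent = node.parentNode;
    if (!parent) return null;
    path.unshift(Array.prototype.indexOf.call(parent.childNodes, node));
    node = parent;
  }
  return node === root ? path : null;
}

// Serialize body markup plus every selection range as start/end paths.
function snapshotEditingState(doc, sel) {
  var root = doc.body;
  var snap = { html: root.innerHTML, ranges: [] };
  for (var i = 0; i < sel.rangeCount; i++) {
    var r = sel.getRangeAt(i);
    snap.ranges.push({
      start: { path: nodePath(r.startContainer, root), offset: r.startOffset },
      end: { path: nodePath(r.endContainer, root), offset: r.endOffset }
    });
  }
  return snap;
}

// In the repro's go(), the last two lines would become:
//   console.log(JSON.stringify(snapshotEditingState(document, window.getSelection())));
//   document.execCommand("removeformat", false);
// The logged JSON is the DOM + selection to paste into the bug.
```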