Bug 54740 - chrome.dll!WebCore::RenderBlock::addFocusRingRects OOM (404d82428bd920c896c411920eae1898)
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing
Version: 528+ (Nightly build)
Hardware: PC Windows Vista
Importance: P1 Normal
Assignee: Nobody
URL:
Keywords:
Duplicates: 61055
Depends on:
Blocks:
 
Reported: 2011-02-18 04:21 PST by Berend-Jan Wever
Modified: 2011-06-20 16:17 PDT
CC List: 7 users

See Also:


Attachments
Repro (943 bytes, text/html)
2011-02-18 04:21 PST, Berend-Jan Wever

Description Berend-Jan Wever 2011-02-18 04:21:33 PST
Created attachment 82942
Repro

Chromium: http://code.google.com/p/chromium/issues/detail?id=73400
This looks very much like a dup of issue 54734, in that it is also an OOM that appears to be caused by a loop in the node tree.

http://codesearch.google.com/codesearch/p?hl=en#OAMlx_jo-ck/src/third_party/WebKit/Source/WebCore/rendering/RenderInline.cpp&q=addFocusRingRects&exact_package=chromium&sa=N&cd=1&ct=rc
void RenderInline::addFocusRingRects(Vector<IntRect>& rects, int tx, int ty)
{
    for (InlineFlowBox* curr = firstLineBox(); curr; curr = curr->nextLineBox()) {
        RootInlineBox* root = curr->root();
        int top = max(root->lineTop(), curr->y());
        int bottom = min(root->lineBottom(), curr->y() + curr->logicalHeight());
        IntRect rect(tx + curr->x(), ty + top, curr->logicalWidth(), bottom - top);
        if (!rect.isEmpty())
            rects.append(rect);
    }

    for (RenderObject* curr = firstChild(); curr; curr = curr->nextSibling()) {
        if (!curr->isText() && !curr->isListMarker()) {
            FloatPoint pos(tx, ty);
            // FIXME: This doesn't work correctly with transforms.
            if (curr->hasLayer())
                pos = curr->localToAbsolute();
            else if (curr->isBox())
                pos.move(toRenderBox(curr)->x(), toRenderBox(curr)->y());
            curr->addFocusRingRects(rects, pos.x(), pos.y());
<snip>

id:             chrome.dll!WebCore::RenderBlock::addFocusRingRects OOM (404d82428bd920c896c411920eae1898)
description:    Cannot allocate enough memory in chrome.dll!WebCore::RenderBlock::addFocusRingRects
application:    Chromium 11.0.671.0
stack:          chrome.dll!WebCore::RenderBlock::addFocusRingRects
                chrome.dll!WebCore::RenderBlock::addFocusRingRects
                chrome.dll!WebCore::RenderBlock::addFocusRingRects
                chrome.dll!WebCore::RenderBlock::addFocusRingRects
                chrome.dll!WebCore::RenderBlock::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderInline::addFocusRingRects
                chrome.dll!WebCore::RenderBlock::addFocusRingRects
                chrome.dll!WebCore::RenderBlock::addFocusRingRects
                chrome.dll!WebCore::RenderObject::absoluteFocusRingQuads
                chrome.dll!WebCore::AccessibilityRenderObject::boundingBoxRect
                chrome.dll!WebKit::WebAccessibilityObject::boundingBoxRect
                chrome.dll!webkit_glue::WebAccessibility::Init
                chrome.dll!webkit_glue::WebAccessibility::WebAccessibility
                chrome.dll!RenderView::SendPendingAccessibilityNotifications
                chrome.dll!MessageLoop::RunTask
                chrome.dll!MessageLoop::DoWork
                chrome.dll!base::MessagePumpDefault::Run
                chrome.dll!MessageLoop::RunInternal
                ...
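The report above quotes the recursive RenderInline::addFocusRingRects walk and suspects a loop in the node tree. The following is an added illustration, not WebKit code and not the repro attachment: a toy model of that walk over a hypothetical node layout, showing how a cycle among the child/sibling links turns the recursion into unbounded allocation, and a guarded variant that detects the cycle and stops. Node, Rect, Demo, the cycle placement and the demo step budget are all assumptions made for the example.

```cpp
// Added illustration, not WebKit code: a toy model of the recursive
// addFocusRingRects() walk quoted in the report. The node layout, names and
// the cycle below are hypothetical; they model the reporter's hypothesis that
// a loop in the node tree makes the walk recurse and allocate without bound.
#include <cstddef>
#include <cstdio>
#include <unordered_set>
#include <vector>

struct Rect { int x, y, w, h; };

struct Node {
    Rect rect{};
    Node* firstChild = nullptr;
    Node* nextSibling = nullptr;
};

// Same shape as the WebKit loop: append this node's rect, then recurse into
// each child. There is no termination guard, so a cycle among the links means
// the recursion never unwinds and `rects` grows until allocation fails (the
// OOM in the report). `stepsLeft` is a demo-only budget so the example can
// stop and report instead of actually exhausting memory.
static void collectRectsUnguarded(const Node* n, std::vector<Rect>& rects,
                                  std::size_t& stepsLeft) {
    if (stepsLeft == 0) return;  // demo-only bailout, not part of the modelled code
    --stepsLeft;
    rects.push_back(n->rect);
    for (const Node* c = n->firstChild; c; c = c->nextSibling) {
        if (stepsLeft == 0) return;  // demo-only bailout
        collectRectsUnguarded(c, rects, stepsLeft);
    }
}

// Hardened variant: a visited set refuses to enter a node twice, so a cyclic
// "tree" yields a bounded result. Returns false if a cycle was hit.
static bool collectRectsGuarded(const Node* n, std::vector<Rect>& rects,
                                std::unordered_set<const Node*>& visited) {
    if (!visited.insert(n).second)
        return false;  // already visited: the links form a cycle
    rects.push_back(n->rect);
    for (const Node* c = n->firstChild; c; c = c->nextSibling)
        if (!collectRectsGuarded(c, rects, visited))
            return false;
    return true;
}

// Constructed input: root -> {a, b}, b -> {c}. When `cyclic` is set, c's
// sibling link points back at root, the kind of loop the report suspects
// (hypothetical layout, not taken from the repro attachment).
struct Demo {
    Node root, a, b, c;
    explicit Demo(bool cyclic) {
        root.rect = {0, 0, 100, 40};
        a.rect = {0, 0, 40, 20};
        b.rect = {40, 0, 60, 20};
        c.rect = {40, 20, 60, 20};
        root.firstChild = &a;
        a.nextSibling = &b;
        b.firstChild = &c;
        if (cyclic)
            c.nextSibling = &root;
    }
};

// Number of rects the unguarded walk appends before the demo budget runs out.
// Acyclic: 4 (one per node). Cyclic: the whole budget, i.e. growth is bounded
// only by available memory.
std::size_t rectsAppendedUnguarded(bool cyclic, std::size_t budget) {
    Demo d(cyclic);
    std::vector<Rect> rects;
    std::size_t left = budget;
    collectRectsUnguarded(&d.root, rects, left);
    return rects.size();
}

struct GuardedResult { std::size_t rects; bool complete; };

// Guarded walk over the same input: the cyclic case stops after the four
// distinct nodes and reports the cycle instead of growing.
GuardedResult walkGuarded(bool cyclic) {
    Demo d(cyclic);
    std::vector<Rect> rects;
    std::unordered_set<const Node*> visited;
    bool complete = collectRectsGuarded(&d.root, rects, visited);
    return {rects.size(), complete};
}

int main() {
    std::printf("unguarded, acyclic: %zu rects\n", rectsAppendedUnguarded(false, 500));
    std::printf("unguarded, cyclic:  %zu rects (hit demo budget)\n", rectsAppendedUnguarded(true, 500));
    GuardedResult g = walkGuarded(true);
    std::printf("guarded, cyclic:    %zu rects, cycle detected: %s\n",
                g.rects, g.complete ? "no" : "yes");
    return 0;
}
```

In the real renderer there is no step budget, which is why the cyclic case shows up as a deep addFocusRingRects recursion followed by an allocation failure rather than a clean error; whether the actual repro produces a cycle or merely a very deep tree is not established in the thread, so the cycle here is only a model of the reporter's hypothesis.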
Comment 1 Ryosuke Niwa 2011-02-21 03:10:09 PST
I can't reproduce this bug on r78685.  On which revision are you reproducing this bug?
Comment 2 Berend-Jan Wever 2011-02-22 04:58:13 PST
r73335 - maybe it got fixed?
Comment 3 Ryosuke Niwa 2011-02-22 05:16:31 PST
(In reply to comment #2)
> r73335 - maybe it got fixed?

I tried both r73316 and r73340 on my Mac (10.6) but opening the attachment document didn't crash / hang WebKit.  Did you reproduce it on Windows?
Comment 4 Berend-Jan Wever 2011-02-22 06:21:03 PST
Yes.
Comment 5 Berend-Jan Wever 2011-03-04 10:20:19 PST
Ryosuke: I found out that you need to start Chromium with "--force-renderer-accessibility" for this to trigger.
Comment 6 Berend-Jan Wever 2011-06-20 04:20:13 PDT
*** Bug 61055 has been marked as a duplicate of this bug. ***
Comment 7 Ryosuke Niwa 2011-06-20 10:34:51 PDT
(In reply to comment #5)
> Ryosuke: I found out that you need to start Chromium with "--force-renderer-accessibility" for this to trigger.

Mn... this is probably accessibility related then.  Maybe Alice would know what's happening?
Comment 8 Ryosuke Niwa 2011-06-20 14:58:16 PDT
Adding more accessibility folks.
Comment 9 chris fleizach 2011-06-20 15:06:14 PDT
(In reply to comment #8)
> Adding more accessibility folks.

When an accessibility element tries to calculate its bounding rectangle, it starts calling focusRingRects.

I don't know what OOM means, but the problem likely lies in Render code, unless Chrome is not calling updateBackingStore at some point in these methods

                chrome.dll!webkit_glue::WebAccessibility::Init
                chrome.dll!webkit_glue::WebAccessibility::WebAccessibility
                chrome.dll!RenderView::SendPendingAccessibilityNotifications

to ensure that the render tree is in a valid state
Comment 10 Berend-Jan Wever 2011-06-20 15:13:40 PDT
Out Of Memory (I work at Google, we have an internal app to find these things :)
Comment 11 chris fleizach 2011-06-20 15:14:52 PDT
(In reply to comment #10)
> Out Of Memory (I work at Google, we have an internal app to find these things :)

On certain webpages, the focusRing method to find the bounding box is very slow. I would love to see a better implementation that is just as accurate. It's probably because it's taking either a lot of time, or as you mentioned, a lot of memory
Comment 12 Ryosuke Niwa 2011-06-20 15:43:30 PDT
(In reply to comment #9)
> (In reply to comment #8)
> > Adding more accessibility folks.
> 
> When an accessibility element tries to calculate it's bounding rectangle, it starts calling focusRingRects.

What is the bounding rectangle used for?  There are quite a few functions that find the rect of an inline box, etc...
Comment 13 chris fleizach 2011-06-20 16:17:13 PDT
(In reply to comment #12)
> (In reply to comment #9)
> > (In reply to comment #8)
> > > Adding more accessibility folks.
> > 
> > When an accessibility element tries to calculate it's bounding rectangle, it starts calling focusRingRects.
> 
> What is bounding rectangle used for?  There are quite few functions that finds the rect of inline box, etc...

Part of any accessibility API is the ability to return the onscreen rectangle of an object