Created attachment 93917 [details] Repro Chromium: https://code.google.com/p/chromium/issues/detail?id=83057 Repro: <script> function f() { document.designMode="on"; document.execCommand("SelectAll", false); document.execCommand("inserthorizontalrule", false); document.execCommand("InsertOrderedList"); document.execCommand("InsertOrderedList", false); document.execCommand("selectall"); document.execCommand("insertimage", false); document.execCommand("SelectAll"); document.execCommand("outdent", false); document.execCommand("insertparagraph"); document.execCommand("SelectAll", false); document.execCommand("removeformat", false); document.execCommand("insertimage", false); document.execCommand("insertorderedlist", false); } </script> <body onload="f()"><u><li>x</li></u></body> This seems to create a loop somewhere that causes addFocusRingRects to call itself over and over, consuming memory each time until the process hits OOM.
Here's a variation that causes chrome.dll!WebCore::RenderObject::absoluteFocusRingQuads to use a lot of memory, but not so much as the previous and without a loop. On systems with sufficient RAM, this will not cause a crash. In low memory situations, it will: Repro: <script> function f() { document.designMode="on"; document.execCommand("SelectAll", false); document.execCommand("Underline"); document.execCommand("InsertHorizontalRule", false); document.execCommand("InsertUnorderedList", false); document.execCommand("insertunorderedlist"); document.execCommand("undo"); document.execCommand("inserthorizontalrule", false); document.execCommand("InsertOrderedList"); document.execCommand("InsertOrderedList", false); document.execCommand("selectall"); document.execCommand("insertimage", false); document.execCommand("outdent", false); document.execCommand("insertparagraph"); document.execCommand("SelectAll", false); document.execCommand("removeformat", false); document.execCommand("insertimage", false); document.execCommand("insertorderedlist", false); } </script> <body onload="f()"><pre>x</pre></body> id: chrome.dll!WebCore::RenderObject::absoluteFocusRingQuads OOM (df4e2984520457194fecc131e9fbd804) description: Cannot allocate enough memory in chrome.dll!WebCore::RenderObject::absoluteFocusRingQuads stack: chrome.dll!WebCore::RenderObject::absoluteFocusRingQuads chrome.dll!WebCore::AccessibilityRenderObject::boundingBoxRect chrome.dll!WebKit::WebAccessibilityObject::boundingBoxRect chrome.dll!webkit_glue::WebAccessibility::Init chrome.dll!webkit_glue::WebAccessibility::WebAccessibility chrome.dll!webkit_glue::WebAccessibility::Init chrome.dll!webkit_glue::WebAccessibility::WebAccessibility chrome.dll!RenderView::SendPendingAccessibilityNotifications chrome.dll!`anonymous namespace'::TaskClosureAdapter::Run chrome.dll!MessageLoop::RunTask chrome.dll!MessageLoop::DoWork chrome.dll!base::MessagePumpDefault::Run chrome.dll!MessageLoop::RunInternal chrome.dll!MessageLoop::Run chrome.dll!RendererMain chrome.dll!`anonymous namespace'::RunNamedProcessTypeMain chrome.dll!ChromeMain chrome.exe!MainDllLoader::Launch chrome.exe!wWinMain chrome.exe!__tmainCRTStartup kernel32.dll!BaseProcessStart Source: void RenderObject::absoluteFocusRingQuads(Vector<FloatQuad>& quads) { Vector<IntRect> rects; // FIXME: addFocusRingRects() needs to be passed this transform-unaware // localToAbsolute() offset here because RenderInline::addFocusRingRects() // implicitly assumes that. This doesn't work correctly with transformed // descendants. FloatPoint absolutePoint = localToAbsolute(); addFocusRingRects(rects, absolutePoint.x(), absolutePoint.y()); size_t count = rects.size(); for (size_t i = 0; i < count; ++i) { IntRect rect = rects[i]; rect.move(-absolutePoint.x(), -absolutePoint.y()); quads.append(localToAbsoluteQuad(FloatQuad(rect))); } } I'm assuming "count" gets very large, which causes the large allocation.
*** This bug has been marked as a duplicate of bug 54740 ***