URL has markup like this:
<big><big><big><big>a</big></big></big></big>b
See http://software.hixie.ch/utilities/js/live-dom-viewer/saved/1757
In Firefox the "b" is a child of body, in Opera/WebKit it's a child of the first <big> element (so the text gets bigger and bigger for each section on the page). In Opera we concluded that this was a spec violation and we have fixed it.
Isn't this just the Noah's ark condition in action?
I think a misimplementation of Noah is the cause here. When you see the fourth <big>, you add it to the stack but not the list, and when you see the first </big> you end up popping both of the last two <big>s. The third and fourth </big>s get rid of the last two, and the last </big> ends up ignored. No? Maybe we should increase the count to four per family...
Oh, did we goof up implementing the Noah's ark condition? If so, we're happy to fix it.
In Opera's case, we had missed implementing this part of AAA: "If there is no such node, then abort these steps and instead act as described in the "any other end tag" entry below." Hixie's comment doesn't quite match my understanding of the spec, but then again I don't quite follow AAA. My understanding is that when seeing the fourth <big>, it gets added to the stack and the list but the oldest <big> gets dropped off the list (which I guess is equivalent to not adding the new one to the list). The first three </big>s run the AAA as normal, and the fourth hits the clause quoted above and gets treated as "any other end tag". Since this page doesn't cause any elements to be reconstructed, what the limit is isn't supposed to make any difference here.
Uh, right, zcorpan is right. I forgot the order in which Noah lopped things off the list. Ignore comment 2.
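The parse walked through in the comments above, as an added example that is not code from WebKit, Opera or html5lib. It is a simplified model that assumes only attribute-less formatting elements and text; the names parse, parentOf and anyOtherEndTagFallback are hypothetical.

```javascript
// Simplified "in body" model. Assumption: only formatting elements and text
// occur, so the adoption agency algorithm (AAA) never finds a furthest block
// and no marker is ever pushed onto the list of active formatting elements.
function parse(tokens, { anyOtherEndTagFallback }) {
  const body = { name: "body", children: [] };
  const stack = [body]; // stack of open elements
  const active = [];    // list of active formatting elements
  let serial = 0;
  for (const tok of tokens) {
    const current = stack[stack.length - 1];
    if (tok.type === "text") {
      // No reconstruction is needed for this input: every list entry is
      // still on the stack whenever text arrives.
      current.children.push(tok.data);
    } else if (tok.type === "start") {
      const el = { name: tok.name, id: `${tok.name}#${++serial}`, children: [] };
      current.children.push(el);
      stack.push(el);
      // Noah's ark: keep at most three matching entries, dropping the
      // earliest (attributes are not compared; the sample has none).
      const same = active.filter((e) => e.name === el.name);
      if (same.length >= 3) active.splice(active.indexOf(same[0]), 1);
      active.push(el);
    } else {
      const fmt = [...active].reverse().find((e) => e.name === tok.name);
      if (fmt && stack.includes(fmt)) {
        while (stack.pop() !== fmt); // AAA, no furthest block: pop through it
        active.splice(active.indexOf(fmt), 1);
      } else if (fmt) {
        active.splice(active.indexOf(fmt), 1); // listed but not open
      } else if (anyOtherEndTagFallback) {
        // "If there is no such node ... act as described in the 'any other
        // end tag' entry": pop through the nearest open same-named element.
        const i = stack.map((e) => e.name).lastIndexOf(tok.name);
        if (i > 0) stack.length = i;
      } // otherwise the end tag is dropped, the behaviour reported here
    }
  }
  return body;
}
// Constructed token stream for <big><big><big><big>a</big></big></big></big>b
const tokens = [
  ...Array(4).fill({ type: "start", name: "big" }), { type: "text", data: "a" },
  ...Array(4).fill({ type: "end", name: "big" }), { type: "text", data: "b" },
];
// Returns the id (or name, for body) of the element that directly holds `text`.
function parentOf(node, text) {
  if (node.children.includes(text)) return node.id || node.name;
  return node.children.map((c) => c.children && parentOf(c, text)).find(Boolean) || null;
}
```

With anyOtherEndTagFallback set to true the "b" lands in body; with it set to false the fourth </big> is dropped and the "b" lands in the first <big>.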
I added a few tests for the various limits to html5lib: https://code.google.com/p/html5lib/source/detail?r=5e044c0cfc8334f866d7a00b2cf90a935bd9a906
I think Eric is going to take a look at this bug.
Created attachment 163694 Patch
This only fixes one of our two AA bugs. I'm looking at the second one now.
Created attachment 163697 Patch
Comment on attachment 163697 Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=163697&action=review
> Source/WebCore/html/parser/HTMLTreeBuilder.cpp:1429
> + processAnyOtherEndTagForInBody(token);
Bad indent
Created attachment 163705 Patch for landing
Comment on attachment 163705 Patch for landing
Clearing flags on attachment: 163705
Committed r128373: <http://trac.webkit.org/changeset/128373>
All reviewed patches have been landed. Closing bug.
*** Bug 91509 has been marked as a duplicate of this bug. ***