Bug 9806 - REGRESSION: Large rowspan causes WebKit to call abort()
Summary: REGRESSION: Large rowspan causes WebKit to call abort()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Tables
Version: 420+
Hardware: Mac OS X 10.4
Importance: P1 Normal
Assignee: Darin Adler
URL:
Keywords: HasReduction, InRadar, Regression
Depends on:
Blocks:
 
Reported: 2006-07-09 06:34 PDT by jonathanjohnsson
Modified: 2006-07-12 09:04 PDT

See Also:


Attachments
Test case (will crash!) (29 bytes, text/html)
2006-07-09 06:36 PDT, jonathanjohnsson
no flags
patch, including change log and a layout test (3.17 KB, patch)
2006-07-10 20:09 PDT, Darin Adler
mjs: review+

Description jonathanjohnsson 2006-07-09 06:34:46 PDT
A table with a large rowspan crashes WebKit. The test case is simply <TABLE><TD ROWSPAN=674227123>. This bug was found using the cgi-script at http://lcamtuf.coredump.cx/mangleme/mangle.cgi , found in the sidebar at http://browserfun.blogspot.com/ .

Looking through the nightlies, this crash doesn't occur before and including revision 14807.
Comment 1 jonathanjohnsson 2006-07-09 06:36:03 PDT
Created attachment 9295 [details]
Test case (will crash!)
Comment 2 jonathanjohnsson 2006-07-09 06:38:13 PDT
I forgot to say that the crash reporter isn't invoked, so there is no crash log to attach. WebKit simply quits.
Comment 3 Alexey Proskuryakov 2006-07-09 11:36:43 PDT
Stack trace (from gdb):

#1  0x9012dfb4 in abort ()
#2  0x01cdbb7c in WTF::VectorBuffer<WebCore::RenderTableSection::RowStruct, 0ul>::allocateBuffer (this=0x18a31c50, newCapacity=674227123) at /Users/ap/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/PrivateHeaders/Vector.h:251
#3  0x01cdbd20 in WTF::Vector<WebCore::RenderTableSection::RowStruct, 0ul>::reserveCapacity (this=0x18a31c4c, newCapacity=674227123) at /Users/ap/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/PrivateHeaders/Vector.h:536
#4  0x01cdbde8 in WTF::Vector<WebCore::RenderTableSection::RowStruct, 0ul>::expandCapacity (this=0x18a31c4c, newMinCapacity=674227123) at /Users/ap/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/PrivateHeaders/Vector.h:493
#5  0x01cdbe90 in WTF::Vector<WebCore::RenderTableSection::RowStruct, 0ul>::resize (this=0x18a31c4c, size=674227123) at /Users/ap/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/PrivateHeaders/Vector.h:522
#6  0x01a07788 in WebCore::RenderTableSection::ensureRows (this=0x18a31bec, numRows=674227123) at /Users/ap/WebKit/WebCore/rendering/RenderTableSection.cpp:150

BTW, we have mangleme and iExploder tests in WebKitTools/Scripts: run-mangleme-tests and run-iexploder-tests.
Comment 4 Darin Adler 2006-07-10 20:08:39 PDT
I'm sure mangleme can find another problem with rowspans, since all this does is prevent the abort that checks for numeric overflow.
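The trace in comment 3 and the note above describe the same mechanism: the attribute value reaches ensureRows() unchanged, Vector::resize() asks for that many elements, and the allocator's numeric-overflow guard aborts. The following is an added illustration, not code from the WebKit patch: the guard is written out with the reported value and a 32-bit size_t range so the 2006 abort path can be reproduced on a 64-bit host, and an assumed mitigation (parseRowSpan, kMaxRowSpan and the RowStruct stand-in are all constructed here) saturates the parsed rowspan before it can size a buffer.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

// Constructed stand-in for RenderTableSection::RowStruct; WebKit's real struct
// differs, so the element size is passed explicitly to the checks below.
struct RowStruct { void* row; void* rowRenderer; int baseline; int height; };

// The value from the bug's test case: <TD ROWSPAN=674227123>.
constexpr uint64_t kReportedRowSpan = 674227123;

// The guard WTF::VectorBuffer::allocateBuffer applies before allocating (the
// frame where the trace shows abort()): count * elementSize must stay within
// size_t. maxBytes stands in for size_t's range so 32-bit and 64-bit can be
// compared on the same machine; returns false instead of aborting.
bool capacityFits(uint64_t count, size_t elementSize, uint64_t maxBytes) {
    return count <= maxBytes / elementSize;
}

// Assumed mitigation (not the committed patch): parse the attribute as HTML
// does, a run of leading digits, and saturate at a fixed maximum so the
// value that reaches ensureRows() can never approach the allocator's limit.
constexpr unsigned kMaxRowSpan = 8190;  // assumption; illustrative cap

unsigned parseRowSpan(const std::string& attr) {
    uint64_t value = 0;
    bool sawDigit = false;
    size_t i = 0;
    while (i < attr.size() && (attr[i] == ' ' || attr[i] == '\t'))
        ++i;                                   // skip leading whitespace
    for (; i < attr.size(); ++i) {
        char c = attr[i];
        if (c < '0' || c > '9')
            break;                             // stop at the first non-digit
        sawDigit = true;
        value = value * 10 + static_cast<uint64_t>(c - '0');
        if (value > kMaxRowSpan)
            return kMaxRowSpan;                // saturate early: no overflow
    }
    return sawDigit ? static_cast<unsigned>(value) : 1;  // default rowspan is 1
}
```

With a 32-bit size_t and a 16-byte row record, 674227123 rows already fail the guard (4294967295 / 16 is 268435455), which is exactly the abort the reporter saw; after saturation the same attribute passes it.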
Comment 5 Darin Adler 2006-07-10 20:09:04 PDT
Created attachment 9350 [details]
patch, including change log and a layout test
Comment 6 Alice Liu 2006-07-11 09:39:18 PDT
<rdar://problem/4622622>
Comment 7 Maciej Stachowiak 2006-07-12 05:11:27 PDT
Comment on attachment 9350 [details]
patch, including change log and a layout test

r=me
Comment 8 Darin Adler 2006-07-12 08:25:14 PDT
Committed revision 15390.
Comment 9 David Kilzer (:ddkilzer) 2006-07-12 09:04:48 PDT
Also committed revision 15392 to fix LayoutTest files with property information in them.  (See Bug 9875.)