
Issue 835795


Issue metadata

Status: Verified
Owner: ----
Closed: Nov 15
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Chrome , Mac
Pri: 3
Type: Bug

FindPlaceForCounter recursive for DOM siblings

Reported by futhark@chromium.org (Project Member), Apr 23 2018

Issue description

FindPlaceForCounter (in layout_counter.cc) causes stack overflows because it's recursive in the sibling direction. We should consider rewriting it to make it harder to hit that stack limit.

Case from fuzzer which shows the recursiveness for 2000 added siblings:

<p></p>
<script>
  function __f_0() {
    var __v_1 = document.createElement("div");
    return __v_1;
  }
  for (var __v_0 = 0; __v_0 < 2000; ++__v_0)
    document.body.appendChild(__f_0());
</script>
<style>
  div { counter-reset: c }
  #two:before { content: counter(c) }
</style>
<span id="two">
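
The rewrite the report suggests, as an added example that is not Chromium's layout_counter.cc: a simplified model of a sibling-direction search with hypothetical names (Node, FindPreviousCounterRecursive, FindPreviousCounterIterative, SiblingChain, BuildChain), showing the recursive form, whose stack use grows with the number of siblings crossed, beside the iterative form that removes that bound.

```cpp
#include <cstddef>
#include <memory>
#include <utility>
#include <vector>
// Toy node: the pointer the search follows plus a flag standing in for
// "this box participates in counter c" (hypothetical names, not Blink's).
struct Node { Node* previous_sibling = nullptr; bool has_counter = false; };

// Recursive form: one stack frame per sibling crossed, so the reachable sibling
// count is bounded by the stack (2000 siblings sufficed against Blink's frames).
Node* FindPreviousCounterRecursive(Node* node) {
  if (!node) return nullptr;
  if (node->has_counter) return node;
  return FindPreviousCounterRecursive(node->previous_sibling);
}
// Iterative form: same result, constant stack usage for any sibling count.
Node* FindPreviousCounterIterative(Node* node) {
  for (Node* n = node; n; n = n->previous_sibling)
    if (n->has_counter) return n;
  return nullptr;
}

// Owns `count` siblings in document order; only the first carries the counter,
// so a search starting at the last one must cross every other sibling.
struct SiblingChain {
  std::vector<std::unique_ptr<Node>> nodes;  // heap nodes, pointers stay stable
  Node* first() const { return nodes.front().get(); }
  Node* last() const { return nodes.back().get(); }
};
SiblingChain BuildChain(std::size_t count) {
  SiblingChain chain;
  for (std::size_t i = 0; i < count; ++i) {
    auto node = std::make_unique<Node>();
    node->has_counter = (i == 0);
    node->previous_sibling = (i == 0) ? nullptr : chain.last();
    chain.nodes.push_back(std::move(node));
  }
  return chain;
}

// Each returns `count` when the search from the last sibling reaches the first.
// Only the iterative one is safe to call with a chain far longer than 2000.
std::size_t WalkRecursive(std::size_t count) {
  SiblingChain chain = BuildChain(count);
  return FindPreviousCounterRecursive(chain.last()) == chain.first() ? count : 0;
}
std::size_t WalkIterative(std::size_t count) {
  SiblingChain chain = BuildChain(count);
  return FindPreviousCounterIterative(chain.last()) == chain.first() ? count : 0;
}
```

In this toy the frames are small enough that 2000 levels of recursion still fit, which is exactly why the iterative form is the one exercised on a chain hundreds of times longer.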

Cc: futhark@chromium.org, brajkumar@chromium.org
Issue 833796 has been merged into this issue.
Comment 2 by ClusterFuzz (Project Member), Apr 23 2018

Labels: OS-Linux
Comment 3 by ClusterFuzz (Project Member), Jun 1 2018

Labels: OS-Mac
Comment 4 by ClusterFuzz (Project Member), Jun 10 2018

Labels: OS-Chrome
Comment 5 by ClusterFuzz (Project Member), Nov 15

Labels: ClusterFuzz-Verified
Status: Verified (was: Available)
ClusterFuzz testcase 6664004173561856 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.