Closed
Bug 86293
Opened 23 years ago
Closed 22 years ago
'colspan'-Tags with large 'span' Values crash the browser.
Categories
(Core :: Layout: Tables, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: dr.khong, Assigned: bernd_mozilla)
References
()
Details
(Keywords: crash, memory-leak)
Attachments
(2 files, 1 obsolete file)
145 bytes,
text/html
|
Details | |
957 bytes,
patch
|
karnaze
:
review+
bzbarsky
:
superreview+
|
Details | Diff | Splinter Review |
From Bugzilla Helper: User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) BuildID: 2001050515 Large 'span' values in 'colspan'-Tags create Memory-Leaks and crash Mozilla or even the System. See Sample-Site for details. Other Browsers don't have this Problem. Reproducible: Always Steps to Reproduce: Open http://home.t-online.de/home/hoellengott/moz/kill_mozilla.html or create a .html-File containing <table> <colgroup width=200 span=100000000> </colgroup> </table> and open it. Actual Results: Browser allocated lots of memory (>300 MB) and stopped responding. The system started lots of paging, soon a "out of virtual memory"- error almost crashed it. Had to kill Mozilla with strg-alt-del. Expected Results: It should not crash and it should not allocate that much memory. See http://home.t-online.de/home/hoellengott/moz/kill_mozilla.html for further deatils.
Comment 3•23 years ago
|
||
confirming WinXP/2001061504
Comment 4•23 years ago
|
||
Comment 5•23 years ago
|
||
confirming on Linux (mandrake 7.2 kernel 2.2.19-4.1mdksmp), w/ moz 0.9.1 build 2001060713. Moz got killed after eating all remaining RAM+swap (602 MB).
Keywords: nsenterprise
The idea behind the patch is if we have really to handle a table with colspan with more than 1000 columns I guess we will not survive BasicTableLayoutStrategy.cpp, so we could clip it at 1000 columns while parsing. Another patch could incorporate the use of GetEffectiveCols(). But I would expect that implementing this would be the shortest way to the pole position on the topcrash list.
Comment 9•23 years ago
|
||
bernd, is the value 1000 arbitrary or meaningful? Either way, your patch with a nice comment explaining why we have to limit the span would be very good indeed. [s]r=attinasi Also, we should probably open a bug about handling more than 1000 spans correctly instead of just dropping it on the floor, no?
Comment 10•23 years ago
|
||
WORKS FOR ME. no crash, no hang, no excesive memory usage, WORKS FOR ME. (used with the URL above that has a colspan of 100000.... tested with ns6.1b1 and one of the latest pull_all on W2K, W98SE EN and DE lang packs.) can anyone reproduce this? is it already patched?
Comment 11•23 years ago
|
||
marking WORKS FOR ME since no one claims the contrary
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → WORKSFORME
Reporter | ||
Comment 12•22 years ago
|
||
Bug's back again (or still not fixed). DOSing the browser is still possible. Confirming 1.0 and 1.0.1: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.0) Gecko/20020530 Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.1) Gecko/20020826 Looking at http://lxr.mozilla.org/seamonkey/source/content/html/content/src/nsHTMLTableColElement.cpp it seems like the patch above http://bugzilla.mozilla.org/attachment.cgi?id=39722&action=view hasn't been applied.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Assignee | ||
Comment 13•22 years ago
|
||
we had that a very long time ago http://lxr.mozilla.org/classic/source/lib/layout/laytable.c#46
Comment 14•22 years ago
|
||
*** Bug 160816 has been marked as a duplicate of this bug. ***
Comment 15•22 years ago
|
||
Are there any real pages that are a problem?
Comment 16•22 years ago
|
||
Dup bug 160816 has one url in real world.
Comment 17•22 years ago
|
||
Bernd, could you add a #define with the max value. I'm not sure when I would get around to comming up with a better patch.
Assignee: karnaze → bernd.mielke
Status: REOPENED → NEW
Comment 18•22 years ago
|
||
See also bug 141818, hang with large rowspan (rather than colspan).
Assignee | ||
Comment 19•22 years ago
|
||
Attachment #39722 -
Attachment is obsolete: true
Comment 20•22 years ago
|
||
Comment on attachment 106483 [details] [diff] [review] patch r=karnaze
Attachment #106483 -
Flags: review+
Attachment #106483 -
Flags: superreview?(bzbarsky)
Comment 21•22 years ago
|
||
Comment on attachment 106483 [details] [diff] [review] patch What am I missing? Comment 9 asked for a clear comment on this hack. Please add that. While you're at it, comment the identical hack in nsHTMLTableCellElement.cpp sr=bzbarsky with that
Attachment #106483 -
Flags: superreview?(bzbarsky) → superreview+
Assignee | ||
Comment 22•22 years ago
|
||
fix checked in
Status: NEW → RESOLVED
Closed: 23 years ago → 22 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•