105928 - Crash on startup if userContent.css has "* { overflow: auto }" or "* { overflow: scroll }"

Status: RESOLVED DUPLICATE of bug 164617

(Core :: Layout, defect, P1)

Description

[Boris Zbarsky [:bzbarsky]]

Linux build 2001-10-19 from cvs.

Steps to reproduce:

1)  edit chrome/userContent.css in your profile directory
2)  add "* { overflow: auto }"
3)  Save and exit
4)  Start the browser ('mozilla about:blank' will do, but it does not seem to
    matter what the start page is)

Expected results:
  Browser starts fine

Actual results:
  Browser opens profile manager, lets you choose a profile, then goes into
  infinite loop, blows the stack, and crashes.

The same results happen if "overflow: scroll" is used.

The sidebar is closed, so what's being rendered here?  about:blank?

The loop is being spawned by StyleSetImpl::ConstructRootFrame (that's the last
non-loop function on the stack).

Adding the same style rule to a page's style sheet, btw, does not lead to
behavior like this.

end of trace (showing loop):

#14 0x41c1943a in nsCSSFrameConstructor::ConstructFrameInternal (this=0x889f5a8, 
    aPresShell=0x889f660, aPresContext=0x889ee30, aState=@0xbfffe900, 
    aContent=0x8bdc668, aParentFrame=0x8bd4898, aTag=0x81ee4d8, aNameSpaceID=7, 
    aStyleContext=0x8bdb6dc, aFrameItems=@0xbfe03104, aXBLBaseTag=0)
    at nsCSSFrameConstructor.cpp:6979
#15 0x41c192e8 in nsCSSFrameConstructor::ConstructFrame (this=0x889f5a8, 
    aPresShell=0x889f660, aPresContext=0x889ee30, aState=@0xbfffe900, 
    aContent=0x8bdc668, aParentFrame=0x8bd4898, aFrameItems=@0xbfe03104)
    at nsCSSFrameConstructor.cpp:6942
#16 0x41c1485c in nsCSSFrameConstructor::CreateAnonymousFrames (this=0x889f5a8, 
    aPresShell=0x889f660, aPresContext=0x889ee30, aState=@0xbfffe900,
aParent=0x8bdb3b8, 
    aDocument=0x8884570, aParentFrame=0x8bd4898, aChildItems=@0xbfe03104)
    at nsCSSFrameConstructor.cpp:5004
#17 0x41c16719 in nsCSSFrameConstructor::BuildGfxScrollFrame (this=0x889f5a8, 
    aPresShell=0x889f660, aPresContext=0x889ee30, aState=@0xbfffe900, 
    aContent=0x8bdb3b8, aDocument=0x8884570, aParentFrame=0x8bd4718, 
    aStyleContext=0x8bd47d0, aIsRoot=0, aNewFrame=@0xbfe0310c, 
    aAnonymousFrames=@0xbfe03104, aScrollPortFrame=0x8bdb620)
    at nsCSSFrameConstructor.cpp:5924
#18 0x41c162fd in nsCSSFrameConstructor::BeginBuildingScrollFrame
(this=0x889f5a8, 
    aPresShell=0x889f660, aPresContext=0x889ee30, aState=@0xbfffe900, 
    aContent=0x8bdb3b8, aContentStyle=0x8bd47d0, aParentFrame=0x8bd4718, 
    aScrolledPseudo=0x81eb370, aDocument=0x8884570, aIsRoot=0,
aNewFrame=@0xbfe033d0, 
    aScrolledChildStyle=@0xbfe03170, aScrollableFrame=@0xbfe03174,
aScrollPortFrame=0x0)
    at nsCSSFrameConstructor.cpp:5721
#19 0x41c1659d in nsCSSFrameConstructor::BuildScrollFrame (this=0x889f5a8, 
    aPresShell=0x889f660, aPresContext=0x889ee30, aState=@0xbfffe900, 
    aContent=0x8bdb3b8, aContentStyle=0x8bd47d0, aScrolledFrame=0x8bd4804, 
    aParentFrame=0x8bd4718, aNewFrame=@0xbfe033d0,
aScrolledContentStyle=@0xbfe03424, 
    aScrollPortFrame=0x0) at nsCSSFrameConstructor.cpp:5869
#20 0x41c15528 in nsCSSFrameConstructor::ConstructXULFrame (this=0x889f5a8, 
    aPresShell=0x889f660, aPresContext=0x889ee30, aState=@0xbfffe900, 
    aContent=0x8bdb3b8, aParentFrame=0x8bd4718, aTag=0x81ef938, aNameSpaceID=7, 
    aStyleContext=0x8bd47d0, aFrameItems=@0xbfe03734, aXBLBaseTag=0, 
    aHaltProcessing=@0xbfe034d0) at nsCSSFrameConstructor.cpp:5336
#21 0x41c19838 in nsCSSFrameConstructor::ConstructFrameInternal (this=0x889f5a8, 
    aPresShell=0x889f660, aPresContext=0x889ee30, aState=@0xbfffe900, 
    aContent=0x8bdb3b8, aParentFrame=0x8bd4718, aTag=0x81ef938, aNameSpaceID=7, 
    aStyleContext=0x8bd47d0, aFrameItems=@0xbfe03734, aXBLBaseTag=0)
    at nsCSSFrameConstructor.cpp:7037
#22 0x41c192e8 in nsCSSFrameConstructor::ConstructFrame (this=0x889f5a8, 
    aPresShell=0x889f660, aPresContext=0x889ee30, aState=@0xbfffe900, 
    aContent=0x8bdb3b8, aParentFrame=0x8bd4718, aFrameItems=@0xbfe03734)
    at nsCSSFrameConstructor.cpp:6942
#23 0x41c28acf in nsCSSFrameConstructor::ProcessChildren (this=0x889f5a8, 
    aPresShell=0x889f660, aPresContext=0x889ee30, aState=@0xbfffe900, 
    aContent=0x8bda898, aFrame=0x8bd4718, aCanHaveGeneratedContent=0, 
    aFrameItems=@0xbfe03734, aParentIsBlock=0, aTableCreator=0x0)
    at nsCSSFrameConstructor.cpp:11480
#24 0x41c15ec8 in nsCSSFrameConstructor::ConstructXULFrame (this=0x889f5a8, 
    aPresShell=0x889f660, aPresContext=0x889ee30, aState=@0xbfffe900, 
    aContent=0x8bda898, aParentFrame=0x8bd4650, aTag=0x81efec8, aNameSpaceID=7, 
    aStyleContext=0x8bd461c, aFrameItems=@0xbfe03be8, aXBLBaseTag=0, 
    aHaltProcessing=@0xbfe03984) at nsCSSFrameConstructor.cpp:5623
#25 0x41c19838 in nsCSSFrameConstructor::ConstructFrameInternal (this=0x889f5a8, 
    aPresShell=0x889f660, aPresContext=0x889ee30, aState=@0xbfffe900, 
    aContent=0x8bda898, aParentFrame=0x8bd4650, aTag=0x81efec8, aNameSpaceID=7, 
    aStyleContext=0x8bd461c, aFrameItems=@0xbfe03be8, aXBLBaseTag=0)
    at nsCSSFrameConstructor.cpp:7037
#26 0x41c192e8 in nsCSSFrameConstructor::ConstructFrame (this=0x889f5a8, 
    aPresShell=0x889f660, aPresContext=0x889ee30, aState=@0xbfffe900, 
    aContent=0x8bda898, aParentFrame=0x8bd4650, aFrameItems=@0xbfe03be8)
    at nsCSSFrameConstructor.cpp:6942
#27 0x41c28acf in nsCSSFrameConstructor::ProcessChildren (this=0x889f5a8, 
    aPresShell=0x889f660, aPresContext=0x889ee30, aState=@0xbfffe900, 
    aContent=0x8bda628, aFrame=0x8bd4650, aCanHaveGeneratedContent=0, 
    aFrameItems=@0xbfe03be8, aParentIsBlock=0, aTableCreator=0x0)
    at nsCSSFrameConstructor.cpp:11480
#28 0x41c15ec8 in nsCSSFrameConstructor::ConstructXULFrame (this=0x889f5a8, 
    aPresShell=0x889f660, aPresContext=0x889ee30, aState=@0xbfffe900, 
    aContent=0x8bda628, aParentFrame=0x8bd4460, aTag=0x81ee4d8, aNameSpaceID=7, 
    aStyleContext=0x8bd45e8, aFrameItems=@0xbfe04038, aXBLBaseTag=0, 
    aHaltProcessing=@0xbfe03e38) at nsCSSFrameConstructor.cpp:5623
#29 0x41c19838 in nsCSSFrameConstructor::ConstructFrameInternal (this=0x889f5a8, 
    aPresShell=0x889f660, aPresContext=0x889ee30, aState=@0xbfffe900, 
    aContent=0x8bda628, aParentFrame=0x8bd4460, aTag=0x81ee4d8, aNameSpaceID=7, 
    aStyleContext=0x8bd45e8, aFrameItems=@0xbfe04038, aXBLBaseTag=0)
    at nsCSSFrameConstructor.cpp:7037
#30 0x41c192e8 in nsCSSFrameConstructor::ConstructFrame (this=0x889f5a8, 
    aPresShell=0x889f660, aPresContext=0x889ee30, aState=@0xbfffe900, 
    aContent=0x8bda628, aParentFrame=0x8bd4460, aFrameItems=@0xbfe04038)
    at nsCSSFrameConstructor.cpp:6942
#31 0x41c1485c in nsCSSFrameConstructor::CreateAnonymousFrames (this=0x889f5a8, 
    aPresShell=0x889f660, aPresContext=0x889ee30, aState=@0xbfffe900,
aParent=0x8bda390, 
    aDocument=0x8884570, aParentFrame=0x8bd4460, aChildItems=@0xbfe04038)
    at nsCSSFrameConstructor.cpp:5004
#32 0x41c16719 in nsCSSFrameConstructor::BuildGfxScrollFrame (this=0x889f5a8, 
    aPresShell=0x889f660, aPresContext=0x889ee30, aState=@0xbfffe900, 
    aContent=0x8bda390, aDocument=0x8884570, aParentFrame=0x8bd42e0, 
    aStyleContext=0x8bd4398, aIsRoot=0, aNewFrame=@0xbfe04040, 
    aAnonymousFrames=@0xbfe04038, aScrollPortFrame=0x8bd452c)
    at nsCSSFrameConstructor.cpp:5924

Comment 1

[Marc Attinasi]

Ech. So we want a scrollframe around everything? I don't think the
GfxScrollFrame can handle that... cc'ing evaughan for his scrolling insights. 

Clearly, we need to at least be robust enough to handle this perfectly
legitimate and superficially harmless CSS.

Comment 2

[Boris Zbarsky [:bzbarsky]]

Again, the interesting thing is that the same rule in an author sheet does not
lead to a crash.  It's just the user sheet that's a problem.

Comment 3

[Marc Attinasi]

Moving Mozilla 1.01 bugs to 'future' milestone with priority P1

I will be pulling bugs from 'future' milestones when scheduling later work.

Comment 4

[Simon Montagu :smontagu]

I can prevent the crash by adding 

scrollbar * {
  overflow: hidden !important;
}

in xul.css, so I guess the first question is, why is the rule in userContent.css
being applied to scrollbars?

Comment 5

[Boris Zbarsky [:bzbarsky]]

That's bug 164617   

Comment 6

[Simon Montagu :smontagu]

So is this a dupe of bug 164617? If universal selectors apply to scrollbars then 
 * { overflow: auto }
will inevitably cause an infinite regress.

Comment 7

[Boris Zbarsky [:bzbarsky]]

probably...

Comment 8

[Brant Gurganus]

By the definitions on <http://bugzilla.mozilla.org/bug_status.html#severity> and
<http://bugzilla.mozilla.org/enter_bug.cgi?format=guided>, crashing and dataloss
bugs are of critical or possibly higher severity.  Only changing open bugs to
minimize unnecessary spam.  Keywords to trigger this would be crash, topcrash,
topcrash+, zt4newcrash, dataloss.

Comment 9

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

bug 164617 says userContent.css but this bug's summary says userChrome.css.

Comment 10

[Simon Montagu :smontagu]

The summary says userChrome.css, but comment 0 says chrome/userContent.css. Can
the reporter clarify?

Comment 11

[Boris Zbarsky [:bzbarsky]]

Yeah, this was userContent.css.  If userChrome.css blows things up, I don't 
think we care that much....

Comment 12

[Daniel Sevcik]

Attachment: CSS property "overflow: auto" in XUL app crashes my browser

I extracted the minimum code from my application that crashes my browser

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

Reproducible always.