132582 - ccidnet.com - Accessing this site crashes Mozilla [@ do_GetTextDimensions ]

Status: RESOLVED WORKSFORME

(Tech Evangelism Graveyard :: Chinese-Simplified, defect)

Description

[Katsuhiko Momoi]

** Observed with 2002-03-18 Win32 build **

The above Chinese site crashes Mozilla while loading -- every time.
The CPU consumption goes up to about 100% immediately and after a short
while, a crash occurs.
In comparison, IE 5.5 stays up for a fairly long time -- it does not
crash though the CPU consumption constantly stays between 60 - 95%.

I have 2 talkback reports and both contain almost identical lines
except for the first few lines in one report.

Comment 1

[Katsuhiko Momoi]

I've CC'ed people who worked on  nsInlineFrame.cpp recently.
Here's the crash dump:

do_GetTextDimensions
[d:\builds\seamonkey\mozilla\gfx\src\windows\nsRenderingContextWin.cpp, line 2183]
nsFontMetricsWin::ResolveForwards
[d:\builds\seamonkey\mozilla\gfx\src\windows\nsFontMetricsWin.cpp, line 3551]
nsRenderingContextWin::GetTextDimensions
[d:\builds\seamonkey\mozilla\gfx\src\windows\nsRenderingContextWin.cpp, line 2211]
nsTextFrame::MeasureText
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsTextFrame.cpp, line 4767]
nsTextFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsTextFrame.cpp, line 5295]
nsLineLayout::ReflowFrame
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsLineLayout.cpp, line 1087]
nsInlineFrame::ReflowInlineFrame
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsInlineFrame.cpp, line 713]
nsInlineFrame::ReflowFrames
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsInlineFrame.cpp, line 522]
nsInlineFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsInlineFrame.cpp, line 438]
nsLineLayout::ReflowFrame
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsLineLayout.cpp, line 1087]
nsInlineFrame::ReflowInlineFrame
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsInlineFrame.cpp, line 713]
nsInlineFrame::ReflowFrames
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsInlineFrame.cpp, line 522]
nsInlineFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsInlineFrame.cpp, line 438]
nsLineLayout::ReflowFrame
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsLineLayout.cpp, line 1087]
nsInlineFrame::ReflowInlineFrame
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsInlineFrame.cpp, line 713]
nsInlineFrame::ReflowFrames
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsInlineFrame.cpp, line 522]
nsInlineFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsInlineFrame.cpp, line 438]
nsLineLayout::ReflowFrame
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsLineLayout.cpp, line 1087]
nsInlineFrame::ReflowInlineFrame
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsInlineFrame.cpp, line 713]
nsInlineFrame::ReflowFrames
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsInlineFrame.cpp, line 522]
nsInlineFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsInlineFrame.cpp, line 438]
nsLineLayout::ReflowFrame
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsLineLayout.cpp, line 1087]
nsInlineFrame::ReflowInlineFrame
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsInlineFrame.cpp, line 713]
nsInlineFrame::ReflowFrames
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsInlineFrame.cpp, line 522]
nsInlineFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsInlineFrame.cpp, line 438]
nsLineLayout::ReflowFrame
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsLineLayout.cpp, line 1087]
nsInlineFrame::ReflowInlineFrame
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsInlineFrame.cpp, line 713]
nsInlineFrame::ReflowFrames
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsInlineFrame.cpp, line 522]
nsInlineFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsInlineFrame.cpp, line 438]
nsLineLayout::ReflowFrame
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsLineLayout.cpp, line 1087]
nsBlockFrame::ReflowInlineFrame
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 3695]
nsBlockFrame::DoReflowInlineFrames
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 3576]
nsBlockFrame::DoReflowInlineFramesAuto
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 3501]
nsBlockFrame::ReflowInlineFrames
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 3446]
nsBlockFrame::ReflowLine
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2612]
nsBlockFrame::ReflowDirtyLines
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2251]
nsBlockFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 846]
nsBlockReflowContext::DoReflowBlock
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp, line
581]
nsBlockReflowContext::ReflowBlock
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp, line
359]
nsBlockFrame::ReflowBlockFrame
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 3202]
nsBlockFrame::ReflowLine
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2478]
nsBlockFrame::ReflowDirtyLines
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2251]
nsBlockFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 846]
nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 805]
nsTableCellFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableCellFrame.cpp, line 946]
nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 805]
nsTableRowFrame::ReflowChildren
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowFrame.cpp, line 1031]
nsTableRowFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowFrame.cpp, line 1434]
nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 805]
nsTableRowGroupFrame::ReflowChildren
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowGroupFrame.cpp,
line 450]
nsTableRowGroupFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableRowGroupFrame.cpp,
line 1170]
nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 805]
nsTableFrame::ReflowChildren
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableFrame.cpp, line 3297]
nsTableFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableFrame.cpp, line 1947]
nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 805]
nsTableOuterFrame::OuterReflowChild
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableOuterFrame.cpp, line 1009]
nsTableOuterFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\table\src\nsTableOuterFrame.cpp, line 1592]
nsBlockReflowContext::DoReflowBlock
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp, line
581]
nsBlockReflowContext::ReflowBlock
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockReflowContext.cpp, line
359]
nsBlockFrame::ReflowBlockFrame
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 3202]
nsBlockFrame::ReflowLine
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2478]
nsBlockFrame::ReflowDirtyLines
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 2251]
nsBlockFrame::Reflow
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsBlockFrame.cpp, line 846]
nsContainerFrame::ReflowChild
[d:\builds\seamonkey\mozilla\layout\html\base\src\nsContainerFrame.cpp, line 805] 

Comment 2

[Olivier Cahagne]

I'm not crashing using build 2002032003 on Win2k, therefore I think there's a
memory leak because memory usage went up to 120MB when loading this site as a
single window, I went back to this bug report, memory went back to 65MB.
While loading, CPU was at 80% and nearly unusable.

Comment 3

[Katsuhiko Momoi]

It takes me about 30-40 seconds after accessing this site but
it crashed with 2002-03-20 Win 32 trunk build running on a 850Mhz
processor machine with 374MB RAM.

Comment 4

[Boris Zbarsky [:bzbarsky]]

On linux I see this page do the following:

1)  Create 95-some iframes
2)  Stick a flash objet in each one
3)  Crash inside gtk_widget_destroy() called from ns4xPluginInstance::SetWindow

Comment 5

[Katsuhiko Momoi]

This is the same bug as Bug 126466. The bug was fixed by capping
the number of webshells created through endless recusrive iframe
loops. As I explain in the original bug report, no browser is immune
from this kind of crazy coding practice. Bug 126466 caps this type
of recusrion by arbitrary limit -- though by a reasonable number. 
I am keeping this bug open for now because I suspect that there is
still an evangelism issue left. The code on this site is extremely bad,
no browser can be immune from this type of effect. As I report above,
IE becomes totally unusable if left alone for a few minutes. 

Comment 6

[Katsuhiko Momoi]

Performing various re-assignments as this bug moves to Evangelism product.

Comment 7

[Adam Lock]

I also opened bug 136580 to explore other ways to catch runaway recursion earlier. 

Comment 8

[Olivier Cahagne]

wfm using build 20030124 on Linux.

Comment 9

[Frankie]

If we were to evangelize every site with badly written code, bugzilla would need
to add a terabyte raid for the database. ccidnet works in recent builds. that's
good enough.

Comment 10

[Katsuhiko Momoi]

Moving to Chinese-Simplified.