Closed Bug 1444615 Opened 6 years ago Closed 2 years ago

Hit MOZ_CRASH(IPC message size is too large) with overly long title in XML document

Categories

(Core :: IPC, defect, P3)

59 Branch
defect

RESOLVED WORKSFORME

People

(Reporter: bc, Unassigned)

Details

(Keywords: assertion, crash)

Attachments

(1 file)

Attached file Partial test file
1. https://www.yipandbeep.com/test_acutrack.php

This returns a document with a table element followed by a partial XML document that contains an infinite series of error messages from the site, which results in an attempt to set an overly large title.

2. Hit MOZ_CRASH(IPC message size is too large) at /builds/worker/workspace/build/src/ipc/glue/MessageLink.cpp:164
#01: mozilla::ipc::MessageChannel::SendMessageToLink(IPC::Message*) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#02: mozilla::ipc::MessageChannel::Send(IPC::Message*) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#03: mozilla::dom::PContentChild::SendSetURITitle(mozilla::ipc::URIParams const&, nsTString<char16_t> const&) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#04: mozilla::places::History::SetURITitle(nsIURI*, nsTSubstring<char16_t> const&) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#05: nsDocShell::UpdateGlobalHistoryTitle(nsIURI*) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#06: nsDocShell::SetTitle(nsTSubstring<char16_t> const&) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#07: nsDocument::DoNotifyPossibleTitleChange() (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#08: mozilla::detail::RunnableMethodImpl<nsDocument*, void (nsDocument::*)(), false, (mozilla::RunnableKind)0>::Run() (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#09: mozilla::SchedulerGroup::Runnable::Run() (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#10: nsThread::ProcessNextEvent(bool, bool*) [clone .part.297] (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#11: NS_ProcessNextEvent(nsIThread*, bool) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#12: mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#13: MessageLoop::RunInternal() (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#14: MessageLoop::Run() (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#15: nsBaseAppShell::Run() (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#16: XRE_RunAppShell() (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#17: mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#18: MessageLoop::RunInternal() (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#19: MessageLoop::Run() (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#20: XRE_InitChildProcess(int, char**, XREChildData const*) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/libxul.so)
#21: content_process_main(mozilla::Bootstrap*, int, char**) (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/firefox)
#22: main (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/firefox)
#23: __libc_start_main (/lib64/libc.so.6)
#24: _start (/mozilla/builds/nightly/mozilla/firefox-debug/dist/bin/firefox)

Linux x86_64 opt/debug

We should either limit the size of the title or chunk it.
Priority: -- → P3
See Also: → 1707642
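The two mitigations named in the comment above (cap the title, or split it into bounded pieces), as an added C++ sketch that is not Firefox code. The function names and the 4096-unit budget are assumptions made for illustration, and cuts avoid splitting a UTF-16 surrogate pair.

```cpp
// Added illustration; not Firefox source. Names and the budget are hypothetical.
#include <cstddef>
#include <string>
#include <vector>

// Assumed budget in UTF-16 code units, chosen far below any IPC message cap.
constexpr std::size_t kMaxTitleUnits = 4096;

static bool IsHighSurrogate(char16_t c) { return c >= 0xD800 && c <= 0xDBFF; }
static bool IsLowSurrogate(char16_t c) { return c >= 0xDC00 && c <= 0xDFFF; }

// End index of a piece that starts at `start` and holds at most `limit` units,
// pulled back by one unit if the cut would land inside a surrogate pair.
std::size_t SafeCut(const std::u16string& s, std::size_t start, std::size_t limit) {
  if (limit < 2) limit = 2;  // a pair needs two units; also guarantees progress
  if (s.size() - start <= limit) return s.size();
  std::size_t end = start + limit;
  if (IsHighSurrogate(s[end - 1]) && IsLowSurrogate(s[end])) --end;
  return end;
}

// Option 1: limit the size. Everything past the budget is dropped before sending.
std::u16string TruncateTitle(const std::u16string& title,
                             std::size_t limit = kMaxTitleUnits) {
  return title.substr(0, SafeCut(title, 0, limit));
}

// Option 2: chunk it. Each piece fits the budget; the receiver concatenates them.
std::vector<std::u16string> ChunkTitle(const std::u16string& title,
                                       std::size_t limit = kMaxTitleUnits) {
  std::vector<std::u16string> parts;
  for (std::size_t pos = 0; pos < title.size();) {
    std::size_t end = SafeCut(title, pos, limit);
    parts.push_back(title.substr(pos, end - pos));
    pos = end;
  }
  return parts;
}

int main() {
  std::u16string huge(1000000, u'E');  // constructed stand-in for the runaway title
  bool ok = TruncateTitle(huge).size() == kMaxTitleUnits &&
            ChunkTitle(huge).size() == 245;  // ceil(1000000 / 4096)
  return ok ? 0 : 1;
}
```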

Still reproducible fwiw.

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME

bp-dd49dbd3-aa0d-44dc-a5d3-92c760220624

The original url no longer reproduces since it no longer generates the infinite list of errors.

I can still reproduce with an edited version of the attached test file which crashes at mozilla::ipc::IProtocol::ChannelSend | mozilla::layers::PWebRenderBridgeChild::SendSetDisplayList | IPC_Message_Name=PWebRenderBridge::Msg_SetDisplayList

I saved the test file to disk, then edited it to add copies of the last 2 lines so that the entire file was almost 400,000 lines. Loading it crashed immediately. Don't do this with your active profile, since if you restore your session Firefox will crash immediately after the session is restored.

I'll defer on whether to reopen or not.

That's a different crash than the original one, which involved PContentChild::SendSetURITitle(). I guess it isn't too surprising that a gigantic XML file might crash in different ways depending.
