Open Bug 1464210 Opened 2 years ago Updated 2 years ago

Hit MOZ_CRASH(OOM) at src/xpcom/base/nsDebugImpl.cpp:614

Categories: Core :: Layout: Tables, defect, P3
Tracking Status: firefox62 --- affected
People: Reporter: tsmith, Unassigned
References: Blocks 1 open bug
Details: Keywords: crash, testcase
Attachments: 1 file

Attached file testcase.html
Reproduced with m-c:
BuildID=20180523220103
SourceStamp=47e81ea1ef10189ef210867934bf36e14cf223dc

Hit MOZ_CRASH(OOM) at src/xpcom/base/nsDebugImpl.cpp:614

#0 NS_ABORT_OOM(unsigned long) src/xpcom/base/nsDebugImpl.cpp:614:3
#1 PLDHashTable::Add(void const*) src/xpcom/ds/PLDHashTable.cpp:619:7
#2 nsIPresShell::AllocateByObjectID(mozilla::ArenaObjectID, unsigned long) src/layout/base/nsIPresShell.h:228:5
#3 nsCellMap::AllocCellData(nsTableCellFrame*) src/layout/tables/nsCellMap.cpp:2607:7
#4 nsCellMap::AppendCell(nsTableCellMap&, nsTableCellFrame*, int, bool, int, mozilla::TableArea&, int*) src/layout/tables/nsCellMap.cpp:1547:22
#5 nsCellMap::RebuildConsideringCells(nsTableCellMap&, int, nsTArray<nsTableCellFrame*>*, int, int, bool) src/layout/tables/nsCellMap.cpp:2261:15
#6 nsTableCellMap::RebuildConsideringCells(nsCellMap*, nsTArray<nsTableCellFrame*>*, int, int, bool, mozilla::TableArea&) src/layout/tables/nsCellMap.cpp
#7 nsCellMap::InsertCells(nsTableCellMap&, nsTArray<nsTableCellFrame*>&, int, int, int, mozilla::TableArea&) src/layout/tables/nsCellMap.cpp:1710:10
#8 nsTableCellMap::InsertCells(nsTArray<nsTableCellFrame*>&, int, int, mozilla::TableArea&) src/layout/tables/nsCellMap.cpp:592:16
#9 nsTableFrame::InsertCells(nsTArray<nsTableCellFrame*>&, int, int) src/layout/tables/nsTableFrame.cpp:821:14
#10 nsTableFrame::RowOrColSpanChanged(nsTableCellFrame*) src/layout/tables/nsTableFrame.cpp:367:7
#11 nsCSSFrameConstructor::UpdateTableCellSpans(nsIContent*) src/layout/base/nsCSSFrameConstructor.cpp:9090:33
#12 mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) src/layout/base/RestyleManager.cpp:1715:27
#13 mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) src/layout/base/RestyleManager.cpp:2993:9
#14 mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4282:41
#15 nsIDocument::FlushPendingNotifications(mozilla::ChangesToFlush) src/dom/base/nsDocument.cpp:7501:12
#16 nsIDocument::FlushPendingNotifications(mozilla::FlushType) src/dom/base/nsDocument.cpp:7440:3
#17 nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:694:14
#18 nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp:627:5
#19 non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp
#20 mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:629:28
#21 nsIDocument::DoUnblockOnload() src/dom/base/nsDocument.cpp:8340:18
#22 nsDocument::UnblockOnload(bool) src/dom/base/nsDocument.cpp:8262:9
#23 nsIDocument::DispatchContentLoadedEvents() src/dom/base/nsDocument.cpp:5224:3
#24 mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1216:13
#25 mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
#26 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1090:14
#27 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
#28 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
#29 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:326:10
#30 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299:3
#31 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
#32 XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:893:22
#33 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:269:9
#34 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:326:10
#35 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299:3
#36 XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:719:34
#37 content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#38 main src/browser/app/nsBrowserApp.cpp:282:18
#39 __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#40 _start (firefox+0x423434)
Flags: in-testsuite?
We should probably try harder to make the cell map use fallible allocations.  Here this is a single, small allocation via the pres arena, and that API doesn't support fallible allocation, and I'm not sure it would end up freeing memory if we detect this small allocation failure and decide to throw away the cell map or something entirely.  There are various comments in nsCellMap.cpp about not handling fallible allocation failures correctly.

Or we could redesign the cell map so that it doesn't need to allocate memory for rowspan/colspan values that go past the number of rows and columns we actually have in the DOM.
Priority: -- → P3
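Added illustration of the two ideas in the comment above (fallible allocation with an error return instead of an abort, and not reserving cell-map storage for rowspan/colspan values that reach past the rows the table actually has). This is a constructed toy, not Gecko's nsCellMap or pres-arena code; the names (DomCell, CellMap, buildCellMap, slotBudget), the "whole table is one row group" simplification, the rule that rowspan=0 spans to the end of the table, and the first-claim-wins handling of overlapping cells are all assumptions of the example. The attribute caps (rowspan 65534, colspan 1000) are the HTML spec's.

```cpp
// Toy table cell map (example code, not Gecko's nsCellMap).
// Shows (a) clamping rowspan to the rows that exist, so a tiny document with
// huge spans cannot force a huge grid, and (b) fallible allocation that
// reports failure to the caller instead of aborting the process.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <new>
#include <utility>
#include <vector>

// Attribute caps the HTML spec applies to rowspan/colspan before layout.
constexpr uint32_t kMaxRowSpan = 65534;
constexpr uint32_t kMaxColSpan = 1000;

// A cell as the DOM describes it (constructed input; there is no parser here).
struct DomCell {
  size_t row;        // index of the <tr> containing the cell
  size_t col;        // first column the cell occupies
  uint32_t rowSpan;  // raw attribute values, possibly absurd; 0 = to end of table
  uint32_t colSpan;
};

// Grid slot: which cell covers it. Origin and spanned slots are
// distinguished so a later pass can tell them apart.
struct CellSlot {
  size_t origRow = 0;
  size_t origCol = 0;
  bool occupied = false;
  bool spanned = false;
};

struct CellMap {
  size_t rows = 0;
  size_t cols = 0;
  std::vector<CellSlot> slots;  // rows * cols entries, row-major
  const CellSlot& at(size_t r, size_t c) const { return slots[r * cols + c]; }
};

// Clamp spans: colspan to the attribute cap; rowspan to the cap and then to
// the rows left below the cell. Rowspan cannot create rows, so storage for
// rows past the end of the table would be pure waste.
static void clampSpans(const DomCell& cell, size_t rowsInTable,
                       uint32_t& rowSpan, uint32_t& colSpan) {
  rowSpan = cell.rowSpan == 0 ? kMaxRowSpan : std::min(cell.rowSpan, kMaxRowSpan);
  colSpan = std::max<uint32_t>(1, std::min(cell.colSpan, kMaxColSpan));
  size_t rowsLeft = cell.row < rowsInTable ? rowsInTable - cell.row : 0;
  rowSpan = static_cast<uint32_t>(std::min<size_t>(rowSpan, rowsLeft));
}

// Slots a map would reserve if it honoured every span literally.
size_t unclampedSlotCount(const std::vector<DomCell>& cells) {
  size_t n = 0;
  for (const DomCell& c : cells) {
    n += static_cast<size_t>(std::max<uint32_t>(1, c.rowSpan)) *
         std::max<uint32_t>(1, c.colSpan);
  }
  return n;
}

// Slots after clamping to the table's real extent.
size_t clampedSlotCount(const std::vector<DomCell>& cells, size_t rowsInTable) {
  size_t n = 0;
  for (const DomCell& c : cells) {
    uint32_t rs, cs;
    clampSpans(c, rowsInTable, rs, cs);
    n += static_cast<size_t>(rs) * cs;
  }
  return n;
}

// Build the map. Returns false (leaving `out` untouched) if the grid would
// exceed `slotBudget` or the allocation itself fails; it never aborts.
bool buildCellMap(const std::vector<DomCell>& cells, size_t rowsInTable,
                  size_t slotBudget, CellMap& out) {
  size_t width = 0;
  for (const DomCell& c : cells) {
    uint32_t rs, cs;
    clampSpans(c, rowsInTable, rs, cs);
    width = std::max(width, c.col + cs);
  }
  CellMap map;
  map.rows = rowsInTable;
  map.cols = width;
  // Overflow-safe budget check before touching the allocator.
  if (map.rows != 0 && map.cols > slotBudget / map.rows) return false;
  try {
    map.slots.resize(map.rows * map.cols);  // fallible: bad_alloc is an error, not fatal
  } catch (const std::bad_alloc&) {
    return false;
  }
  for (const DomCell& c : cells) {
    uint32_t rs, cs;
    clampSpans(c, rowsInTable, rs, cs);
    for (uint32_t dr = 0; dr < rs; ++dr) {
      for (uint32_t dc = 0; dc < cs; ++dc) {
        CellSlot& s = map.slots[(c.row + dr) * map.cols + c.col + dc];
        if (s.occupied) continue;  // an earlier cell already claims this slot
        s.occupied = true;
        s.origRow = c.row;
        s.origCol = c.col;
        s.spanned = (dr != 0 || dc != 0);
      }
    }
  }
  out = std::move(map);
  return true;
}
```

With one cell carrying rowspan=65534 in a one-row table, unclampedSlotCount reports 65534 slots while clampedSlotCount reports 1; buildCellMap then succeeds within any reasonable budget, and a width that blows the budget is refused up front rather than discovered as an OOM abort mid-insertion.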