150431 - crash (stack overflow) with <p><font><p><font>... [@ nsGenericHTMLElement::GetAttr ] [@ StyleSetImpl::QueryInterface ] [@ nsCOMTypeInfo<nsIStyleSet>::GetIID ]

Status: RESOLVED WORKSFORME

(Core :: Layout, defect, P2)

Description

[Nathan Silva]

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.1a) Gecko/20020608
BuildID:    2002060808

Mozilla crashes when accessing the above URL. The referenced page contains a
line of HTML that is more than 240K long consisting of repeated <p><font
size=1><p><font size=1>...

While the HTML is nasty it should not cause a crash, and it does work in IE6.

Reproducible: Always
Steps to Reproduce:
1. Visit http://www.pdxradio.com/discus/index.html.
2. Click "Portland Radio".

Actual Results:  Mozilla hangs, no screen updates for a long time, computer
became very slow until finally the program died and a Talkback window appeared.

Expected Results:  Display the discussion board index.

Comment 1

[Matthias Versen [:Matti]]

Can you please add the TB ID to this bug ?
(run mozilla/components/talkback to get the ID)

Comment 2

[Nathan Silva]

Talkback ID is TB7161113G.

Comment 3

[Olivier Cahagne]

confirming crash using build 2002060904 on Win2k (trunk).
Same behaviour: Mozilla seems to hang for a few seconds, then crashes.

Comment 4

[Olivier Cahagne]

Attachment: Testcase that crashes Mozilla 2002060904 Win2k, hang on Linux

Comment 5

[Mats Palmgren (inactive)]

Confirming bug, hang on 2002-06-07-04 (trunk) on Windows 98 SE.

Comment 6

[Mats Palmgren (inactive)]

Dupe of bug 81993 or bug 61684?

Comment 7

[Nathan Silva]

Attachment: Testcase, tags closed, crashes Mozilla 2002060908 on WinXP

One thing to note, closing the font tags does not fix the problem, it has to do
with the level of nesting. Could be the same bug.

Comment 8

[Matthias Versen [:Matti]]

got my debug build working again :-) (Sorry Doron)

we are looping in nsCSSFrameConstructo:

StyleSetImpl::QueryInterface(StyleSetImpl * const 0x03af5220, const nsID & 
{...}, void * * 0x00033034) line 416 + 60 bytes
nsQueryInterface::operator()(const nsID & {...}, void * * 0x00033034) line 47 + 
25 bytes
nsCOMPtr<nsIStyleSet>::assign_from_helper(const nsCOMPtr_helper & {...}, const 
nsID & {...}) line 922 + 18 bytes
nsCOMPtr<nsIStyleSet>::nsCOMPtr<nsIStyleSet>(const nsQueryInterface & {...}) 
line 566
nsCOMPtr<nsIStyleSet>::Assert_NoQueryNeeded() line 501
nsGetterAddRefs<nsIStyleSet>::~nsGetterAddRefs<nsIStyleSet>() line 1006
nsPresContext::ProbePseudoStyleContextFor(nsPresContext * const 0x03a9a618, 
nsIContent * 0x07771d70, nsIAtom * 0x01024350, nsIStyleContext * 0x0779ee50, 
nsIStyleContext * * 0x000330f8) line 1001
nsCSSFrameConstructor::CreateGeneratedContentFrame(nsIPresShell * 0x03e84d20, 
nsIPresContext * 0x03a9a618, nsFrameConstructorState & {...}, nsIFrame * 
0x0779eea4, nsIContent * 0x07771d70, nsIStyleContext * 0x0779ee50, nsIAtom * 
0x01024350, int 0, nsIFrame * * 0x0003314c) line 1525 + 48 bytes
nsCSSFrameConstructor::ProcessInlineChildren(nsIPresShell * 0x03e84d20, 
nsIPresContext * 0x03a9a618, nsFrameConstructorState & {...}, nsIContent * 
0x07771d70, nsIFrame * 0x0779eea4, int 1, nsFrameItems & {...}, int * 
0x00033268) line 13839 + 59 bytes
nsCSSFrameConstructor::ConstructInline(nsIPresShell * 0x03e84d20, nsIPresContext 
* 0x03a9a618, nsFrameConstructorState & {...}, const nsStyleDisplay * 
0x03dcb8c8, nsIContent * 0x07771d70, nsIFrame * 0x0779ee18, nsIStyleContext * 
0x0779ee50, int 0, nsIFrame * 0x0779eea4, nsIFrame * * 0x000336b0, nsIFrame * * 
0x00033680) line 13631 + 47 bytes
nsCSSFrameConstructor::ConstructFrameByDisplayType(nsIPresShell * 0x03e84d20, 
nsIPresContext * 0x03a9a618, nsFrameConstructorState & {...}, const 
nsStyleDisplay * 0x03dcb8c8, nsIContent * 0x07771d70, nsIFrame * 0x0779ee18, 
nsIStyleContext * 0x0779ee50, nsFrameItems & {...}) line 6480 + 53 bytes
nsCSSFrameConstructor::ConstructFrameInternal(nsIPresShell * 0x03e84d20, 
nsIPresContext * 0x03a9a618, nsFrameConstructorState & {...}, nsIContent * 
0x07771d70, nsIFrame * 0x0779ee18, nsIAtom * 0x0104dc78, int 3, nsIStyleContext 
* 0x0779ee50, nsFrameItems & {...}, int 0) line 7348 + 45 bytes
nsCSSFrameConstructor::ConstructFrame(nsIPresShell * 0x03e84d20, nsIPresContext 
* 0x03a9a618, nsFrameConstructorState & {...}, nsIContent * 0x07771d70, nsIFrame 
* 0x0779ee18, nsFrameItems & {...}) line 7200 + 56 bytes
nsCSSFrameConstructor::ProcessInlineChildren(nsIPresShell * 0x03e84d20, 
nsIPresContext * 0x03a9a618, nsFrameConstructorState & {...}, nsIContent * 
0x07771cb0, nsIFrame * 0x0779ee18, int 1, nsFrameItems & {...}, int * 
0x00033928) line 13854 + 69 bytes
nsCSSFrameConstructor::ConstructInline(nsIPresShell * 0x03e84d20, nsIPresContext 
* 0x03a9a618, nsFrameConstructorState & {...}, const nsStyleDisplay * 
0x03dcb8c8, nsIContent * 0x07771cb0, nsIFrame * 0x0779ede0, nsIStyleContext * 
0x07796858, int 0, nsIFrame * 0x0779ee18, nsIFrame * * 0x00033d70, nsIFrame * * 
0x00033d40) line 13631 + 47 bytes
nsCSSFrameConstructor::ConstructFrameByDisplayType(nsIPresShell * 0x03e84d20, 
nsIPresContext * 0x03a9a618, nsFrameConstructorState & {...}, const 
nsStyleDisplay * 0x03dcb8c8, nsIContent * 0x07771cb0, nsIFrame * 0x0779ede0, 
nsIStyleContext * 0x07796858, nsFrameItems & {...}) line 6480 + 53 bytes
nsCSSFrameConstructor::ConstructFrameInternal(nsIPresShell * 0x03e84d20, 
nsIPresContext * 0x03a9a618, nsFrameConstructorState & {...}, nsIContent * 
0x07771cb0, nsIFrame * 0x0779ede0, nsIAtom * 0x0104dc78, int 3, nsIStyleContext 
* 0x07796858, nsFrameItems & {...}, int 0) line 7348 + 45 bytes
nsCSSFrameConstructor::ConstructFrame(nsIPresShell * 0x03e84d20, nsIPresContext 
* 0x03a9a618, nsFrameConstructorState & {...}, nsIContent * 0x07771cb0, nsIFrame 
* 0x0779ede0, nsFrameItems & {...}) line 7200 + 56 bytes
nsCSSFrameConstructor::ProcessInlineChildren(nsIPresShell * 0x03e84d20, 
nsIPresContext * 0x03a9a618, nsFrameConstructorState & {...}, nsIContent * 
0x07771bf0, nsIFrame * 0x0779ede0, int 1, nsFrameItems & {...}, int * 
0x00033fe8) line 13854 + 69 bytes
nsCSSFrameConstructor::ConstructInline(nsIPresShell * 0x03e84d20, nsIPresContext 
* 0x03a9a618, nsFrameConstructorState & {...}, const nsStyleDisplay * 
0x03dcb8c8, nsIContent * 0x07771bf0, nsIFrame * 0x0779eda8, nsIStyleContext * 
0x077399c0, int 0, nsIFrame * 0x0779ede0, nsIFrame * * 0x00034430, nsIFrame * * 
0x00034400) line 13631 + 47 bytes
....

Comment 9

[Matthias Versen [:Matti]]

Attachment: Full Stack

Comment 10

[Nathan Silva]

Configuration: Windows XP, 512 MB RAM, Mozilla 2002060908
In examples, tags are repeated 4096 times.

1. <p><font size=1><p><font size=1>...</font></p></font></p>  crashes
2. <p><font size=1><p><font size=1>...</font></font>          crashes
3. <p><font size=1><p><font size=1>...(no closing tags)       crashes
4. <font size=1><font size=1>...</font></font>                does not crash
5. <font size=1><font size=1>...(no closing tags)             does not crash
6. <p><p>...</p></p> (weird nesting of p tags)                does not crash
7. <p><p>...(no closing tags)                                 does not crash
8. <p><font size=1></font></p><p><font size=1></font></p>...  does not crash

Only occurs when <p> and <font> tags are used together and not properly nested.

Comment 11

[joakim_46]

Confirming it with build 2002052306 under Windows ME. Talkback ID TB7168265H

Comment 12

[Doron Rosenberg (IBM)]

Incident ID 7168265
Stack Signature nsGenericHTMLElement::GetAttr d7f6c91e
Email Address
Product ID Gecko1.0
Build ID 2002052308
Trigger Time 2002-06-09 15:06:13
Platform Win32
Operating System Windows 98 4.90 build 73010104
Module GKCONTENT.DLL
URL visited http://www.pdxradio.com/discus/index.html
User Comments I clicked on the Portland Radio link. Mozilla became slow and
finally crashed.
Trigger Reason Stack overflow
Source File Name
d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp
Trigger Line No. 2097
Stack Trace
nsGenericHTMLElement::GetAttr
[d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp,
line 2097]
nsGenericHTMLElement::GetAttr
[d:\builds\seamonkey\mozilla\content\html\content\src\nsGenericHTMLElement.cpp,
line 2090]
nsCSSFrameConstructor::ConstructXULFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 5839]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7331]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7215]
nsCSSFrameConstructor::ProcessInlineChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13770]
nsCSSFrameConstructor::ConstructInline
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13546]
nsCSSFrameConstructor::ConstructFrameByDisplayType
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6490]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7366]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7215]
nsCSSFrameConstructor::ProcessInlineChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13770]
nsCSSFrameConstructor::ConstructInline
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13546]
nsCSSFrameConstructor::ConstructFrameByDisplayType
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6490]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7366]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7215]
nsCSSFrameConstructor::ProcessInlineChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13770]
nsCSSFrameConstructor::ConstructInline
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13546]
nsCSSFrameConstructor::ConstructFrameByDisplayType
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6490]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7366]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7215]
nsCSSFrameConstructor::ProcessInlineChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13770]
nsCSSFrameConstructor::ConstructInline
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13546]
nsCSSFrameConstructor::ConstructFrameByDisplayType
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6490]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7366]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7215]
nsCSSFrameConstructor::ProcessInlineChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13770]
nsCSSFrameConstructor::ConstructInline
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13546]
nsCSSFrameConstructor::ConstructFrameByDisplayType
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6490]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7366]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7215]
nsCSSFrameConstructor::ProcessInlineChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13770]
nsCSSFrameConstructor::ConstructInline
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13546]
nsCSSFrameConstructor::ConstructFrameByDisplayType
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6490]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7366]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7215]
nsCSSFrameConstructor::ProcessInlineChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13770]
nsCSSFrameConstructor::ConstructInline
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13546]
nsCSSFrameConstructor::ConstructFrameByDisplayType
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6490]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7366]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7215]
nsCSSFrameConstructor::ProcessInlineChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13770]
nsCSSFrameConstructor::ConstructInline
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13546]
nsCSSFrameConstructor::ConstructFrameByDisplayType
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6490]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7366]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7215]
nsCSSFrameConstructor::ProcessInlineChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13770]
nsCSSFrameConstructor::ConstructInline
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13546]
nsCSSFrameConstructor::ConstructFrameByDisplayType
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6490]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7366]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7215]
nsCSSFrameConstructor::ProcessInlineChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13770]
nsCSSFrameConstructor::ConstructInline
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13546]
nsCSSFrameConstructor::ConstructFrameByDisplayType
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6490]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7366]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7215]
nsCSSFrameConstructor::ProcessInlineChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13770]
nsCSSFrameConstructor::ConstructInline
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13546]
nsCSSFrameConstructor::ConstructFrameByDisplayType
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6490]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7366]
nsCSSFrameConstructor::ConstructFrame
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7215]
nsCSSFrameConstructor::ProcessInlineChildren
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13770]
nsCSSFrameConstructor::ConstructInline
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 13546]
nsCSSFrameConstructor::ConstructFrameByDisplayType
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 6490]
nsCSSFrameConstructor::ConstructFrameInternal
[d:\builds\seamonkey\mozilla\layout\html\style\src\nsCSSFrameConstructor.cpp,
line 7366]

Comment 13

[Olivier Cahagne]

Attachment: Stace trace Linux build 20021130

Comment 14

[Adam Hauner]

-> Default owner

Comment 15

[zug_treno]

The first attachment/testcase still crashes Mozilla 1.7b, the second
attachment/testcase displays an empty page after several minutes of 100% cpu usage. 

Comment 16

[Ronald Tilby]

Using Mozilla Nightly 2005020504 on Windows XP
Both testcases WFM.

Comment 17

[Bernd]

wfm winxp current trunk

Comment 18

[Adam Guthrie]

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a1) Gecko/20051207 Firefox/1.6a1

This crash isn't happening anymore. -> WFM

Comment 19

[Jesse Ruderman]

Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/54417ebbaea2

Comment 20

[Jesse Ruderman]

I had to disable the test due to slowness.