search.brave.com - Infinite recursion in reflow that will lead to OOM
Categories
(Core :: Layout, defect, P2)
Tracking
()
People
(Reporter: mozbugs, Unassigned)
References
Details
Attachments
(1 file)
|
45.65 KB,
text/plain
|
Details |
Crash report: https://crash-stats.mozilla.org/report/index/657b6bdc-ad7a-408c-8829-a69070240608
MOZ_CRASH Reason: MOZ_CRASH(OOM)
Top 10 frames:
0 XUL NS_ABORT_OOM(unsigned long) xpcom/base/nsDebugImpl.cpp:673
1 XUL nsTArrayInfallibleAllocator::SizeTooBig(unsigned long) xpcom/ds/nsTArray.h:262
2 XUL nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_RelocateUsingMemutils>::E... xpcom/ds/nsTArray-inl.h:165
3 XUL nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_RelocateUsingMemutils>::E... xpcom/ds/nsTArray.h:430
3 XUL nsTArray_Impl<nsCOMPtr<nsIContent>, nsTArrayInfallibleAllocator>::AppendEleme... xpcom/ds/nsTArray.h:2688
4 XUL nsTArray<nsCOMPtr<nsIContent> >::AppendElement<nsIContent*&>(nsIContent*&) xpcom/ds/nsTArray.h:2832
4 XUL mozilla::a11y::NotificationController::ScheduleTextUpdate(nsIContent*) accessible/base/NotificationController.h:145
4 XUL mozilla::a11y::DocAccessible::UpdateText(nsIContent*) accessible/generic/DocAccessible-inl.h:79
4 XUL nsAccessibilityService::UpdateText(mozilla::PresShell*, nsIContent*) accessible/base/nsAccessibilityService.cpp:789
5 XUL ReflowTextA11yNotifier::~ReflowTextA11yNotifier() layout/generic/nsTextFrame.cpp:9295
|
Reporter | |
Comment 1•5 months ago
|
||
Steps to reproduce:
- open new tab
- enter https://search.brave.com/
- search for: cmake add
Page is partially rendered, but not interaction possible.
After all available memory is used, the tab crashes with OOM
See also:
I'm unable to reproduce this on my end are you only able to reproduce this only on nightly?
|
||
Comment 3•5 months ago
•
|
||
Can confirm the STR (and a11y is force disabled for me). The trick to repro may be to click on the sub-text of the search results to sort of "activate" the results page.
https://share.firefox.dev/4c9sorY
Bisection: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b21fa00b5f33285a66719754a22d59e0307fbe93&tochange=d8719ea92f148a8b1821cfb48c3b2236f862421b
Suspect: bug 1754598
|
|
||
Updated•5 months ago
|
|
|
||
Comment 4•5 months ago
|
||
|
|
||
Updated•5 months ago
|
|
||
Comment 6•5 months ago
|
||
I can trivially reproduce. The stack in comment 0 is irrelevant, and a11y as well. We should get to the bottom of this and understand what is going on at least.
|
||
Comment 7•5 months ago
|
||
I think this may be essentially the same as bug 1901624, which appears to be unexpected fallout from bug 1731120. I suspect we're somehow getting into a loop generating an endless succession of empty textframes.
|
||
Comment 8•5 months ago
|
||
Brave Search now has workaround to not trigger this condition where this issue occurs. See bug 1901624 for reproduction HTML.
|
|
||
Comment 9•5 months ago
|
||
Thanks! I'm going to dupe this to bug 1901624 as that has the reduced testcase; obviously even though it's great that Brave Search has a workaround, we still need to fix the issue in Firefox.
|
||
Updated•5 months ago
|
Description
•