27173 - crash on page with >16000 FONT tags and no \FONT

Status: VERIFIED DUPLICATE of bug 1070

(Core :: Layout, defect, P3)

Description

[macmahon]

From Bug Helper:
User-Agent: Mozilla/5.0 [en-US] (Linux; I)
BuildID:    2000012520
		If I load the about page in M13, the system load pegs at 1 and the browser
eventually crashes.  Running under gdb gives:
Program received signal SIGSEGV, Segmentation fault.
0x40c611f9 in NSGetModule () from
/usr/local/space/package/components/libraptorhtml.so
If I d/l the source under N4.71(wherein the page works), add the \FONT tags, and
load the local file, M13 loads the page happy as a clam.

Reproducible: Always
Steps to Reproduce:
1.  Load page
2.  Wait
3.  restart mozilla, try to work around known focus bugs to use bugzilla.

Actual Results:  crash, then hopefully a bug posted that is of interest
Expected Results:  Page loading quickly and efficiently, as it does if the HTML
is proper.

Comment 1

[rickg]

Pierre: the app crashes in style resolution code. Here's the top of the stack, 
which repeats seemingly forever:

SelectorMatches(nsIPresContext * 0x02119f10, nsCSSSelector * 0x01ba8590, 
nsIContent * 0x02abf50c, int 1) line 2304 + 3 bytes
PseudoEnumFunc(nsICSSStyleRule * 0x01babc7c, void * 0x0003319c) line 2747 + 24 
bytes
RuleHash::EnumerateTagRules(nsIAtom * 0x0068dd80, void (nsICSSStyleRule *, void 
*)* 0x01d55070 PseudoEnumFunc(nsICSSStyleRule *, void *), void * 0x0003319c) 
line 352 + 13 bytes
CSSRuleProcessor::RulesMatching(CSSRuleProcessor * const 0x020d5c10, 
nsIPresContext * 0x02119f10, nsIAtom * 0x006c6e20, nsIContent * 0x02abf50c, 
nsIAtom * 0x0068dd80, nsIStyleContext * 0x03f64260, nsISupportsArray * 
0x03f63040) line 2815
EnumPseudoRulesMatching(nsISupports * 0x020d5c10, void * 0x00033224) line 703
nsSupportsArray::EnumerateForwards(nsSupportsArray * const 0x020d5c30, int 
(nsISupports *, void *)* 0x01c59510 EnumPseudoRulesMatching(nsISupports *, void 
*), void * 0x00033224) line 357 + 20 bytes
StyleSetImpl::ProbePseudoStyleFor(nsIPresContext * 0x02119f10, nsIContent * 
0x02abf50c, nsIAtom * 0x0068dd80, nsIStyleContext * 0x03f64260, int 0) line 789
nsPresContext::ProbePseudoStyleContextFor(nsPresContext * const 0x02119f10, 
nsIContent * 0x02abf50c, nsIAtom * 0x0068dd80, nsIStyleContext * 0x03f64260, int 
0, nsIStyleContext * * 0x00033338) line 484 + 42 bytes
nsCSSFrameConstructor::CreateGeneratedContentFrame(nsIPresShell * 0x020d2960, 
nsIPresContext * 0x02119f10, nsFrameConstructorState & {...}, nsIFrame * 
0x01ab6eb4, nsIContent * 0x02abf50c, nsIStyleContext * 0x03f64260, nsIAtom * 
0x0068dd80, int 0, nsIFrame * * 0x00033390) line 799
nsCSSFrameConstructor::ProcessInlineChildren(nsIPresShell * 0x020d2960, 
nsIPresContext * 0x02119f10, nsFrameConstructorState & {...}, nsIContent * 
0x02abf50c, nsIFrame * 0x01ab6eb4, int 1, nsFrameItems & {...}, int * 
0x000333f8) line 10232 + 49 bytes
nsCSSFrameConstructor::ConstructInline(nsIPresShell * 0x020d2960, nsIPresContext 
* 0x02119f10, nsFrameConstructorState & {...}, const nsStyleDisplay * 
0x03f644a4, nsIContent * 0x02abf50c, nsIFrame * 0x01ab6e40, nsIStyleContext * 
0x03f64260, nsIFrame * 0x01ab6eb4, nsIFrame * * 0x000335e8, nsIFrame * * 
0x000335c0) line 10107 + 38 bytes
nsCSSFrameConstructor::ConstructFrameByDisplayType(nsIPresShell * 0x020d2960, 
nsIPresContext * 0x02119f10, nsFrameConstructorState & {...}, const 
nsStyleDisplay * 0x03f644a4, nsIContent * 0x02abf50c, nsIFrame * 0x01ab6e40, 
nsIStyleContext * 0x03f64260, nsFrameItems & {...}) line 4954 + 51 bytes
nsCSSFrameConstructor::Constru

Comment 2

[Pierre Saslawsky]

This is goddamm cool penguin! I'm really bummed we crash with it but it's 
nevertheless a dup of bug 1070.

I'll copy the URL of this testcase over to 1070.


*** This bug has been marked as a duplicate of 1070 ***

Comment 3

[Christian Mattar]

Verified dup.

Comment 4

[Heikki Toivonen (remove -bugzilla when emailing directly)]

SPAM. HTML Element component deprecated, changing component to Layout. See bug
88132 for details.