Closed Bug 361226 Opened 19 years ago Closed 18 years ago

Crash due to too much recursion in *::BindToTree (cycle in DOM tree?)

Categories

(Core :: DOM: Core & HTML, defect, P1)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: jruderman, Assigned: sicking)

References

Details

(Keywords: crash, testcase)

Attachments

(1 file)

testcase (crashes Firefox after a few seconds)
997 bytes, application/xhtml+xml
Details
This testcase causes a crash due to too much recursion after a few seconds. Here's part of the stack trace (Mac debug, gdb): #11499 0x06a7df48 in nsHTMLInputElement::BindToTree (this=0x2816a7e0, aDocument=0x0, aParent=0x28169650, aBindingParent=0x0, aCompileEventHandlers=1) at /Users/admin/trunk/mozilla/content/html/content/src/nsHTMLInputElement.cpp:1778 #11500 0x069b2a64 in nsGenericElement::BindToTree (this=0x28169650, aDocument=0x0, aParent=0x28165900, aBindingParent=0x0, aCompileEventHandlers=1) at /Users/admin/trunk/mozilla/content/base/src/nsGenericElement.cpp:1834 #11501 0x06a52440 in nsGenericHTMLElement::BindToTree (this=0x28169650, aDocument=0x0, aParent=0x28165900, aBindingParent=0x0, aCompileEventHandlers=1) at /Users/admin/trunk/mozilla/content/html/content/src/nsGenericHTMLElement.cpp:1358 #11502 0x069b2a64 in nsGenericElement::BindToTree (this=0x28165900, aDocument=0x0, aParent=0x2816a7e0, aBindingParent=0x0, aCompileEventHandlers=1) at /Users/admin/trunk/mozilla/content/base/src/nsGenericElement.cpp:1834 #11503 0x06a52440 in nsGenericHTMLElement::BindToTree (this=0x28165900, aDocument=0x0, aParent=0x2816a7e0, aBindingParent=0x0, aCompileEventHandlers=1) at /Users/admin/trunk/mozilla/content/html/content/src/nsGenericHTMLElement.cpp:1358 #11504 0x069b2a64 in nsGenericElement::BindToTree (this=0x2816a7e0, aDocument=0x0, aParent=0x28169650, aBindingParent=0x0, aCompileEventHandlers=1) at /Users/admin/trunk/mozilla/content/base/src/nsGenericElement.cpp:1834 #11505 0x06a52440 in nsGenericHTMLElement::BindToTree (this=0x2816a7e0, aDocument=0x0, aParent=0x28169650, aBindingParent=0x0, aCompileEventHandlers=1) at /Users/admin/trunk/mozilla/content/html/content/src/nsGenericHTMLElement.cpp:1358 #11506 0x06a54c3c in nsGenericHTMLFormElement::BindToTree (this=0x2816a7e0, aDocument=0x0, aParent=0x28169650, aBindingParent=0x0, aCompileEventHandlers=1) at /Users/admin/trunk/mozilla/content/html/content/src/nsGenericHTMLElement.cpp:3112 #11507 0x06a7df48 in nsHTMLInputElement::BindToTree (this=0x2816a7e0, aDocument=0x0, aParent=0x28169650, aBindingParent=0x0, aCompileEventHandlers=1) at /Users/admin/trunk/mozilla/content/html/content/src/nsHTMLInputElement.cpp:1778
Humm, seems to be not MacOS X specific. The Testcase crashes SeaMonkey Trunk Build 2006111909 on Windows too: TB26229429G, TB26229391K
OS: Mac OS X 10.4 → All
Hardware: Macintosh → All
(In reply to comment #2) > Humm, seems to be not MacOS X specific. The Testcase crashes SeaMonkey Trunk > Build 2006111909 on Windows too: TB26229429G, TB26229391K Looks like a different stack trace for SM: Stack Signature nsAttrAndChildArray::GetAttr a1eb15b2 Product ID MozillaTrunk Build ID 2006111909 Trigger Time 2006-11-19 13:50:38.0 Platform Win32 Operating System Windows NT 5.1 build 2600 Module gklayout.dll + (001037eb) URL visited User Comments Since Last Crash 367 sec Total Uptime 6643 sec Trigger Reason Stack overflow Source File, Line No. d:\builds\tinderbox\seamonkeytrunk\winnt_5.2_clobber\mozilla\content\base\src\nsattrandchildarray.cpp, line 303 Stack Trace nsAttrAndChildArray::GetAttr [mozilla\content\base\src\nsattrandchildarray.cpp, line 303] nsGenericHTMLElement::ReparseStyleAttribute [mozilla\content\html\content\src\nsgenerichtmlelement.cpp, line 2380] Really seems to be trunk related. No crash with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1) Gecko/20061010 Firefox/2.0 after waiting over a minute.
> Looks like a different stack trace for SM: > ... > Trigger Reason Stack overflow For any given stack overflow bug, you can get crashes with several different functions at the *top* of the stack. You have to look at the *middle* of the stack -- the part that repeats -- to determine whether it's the same functions going through infinite- or too-much-recursion.
Yeah, so this is another manifestation of the problem where destroying a document partly but not completely removes nodes from its childlist. The call to try { aC(document.body, iframe); } catch(e) { } blows away the old document in the iframe, so the call to try { aC(div, iframeDocElem); } catch(e) { } doesn't remove the node from the iframe document's child list. Then at some point that document gets GCed and the parent of the iframeDocElem suddenly gets nulled out again. The next call to try { aC(textbox, div); } catch(e) { } doesn't detect a loop (since the parent of the iframeDocElem is null, while the iframeDocElem is actually a child of the div). So we end up with a loop in the content tree and then the recursion crash observed. We really need to fix bug 348156.
Depends on: 348156
This needs to be resolved in order to find other security issues via fuzz testing per discussion in Security triage.
Flags: blocking1.9+
Assignee: general → Olli.Pettay
Sorry, wasn't going to take this (yet)
Assignee: Olli.Pettay → nobody
QA Contact: ian → general
Taking this since it'll get fixed with my fix for bug 348156
Assignee: nobody → jonas
Target Milestone: --- → mozilla1.9alpha6
Target Milestone: mozilla1.9alpha6 → mozilla1.9beta1
Target Milestone: mozilla1.9 M8 → ---
Should be fixed by patch in bug 348156
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
no crash with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9b4pre) Gecko/2008020717 Firefox/3.0b4pre and Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b3) Gecko/2008020514 Firefox/3.0b3 on the testcase -> Verified fixed
Status: RESOLVED → VERIFIED
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: