Closed
Bug 413842
Opened 17 years ago
Closed 2 years ago
OOM crash in nsHtml5TreeBuilder::accumulateCharacters while recursive reading/modification of firstChild
Categories
(Core :: DOM: HTML Parser, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: rbeitra, Unassigned)
References
()
Details
(Keywords: crash, testcase)
Crash Data
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/523.12.2 (KHTML, like Gecko) Version/3.0.4 Safari/523.12.2 Build Identifier: 2.0.0.11 Running this code causes problems: for(var c in document.firstChild){ document.write(document.firstChild[c]); } browser becomes unresponsive, memory usage skyrockets, browser uses up 100% cpu. Reproducible: Always Steps to Reproduce: 1. run this script for(var c in document.firstChild){ document.write(document.firstChild[c]); } Actual Results: browser becomes unresponsive, memory usage skyrockets, browser uses up 100% cpu. Expected Results: observe results in Opera 9 should print out object contents maybe
Comment 1•17 years ago
|
||
WFM with Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Comment 2•14 years ago
|
||
This bug was reported on Firefox 2.x or older, which is no longer supported and will not be receiving any more updates. I strongly suggest that you update to Firefox 3.6.3 or later, update your plugins (flash, adobe, etc.), and retest in a new profile. If you still see the issue with the updated Firefox, please post here. Also give a stacktrace. Otherwise, please close as RESOLVED > WORKSFORME http://www.mozilla.com http://support.mozilla.com/kb/Managing+profiles http://support.mozilla.com/kb/Safe+mode https://developer.mozilla.org/En/How_to_get_a_stacktrace_for_a_bug_report
Version: unspecified → 2.0 Branch
Updated•14 years ago
|
Whiteboard: [CLOSEME 2010-09-15]
Comment 3•14 years ago
|
||
Reporter, are you still seeing this issue with Firefox 3.6.10 or later in safe mode? If not, please close. These links can help you in your testing. http://support.mozilla.com/kb/Safe+Mode http://support.mozilla.com/kb/Managing+profiles
Whiteboard: [CLOSEME 2010-09-15] → [CLOSEME 2010-10-15]
Thankyou but this still occurs. I have tested in Firefox 4.0b6 in safe mode. It still crashes :*( I have uploaded the test case again here: http://murderdeathkitty.net/****/killall.html Here is the offending code again: for(var c in document.firstChild)document.write(document.firstChild[c]);
Updated•14 years ago
|
Comment 5•14 years ago
|
||
I get a hang and script not responding errors with Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b7pre) Gecko/20101004 Firefox/4.0b7pre, but no crash. Can you post crash reports? https://developer.mozilla.org/En/How_to_get_a_stacktrace_for_a_bug_report
Comment 6•14 years ago
|
||
Reporter, were you able to get a stacktrace for us? https://developer.mozilla.org/En/How_to_get_a_stacktrace_for_a_bug_report
Updated•13 years ago
|
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → INCOMPLETE
Comment 7•13 years ago
|
||
see also bug 588205 bp-37459dba-95bd-4279-98e5-71e282110208 0 libmozalloc.dylib mozalloc_abort memory/mozalloc/mozalloc_abort.cpp:64 1 libmozalloc.dylib mozalloc_handle_oom memory/mozalloc/mozalloc_oom.cpp:54 2 libmozalloc.dylib moz_xmalloc memory/mozalloc/mozalloc.cpp:100 3 XUL nsHtml5TreeBuilder::accumulateCharacters c.h:241 4 XUL nsHtml5Tokenizer::stateLoop parser/html/nsHtml5Tokenizer.cpp:277 5 XUL nsHtml5Tokenizer::tokenizeBuffer parser/html/nsHtml5Tokenizer.cpp:391
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: INCOMPLETE → ---
Summary: recursive reading/modification of firstChild crashes browser → Crash [@ mozalloc_abort ] recursive reading/modification of firstChild crashes browser
Version: 3.6 Branch → Trunk
Assignee | ||
Updated•13 years ago
|
Crash Signature: [@ mozalloc_abort ]
Comment 8•12 years ago
|
||
More reports at: https://crash-stats.mozilla.com/report/list?signature=TouchBadMemory+|+mozalloc_abort+|+mozalloc_handle_oom+|+moz_xmalloc+|+nsHtml5TreeBuilder%3A%3AaccumulateCharacters
Crash Signature: [@ mozalloc_abort ] → [@ mozalloc_abort | mozalloc_handle_oom | nsHtml5TreeBuilder::accumulateCharacters ]
[@ TouchBadMemory | mozalloc_abort | mozalloc_handle_oom | moz_xmalloc | nsHtml5TreeBuilder::accumulateCharacters ]
Component: General → HTML: Parser
OS: All → Mac OS X
Product: Firefox → Core
QA Contact: general → parser
Hardware: All → x86
Summary: Crash [@ mozalloc_abort ] recursive reading/modification of firstChild crashes browser → OOM crash in nsHtml5TreeBuilder::accumulateCharacters while recursive reading/modification of firstChild
Updated•8 years ago
|
Crash Signature: [@ mozalloc_abort | mozalloc_handle_oom | nsHtml5TreeBuilder::accumulateCharacters ]
[@ TouchBadMemory | mozalloc_abort | mozalloc_handle_oom | moz_xmalloc | nsHtml5TreeBuilder::accumulateCharacters ] → [@ mozalloc_abort | mozalloc_handle_oom | nsHtml5TreeBuilder::accumulateCharacters ]
[@ TouchBadMemory | mozalloc_abort | mozalloc_handle_oom | moz_xmalloc | nsHtml5TreeBuilder::accumulateCharacters ]
[@ nsHtml5TreeBuilder::accumulateCharacters ]
Comment 9•8 years ago
|
||
Fwiw, [@ nsHtml5TreeBuilder::accumulateCharacters ] has fairly high volume in v50(beta) currently at #26 in the Top Crash list.
Comment 10•8 years ago
|
||
(In reply to Mats Palmgren (:mats) from comment #9) > Fwiw, [@ nsHtml5TreeBuilder::accumulateCharacters ] has fairly high volume > in v50(beta) > currently at #26 in the Top Crash list. That's a newer thing (to be fixed in 51), not this one.
Crash Signature: [@ mozalloc_abort | mozalloc_handle_oom | nsHtml5TreeBuilder::accumulateCharacters ]
[@ TouchBadMemory | mozalloc_abort | mozalloc_handle_oom | moz_xmalloc | nsHtml5TreeBuilder::accumulateCharacters ]
[@ nsHtml5TreeBuilder::accumulateCharacters ] → [@ mozalloc_abort | mozalloc_handle_oom | nsHtml5TreeBuilder::accumulateCharacters ]
[@ TouchBadMemory | mozalloc_abort | mozalloc_handle_oom | moz_xmalloc | nsHtml5TreeBuilder::accumulateCharacters ]
Comment 11•6 years ago
|
||
Closing because no crash reported since 12 weeks.
Status: REOPENED → RESOLVED
Closed: 13 years ago → 6 years ago
Resolution: --- → WONTFIX
Reopening because crash bugs **with testcases** should not be resolved **as WONTFIX** based on queries of crash-stats. Other resolutions may be appropriate for other reasons. (Crash signatures are not the same as bug identity; they're merely a search aid to find and group similar crashes. The bug may still be present, but the signature may have changed slightly, or the bug may even still be present with the same signature but there are simply no recent reports of crashes in that function.)
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Updated•2 years ago
|
Severity: critical → S2
Comment 13•2 years ago
|
||
Just tested the testcase in the URL field - no crash; there's a warning saying this page is slowing down your browser, but it was eventually loaded.
Going to close this as WORKSFORME due to the test result as well as no crash reports for a long time.
Status: REOPENED → RESOLVED
Closed: 6 years ago → 2 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•