Infinite recursion crash [@ nsRuleNode::GetSVGData] again with nested marquees

RESOLVED WORKSFORME

Status


Core
CSS Parsing and Computation
--
critical
9 years ago
6 years ago

People

(Reporter: Martijn Wargers (dead), Unassigned)

Tracking

(Blocks: 1 bug, {crash, regression, testcase})

Trunk
x86
Windows XP
crash, regression, testcase
Points:
---
Bug Flags:
wanted1.9.1 +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dos] stack overflow, crash signature, URL)

(Reporter)

Description

9 years ago
This is a follow-up from bug 454434.

I thought this was fixed by bug 425253 and that the crashtest that was attached to that bug made sure new crashers would be noticed.
But it seems like the crashtest is the wrong one, afaict:
http://mxr.mozilla.org/mozilla-central/source/layout/generic/crashtests/425253-1.html

So now nested marquees are crashing again.
I can look for a regression range, if wanted.

http://crash-stats.mozilla.com/report/index/c5a96c4f-7ead-11dd-8817-0013211cbf8a
0  	xul.dll  	nsRuleNode::GetSVGData  	
1 	xul.dll 	nsRuleNode::GetStyleData 	
2 	xul.dll 	nsRuleNode::WalkRuleTree 	
3 	xul.dll 	nsRuleNode::GetSVGData 	
4 	xul.dll 	nsRuleNode::GetStyleData 	
5 	xul.dll 	nsRuleNode::WalkRuleTree 	
6 	xul.dll 	nsRuleNode::GetSVGData 	
7 	xul.dll 	nsRuleNode::GetStyleData 	
8 	xul.dll 	nsRuleNode::WalkRuleTree 	
9 	xul.dll 	nsRuleNode::GetSVGData 	
10 	xul.dll 	nsRuleNode::GetStyleData 	
11 	xul.dll 	nsRuleNode::WalkRuleTree
etc...
(Reporter)

Comment 1

9 years ago
Ok, I guess the crash test as checked in also showed the crash.
The nested marquee one was still suffering from bug 239840, I guess.
(Reporter)

Updated

9 years ago
Flags: blocking1.9.1?
Component: Layout → Style System (CSS)
QA Contact: layout → style-system
I don't see a crash; I just see a hang in deeply nested ReResolveStyleContext.
Flags: blocking1.9.1? → wanted1.9.1+

Comment 3

9 years ago
I got a slightly different stack clicking attachment details of bug 454434 
bp-e7422a0d-d465-4cbf-80f6-82d952090131
nsRuleNode::GetTextData	layout/style/nsRuleNode.cpp:1326
nsRuleNode::GetStyleText	layout/style/nsStyleStructList.h:89
nsRuleNode::ComputeTextData	layout/style/nsRuleNode.cpp:2926
@0x9bc69c7	
nsRuleNode::GetStyleData	layout/style/nsStyleStructList.h:89
nsRuleNode::WalkRuleTree	layout/style/nsRuleNode.cpp:1764
nsRuleNode::GetStyleData	layout/style/nsStyleStructList.h:89
nsRuleNode::WalkRuleTree	layout/style/nsRuleNode.cpp:1764
nsRuleNode::GetStyleData	layout/style/nsStyleStructList.h:89
nsRuleNode::WalkRuleTree	layout/style/nsRuleNode.cpp:1764
nsRuleNode::GetTextData	layout/style/nsRuleNode.cpp:1331
nsRuleNode::GetStyleText	layout/style/nsStyleStructList.h:89
Blocks: 454434
Whiteboard: [sg:dos] stack overflow
No longer blocks: 454434

Comment 4

7 years ago
Should this be a dupe of bug 363722?

Comment 5

7 years ago
http://www.kossolax.be/scripts/je_veux_crasher_mon_navigateur.php appears to be this same bug which crashes Firefox 4 on Windows XP and 7 with a variety of stacks that either begin with or contain:

nsRuleNode::GetSVGData(nsStyleContext*)
nsRuleNode::GetStyleData(nsStyleStructID, nsStyleContext*, int)
nsStyleContext::GetStyleData(nsStyleStructID)
nsRuleNode::WalkRuleTree(nsStyleStructID, nsStyleContext*, nsRuleData*, nsCSSStruct*)
nsRuleNode::GetSVGData(nsStyleContext*)
Blocks: 532972
(Assignee)

Updated

7 years ago
Crash Signature: [@ nsRuleNode::GetSVGData]

Comment 6

6 years ago
Nothing in a version beyond 3.0 and 3.6. Even then there is a single instance in the past 4 weeks. Resolving as Works For Me.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → WORKSFORME