Closed Bug 492978 Opened 15 years ago Closed 15 years ago

Stack-exhaustion crash with binding, float, overflow:scroll and generated content

Categories

(Core :: Layout, defect)

x86
Windows XP
defect
Not set
critical


RESOLVED FIXED
Tracking Status
status1.9.1 --- wanted

People

(Reporter: martijn.martijn, Unassigned)

References

Details

(Keywords: crash, testcase)

Attachments

(1 file)

459 bytes, application/vnd.mozilla.xul+xml
Details
Attached file testcase
See testcase, which crashes the current trunk build after 1 s or so of using 100% CPU.
It also crashes Firefox 3.0.x.

http://crash-stats.mozilla.com/report/index/55801f7f-d272-42bb-8a4e-e10212090513?p=1
0  	xul.dll  	_chkstk  	 chkstk.asm:99 

Firefox 3 crash report.
http://crash-stats.mozilla.com/report/index/c4973ac1-fe8f-4584-a45a-c99e32090513?p=1
0  	xul.dll  	nsAttrValue::Equals  	 mozilla/content/base/src/nsAttrValue.cpp:629
1 	xul.dll 	SelectorMatches 	mozilla/layout/style/nsCSSRuleProcessor.cpp:1462
2 	xul.dll 	RuleProcessorData::RuleProcessorData 	mozilla/layout/style/nsCSSRuleProcessor.cpp:862
3 	xul.dll 	RuleHash::EnumerateAllRules 	mozilla/layout/style/nsCSSRuleProcessor.cpp:621
4 	xul.dll 	nsElementMap::Compare 	
5 		@0x2d0742f 

In a debug build, I only seem to hang:
>	gkwidget.dll!nsNativeDragTarget::nsNativeDragTarget(nsIWidget * aWnd=0x09684f84)  Line 92	C++
 	gkwidget.dll!nsWindow::EnableDragDrop(int aEnable=1)  Line 2942 + 0x3d bytes	C++
 	gklayout.dll!nsIView::CreateWidget(const nsID & aWindowIID={...}, nsWidgetInitData * aWidgetInitData=0x000d3dec, void * aNative=0x00000000, int aEnableDragDrop=1, int aResetVisibility=1, nsContentType aContentType=eContentTypeInherit, nsIWidget * aParentWidget=0x00000000)  Line 696	C++
 	gklayout.dll!nsScrollPortView::CreateScrollControls(void * aNative=0x00000000)  Line 155	C++
 	gklayout.dll!nsGfxScrollFrameInner::CreateScrollableView()  Line 1416	C++
 	gklayout.dll!nsXULScrollFrame::SetInitialChildList(nsIAtom * aListName=0x00000000, nsIFrame * aChildList=0x010a89bc)  Line 1034	C++
 	gklayout.dll!nsCSSFrameConstructor::BeginBuildingScrollFrame(nsFrameConstructorState & aState={...}, nsIContent * aContent=0x09101980, nsStyleContext * aContentStyle=0x085affc0, nsIFrame * aParentFrame=0x085ae360, nsIAtom * aScrolledPseudo=0x010b2d70, int aIsRoot=0, nsIFrame * & aNewFrame=0x085afa20)  Line 4423	C++
 	gklayout.dll!nsCSSFrameConstructor::BuildScrollFrame(nsFrameConstructorState & aState={...}, nsIContent * aContent=0x09101980, nsStyleContext * aContentStyle=0x085affc0, nsIFrame * aScrolledFrame=0x085af9b4, nsIFrame * aParentFrame=0x085ae360, nsIFrame * & aNewFrame=0x085afa20)  Line 4486 + 0x29 bytes	C++
 	gklayout.dll!nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem & aItem={...}, nsFrameConstructorState & aState={...}, nsIFrame * aParentFrame=0x085ae360, nsFrameItems & aFrameItems={...})  Line 3917	C++
 	gklayout.dll!nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState & aState={...}, nsCSSFrameConstructor::FrameConstructionItem & aItem={...}, nsIFrame * aParentFrame=0x085ae360, nsFrameItems & aFrameItems={...})  Line 5464 + 0x18 bytes	C++
 	gklayout.dll!nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState & aState={...}, nsCSSFrameConstructor::FrameConstructionItemList & aItems={...}, nsIFrame * aParentFrame=0x085ae360, nsFrameItems & aFrameItems={...})  Line 9326 + 0x1d bytes	C++
 	gklayout.dll!nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState & aState={...}, nsIContent * aContent=0x086902c0, nsStyleContext * aStyleContext=0x083b7f70, nsIFrame * aFrame=0x085ae360, const int aCanHaveGeneratedContent=1, nsFrameItems & aFrameItems={...}, const int aAllowBlockStyles=0)  Line 9430 + 0x1b bytes	C++
 	gklayout.dll!nsCSSFrameConstructor::ConstructDocElementFrame(nsFrameConstructorState & aState={...}, nsIContent * aDocElement=0x086902c0, nsIFrame * aParentFrame=0x083b7e2c, nsIFrame * * aNewFrame=0x000d43b4)  Line 2709	C++
 	gklayout.dll!nsCSSFrameConstructor::ReconstructDocElementHierarchyInternal()  Line 5589 + 0x24 bytes	C++
 	gklayout.dll!nsCSSFrameConstructor::ReframeContainingBlock(nsIFrame * aFrame=0x085aef80)  Line 11149	C++
 	gklayout.dll!nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame * aFrame=0x085aef80, unsigned int * aResult=0x000d44a0)  Line 8808 + 0xc bytes	C++
 	gklayout.dll!nsCSSFrameConstructor::RecreateFramesForContent(nsIContent * aContent=0x090ea048)  Line 8933 + 0x16 bytes	C++
 	gklayout.dll!nsCSSFrameConstructor::ProcessRestyledFrames(nsStyleChangeList & aChangeList={...})  Line 7619	C++
 	gklayout.dll!nsCSSFrameConstructor::RestyleElement(nsIContent * aContent=0x086902c0, nsIFrame * aPrimaryFrame=0x085ae360, nsChangeHint aMinHint=0)  Line 7693	C++
 	gklayout.dll!nsCSSFrameConstructor::ProcessOneRestyle(nsIContent * aContent=0x086902c0, nsReStyleHint aRestyleHint=eReStyle_Self, nsChangeHint aChangeHint=0)  Line 11457	C++
 	gklayout.dll!nsCSSFrameConstructor::ProcessPendingRestyles()  Line 11565	C++
 	gklayout.dll!PresShell::FlushPendingNotifications(mozFlushType aType=Flush_InterruptibleLayout)  Line 4742	C++
 	gklayout.dll!PresShell::HandlePostedReflowCallbacks(int aInterruptible=1)  Line 4672	C++
 	gklayout.dll!PresShell::DidDoReflow(int aInterruptible=1)  Line 6870	C++
 	gklayout.dll!PresShell::ProcessReflowCommands(int aInterruptible=1)  Line 7105	C++
 	gklayout.dll!PresShell::FlushPendingNotifications(mozFlushType aType=Flush_InterruptibleLayout)  Line 4771 + 0x12 bytes	C++
 	gklayout.dll!PresShell::HandlePostedReflowCallbacks(int aInterruptible=1)  Line 4672	C++
 	gklayout.dll!PresShell::DidDoReflow(int aInterruptible=1)  Line 6870	C++
 	gklayout.dll!PresShell::ProcessReflowCommands(int aInterruptible=1)  Line 7105	C++
 	gklayout.dll!PresShell::FlushPendingNotifications(mozFlushType aType=Flush_InterruptibleLayout)  Line 4771 + 0x12 bytes	C++
etc...

This reminds me of bug 451198, btw. Perhaps related to that bug?
As usual, it doesn't seem to crash online, so you have to download the testcase locally.
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.12?
Flags: wanted1.9.1.x+
Whiteboard: [needs owner]
Depends on: 507991
This is a running-out-of-stack-space crash, so not a security bug.

On Mac / Firefox trunk, I don't get a crash, just a bunch of:
************************************************************
* Call to xpconnect wrapped JSObject produced this error:  *
[Exception... "'[JavaScript Error: "too much recursion"]' when calling method: [nsIContentPolicy::shouldLoad]"  nsresult: "0x80570021 (NS_ERROR_XPC_JAVASCRIPT_ERROR_WITH_DETAILS)"  location: "<unknown>"  data: yes]
************************************************************
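The debug stack above is the whole story of the crash: FlushPendingNotifications runs a reflow, DidDoReflow runs the posted reflow callbacks, a callback posts a restyle and flushes again, the restyle rebuilds frames and needs another reflow, and the cycle nests one level deeper each time until the stack guard page is hit (the `_chkstk` frame in the release crash, "too much recursion" in the Mac build). The following toy model is an added example, not Gecko code and not the fix from bug 507991. The method names mirror the frames in the stack, but every body, the `rounds` and `stackLimit` parameters and the `guardReentry` flag are invented for illustration. It shows why the nesting is unbounded, and what a re-entrancy guard on the flush does to it: the same work is done as iterations of one outer loop at depth 1.

```cpp
#include <algorithm>
#include <cassert>
#include <cstdio>

// Toy model of the reflow -> callback -> restyle -> reflow cycle in the debug
// stack above. Method names mirror the Gecko frames; every body is invented for
// illustration (assumption), and none of this is Gecko's code or Gecko's fix.
struct ReflowModel {
  bool guardReentry;  // assumption: refuse re-entrant flushes, loop instead
  int rounds;         // how many more times a reflow callback posts a restyle
  int stackLimit;     // toy stand-in for the real stack: depth at which we "crash"

  int depth = 0;             // current nesting of FlushPendingNotifications
  int maxDepth = 0;          // deepest nesting observed
  int iterations = 0;        // outer-loop passes (work done without nesting)
  bool flushing = false;     // re-entrancy flag
  bool reflowNeeded = true;  // initial layout is pending
  int pendingCallbacks = 0;  // posted reflow callbacks
  int pendingRestyles = 0;   // posted restyles
  bool exhausted = false;    // set when stackLimit is hit

  ReflowModel(bool guard, int r, int limit)
      : guardReentry(guard), rounds(r), stackLimit(limit) {}

  // ProcessPendingRestyles -> RecreateFramesForContent: frames are rebuilt,
  // so the tree must be reflowed again.
  void ProcessPendingRestyles() {
    if (pendingRestyles > 0) {
      pendingRestyles = 0;
      reflowNeeded = true;
    }
  }

  // HandlePostedReflowCallbacks: each callback posts a restyle (until the tree
  // settles after `rounds`) and then asks for a flush, re-entering the caller.
  void HandlePostedReflowCallbacks() {
    while (pendingCallbacks > 0) {
      pendingCallbacks--;
      if (rounds > 0) {
        rounds--;
        pendingRestyles++;
      }
      FlushPendingNotifications();
    }
  }

  void DidDoReflow() { HandlePostedReflowCallbacks(); }

  // ProcessReflowCommands: reflow constructs the scroll frame, which posts a
  // reflow callback; DidDoReflow then runs the callbacks.
  void ProcessReflowCommands() {
    if (!reflowNeeded) return;
    reflowNeeded = false;
    pendingCallbacks++;
    DidDoReflow();
  }

  void FlushPendingNotifications() {
    if (guardReentry && flushing) {
      return;  // deferred: the outer flush's loop below picks the work up
    }
    if (depth >= stackLimit) {
      exhausted = true;  // the real build faults on the guard page here
      return;
    }
    depth++;
    maxDepth = std::max(maxDepth, depth);
    flushing = true;
    do {
      iterations++;
      ProcessPendingRestyles();
      ProcessReflowCommands();
    } while (guardReentry && !exhausted &&
             (pendingRestyles > 0 || reflowNeeded));
    flushing = false;
    depth--;
  }
};

// Run one initial flush and return the model so the caller can inspect
// maxDepth, iterations and exhausted.
ReflowModel RunModel(bool guardReentry, int rounds, int stackLimit) {
  ReflowModel m(guardReentry, rounds, stackLimit);
  m.FlushPendingNotifications();
  return m;
}

int main() {
  ReflowModel naive = RunModel(false, 100000, 2000);
  ReflowModel guarded = RunModel(true, 100000, 2000);
  std::printf("naive:   depth %d, exhausted %d\n", naive.maxDepth, naive.exhausted);
  std::printf("guarded: depth %d, exhausted %d, iterations %d\n",
              guarded.maxDepth, guarded.exhausted, guarded.iterations);
  return 0;
}
```

Two things the model makes visible. First, why this is a stack-exhaustion crash and not a memory-safety one: nothing writes past a buffer, the process simply touches the guard page at the bottom of the stack and faults, which is a reliable crash rather than something an attacker can steer. Second, a re-entrancy guard alone only converts the recursion into iteration: with a restyle cycle that never converges (a very large `rounds`), the guarded model does not crash but loops for as long as the content keeps requesting restyles, so the actual fix has to make the restyle converge, not just flatten the call stack.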
Group: core-security
Summary: Crash [@ _chkstk] with binding, float, overflow:scroll and generated content → Stack-exhaustion crash with binding, float, overflow:scroll and generated content
Whiteboard: [needs owner]
Should be fixed by bug 507991.
Status: NEW → RESOLVED
Closed: 15 years ago
Flags: in-testsuite+
Resolution: --- → FIXED