Closed Bug 507119 Opened 11 years ago Closed 10 years ago

[HTML5] crash [@ nsCSSFrameConstructor::ConstructBlock] in GMail when clicking on email with attachment

Categories

(Core :: DOM: HTML Parser, defect, P3, critical)

x86
Windows Vista
defect

Tracking


RESOLVED WORKSFORME

People

(Reporter: geeknik, Assigned: xtc4uall)

Details

(Keywords: crash, regression, testcase, Whiteboard: [sg:dos stack exhaustion])

Attachments

(2 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2a1pre) Gecko/20090728 Minefield/3.6a1pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2a1pre) Gecko/20090728 Minefield/3.6a1pre

Clicking on an email w/ an attachment in Gmail crashes Minefield. Happens in safe mode as well, but when I toggle HTML5 off, it quits crashing.

http://crash-stats.mozilla.com/report/index/855db8dd-dbf2-4162-9f10-312fd2090729
http://crash-stats.mozilla.com/report/index/abea8825-2a44-452b-8318-c153b2090729
http://crash-stats.mozilla.com/report/index/b28ec29f-e803-4250-82fb-8d2092090729
http://crash-stats.mozilla.com/report/index/aec3b1af-3bf7-4a55-97c4-644d72090729
http://crash-stats.mozilla.com/report/index/131fd5a7-c580-4274-9696-a5d652090729

Reproducible: Always

Actual Results:  
Minefield crashes.

Expected Results:  
Minefield should not crash.

Vista 32bit SP2
Keywords: crash
Version: unspecified → Trunk
Signature	nsFrame::DidSetStyleContext(nsStyleContext*)
UUID	855db8dd-dbf2-4162-9f10-312fd2090729
Time 	2009-07-29 06:12:59.537598
Uptime	45326
Last Crash	238819 seconds before submission
Product	Firefox
Version	3.6a1pre
Build ID	20090728045737
Branch	1.9.2
OS	Windows NT
OS Version	6.0.6002 Service Pack 2
CPU	x86
CPU Info	GenuineIntel family 6 model 15 stepping 7
Crash Reason	EXCEPTION_STACK_OVERFLOW
Crash Address	0x670d1fe6
User Comments	
Processor Notes 	
Crashing Thread
Frame 	Module 	Signature 	Source
0 	xul.dll 	nsFrame::DidSetStyleContext(nsStyleContext*) 	layout/generic/nsFrame.cpp:522
1 	xul.dll 	nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&,nsStyleDisplay const*,nsIContent*,nsIFrame*,nsIFrame*,nsStyleContext*,nsIFrame**,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:10717


Frame 	Module 	Signature 	Source
0 	xul.dll 	nsRuleNode::WalkRuleTree(nsStyleStructID,nsStyleContext*,nsRuleData*,nsCSSStruct*) 	layout/style/nsRuleNode.cpp:1725
1 	xul.dll 	nsRuleNode::GetStyleData(nsStyleStructID,nsStyleContext*,int) 	layout/style/nsStyleStructList.h:89
2 	xul.dll 	nsRuleNode::WalkRuleTree(nsStyleStructID,nsStyleContext*,nsRuleData*,nsCSSStruct*) 	layout/style/nsRuleNode.cpp:1816
3 	xul.dll 	nsRuleNode::GetStyleText(nsStyleContext*,int) 	layout/style/nsStyleStructList.h:89
4 	xul.dll 	nsStyleContext::GetStyleText() 	layout/style/nsStyleStructList.h:89
5 	xul.dll 	xul.dll@0x3e6a54 	
6 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:9514
7 	xul.dll 	nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&,nsIContent*,nsStyleContext*,nsIFrame*,int,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:9627
8 	xul.dll 	nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&,nsStyleDisplay const*,nsIContent*,nsIFrame*,nsIFrame*,nsStyleContext*,nsIFrame**,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:10752
9 	xul.dll 	nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&,nsFrameConstructorState&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:3887
10 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList::Iterator&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:5575
11 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:9514
12 	xul.dll 	nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&,nsIContent*,nsStyleContext*,nsIFrame*,int,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:9627
13 	xul.dll 	nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&,nsStyleDisplay const*,nsIContent*,nsIFrame*,nsIFrame*,nsStyleContext*,nsIFrame**,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:10752
14 	xul.dll 	nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&,nsFrameConstructorState&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:3887
15 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList::Iterator&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:5575
16 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:9514
17 	xul.dll 	nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&,nsIContent*,nsStyleContext*,nsIFrame*,int,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:9627
18 	xul.dll 	nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&,nsStyleDisplay const*,nsIContent*,nsIFrame*,nsIFrame*,nsStyleContext*,nsIFrame**,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:10752
19 	xul.dll 	nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&,nsFrameConstructorState&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:3887
20 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList::Iterator&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:5575
21 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:9514
22 	xul.dll 	nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&,nsIContent*,nsStyleContext*,nsIFrame*,int,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:9627
23 	xul.dll 	nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&,nsStyleDisplay const*,nsIContent*,nsIFrame*,nsIFrame*,nsStyleContext*,nsIFrame**,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:10752
24 	xul.dll 	nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&,nsFrameConstructorState&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:3887
25 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList::Iterator&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:5575
26 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:9514
27 	xul.dll 	nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&,nsIContent*,nsStyleContext*,nsIFrame*,int,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:9627
28 	xul.dll 	nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&,nsStyleDisplay const*,nsIContent*,nsIFrame*,nsIFrame*,nsStyleContext*,nsIFrame**,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:10752
29 	xul.dll 	nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&,nsFrameConstructorState&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:3887
30 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList::Iterator&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:5575
31 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:9514
32 	xul.dll 	nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&,nsIContent*,nsStyleContext*,nsIFrame*,int,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:9627
33 	xul.dll 	nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&,nsStyleDisplay const*,nsIContent*,nsIFrame*,nsIFrame*,nsStyleContext*,nsIFrame**,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:10752
34 	xul.dll 	nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&,nsFrameConstructorState&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:3887
35 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList::Iterator&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:5575
36 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:9514
37 	xul.dll 	nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&,nsIContent*,nsStyleContext*,nsIFrame*,int,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:9627
38 	xul.dll 	nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&,nsStyleDisplay const*,nsIContent*,nsIFrame*,nsIFrame*,nsStyleContext*,nsIFrame**,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:10752
39 	xul.dll 	nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&,nsFrameConstructorState&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:3887
40 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList::Iterator&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:5575
41 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:9514
42 	xul.dll 	nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&,nsIContent*,nsStyleContext*,nsIFrame*,int,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:9627
43 	xul.dll 	nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&,nsStyleDisplay const*,nsIContent*,nsIFrame*,nsIFrame*,nsStyleContext*,nsIFrame**,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:10752
44 	xul.dll 	nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&,nsFrameConstructorState&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:3887
45 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList::Iterator&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:5575
46 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:9514
47 	xul.dll 	nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&,nsIContent*,nsStyleContext*,nsIFrame*,int,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:9627
48 	xul.dll 	nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&,nsStyleDisplay const*,nsIContent*,nsIFrame*,nsIFrame*,nsStyleContext*,nsIFrame**,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:10752
49 	xul.dll 	nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&,nsFrameConstructorState&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:3887
50 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList::Iterator&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:5575
51 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:9514
52 	xul.dll 	nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&,nsIContent*,nsStyleContext*,nsIFrame*,int,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:9627
53 	xul.dll 	nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&,nsStyleDisplay const*,nsIContent*,nsIFrame*,nsIFrame*,nsStyleContext*,nsIFrame**,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:10752
54 	xul.dll 	nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&,nsFrameConstructorState&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:3887
55 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList::Iterator&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:5575
56 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:9514
57 	xul.dll 	nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&,nsIContent*,nsStyleContext*,nsIFrame*,int,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:9627
58 	xul.dll 	nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&,nsStyleDisplay const*,nsIContent*,nsIFrame*,nsIFrame*,nsStyleContext*,nsIFrame**,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:10752
59 	xul.dll 	nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&,nsFrameConstructorState&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:3887
60 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList::Iterator&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:5575
61 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:9514
62 	xul.dll 	nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&,nsIContent*,nsStyleContext*,nsIFrame*,int,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:9627
63 	xul.dll 	nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&,nsStyleDisplay const*,nsIContent*,nsIFrame*,nsIFrame*,nsStyleContext*,nsIFrame**,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:10752
64 	xul.dll 	nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&,nsFrameConstructorState&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:3887
65 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList::Iterator&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:5575
66 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:9514
67 	xul.dll 	nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&,nsIContent*,nsStyleContext*,nsIFrame*,int,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:9627
68 	xul.dll 	nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&,nsStyleDisplay const*,nsIContent*,nsIFrame*,nsIFrame*,nsStyleContext*,nsIFrame**,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:10752
69 	xul.dll 	nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&,nsFrameConstructorState&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:3887
70 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList::Iterator&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:5575
71 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:9514
72 	xul.dll 	nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&,nsIContent*,nsStyleContext*,nsIFrame*,int,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:9627
73 	xul.dll 	nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&,nsStyleDisplay const*,nsIContent*,nsIFrame*,nsIFrame*,nsStyleContext*,nsIFrame**,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:10752
74 	xul.dll 	nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&,nsFrameConstructorState&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:3887
75 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList::Iterator&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:5575
76 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:9514
77 	xul.dll 	nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&,nsIContent*,nsStyleContext*,nsIFrame*,int,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:9627
78 	xul.dll 	nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&,nsStyleDisplay const*,nsIContent*,nsIFrame*,nsIFrame*,nsStyleContext*,nsIFrame**,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:10752
79 	xul.dll 	nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&,nsFrameConstructorState&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:3887
80 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList::Iterator&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:5575
81 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:9514
82 	xul.dll 	nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&,nsIContent*,nsStyleContext*,nsIFrame*,int,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:9627
83 	xul.dll 	nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&,nsStyleDisplay const*,nsIContent*,nsIFrame*,nsIFrame*,nsStyleContext*,nsIFrame**,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:10752
84 	xul.dll 	nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&,nsFrameConstructorState&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:3887
85 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList::Iterator&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:5575
86 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:9514
87 	xul.dll 	nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&,nsIContent*,nsStyleContext*,nsIFrame*,int,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:9627
88 	xul.dll 	nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&,nsStyleDisplay const*,nsIContent*,nsIFrame*,nsIFrame*,nsStyleContext*,nsIFrame**,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:10752
89 	xul.dll 	nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&,nsFrameConstructorState&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:3887
90 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList::Iterator&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:5575
91 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:9514
92 	xul.dll 	nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&,nsIContent*,nsStyleContext*,nsIFrame*,int,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:9627
93 	xul.dll 	nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&,nsStyleDisplay const*,nsIContent*,nsIFrame*,nsIFrame*,nsStyleContext*,nsIFrame**,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:10752
94 	xul.dll 	nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&,nsFrameConstructorState&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:3887
95 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList::Iterator&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:5575
96 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:9514
97 	xul.dll 	nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&,nsIContent*,nsStyleContext*,nsIFrame*,int,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:9627
98 	xul.dll 	nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&,nsStyleDisplay const*,nsIContent*,nsIFrame*,nsIFrame*,nsStyleContext*,nsIFrame**,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:10752
99 	xul.dll 	nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&,nsFrameConstructorState&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:3887
100 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList::Iterator&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:5575
4578 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList::Iterator&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:5575
4579 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:9514
4580 	xul.dll 	nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&,nsIContent*,nsStyleContext*,nsIFrame*,int,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:9627
4581 	xul.dll 	nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&,nsStyleDisplay const*,nsIContent*,nsIFrame*,nsIFrame*,nsStyleContext*,nsIFrame**,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:10752
4582 	xul.dll 	nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&,nsFrameConstructorState&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:3887
4583 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList::Iterator&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:5575
4584 	xul.dll 	nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList&,nsIFrame*,nsFrameItems&) 	layout/base/nsCSSFrameConstructor.cpp:9514
4585 	xul.dll 	nsCSSFrameConstructor::ContentInserted(nsIContent*,nsIContent*,int,nsILayoutHistoryState*) 	layout/base/nsCSSFrameConstructor.cpp:6798
4586 	xul.dll 	nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*) 	layout/base/nsCSSFrameConstructor.cpp:9136
4587 	xul.dll 	xul.dll@0x3c589e


Signature	CSSStyleRuleImpl::MapRuleInfoInto(nsRuleData*)
UUID	131fd5a7-c580-4274-9696-a5d652090729
Time 	2009-07-29 06:21:55.397914
Uptime	24
Last Crash	163 seconds before submission
Product	Firefox
Version	3.6a1pre
Build ID	20090728045737
Branch	1.9.2
OS	Windows NT
OS Version	6.0.6002 Service Pack 2
CPU	x86
CPU Info	GenuineIntel family 6 model 15 stepping 7
Crash Reason	EXCEPTION_STACK_OVERFLOW
Crash Address	0x62db9d5f
User Comments	
Processor Notes 	
Crashing Thread
Frame 	Module 	Signature 	Source
0 	xul.dll 	CSSStyleRuleImpl::MapRuleInfoInto(nsRuleData*) 	layout/style/nsCSSStyleRule.cpp:1454
1 	xul.dll 	nsRuleNode::WalkRuleTree(nsStyleStructID,nsStyleContext*,nsRuleData*,nsCSSStruct*) 	layout/style/nsRuleNode.cpp:1725
2 	xul.dll 	nsFrame::DidSetStyleContext(nsStyleContext*) 	layout/generic/nsFrame.cpp:564
3 	xul.dll 	nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&,nsStyleDisplay const*,nsIContent*,nsIFrame*,nsIFrame*,nsStyleContext*,nsIFrame**,nsFrameItems&,int) 	layout/base/nsCSSFrameConstructor.cpp:10717
Product: Firefox → Core
QA Contact: general → general
Summary: [HTML5] Minefield crashes when clicking on email w/ attachment in Gmail. → [HTML5] crash [@ nsCSSFrameConstructor::ConstructBlock] in GMail when clicking on email with attachment
Any special type of attachment?
I fail to reproduce it ...
It was a jpeg attachment. I will zip up the email source code and attach it here. The HTML code is a disaster.
It's spam from a for sale ad I posted on craigslist so it's not like it's important, but if there is something malformed in the email that will cause a crash on demand, that's a problem.
OK, the crashing started within
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ca23d3b5a999&tochange=643cdff78555
=> landing of Bug 487949
I guess a more reduced testcase is wanted ...
Status: UNCONFIRMED → NEW
Component: General → HTML: Parser
Ever confirmed: true
QA Contact: general → parser
Looks like infinite recursion so not exploitable. Are we somehow creating a cyclic DOM tree?
Priority: -- → P3
Do you still see this crash?
I just re-checked the attachment. When I open the HTML inside the zip file, I get the "Minefield has stopped responding..." pop-up (no crash reporter) and I have to restart Minefield. However, if I toggle HTML5 = false, everything is fine.
Attached file reduced testcase
After digging into this, here's my reduced testcase.

For me, 554 lines with
<div style="font-family:verdana, helvetica, sans-serif;font-size:8pt">
crash (you may have to reload the testcase after dragging it into a tab), while with 553 lines there's no crash.

A recent crash report with yesterday's trunk build + the above reduced testcase:
bp-d62ca246-9040-4c6d-a0bb-52fe12100131
The difference in the produced content tree is that after about 200 nested divs (perhaps it needs to be nested divs with no proper closing tags) the old parser stops nesting them and instead makes them siblings. There are two places in the old parser that use the magic number "200":

http://mxr.mozilla.org/mozilla-central/source/parser/htmlparser/src/nsHTMLTokenizer.cpp#382
http://mxr.mozilla.org/mozilla-central/source/parser/htmlparser/public/nsIHTMLContentSink.h#90
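The behaviour described in the comment above (nesting stops at a fixed depth and further start tags become siblings) as an added illustration, not Gecko's code: a minimal start/end-tag tokenizer and tree builder in Python with an optional nesting cap. The cap value 200 is the one the comment attributes to the old parser; the generator reproduces the shape of the reduced testcase from comment 11 (N unclosed `<div style="...">` start tags) and can also emit the few hundred `<font>` start tags that comment 23 proposes for a crashtest. The function names, the `Node` type and the simplified tokenizer rules are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Nesting cap this bug attributes to the old Gecko parser (the "magic number 200"
# in nsHTMLTokenizer.cpp and nsIHTMLContentSink.h). The number comes from the bug;
# everything else in this file is an illustration, not Gecko's implementation.
MAX_DEPTH = 200

# Constructed attribute string: the one from the reduced testcase in comment 11.
TESTCASE_STYLE = "font-family:verdana, helvetica, sans-serif;font-size:8pt"


@dataclass
class Node:
    tag: str
    children: list = field(default_factory=list)


# Simplified tokenizer: start and end tags only; text, comments and self-closing
# syntax are ignored, which is enough for the nested-start-tag case discussed here.
_TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>")


def tokenize(html):
    """Yield ("start" | "end", tagname) for each tag in document order."""
    for m in _TAG_RE.finditer(html):
        yield ("end" if m.group(1) else "start", m.group(2).lower())


def build_tree(html, max_depth=None):
    """Build an element tree from start/end tags.

    Without max_depth every start tag nests under the current open element, so
    N unclosed start tags give a chain N deep. With max_depth, a start tag that
    would open element number max_depth+1 is instead placed as a sibling of the
    deepest open element (comment 12's description of the old parser), so the
    tree never grows deeper than max_depth.
    """
    root = Node("#document")
    stack = [root]          # root plus the currently open elements
    for kind, tag in tokenize(html):
        if kind == "start":
            node = Node(tag)
            if max_depth is not None and len(stack) - 1 >= max_depth:
                stack[-2].children.append(node)   # sibling of the deepest open element
                stack[-1] = node                  # it replaces that element as "current"
            else:
                stack[-1].children.append(node)
                stack.append(node)
        else:
            # Close the nearest open element with this name; stray end tags are ignored.
            for i in range(len(stack) - 1, 0, -1):
                if stack[i].tag == tag:
                    del stack[i:]
                    break
    return root


def tree_depth(root):
    """Depth of the deepest element, computed iteratively so the measurement
    itself cannot run out of stack on a deep tree."""
    deepest, work = 0, [(root, 0)]
    while work:
        node, depth = work.pop()
        deepest = max(deepest, depth)
        work.extend((child, depth + 1) for child in node.children)
    return deepest


def nested_start_tags(n, tag="div", attrs=f'style="{TESTCASE_STYLE}"'):
    """Constructed input in the shape of the reduced testcase: n start tags, none closed.
    tag="font" gives the <font> variant proposed for the crashtest."""
    return "\n".join(f"<{tag} {attrs}>" for _ in range(n))


if __name__ == "__main__":
    html = nested_start_tags(554)
    print(tree_depth(build_tree(html)))             # 554: every div nests one deeper
    print(tree_depth(build_tree(html, MAX_DEPTH)))  # 200: divs 201-554 become siblings
```

Nothing overflows here because the tree is built and measured iteratively; the point is the depth number. Without the cap the depth equals the number of unclosed start tags, which is how deep a frame constructor that recurses once per element (the ConstructBlock / ProcessChildren cycle in the stacks above) has to go. With the cap the depth stops at 200 and the remaining divs land as siblings under the 199th. As the later comments note, this is a parser-side limit only: script building the same tree through DOM APIs is not subject to it.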
Uh... does the new parser not do any tree-depth-limiting at all?  It needs to do it.
And we should have had regression tests for this, ideally, since it's been a problem in the past...
(In reply to comment #13)
> Uh... does the new parser not do any tree-depth-limiting at all?

It doesn't.

> It needs to do it.

Yeah. It needs to gain other DoS mitigation limits, too.

What happens if a script tries to create a deeply-nested tree using the DOM APIs?
I know that comment #7 said that this wasn't exploitable, but it is now starting to look like this is something that could be exploited. Maybe we should CC the security team on this one?
> What happens if a script tries to create a deeply-nested tree using the DOM
> APIs?

Afaik we run out of stack and crash.  The depth-limiting in the parser is to protect against incompetence, not malice.  See bug 323394.

Brian, what makes you think this can be exploited, exactly?  It's a duplicate of bug 323394 except insofar as the new parser makes it more likely that websites will accidentally hit that bug due to common HTML coding errors...
Could I not craft an html e-mail using the attachment as a starting point to mass crash Firefox browsers? Or put it on a web page? I guess it's not as bad as a buffer overflow being used to run arbitrary code on a user's computer, but a denial of service attack using malformed html that the parser doesn't like which causes a crash is still a denial of service attack. :)
Quoting from a previous comment of mine regarding denial of service bugs and treating them as security bugs (bug 538035 comment 15, currently hidden, perhaps no longer needs to be but I won't push it):

> But, denial of service in the browser, if that's all that's present, is not
> considered a security issue in and of itself.  There are a million different
> ways to crash the browser, and choosing to escalate the priority of a game
> of whack-a-mole against deliberate attempts to do so doesn't make much sense. 
> Users will stop visiting sites that make such deliberate attempts; it's a
> self-limiting problem.  Better to spend time on the crashes encountered by
> well-behaving sites.  DoS bugs can be frustrating, to be sure, but it's not
> productive to treat them as security issues.
> Could I not craft an html e-mail using the attachment as a starting point to
> mass crash Firefox browsers?

Not if we fix this bug before shipping the HTML5 parser enabled by default, no.

> Or put it on a web page?

If the web page can run script, then yes per my answer to comment 15.

> still a denial of service attack

Yes, but it doesn't need to be security-sensitive.
Depends on: 483209
Whiteboard: [sg:dos stack exhaustion]
I landed a patch that added the good old stack limit of 200 to the HTML5 parser. Worth re-testing in tomorrow's Windows nightly.
Actually, I'm not able to reproduce the crashes either with my testcase of comment 11 or the site mentioned in Bug 542268 comment 4, even with yesterday's nightly (Built from http://hg.mozilla.org/mozilla-central/rev/050887c64183) (HTML5 parser on, new profile, hammering ctrl+f5).

Could this have been "fixed" by one of your other checkins?
Worth finding a progression range?
Or should other testcases be created to be able to verify Bug 483209's positive effects?
(In reply to comment #22)
> Actually, I'm not able to reproduce the crashes either with my testcase of
> comment 11 or the site mentioned in Bug 542268 comment 4, even with yesterday's
> nightly (Built from http://hg.mozilla.org/mozilla-central/rev/050887c64183)
> (HTML5 parser on, new profile, hammering ctrl+f5).

Excellent. Thanks! Marking this fixed.

> Could this have been "fixed" by one of your other checkins?
> Worth finding a progression range?

That's odd, but probably not worth finding a regression range to explain.

> Or should other testcases be created to be able to verify Bug 483209's positive
> effects?

I guess it would be proper to land a crashtest with a few hundred <font> start tags and another with a few hundred <div> start tags.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
(Sorry, we usually use WFM when we're not sure what fixed a bug).

Yes, please definitely land a crashtest, especially if we don't know what fixed it since it could be something unrelated to the HTML5 parser and so we won't know if it'll get changed back again.
Resolution: FIXED → WORKSFORME
(In reply to comment #19)
> Quoting from a previous comment of mine regarding denial of service bugs and
> treating them as security bugs (bug 538035 comment 15, currently hidden,
> perhaps no longer needs to be but I won't push it):

I mistyped the bug number -- that should have been bug 538085 comment 15.  :-(
Crash Signature: [@ nsCSSFrameConstructor::ConstructBlock]
Crash test:
https://hg.mozilla.org/integration/mozilla-inbound/rev/7d1a06fb39bd
Flags: in-testsuite? → in-testsuite+