Closed Bug 551987 Opened 14 years ago Closed 2 years ago

Crash [@ nsAttrAndChildArray::IndexOfAttr] with tree and filter

Categories

(Core :: Layout, defect)

x86
Windows 7
defect

RESOLVED WORKSFORME

People

(Reporter: martijn.martijn, Unassigned)

References

Details

(Keywords: crash, testcase, Whiteboard: [sg:dos recursion])

Crash Data

Attachments

(3 files)

321 bytes, application/vnd.mozilla.xul+xml
Details
340 bytes, application/vnd.mozilla.xul+xml
Details
274 bytes, application/vnd.mozilla.xul+xml
Details
Attached file testcase
See testcase, which crashes current trunk build on load.
It also crashes Firefox 3.6, so marking security sensitive for now.

Stack from a debug build:
>	xul.dll!nsAttrAndChildArray::IndexOfAttr(nsIAtom * aLocalName=0x00b05858, int aNamespaceID=0)  Line 534 + 0x6 bytes	C++
 	xul.dll!nsGenericElement::GetAttrInfo(int aNamespaceID=0, nsIAtom * aName=0x00b05858)  Line 4500 + 0x13 bytes	C++
 	xul.dll!nsXULElement::GetAttrInfo(int aNamespaceID=0, nsIAtom * aName=0x00b05858)  Line 2214	C++
 	xul.dll!nsXULElement::FindLocalOrProtoAttr(int aNameSpaceID=0, nsIAtom * aName=0x00b05858)  Line 635 + 0x14 bytes	C++
 	xul.dll!nsXULElement::GetAttr(int aNameSpaceID=0, nsIAtom * aName=0x00b05858, nsAString_internal & aResult={...})  Line 1192 + 0x10 bytes	C++
 	xul.dll!nsIFrame::AddCSSMinSize(nsBoxLayoutState & aState={...}, nsIFrame * aBox=0x0bb6b448, nsSize & aSize={...})  Line 776	C++
 	xul.dll!nsTreeBodyFrame::GetMinSize(nsBoxLayoutState & aBoxLayoutState={...})  Line 253 + 0x14 bytes	C++
 	xul.dll!nsBox::GetPrefSize(nsBoxLayoutState & aState={...})  Line 458	C++
 	xul.dll!nsLeafBoxFrame::GetPrefSize(nsBoxLayoutState & aState={...})  Line 387 + 0x10 bytes	C++
 	xul.dll!nsSprocketLayout::PopulateBoxSizes(nsIFrame * aBox=0x0bb6b258, nsBoxLayoutState & aState={...}, nsBoxSize * & aBoxSizes=0x00000000, int & aMinSize=0, int & aMaxSize=1073741824, int & aFlexes=0)  Line 783 + 0x18 bytes	C++
 	xul.dll!nsSprocketLayout::Layout(nsIFrame * aBox=0x0bb6b258, nsBoxLayoutState & aState={...})  Line 252	C++
 	xul.dll!nsBoxFrame::DoLayout(nsBoxLayoutState & aState={...})  Line 938 + 0x24 bytes	C++
 	xul.dll!nsIFrame::Layout(nsBoxLayoutState & aState={...})  Line 550	C++
 	xul.dll!nsSprocketLayout::Layout(nsIFrame * aBox=0x0bb6afc8, nsBoxLayoutState & aState={...})  Line 525	C++
 	xul.dll!nsBoxFrame::DoLayout(nsBoxLayoutState & aState={...})  Line 938 + 0x24 bytes	C++
 	xul.dll!nsIFrame::Layout(nsBoxLayoutState & aState={...})  Line 550	C++
 	xul.dll!nsStackLayout::Layout(nsIFrame * aBox=0x0bb6aad8, nsBoxLayoutState & aState={...})  Line 345	C++
 	xul.dll!nsBoxFrame::DoLayout(nsBoxLayoutState & aState={...})  Line 938 + 0x24 bytes	C++
 	xul.dll!nsIFrame::Layout(nsBoxLayoutState & aState={...})  Line 550	C++
 	xul.dll!nsSprocketLayout::Layout(nsIFrame * aBox=0x0ba73cd0, nsBoxLayoutState & aState={...})  Line 525	C++
 	xul.dll!nsBoxFrame::DoLayout(nsBoxLayoutState & aState={...})  Line 938 + 0x24 bytes	C++
 	xul.dll!nsIFrame::Layout(nsBoxLayoutState & aState={...})  Line 550	C++
 	xul.dll!nsXULScrollFrame::LayoutScrollArea(nsBoxLayoutState & aState={...}, const nsPoint & aScrollPosition={...})  Line 2536	C++
 	xul.dll!nsXULScrollFrame::Layout(nsBoxLayoutState & aState={...})  Line 2712	C++
 	xul.dll!nsXULScrollFrame::DoLayout(nsBoxLayoutState & aState={...})  Line 1182 + 0xc bytes	C++
 	xul.dll!nsIFrame::Layout(nsBoxLayoutState & aState={...})  Line 550	C++
 	xul.dll!nsSprocketLayout::Layout(nsIFrame * aBox=0x09e789d0, nsBoxLayoutState & aState={...})  Line 525	C++
 	xul.dll!nsBoxFrame::DoLayout(nsBoxLayoutState & aState={...})  Line 938 + 0x24 bytes	C++
 	xul.dll!nsIFrame::Layout(nsBoxLayoutState & aState={...})  Line 550	C++
 	xul.dll!nsSprocketLayout::Layout(nsIFrame * aBox=0x09e78120, nsBoxLayoutState & aState={...})  Line 525	C++
 	xul.dll!nsBoxFrame::DoLayout(nsBoxLayoutState & aState={...})  Line 938 + 0x24 bytes	C++
 	xul.dll!nsIFrame::Layout(nsBoxLayoutState & aState={...})  Line 550	C++
 	xul.dll!nsStackLayout::Layout(nsIFrame * aBox=0x09e78040, nsBoxLayoutState & aState={...})  Line 345	C++
 	xul.dll!nsBoxFrame::DoLayout(nsBoxLayoutState & aState={...})  Line 938 + 0x24 bytes	C++
 	xul.dll!nsIFrame::Layout(nsBoxLayoutState & aState={...})  Line 550	C++
 	xul.dll!nsBoxFrame::Reflow(nsPresContext * aPresContext=0x09a5ae08, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0)  Line 753	C++
 	xul.dll!nsRootBoxFrame::Reflow(nsPresContext * aPresContext=0x09a5ae08, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0)  Line 237	C++
 	xul.dll!nsContainerFrame::ReflowChild(nsIFrame * aKidFrame=0x09e78040, nsPresContext * aPresContext=0x09a5ae08, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, int aX=0, int aY=0, unsigned int aFlags=0, unsigned int & aStatus=0, nsOverflowContinuationTracker * aTracker=0x00000000)  Line 756 + 0x21 bytes	C++
 	xul.dll!ViewportFrame::Reflow(nsPresContext * aPresContext=0x09a5ae08, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0)  Line 285 + 0x2d bytes	C++
 	xul.dll!PresShell::DoReflow(nsIFrame * target=0x039e0da0, int aInterruptible=0)  Line 7346	C++
 	xul.dll!PresShell::ProcessReflowCommands(int aInterruptible=0)  Line 7469 + 0x10 bytes	C++
 	xul.dll!PresShell::FlushPendingNotifications(mozFlushType aType=Flush_Layout)  Line 4800 + 0x12 bytes	C++
 	xul.dll!PresShell::HandlePostedReflowCallbacks(int aInterruptible=0)  Line 4692	C++
 	xul.dll!PresShell::DidDoReflow(int aInterruptible=0)  Line 7221	C++
 	xul.dll!PresShell::ProcessReflowCommands(int aInterruptible=0)  Line 7485	C++
 	xul.dll!PresShell::FlushPendingNotifications(mozFlushType aType=Flush_Layout)  Line 4800 + 0x12 bytes	C++
 	xul.dll!PresShell::HandlePostedReflowCallbacks(int aInterruptible=0)  Line 4692	C++
 	xul.dll!PresShell::DidDoReflow(int aInterruptible=0)  Line 7221	C++
 	xul.dll!PresShell::ProcessReflowCommands(int aInterruptible=0)  Line 7485	C++
 	xul.dll!PresShell::FlushPendingNotifications(mozFlushType aType=Flush_Layout)  Line 4800 + 0x12 bytes	C++
 	xul.dll!PresShell::HandlePostedReflowCallbacks(int aInterruptible=0)  Line 4692	C++
etc...
This is an infinite-recursion stack overflow.  Probably not security-sensitive.  Relevant part of the stack:

#524 0x00007ffff602eedb in PresShell::FlushPendingNotifications (this=
    0x7fffdd3cec00, aType=Flush_Layout)
    at ../../../mozilla/layout/base/nsPresShell.cpp:4800
#525 0x00007ffff602eb2f in PresShell::HandlePostedReflowCallbacks (this=
    0x7fffdd3cec00, aInterruptible=0)
    at ../../../mozilla/layout/base/nsPresShell.cpp:4691
#526 0x00007ffff60378ca in PresShell::DidDoReflow (this=0x7fffdd3cec00, 
    aInterruptible=0) at ../../../mozilla/layout/base/nsPresShell.cpp:7218
#527 0x00007ffff60387e1 in PresShell::ProcessReflowCommands (this=0x7fffdd3cec00, 
    aInterruptible=0) at ../../../mozilla/layout/base/nsPresShell.cpp:7481
#528 0x00007ffff602eedb in PresShell::FlushPendingNotifications (this=
    0x7fffdd3cec00, aType=Flush_Layout)
    at ../../../mozilla/layout/base/nsPresShell.cpp:4800

Timothy was looking into something similar recently, iirc.
Bug 550306 has a similar infinite flush-reflow-reflow callback-flush loop for XUL listboxes. Both are now on my list of things to look into.
Whiteboard: [sg:dos]
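Triaging a recursion crash like the one above comes down to finding the frames that repeat in the stack. The script below is an added example, not code from this bug or from Mozilla: it extracts function names from the three stack formats pasted into this bug (Visual Studio debugger, gdb, crash-stats) and reports the shortest frame sequence that repeats back-to-back, with a threshold so that ordinary nested box layout (Layout -> DoLayout -> Layout a few levels deep) is not reported as runaway recursion. The sample stacks in it are constructed from the frame names quoted in this bug; frame numbers, addresses and argument values in the constructed gdb sample are made up.

```python
"""Added triage helper (not Mozilla code): pull function names out of a pasted
crash stack and look for a cycle of frames repeating back-to-back, which is
the signature of the unbounded flush -> reflow -> callback -> flush recursion
behind this stack-overflow crash."""
import re
from typing import List, Optional, Tuple

# One extractor per stack format quoted in the bug:
#   Visual Studio debugger:  ">  xul.dll!Class::Method(args)  Line 534 + ..."
#   gdb backtrace:           "#524 0x... in Class::Method (this=...) at file:line"
#   crash-stats table:       "0  xul.dll  Class::Method  layout/file.cpp:1647"
FRAME_PATTERNS = [
    re.compile(r"^\s*>?\s*[\w.]+!([\w:~<>]+)\("),
    re.compile(r"^#\d+\s+(?:0x[0-9a-fA-F]+\s+in\s+)?([\w:~<>]+)\s*\("),
    re.compile(r"^\d+\s+[\w.]+\s+([\w:~<>]+)\s+\S+:\d+"),
]

# The four PresShell frames that loop in the bug's stacks, innermost first.
CYCLE = [
    "PresShell::FlushPendingNotifications",
    "PresShell::HandlePostedReflowCallbacks",
    "PresShell::DidDoReflow",
    "PresShell::ProcessReflowCommands",
]


def frame_names(stack_text: str) -> List[str]:
    """Return function names innermost-first; gdb continuation lines and any
    non-frame text (such as the trailing 'etc...') are skipped."""
    names = []
    for line in stack_text.splitlines():
        for pattern in FRAME_PATTERNS:
            match = pattern.match(line)
            if match:
                names.append(match.group(1))
                break
    return names


def find_cycle(frames: List[str], min_repeats: int = 3
               ) -> Optional[Tuple[int, List[str], int]]:
    """Shortest frame sequence that repeats back-to-back at least min_repeats
    times, as (start_index, cycle, repeats); None if there is none.

    Ordinary nested box layout also repeats frame triples a couple of times
    (Layout -> DoLayout -> Layout for each level of boxes), so the threshold
    keeps legitimate depth from being reported as runaway recursion."""
    n = len(frames)
    for period in range(1, n // min_repeats + 1):
        for start in range(0, n - period * min_repeats + 1):
            unit = frames[start:start + period]
            repeats = 1
            while frames[start + repeats * period:
                         start + (repeats + 1) * period] == unit:
                repeats += 1
            if repeats >= min_repeats:
                return start, unit, repeats
    return None


def triage(stack_text: str, min_repeats: int = 3) -> str:
    """One-line verdict for a pasted stack."""
    frames = frame_names(stack_text)
    hit = find_cycle(frames, min_repeats)
    if hit is None:
        return f"{len(frames)} frames, no sequence repeated {min_repeats}+ times"
    start, cycle, repeats = hit
    return (f"{len(frames)} frames; {len(cycle)}-frame cycle from frame {start}, "
            f"repeated {repeats} times: " + " -> ".join(cycle))


def constructed_gdb_stack(turns: int) -> str:
    """Constructed gdb-style backtrace: the two innermost frames of the bug's
    first stack, then the PresShell loop repeated `turns` times. Frame
    numbers, addresses and argument values are made up."""
    lines = [
        "#0  0x00007ffff5a00000 in nsAttrAndChildArray::IndexOfAttr (this=0x1, aNamespaceID=0)",
        "#1  0x00007ffff5a00100 in nsGenericElement::GetAttrInfo (this=0x1, aNamespaceID=0)",
    ]
    for i in range(turns * len(CYCLE)):
        lines.append(f"#{i + 2} 0x00007ffff6000000 in {CYCLE[i % len(CYCLE)]} (this=")
        lines.append("    0x7fffdd3cec00, aInterruptible=0)")
        lines.append("    at ../../../mozilla/layout/base/nsPresShell.cpp:4800")
    lines.append("etc...")
    return "\n".join(lines)


# Two frames of the Visual Studio stack and two of the crash-stats table
# quoted in the bug, to show that the same extractor handles all three formats.
VS_SAMPLE = """\
>   xul.dll!nsAttrAndChildArray::IndexOfAttr(nsIAtom * aLocalName=0x00b05858, int aNamespaceID=0)  Line 534 + 0x6 bytes  C++
    xul.dll!nsGenericElement::GetAttrInfo(int aNamespaceID=0, nsIAtom * aName=0x00b05858)  Line 4500 + 0x13 bytes  C++
"""
CRASHSTATS_SAMPLE = """\
0   xul.dll   nsLayoutUtils::GetFontMetricsForStyleContext   layout/base/nsLayoutUtils.cpp:1647
1   xul.dll   ComputeLineHeight   layout/generic/nsHTMLReflowState.cpp:2124
"""

if __name__ == "__main__":
    print(triage(constructed_gdb_stack(turns=3)))
    print(triage(VS_SAMPLE + CRASHSTATS_SAMPLE))
```

Run against a full pasted stack, the verdict names the loop (FlushPendingNotifications -> HandlePostedReflowCallbacks -> DidDoReflow -> ProcessReflowCommands) and how many turns it made before the stack ran out; a stack with no such cycle, like the GetFontMetricsForStyleContext crash in testcase2's report, comes back with no cycle and has to be read by hand.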
Attached file testcase2
http://crash-stats.mozilla.com/report/index/78a3beaf-5f9c-4fb3-a63f-7cba52100315
0  	xul.dll  	nsLayoutUtils::GetFontMetricsForStyleContext  	 layout/base/nsLayoutUtils.cpp:1647
1 	xul.dll 	ComputeLineHeight 	layout/generic/nsHTMLReflowState.cpp:2124
2 	xul.dll 	nsBlockReflowState::nsBlockReflowState 	layout/generic/nsBlockReflowState.cpp:144
3 	xul.dll 	nsBlockFrame::Reflow 	layout/generic/nsBlockFrame.cpp:948
4 	xul.dll 	nsFrame::BoxReflow 	layout/generic/nsFrame.cpp:6562
5 	xul.dll 	nsFrame::DoLayout 	layout/generic/nsFrame.cpp:6337
6 	xul.dll 	nsIFrame::Layout 	layout/xul/base/src/nsBox.cpp:548
7 	xul.dll 	nsSprocketLayout::Layout 	layout/xul/base/src/nsSprocketLayout.cpp:521
8 	xul.dll 	nsBoxFrame::DoLayout 	layout/xul/base/src/nsBoxFrame.cpp:938
9 	xul.dll 	nsIFrame::Layout 	layout/xul/base/src/nsBox.cpp:548
10 	xul.dll 	nsSprocketLayout::Layout 	layout/xul/base/src/nsSprocketLayout.cpp:521
etc...
Crash Signature: [@ nsAttrAndChildArray::IndexOfAttr]
Group: core-security
Whiteboard: [sg:dos] → [sg:dos recursion]
The testcases are still crashing in current trunk build.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Depends on: 1403656
Severity: critical → S2

I think this is WORKSFORME. No crashes when loading the attached XUL files, locally saved and renamed to .xhtml (which I think [?] is required and should be sufficient to make them load, with dom.allow_XUL_XBL_for_file set to true).

Status: REOPENED → RESOLVED
Closed: 7 years ago → 2 years ago
Resolution: --- → WORKSFORME