Bug 551987 - Crash [@ nsAttrAndChildArray::IndexOfAttr] with tree and filter
Status: RESOLVED WORKSFORME (Closed)
Opened 14 years ago, closed 2 years ago
Product/Component: Core :: Layout (defect)
Reporter: martijn.martijn; Assignee: Unassigned
Keywords: crash, testcase
Whiteboard: [sg:dos recursion]
Attachments: 3 files
See testcase, which crashes current trunk build on load.
It also crashes Firefox3.6, so marking security sensitive for now.
Stack from a debug build:
xul.dll!nsAttrAndChildArray::IndexOfAttr(nsIAtom * aLocalName=0x00b05858, int aNamespaceID=0) Line 534 + 0x6 bytes C++
xul.dll!nsGenericElement::GetAttrInfo(int aNamespaceID=0, nsIAtom * aName=0x00b05858) Line 4500 + 0x13 bytes C++
xul.dll!nsXULElement::GetAttrInfo(int aNamespaceID=0, nsIAtom * aName=0x00b05858) Line 2214 C++
xul.dll!nsXULElement::FindLocalOrProtoAttr(int aNameSpaceID=0, nsIAtom * aName=0x00b05858) Line 635 + 0x14 bytes C++
xul.dll!nsXULElement::GetAttr(int aNameSpaceID=0, nsIAtom * aName=0x00b05858, nsAString_internal & aResult={...}) Line 1192 + 0x10 bytes C++
xul.dll!nsIFrame::AddCSSMinSize(nsBoxLayoutState & aState={...}, nsIFrame * aBox=0x0bb6b448, nsSize & aSize={...}) Line 776 C++
xul.dll!nsTreeBodyFrame::GetMinSize(nsBoxLayoutState & aBoxLayoutState={...}) Line 253 + 0x14 bytes C++
xul.dll!nsBox::GetPrefSize(nsBoxLayoutState & aState={...}) Line 458 C++
xul.dll!nsLeafBoxFrame::GetPrefSize(nsBoxLayoutState & aState={...}) Line 387 + 0x10 bytes C++
xul.dll!nsSprocketLayout::PopulateBoxSizes(nsIFrame * aBox=0x0bb6b258, nsBoxLayoutState & aState={...}, nsBoxSize * & aBoxSizes=0x00000000, int & aMinSize=0, int & aMaxSize=1073741824, int & aFlexes=0) Line 783 + 0x18 bytes C++
xul.dll!nsSprocketLayout::Layout(nsIFrame * aBox=0x0bb6b258, nsBoxLayoutState & aState={...}) Line 252 C++
xul.dll!nsBoxFrame::DoLayout(nsBoxLayoutState & aState={...}) Line 938 + 0x24 bytes C++
xul.dll!nsIFrame::Layout(nsBoxLayoutState & aState={...}) Line 550 C++
xul.dll!nsSprocketLayout::Layout(nsIFrame * aBox=0x0bb6afc8, nsBoxLayoutState & aState={...}) Line 525 C++
xul.dll!nsBoxFrame::DoLayout(nsBoxLayoutState & aState={...}) Line 938 + 0x24 bytes C++
xul.dll!nsIFrame::Layout(nsBoxLayoutState & aState={...}) Line 550 C++
xul.dll!nsStackLayout::Layout(nsIFrame * aBox=0x0bb6aad8, nsBoxLayoutState & aState={...}) Line 345 C++
xul.dll!nsBoxFrame::DoLayout(nsBoxLayoutState & aState={...}) Line 938 + 0x24 bytes C++
xul.dll!nsIFrame::Layout(nsBoxLayoutState & aState={...}) Line 550 C++
xul.dll!nsSprocketLayout::Layout(nsIFrame * aBox=0x0ba73cd0, nsBoxLayoutState & aState={...}) Line 525 C++
xul.dll!nsBoxFrame::DoLayout(nsBoxLayoutState & aState={...}) Line 938 + 0x24 bytes C++
xul.dll!nsIFrame::Layout(nsBoxLayoutState & aState={...}) Line 550 C++
xul.dll!nsXULScrollFrame::LayoutScrollArea(nsBoxLayoutState & aState={...}, const nsPoint & aScrollPosition={...}) Line 2536 C++
xul.dll!nsXULScrollFrame::Layout(nsBoxLayoutState & aState={...}) Line 2712 C++
xul.dll!nsXULScrollFrame::DoLayout(nsBoxLayoutState & aState={...}) Line 1182 + 0xc bytes C++
xul.dll!nsIFrame::Layout(nsBoxLayoutState & aState={...}) Line 550 C++
xul.dll!nsSprocketLayout::Layout(nsIFrame * aBox=0x09e789d0, nsBoxLayoutState & aState={...}) Line 525 C++
xul.dll!nsBoxFrame::DoLayout(nsBoxLayoutState & aState={...}) Line 938 + 0x24 bytes C++
xul.dll!nsIFrame::Layout(nsBoxLayoutState & aState={...}) Line 550 C++
xul.dll!nsSprocketLayout::Layout(nsIFrame * aBox=0x09e78120, nsBoxLayoutState & aState={...}) Line 525 C++
xul.dll!nsBoxFrame::DoLayout(nsBoxLayoutState & aState={...}) Line 938 + 0x24 bytes C++
xul.dll!nsIFrame::Layout(nsBoxLayoutState & aState={...}) Line 550 C++
xul.dll!nsStackLayout::Layout(nsIFrame * aBox=0x09e78040, nsBoxLayoutState & aState={...}) Line 345 C++
xul.dll!nsBoxFrame::DoLayout(nsBoxLayoutState & aState={...}) Line 938 + 0x24 bytes C++
xul.dll!nsIFrame::Layout(nsBoxLayoutState & aState={...}) Line 550 C++
xul.dll!nsBoxFrame::Reflow(nsPresContext * aPresContext=0x09a5ae08, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0) Line 753 C++
xul.dll!nsRootBoxFrame::Reflow(nsPresContext * aPresContext=0x09a5ae08, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0) Line 237 C++
xul.dll!nsContainerFrame::ReflowChild(nsIFrame * aKidFrame=0x09e78040, nsPresContext * aPresContext=0x09a5ae08, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, int aX=0, int aY=0, unsigned int aFlags=0, unsigned int & aStatus=0, nsOverflowContinuationTracker * aTracker=0x00000000) Line 756 + 0x21 bytes C++
xul.dll!ViewportFrame::Reflow(nsPresContext * aPresContext=0x09a5ae08, nsHTMLReflowMetrics & aDesiredSize={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=0) Line 285 + 0x2d bytes C++
xul.dll!PresShell::DoReflow(nsIFrame * target=0x039e0da0, int aInterruptible=0) Line 7346 C++
xul.dll!PresShell::ProcessReflowCommands(int aInterruptible=0) Line 7469 + 0x10 bytes C++
xul.dll!PresShell::FlushPendingNotifications(mozFlushType aType=Flush_Layout) Line 4800 + 0x12 bytes C++
xul.dll!PresShell::HandlePostedReflowCallbacks(int aInterruptible=0) Line 4692 C++
xul.dll!PresShell::DidDoReflow(int aInterruptible=0) Line 7221 C++
xul.dll!PresShell::ProcessReflowCommands(int aInterruptible=0) Line 7485 C++
xul.dll!PresShell::FlushPendingNotifications(mozFlushType aType=Flush_Layout) Line 4800 + 0x12 bytes C++
xul.dll!PresShell::HandlePostedReflowCallbacks(int aInterruptible=0) Line 4692 C++
xul.dll!PresShell::DidDoReflow(int aInterruptible=0) Line 7221 C++
xul.dll!PresShell::ProcessReflowCommands(int aInterruptible=0) Line 7485 C++
xul.dll!PresShell::FlushPendingNotifications(mozFlushType aType=Flush_Layout) Line 4800 + 0x12 bytes C++
xul.dll!PresShell::HandlePostedReflowCallbacks(int aInterruptible=0) Line 4692 C++
etc...
Comment 1 • 14 years ago
This is infinite recursion stack overflow. Probably not security-sensitive. Relevant part of the stack:
#524 0x00007ffff602eedb in PresShell::FlushPendingNotifications (this=0x7fffdd3cec00, aType=Flush_Layout) at ../../../mozilla/layout/base/nsPresShell.cpp:4800
#525 0x00007ffff602eb2f in PresShell::HandlePostedReflowCallbacks (this=0x7fffdd3cec00, aInterruptible=0) at ../../../mozilla/layout/base/nsPresShell.cpp:4691
#526 0x00007ffff60378ca in PresShell::DidDoReflow (this=0x7fffdd3cec00, aInterruptible=0) at ../../../mozilla/layout/base/nsPresShell.cpp:7218
#527 0x00007ffff60387e1 in PresShell::ProcessReflowCommands (this=0x7fffdd3cec00, aInterruptible=0) at ../../../mozilla/layout/base/nsPresShell.cpp:7481
#528 0x00007ffff602eedb in PresShell::FlushPendingNotifications (this=0x7fffdd3cec00, aType=Flush_Layout) at ../../../mozilla/layout/base/nsPresShell.cpp:4800
Timothy was looking into something similar recently, iirc.
Comment 2 • 14 years ago
Bug 550306 has a similar infinite flush-reflow-reflow callback-flush loop for XUL listboxes. Both are now on my list of things to look into.
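The loop named in comments 1 and 2, as an added example that is not part of this bug report or of Gecko's own code: a toy C++ model of the FlushPendingNotifications -> ProcessReflowCommands -> DidDoReflow -> HandlePostedReflowCallbacks -> FlushPendingNotifications cycle from the stacks above. The class, method names and limits are assumptions that only mirror the shape of the Gecko functions; the re-entrancy guard and pass cap are a hypothetical illustration of how such recursion can be bounded, not the fix for this bug (which was closed WORKSFORME with no patch attached here).

```cpp
// Added example, not Gecko code: a toy PresShell modelling the cycle in the
// stacks above (FlushPendingNotifications -> ProcessReflowCommands ->
// DidDoReflow -> HandlePostedReflowCallbacks -> FlushPendingNotifications).
// A reflow callback that re-dirties layout and re-posts itself recurses without
// bound; the guarded variant ignores re-entrant flushes and caps reflow passes.
// All names and limits are hypothetical.
#include <cstddef>
#include <cstdio>
#include <functional>
#include <utility>
#include <vector>

class ToyPresShell {
public:
    using ReflowCallback = std::function<void(ToyPresShell&)>;

    // depthLimit stands in for the real stack overflow; passLimit bounds the guarded loop.
    explicit ToyPresShell(bool guarded, std::size_t depthLimit = 64,
                          std::size_t passLimit = 8)
        : guarded_(guarded), depthLimit_(depthLimit), passLimit_(passLimit) {}

    void MarkDirty() { dirty_ = true; }
    void PostReflowCallback(ReflowCallback cb) { posted_.push_back(std::move(cb)); }

    // Counterpart of PresShell::FlushPendingNotifications(Flush_Layout).
    void FlushPendingNotifications() {
        // Guard: a flush requested from inside a callback is dropped; the outer pass loop reflows again.
        if (guarded_ && inFlush_) return;
        if (++depth_ > maxDepth_) maxDepth_ = depth_;
        if (depth_ > depthLimit_) { hitDepthLimit_ = true; --depth_; return; }
        inFlush_ = true;
        std::size_t passes = 0;
        do {
            if (dirty_) ProcessReflowCommands();
            ++passes;
        } while (guarded_ && dirty_ && passes < passLimit_);
        if (guarded_ && dirty_) nonConverged_ = true;  // layout never settled
        inFlush_ = false;
        --depth_;
    }

    std::size_t ReflowCount() const { return reflowCount_; }
    std::size_t MaxDepth() const { return maxDepth_; }
    bool HitDepthLimit() const { return hitDepthLimit_; }
    bool NonConverged() const { return nonConverged_; }

private:
    void ProcessReflowCommands() { DoReflow(); DidDoReflow(); }
    void DoReflow() { dirty_ = false; ++reflowCount_; }
    void DidDoReflow() { HandlePostedReflowCallbacks(); }

    // As in the stack: run the posted callbacks, then flush layout again.
    void HandlePostedReflowCallbacks() {
        if (posted_.empty()) return;
        std::vector<ReflowCallback> callbacks;
        callbacks.swap(posted_);
        for (auto& cb : callbacks) cb(*this);
        FlushPendingNotifications();
    }

    bool guarded_;
    std::size_t depthLimit_, passLimit_;
    std::vector<ReflowCallback> posted_;
    bool dirty_ = false, inFlush_ = false;
    std::size_t depth_ = 0, maxDepth_ = 0, reflowCount_ = 0;
    bool hitDepthLimit_ = false, nonConverged_ = false;
};

// Pathological callback: every reflow dirties layout and re-posts itself,
// the shape of the tree/listbox loops described in comments 1 and 2.
void PathologicalCallback(ToyPresShell& shell) {
    shell.MarkDirty();
    shell.PostReflowCallback(PathologicalCallback);
}

// Well-behaved callback: one extra reflow, after which layout settles.
void OneShotCallback(ToyPresShell& shell) { shell.MarkDirty(); }

struct Outcome { std::size_t max_depth, reflows; bool hit_depth_limit, non_converged; };

Outcome RunScenario(bool guarded, ToyPresShell::ReflowCallback cb) {
    ToyPresShell shell(guarded);
    shell.MarkDirty();
    shell.PostReflowCallback(std::move(cb));
    shell.FlushPendingNotifications();
    return {shell.MaxDepth(), shell.ReflowCount(),
            shell.HitDepthLimit(), shell.NonConverged()};
}

int main() {
    for (int g = 0; g < 2; ++g) {
        Outcome o = RunScenario(g != 0, PathologicalCallback);
        std::printf("guarded=%d depth=%zu reflows=%zu overflow=%d stuck=%d\n",
                    g, o.max_depth, o.reflows, o.hit_depth_limit, o.non_converged);
    }
}
```

In the unguarded run the depth cap is only there so the model terminates; a real engine would exhaust the stack, which is exactly the [sg:dos] outcome this bug tracks. The guard turns the recursion into a bounded iteration and makes non-convergence observable, but it does not remove the root cause: a callback that dirties layout on every reflow has to stop doing so when nothing actually changed.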
Updated • 14 years ago
Whiteboard: [sg:dos]
Comment 3 • 14 years ago (Reporter)
http://crash-stats.mozilla.com/report/index/78a3beaf-5f9c-4fb3-a63f-7cba52100315
0 xul.dll nsLayoutUtils::GetFontMetricsForStyleContext layout/base/nsLayoutUtils.cpp:1647
1 xul.dll ComputeLineHeight layout/generic/nsHTMLReflowState.cpp:2124
2 xul.dll nsBlockReflowState::nsBlockReflowState layout/generic/nsBlockReflowState.cpp:144
3 xul.dll nsBlockFrame::Reflow layout/generic/nsBlockFrame.cpp:948
4 xul.dll nsFrame::BoxReflow layout/generic/nsFrame.cpp:6562
5 xul.dll nsFrame::DoLayout layout/generic/nsFrame.cpp:6337
6 xul.dll nsIFrame::Layout layout/xul/base/src/nsBox.cpp:548
7 xul.dll nsSprocketLayout::Layout layout/xul/base/src/nsSprocketLayout.cpp:521
8 xul.dll nsBoxFrame::DoLayout layout/xul/base/src/nsBoxFrame.cpp:938
9 xul.dll nsIFrame::Layout layout/xul/base/src/nsBox.cpp:548
10 xul.dll nsSprocketLayout::Layout layout/xul/base/src/nsSprocketLayout.cpp:521
etc...
Updated • 13 years ago
Crash Signature: [@ nsAttrAndChildArray::IndexOfAttr]
Updated • 12 years ago
Group: core-security
Whiteboard: [sg:dos] → [sg:dos recursion]
Comment 4 • 9 years ago (Reporter)
The testcases are still crashing in current trunk build.
Updated • 7 years ago (Reporter)
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME
Updated • 7 years ago
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Updated • 2 years ago
Severity: critical → S2
Comment 5 • 2 years ago
I think this is WORKSFORME. No crashes when loading the attached XUL files, locally saved and renamed to .xhtml (which I think [?] is required and should be sufficient to make them load, with dom.allow_XUL_XBL_for_file set to true).
Status: REOPENED → RESOLVED
Closed: 7 years ago → 2 years ago
Resolution: --- → WORKSFORME