Stack Overflow Crash [@ nsGenericElement::GetBaseURI()|@ nsRuleNode::WalkRuleTree(nsStyleStructID, nsStyleContext*, nsRuleData*, nsCSSStruct*)|PresShell::AllocateFrame(unsigned int)|_MD_CURRENT_THREAD ]

RESOLVED DUPLICATE of bug 629982

Product: Core
Component: General
Opened: 7 years ago
Updated: 2 years ago
Reporter: bc
Assignee: Unassigned
Blocks: 1 bug
Version: Trunk
Platform: x86, Windows XP
Keywords: crash, reproducible
Points: ---
Firefox Tracking Flags: Not tracked

(Reporter)

Description

7 years ago
1. http://www.masterwewbs.ru/index.php?showtopic=3851
2. Dismiss slow script dialog and let it run.
3. Crash at nsGenericElement::GetBaseURI() Line 3413 with nsGenericElement::GetBaseURI() Line 3428 filling that stack.

1.9.2 and 2.0.0/winxp and win7 so far.

#299 in beta8pre top crashes

bp-045e729e-0b05-42d9-b6ba-0d5b32101210

see also bug 561874

<http://www.masterwebs.ru/index.php?showtopic=3851>

<http://www.masterwebs.ru/index.php?showtopic=6939%2526pid=40642%2526mode=threaded%2526start=>
(Reporter)

Updated

7 years ago
Version: 1.9.1 Branch → Trunk
(Reporter)

Comment 1

7 years ago
http://www.secovipr.com.br/admin/rel_informativos.php also crashes with related signatures:

1.9.2 (note the stack overflow causes Firefox to restart and generate duplicate minidumps)

Operating system: Windows NT
                  5.1.2600 Service Pack 3
CPU: x86
     GenuineIntel family 6 model 44 stepping 2
     1 CPU

Crash reason:  EXCEPTION_STACK_OVERFLOW
Crash address: 0x9012c9

Thread 0 (crashed)
 0  nspr4.dll!_MD_CURRENT_THREAD [w95thred.c : 308 + 0x5]
    eip = 0x009012c9   esp = 0x00033000   ebp = 0x00033004   ebx = 0x00000001
    esi = 0x00d49b70   edi = 0x00000000   eax = 0x00000012   ecx = 0x02c50168
    edx = 0x02c50158   efl = 0x00010202
    Found by: given as instruction pointer in context
 1  nspr4.dll!PR_GetCurrentThread [prcthr.c : 174 + 0x4]
    eip = 0x008f9756   esp = 0x0003300c   ebp = 0x0003300c
    Found by: call frame info
 2  nspr4.dll!PR_GetThreadPrivate [prtpd.c : 232 + 0x4]
    eip = 0x008dfdeb   esp = 0x00033014   ebp = 0x00033020
    Found by: call frame info
 3  xul.dll!NS_LogAddRef_P [nsTraceRefcntImpl.cpp : 979 + 0x14]
    eip = 0x110398eb   esp = 0x00033028   ebp = 0x00033048
    Found by: call frame info
 4  xul.dll!nsStandardURL::AddRef() [nsStandardURL.cpp : 901 + 0x97]
    eip = 0x10172358   esp = 0x00033050   ebp = 0x00033064
    Found by: call frame info
 5  xul.dll!nsCOMPtr<nsIURI>::assign_with_AddRef(nsISupports *) [nsCOMPtr.h : 1180 + 0xd]
    eip = 0x10103c7b   esp = 0x0003306c   ebp = 0x00033074
    Found by: call frame info
 6  xul.dll!nsCOMPtr<nsIURI>::operator=(nsIURI *) [nsCOMPtr.h : 640 + 0xb]
    eip = 0x10103c43   esp = 0x0003307c   ebp = 0x00033084
    Found by: call frame info
 7  xul.dll!nsGenericElement::GetBaseURI() [nsGenericElement.cpp : 3033 + 0x16]
    eip = 0x1059cada   esp = 0x0003308c   ebp = 0x0003315c
    Found by: call frame info
 8  xul.dll!nsGenericHTMLElement::GetBaseURI() [nsGenericHTMLElement.cpp : 1179 + 0xb]
    eip = 0x107aa031   esp = 0x00033164   ebp = 0x00033174
    Found by: call frame info

frame 8 repeats.

1.9.1 (note the stack overflow causes Firefox to restart generating different minidumps but the stacks appear to contain the same frames 18-22 repeat pattern)

Operating system: Windows NT
                  6.1.7600 
CPU: x86
     GenuineIntel family 6 model 44 stepping 2
     1 CPU

Crash reason:  EXCEPTION_STACK_OVERFLOW
Crash address: 0x64bd8586

Thread 0 (crashed)
 0  xul.dll!nsAString_internal::Capacity() [nsTSubstring.cpp : 274 + 0x6]
    eip = 0x64bd8586   esp = 0x00132ff8   ebp = 0x00133004   ebx = 0x7ffda000
    esi = 0x06726d70   edi = 0x00000000   eax = 0x00133070   ecx = 0x00133320
    edx = 0x00000006   efl = 0x00010212
    Found by: given as instruction pointer in context
 1  xul.dll!nsAString_internal::MutatePrep(unsigned int,unsigned short * *,unsigned int *) [nsTSubstring.cpp : 98 + 0x7]
    eip = 0x64bd81d6   esp = 0x0013300c   ebp = 0x00133034
    Found by: call frame info
 2  xul.dll!nsAString_internal::ReplacePrep(unsigned int,unsigned int,unsigned int) [nsTSubstring.cpp : 224 + 0x12]
    eip = 0x64bd846f   esp = 0x0013303c   ebp = 0x00133074
    Found by: call frame info
 3  xul.dll!nsAString_internal::AssignASCII(char const *,unsigned int) [nsTSubstring.cpp : 378 + 0x14]
    eip = 0x64bd8831   esp = 0x0013307c   ebp = 0x0013308c
    Found by: call frame info
 4  xul.dll!nsAString_internal::AssignASCII(char const *) [nsTSubstring.cpp : 385 + 0x17]
    eip = 0x64bd8904   esp = 0x00133094   ebp = 0x001330a0
    Found by: call frame info
 5  xul.dll!nsAttrValue::ToString(nsAString_internal &) [nsAttrValue.cpp : 401 + 0xf]
    eip = 0x643827fe   esp = 0x001330a8   ebp = 0x001332e4
    Found by: call frame info
 6  xul.dll!nsAttrValue::Equals(nsAString_internal const &,nsCaseTreatment) [nsAttrValue.cpp : 732 + 0x11]
    eip = 0x64383331   esp = 0x001332ec   ebp = 0x001333c0
    Found by: call frame info
 7  xul.dll!nsGenericElement::AttrValueIs(int,nsIAtom *,nsAString_internal const &,nsCaseTreatment) [nsGenericElement.cpp : 4487 + 0x15]
    eip = 0x6430a5f5   esp = 0x001333c8   ebp = 0x001333dc
    Found by: call frame info
 8  xul.dll!SelectorMatches [nsCSSRuleProcessor.cpp : 1680 + 0x49]
    eip = 0x6435680d   esp = 0x001333e4   ebp = 0x00133748
    Found by: call frame info
 9  xul.dll!SelectorMatches [nsCSSRuleProcessor.cpp : 1770 + 0x22]
    eip = 0x64356bae   esp = 0x00133750   ebp = 0x00133abc   ebx = 0x7ffda000
    Found by: call frame info
10  xul.dll!ContentEnumFunc [nsCSSRuleProcessor.cpp : 1888 + 0x14]
    eip = 0x64355251   esp = 0x00133ac4   ebp = 0x00133aec   ebx = 0x7ffda000
    Found by: call frame info
11  xul.dll!RuleHash::EnumerateAllRules(int,nsIAtom *,nsIAtom *,nsAttrValue const *,void (*)(nsICSSStyleRule *,nsCSSSelector *,void *),void *) [nsCSSRuleProcessor.cpp : 630 + 0x13]
    eip = 0x643541e0   esp = 0x00133af4   ebp = 0x00133b68
    Found by: call frame info
12  xul.dll!nsCSSRuleProcessor::RulesMatching(ElementRuleProcessorData *) [nsCSSRuleProcessor.cpp : 1919 + 0x2c]
    eip = 0x64355225   esp = 0x00133b70   ebp = 0x00133b8c
    Found by: call frame info
13  xul.dll!EnumRulesMatching [nsStyleSet.cpp : 409 + 0x11]
    eip = 0x644245ac   esp = 0x00133b94   ebp = 0x00133ba0
    Found by: call frame info
14  xul.dll!nsStyleSet::FileRules(int (*)(nsIStyleRuleProcessor *,void *),RuleProcessorData *,nsRuleWalker *) [nsStyleSet.cpp : 532 + 0x12]
    eip = 0x64423675   esp = 0x00133ba8   ebp = 0x00133bd8
    Found by: call frame info
15  xul.dll!nsStyleSet::ResolveStyleFor(nsIContent *,nsStyleContext *) [nsStyleSet.cpp : 676 + 0x14]
    eip = 0x64424408   esp = 0x00133be0   ebp = 0x00133c5c
    Found by: call frame info
16  xul.dll!nsCSSFrameConstructor::ResolveStyleContext(nsIFrame *,nsIContent *) [nsCSSFrameConstructor.cpp : 6841 + 0x13]
    eip = 0x643eb653   esp = 0x00133c64   ebp = 0x00133c7c
    Found by: call frame info
17  xul.dll!nsCSSFrameConstructor::ConstructFrame(nsFrameConstructorState &,nsIContent *,nsIFrame *,nsFrameItems &) [nsCSSFrameConstructor.cpp : 7430 + 0x13]
    eip = 0x643ecb3e   esp = 0x00133c84   ebp = 0x00133ca8
    Found by: call frame info
18  xul.dll!nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState &,nsIContent *,nsIFrame *,int,nsFrameItems &,int) [nsCSSFrameConstructor.cpp : 11517 + 0x39]
    eip = 0x643f52f2   esp = 0x00133cb0   ebp = 0x00133d84
    Found by: call frame info
19  xul.dll!nsCSSFrameConstructor::ConstructTableCellFrame(nsFrameConstructorState &,nsIContent *,nsIFrame *,nsStyleContext *,int,int,nsFrameItems &,nsIFrame * &,nsIFrame * &,int &) [nsCSSFrameConstructor.cpp : 4024 + 0x1f]
    eip = 0x643e5989   esp = 0x00133d8c   ebp = 0x00133e0c
    Found by: call frame info
20  xul.dll!nsCSSFrameConstructor::ConstructFrameByDisplayType(nsFrameConstructorState &,nsStyleDisplay const *,nsIContent *,int,nsIAtom *,nsIFrame *,nsStyleContext *,nsFrameItems &,int) [nsCSSFrameConstructor.cpp : 6742 + 0x2d]
    eip = 0x643eb2bb   esp = 0x00133e14   ebp = 0x00133e8c
    Found by: call frame info
21  xul.dll!nsCSSFrameConstructor::ConstructFrameInternal(nsFrameConstructorState &,nsIContent *,nsIFrame *,nsIAtom *,int,nsStyleContext *,nsFrameItems &,int) [nsCSSFrameConstructor.cpp : 7613 + 0x33]
    eip = 0x643ed200   esp = 0x00133e94   ebp = 0x00133f60
    Found by: call frame info
22  xul.dll!nsCSSFrameConstructor::ConstructFrame(nsFrameConstructorState &,nsIContent *,nsIFrame *,nsFrameItems &) [nsCSSFrameConstructor.cpp : 7444 + 0x34]
    eip = 0x643ecbb5   esp = 0x00133f68   ebp = 0x00133fa0
    Found by: call frame info

frame 18-22 repeats

I couldn't get a reduced testcase, though the saved version of the page did crash. The inability of Lithium to detect the crash/restart made things a bit more difficult to test the crash. Attempting to flag the leaking URLs did work better, but the file could not be reduced much below 35K lines or so.

1.9.1 nightly

The URLs reported in Socorro are incorrect for these two reports. They should be
http://www.secovipr.com.br/admin/rel_informativos.php
http://www.masterwebs.ru/index.php?showtopic=6939%2526pid=40642%2526mode=threaded%2526start=


bp-9fa7f15c-8036-4c44-8e7b-e07372101228
bp-6d52fcd5-6b92-46e8-b8cc-4a5fb2101228

1.9.2 nightly

http://www.secovipr.com.br/admin/rel_informativos.php
bp-a8c1468c-2669-43e8-9ec3-d66fc2101228

http://www.masterwebs.ru/index.php?showtopic=6939%2526pid=40642%2526mode=threaded%2526start=
bp-e71d6614-ae96-4978-87b8-913e42101228

2.0.0 

http://www.masterwebs.ru/index.php?showtopic=6939%2526pid=40642%2526mode=threaded%2526start=
bp-ffb69dbd-9b8f-4a8f-b237-8e8e92101228

I'm not sure where this should go so moving it back to Core:General.
Component: HTML: Parser → General
QA Contact: parser → general
Summary: Crash [@ nsGenericElement::GetBaseURI()] (Recurse to death) → Stack Overflow Crash [@ nsGenericElement::GetBaseURI()|@ nsRuleNode::WalkRuleTree(nsStyleStructID, nsStyleContext*, nsRuleData*, nsCSSStruct*)|PresShell::AllocateFrame(unsigned int)|_MD_CURRENT_THREAD ]
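
Added example (not part of the bug report and not Mozilla's tooling): a small triage helper that parses stackwalk-style text like the traces in Comment 1 and reports the shortest frame cycle that repeats out to the last captured frame, which is the "frame 8 repeats" and "frame 18-22 repeats" observation made by hand above. The sample traces are constructed from symbol names on this page with dummy addresses and line numbers, and `build_trace` is a hypothetical helper used only to generate them.

```python
import re

# Frame line in minidump_stackwalk-style text, e.g.
#  8  xul.dll!nsGenericHTMLElement::GetBaseURI() [nsGenericHTMLElement.cpp : 1179 + 0xb]
FRAME_RE = re.compile(r"^\s*\d+\s+([^!\s]+)!(.+?)(?:\s+\[[^\]]*\])?\s*$")

def parse_frames(text):
    """Return [(module, function)] from frame 0 (innermost) outward.
    Register and "Found by:" lines do not match and are skipped."""
    return [m.groups() for m in map(FRAME_RE.match, text.splitlines()) if m]

def find_recursion_cycle(frames, min_repeats=3):
    """Return (start, cycle) for the shortest cycle that repeats out to the
    last captured frame, or None. Frames before `start` are only where the
    stack happened to run out; the cycle identifies the recursion itself."""
    n = len(frames)
    for period in range(1, n // min_repeats + 1):
        start = n - period
        # Extend towards frame 0 while the stack stays periodic.
        while start > 0 and frames[start - 1] == frames[start - 1 + period]:
            start -= 1
        if n - start >= period * min_repeats:
            return start, frames[start:start + period]
    return None

def build_trace(leaf, cycle, repeats):
    """Constructed sample: leaf frames, then `cycle` repeated, numbered from 0."""
    lines = []
    for i, sym in enumerate(leaf + cycle * repeats):
        lines.append(f"{i:2d}  xul.dll!{sym} [file.cpp : 1 + 0x1]")
        lines.append("    eip = 0x00000000   esp = 0x00000000   ebp = 0x00000000")
        lines.append("    Found by: call frame info")
    return "\n".join(lines)

# Symbol names come from the traces above; everything else is a dummy value.
LEAF_A = ["NS_LogAddRef_P", "nsStandardURL::AddRef()", "nsGenericElement::GetBaseURI()"]
CYCLE_A = ["nsGenericHTMLElement::GetBaseURI()"]
LEAF_B = ["SelectorMatches", "nsStyleSet::ResolveStyleFor(nsIContent *,nsStyleContext *)"]
CYCLE_B = ["nsCSSFrameConstructor::ProcessChildren", "nsCSSFrameConstructor::ConstructTableCellFrame",
           "nsCSSFrameConstructor::ConstructFrameByDisplayType",
           "nsCSSFrameConstructor::ConstructFrameInternal", "nsCSSFrameConstructor::ConstructFrame"]

if __name__ == "__main__":
    for leaf, cycle in ((LEAF_A, CYCLE_A), (LEAF_B, CYCLE_B)):
        start, found = find_recursion_cycle(parse_frames(build_trace(leaf, cycle, 4)))
        print(f"recursion starts at frame {start}: " + " -> ".join(f for _, f in found))
```

Grouping overflow reports by the detected cycle rather than by frame 0 keeps reports of one recursion together even when the top frame differs, as it does across the signatures in this bug's summary.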
(Reporter)

Comment 2

7 years ago
Previous to bug 629982, the following URLs crashed with stacks related to stack overflow.

<http://www.masterwebs.ru/index.php?showtopic=3851>
<http://www.masterwebs.ru/index.php?showtopic=6939%26pid=40642%26mode=threaded%26start=>
<http://www.masterwebs.ru/index.php?showtopic=7382>
<http://www.masterwebs.ru/index.php?showtopic=7382%26pid=45347%26mode=threaded%26start=>
<http://www.secovipr.com.br/admin/rel_informativos.php>
<http://www.xlh8.cn/zckszx/eschool/html/734.html>

Now they only crash on 1.9.2, though they do tend to hang on 2.0.0.

sicking, is this something we can also do on 1.9.2?
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 629982
(Assignee)

Updated

7 years ago
Crash Signature: [@ nsGenericElement::GetBaseURI()|@ nsRuleNode::WalkRuleTree(nsStyleStructID, nsStyleContext*, nsRuleData*, nsCSSStruct*)|PresShell::AllocateFrame(unsigned int)|_MD_CURRENT_THREAD ]
Keywords: testcase-wanted