Closed Bug 63742 Opened 24 years ago Closed 24 years ago

recursive crash/leak from setting window.inner* via onResize

Categories

(Core :: DOM: UI Events & Focus Handling, defect)

defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla0.9

People

(Reporter: vhg, Assigned: joki)

Details

(Keywords: crash, hang, memory-leak)

Attachments

(3 files)

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; m18) Gecko/20001108 Netscape6/6.0
BuildID: 2000122520

On the page http://cid.lib.byu.edu/~vhg/family.html the function forceSize() is defined, and afterwards is called in the onResize event handler. The function boils down to two calls:

window.innerHeight=560;
window.innerWidth =600;

When this code is called in the onResize event handler the window's right margin resizes repeatedly in a seemingly random fashion, and a LARGE amount of memory is used. The browser immediately crashes and the memory is not trash collected, leaving the system with about half of its available RAM left. Doing this twice crashes my system (P3 550, 128 MB physical RAM).

Reproducible: Always

Steps to Reproduce:
load the URL http://cid.lib.byu.edu/~vhg/family.html
The bug should demonstrate itself immediately.
Note: if the innerHeight and innerWidth of the browser window happen to already be at 560x600 the bug will not appear immediately. In this case it is necessary to resize the window to trigger the onResize event handler, which will then trigger the bug.

Actual Results: Browser's right margin resizes repeatedly, rapidly, and randomly; then the browser crashes. A large amount of memory is allocated and locked before the browser crashes, this memory is not reclaimed by the system after the crash.

Expected Results: The window should resize to the specified innerHeight and innerWidth dimensions and stay there. If the window is subsequently resized by the page's visitor it should snap back to the specified dimensions.

I have tested this on the 20001108 Netscape6/6.0 build and the 20001205 Mozilla build as well, and can reproduce the memory leak every time on both. I have not tested on other M$ operating systems, nor have I tested to see if other JS calls such as window.resizeTo() would have the same effect.
I see this on Win2000, Moz-build 2000122604. Mozilla does not crash for me, but after the bug takes effect I do have some 15MB of memory claimed by Mozilla AFTER I terminate Mozilla manually. (End-tasking reclaims memory).
Changing OS to All. Since I tried this on Linux and it just sat there resizing it for about 10 seconds and then exited. Linux didn't lose any memory to the process it just exited Mozilla. Anyway marking NEW since this seems to be a doozy.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows 98 → All
Keywords: crash, hang, mlk, nsbeta1
Hardware: PC → All
Setting milestone to mozilla0.9, crashers should be fixed soon...
Target Milestone: --- → mozilla0.9
Reassigning QA Contact for all open and unverified bugs previously under Lorca's care to Gerardo as per phone conversation this morning.
QA Contact: lorca → gerardok
Summary: massive memory leak caused by setting window.innerHeight, window.innerWidth in onResize event handler → recursive crash/leak from setting window.inner* via onResize
Minusing, doesn't seem that common. But leaving still to 0.9.
Keywords: nsbeta1 → nsbeta1-
Attached patch: Proposed patch
Proposed fix puts resize events on a timer which resets each time a new resize would be fired in order to get one resize event at the end. Very similar to the method used in 4.x.
Status: NEW → ASSIGNED
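
The timer approach described in the comment above, as an added JavaScript model that is not part of the bug thread and is not Mozilla's patch: it compares dispatching resize immediately with dispatching it from a timer that restarts on every size change, and counts handler calls and nesting depth. The names `makeWindow` and `simulateDrag`, the 100 ms delay, the fake clock, and the rule that only an actual size change raises a notification are assumptions of the model; it shows the re-entrancy pattern, not the crash itself.

```javascript
// Constructed model, not Mozilla code. Assumption: a resize notification is
// raised only when the size actually changes.
function makeWindow(coalesce, delayMs = 100) {
  const w = { innerWidth: 800, innerHeight: 700, onresize: null,
              calls: 0, depth: 0, maxDepth: 0 };
  let now = 0;     // fake clock (ms), so the model is deterministic
  let due = null;  // expiry of the single pending resize timer

  function dispatch() {
    w.calls++;
    w.maxDepth = Math.max(w.maxDepth, ++w.depth);
    try { if (w.onresize) w.onresize(); } finally { w.depth--; }
  }
  function sizeChanged() {
    if (coalesce) due = now + delayMs;  // (re)start the timer, fire later
    else dispatch();                    // fire now, inside the caller's stack
  }
  w.resizeTo = (width, height) => {
    if (w.innerWidth === width && w.innerHeight === height) return;
    w.innerWidth = width;
    w.innerHeight = height;
    sizeChanged();
  };
  w.advance = (ms) => {                 // run timers that expire within ms
    const end = now + ms;
    while (due !== null && due <= end) { now = due; due = null; dispatch(); }
    now = end;
  };
  return w;
}

// The reporter's handler (two window.inner* writes) under a 20-step drag.
function simulateDrag(coalesce) {
  const w = makeWindow(coalesce);
  w.onresize = () => {
    w.resizeTo(w.innerWidth, 560);   // window.innerHeight = 560
    w.resizeTo(600, w.innerHeight);  // window.innerWidth = 600
  };
  for (let i = 1; i <= 20; i++) {
    w.resizeTo(800 + i, 700 + i);    // one raw size change from the user
    w.advance(10);                   // 10 ms between drag steps
  }
  w.advance(1000);                   // let any pending timer expire
  return { calls: w.calls, maxDepth: w.maxDepth,
           width: w.innerWidth, height: w.innerHeight };
}

console.log("immediate:", simulateDrag(false));
console.log("coalesced:", simulateDrag(true));
```

With immediate dispatch the handler runs inside its own call stack on every drag step; with the restarting timer it runs only after the drag settles and never nests.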
Patch looks good to me, sr=jst
Attached patch: revised patch
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
QA contact updated
QA Contact: gerardok → madhur
verified on build 2001-07-10
Status: RESOLVED → VERIFIED
verified on build 2001-07-10
Component: Event Handling → User events and focus handling