deep DOM tree in an XHTML document causes stack overflow in frame construction

RESOLVED WORKSFORME

Status

()

--
critical
RESOLVED WORKSFORME
7 years ago
3 years ago

People

(Reporter: preissa, Unassigned)

Tracking

(Depends on: 1 bug, Blocks: 1 bug, {crash})

Trunk
x86_64
Windows 7
crash
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: DUPEME, crash signature, URL)

Attachments

(2 attachments)

(Reporter)

Description

7 years ago
Created attachment 553930 [details]
Example XHTML page that reproduces the crash.

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20100101 Firefox/6.0
Build ID: 20110811165603

Steps to reproduce:

I experimented with an XHTML page that contains a lot of nested <div> elements, like ...<div><div><div></div></div></div>... (about 2000).


Actual results:

Firefox 2.0.20, 3.6.20, 4.0.1, 5.0.1, 6.0 crash when I open the page.
I made an example XHTML page that reproduces the problem and attached it (please note that Firefox must use its XML parser for the crash to occur. When the SGML parser is used, it doesn't crash). The example is also available under this URL:
http://preisser.dynalias.org/dere1/temp/FF-Crash/index.xhtml

When this URL is opened with Firefox 6.0 (or older versions) under a Windows operating system (at least Windows 7, Windows Vista and Windows XP), Firefox crashes.


Expected results:

Firefox shouldn't crash but render the page.

Updated

7 years ago
Attachment #553930 - Attachment mime type: application/octet-stream → application/xhtml+xml
I can reproduce this.  We're crashing with a stack overflow.
Severity: normal → critical
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
Version: 6 Branch → Trunk
-> Layout
Component: General → Layout
Product: Firefox → Core
QA Contact: general → layout
Summary: Firefox 3, 4, 5, 6 (on Windows) crashes when XHTML document contains very deep DOM tree → deep DOM tree in an XHTML document causes stack overflow in frame construction
I see this in the terminal:

WARNING: frame tree too deep; setting zero size and returning: file c:/dev/mozil
la-central/layout/generic/nsFrame.cpp, line 4605

So we've recognized that the tree is too deep, but we still fail anyways.

Comment 5

7 years ago
fwiw, out of Firefox, Chrome, Safari and Opera we are the only one not to handle this gracefully and relatively quickly. Blocking sisyphus-crashes to indicate it shows up in automation.

dupe of bug 485941 ?
Whiteboard: DUPEME

Updated

7 years ago
Crash Signature: [@ SelectorMatches ]

Comment 6

6 years ago
(In reply to Bob Clary [:bc:] from comment #5)
> fwiw, out of Firefox, Chrome, Safari and Opera we are the only one not to
> handle this gracefully and relatively quickly. Blocking sisyphus-crashes to
> indicate it shows up in automation.
> 
> dupe of bug 485941 ?
Flags: needinfo?(khuey)

Updated

5 years ago
Depends on: 485941
does not crash anymore - marking as wfm
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.