Closed Bug 679905 Opened 13 years ago Closed 8 years ago

deep DOM tree in an XHTML document causes stack overflow in frame construction

Product/Component: Core :: Layout (defect)
Platform: x86_64, Windows 7
Priority: Not set
Severity: critical
Status: RESOLVED WORKSFORME
Reporter: preissa (Unassigned)
Keywords: crash; Whiteboard: DUPEME
Attachments: 2 files

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0) Gecko/20100101 Firefox/6.0
Build ID: 20110811165603

Steps to reproduce:

I experimented with an XHTML page that contains a lot of nested <div> elements, like ...<div><div><div></div></div></div>... (about 2000).


Actual results:

Firefox 2.0.20, 3.6.20, 4.0.1, 5.0.1, 6.0 crash when I open the page.
I made an example XHTML page that reproduces the problem and attached it (please note that Firefox must use its XML parser for the crash to occur. When the SGML parser is used, it doesn't crash). The example is also available under this URL:
http://preisser.dynalias.org/dere1/temp/FF-Crash/index.xhtml

When this URL is opened with Firefox 6.0 (or older versions) under a Windows operating system (at least Windows 7, Windows Vista and Windows XP), Firefox crashes.


Expected results:

Firefox shouldn't crash but render the page.
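The reproducer the reporter describes (an XHTML document with roughly 2000 nested `<div>` elements, served so that the XML parser handles it) can be generated locally rather than fetched from the URL above. The script below is an added example, not the attached test case or any Mozilla code: `buildDeepXhtml` emits a well-formed XHTML document with a chosen nesting depth, and `maxNestingDepth` is a small tag scanner (assumption: no `>` inside attribute values or comments) that reports the element depth of the result so you can confirm what you are about to load.

```javascript
// Generate the deeply nested XHTML reproducer described in comment 0 and
// measure its element nesting depth. Added example; not code from the bug
// attachment or from Mozilla.

const XHTML_NS = "http://www.w3.org/1999/xhtml";

// Build a well-formed XHTML document containing `depth` nested <div>s.
// Save it with an .xhtml extension or serve it as application/xhtml+xml:
// that is what routes it to the XML parser, which the reporter names as the
// condition for the crash (the HTML parser path does not crash).
function buildDeepXhtml(depth) {
  if (!Number.isInteger(depth) || depth < 0) {
    throw new RangeError("depth must be a non-negative integer");
  }
  const open = "<div>".repeat(depth);
  const close = "</div>".repeat(depth);
  return (
    '<?xml version="1.0" encoding="UTF-8"?>\n' +
    `<html xmlns="${XHTML_NS}">\n` +
    "<head><title>deep DOM tree</title></head>\n" +
    "<body>\n" +
    open + "x" + close + "\n" +
    "</body>\n</html>\n"
  );
}

// Maximum element nesting depth of an XML string, counting the root.
// Assumption: the markup has no '>' inside attribute values or comments,
// which holds for what buildDeepXhtml produces. Processing instructions,
// comments and doctypes are skipped; a self-closing tag counts as one level
// deeper but does not stay open; unbalanced markup raises an error.
function maxNestingDepth(xml) {
  let depth = 0;
  let max = 0;
  const tagRe = /<[^>]*>/g;
  let m;
  while ((m = tagRe.exec(xml)) !== null) {
    const tag = m[0];
    if (tag.startsWith("<?") || tag.startsWith("<!")) continue;
    if (tag.startsWith("</")) {
      depth -= 1;
      if (depth < 0) throw new Error("unbalanced markup: extra closing tag");
    } else if (tag.endsWith("/>")) {
      if (depth + 1 > max) max = depth + 1;
    } else {
      depth += 1;
      if (depth > max) max = depth;
    }
  }
  if (depth !== 0) throw new Error("unbalanced markup: unclosed elements");
  return max;
}

// Usage: node deep.js 2000 > deep.xhtml
if (typeof require !== "undefined" && require.main === module) {
  const depth = Number(process.argv[2] ?? 2000);
  process.stdout.write(buildDeepXhtml(depth));
}
```

With the default of 2000 the document's deepest element sits at depth 2002 (html, body, then the divs); vary the argument to find the shallowest depth at which a given build still fails rather than rendering the page.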
Attachment #553930 - Attachment mime type: application/octet-stream → application/xhtml+xml
I can reproduce this.  We're crashing with a stack overflow.
Severity: normal → critical
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
Version: 6 Branch → Trunk
-> Layout
Component: General → Layout
Product: Firefox → Core
QA Contact: general → layout
Summary: Firefox 3, 4, 5, 6 (on Windows) crashes when XHTML document contains very deep DOM tree → deep DOM tree in an XHTML document causes stack overflow in frame construction
I see this in the terminal:

WARNING: frame tree too deep; setting zero size and returning: file c:/dev/mozilla-central/layout/generic/nsFrame.cpp, line 4605

So we've recognized that the tree is too deep, but we still fail anyways.
fwiw, out of Firefox, Chrome, Safari and Opera we are the only one not to handle this gracefully and relatively quickly. Blocking sisyphus-crashes to indicate it shows up in automation.

dupe of bug 485941 ?
Whiteboard: DUPEME
Crash Signature: [@ SelectorMatches ]
(In reply to Bob Clary [:bc:] from comment #5)
> fwiw, out of Firefox, Chrome, Safari and Opera we are the only one not to
> handle this gracefully and relatively quickly. Blocking sisyphus-crashes to
> indicate it shows up in automation.
> 
> dupe of bug 485941 ?
Flags: needinfo?(khuey)
Depends on: CVE-2009-1232
does not crash anymore - marking as wfm
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME