Closed Bug 701630 Opened 14 years ago Closed 10 years ago

Stack Overflow Crash releasing nsHtml5UTF16Buffer::Release during OOM

Categories

(Core :: DOM: HTML Parser, defect)

x86
Windows 7
defect
Not set
critical

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox9 --- affected
firefox10 --- affected
firefox11 --- affected

People

(Reporter: bc, Unassigned)

Details

(Keywords: crash)

This is for Nightly, Aurora, Beta on Windows 7. This is not about the OOM abort that occurs on this page.

1. http://www.meine-urlaubswelt.com/urlaub/ferienwohnung-deutschland-nordsee-borkum-3160.html
2. Stack Overflow Crash

Operating system: Windows NT
                  6.1.7601 Service Pack 1
CPU: x86
     GenuineIntel family 6 model 44 stepping 2
     2 CPUs

Crash reason:  EXCEPTION_STACK_OVERFLOW
Crash address: 0x7796dece

Thread 0 (crashed)
 0  ntdll.dll + 0x2dece
    eip = 0x7796dece   esp = 0x00142ff4   ebp = 0x0014303c   ebx = 0x00000001
    esi = 0x00000001   edi = 0x00000000   eax = 0x00000038   ecx = 0x0d77da90
    edx = 0x00450000   efl = 0x00210202
    Found by: given as instruction pointer in context
 1  KERNELBASE.dll + 0x14bf8
    eip = 0x76bd4bf9   esp = 0x00143044   ebp = 0x00143050
    Found by: previous frame's frame pointer
 2  msvcr80d.dll + 0x1cb09
    eip = 0x725acb0a   esp = 0x00143058   ebp = 0x00143078
    Found by: previous frame's frame pointer
 3  msvcr80d.dll + 0x1bb55
    eip = 0x725abb56   esp = 0x00143080   ebp = 0x00143088
    Found by: previous frame's frame pointer
 4  msvcr80d.dll + 0x1ba0d
    eip = 0x725aba0e   esp = 0x00143090   ebp = 0x001430c0
    Found by: previous frame's frame pointer
 5  msvcr80d.dll + 0x1b98d
    eip = 0x725ab98e   esp = 0x001430c8   ebp = 0x001430d0
    Found by: previous frame's frame pointer
 6  mozalloc.dll!moz_free [mozalloc.cpp : 97 + 0x9]
    eip = 0x7252114d   esp = 0x001430d8   ebp = 0x001430dc
    Found by: previous frame's frame pointer
 7  xul.dll!operator delete[](void *) [mozalloc.h : 265 + 0x9]
    eip = 0x6efb61fd   esp = 0x001430e4   ebp = 0x001430e8
    Found by: call frame info
 8  xul.dll!nsHtml5UTF16Buffer::~nsHtml5UTF16Buffer() [nsHtml5UTF16BufferCppSupplement.h : 63 + 0x10]
    eip = 0x6f9c18c1   esp = 0x001430f0   ebp = 0x001430fc
    Found by: call frame info
 9  xul.dll!nsHtml5UTF16Buffer::`scalar deleting destructor'(unsigned int) + 0xe
    eip = 0x6f9c1a1f   esp = 0x00143104   ebp = 0x00143108
    Found by: call frame info
10  xul.dll!nsHtml5UTF16Buffer::Release() [nsHtml5UTF16BufferCppSupplement.h : 86 + 0x1b]
    eip = 0x6f9c19e7   esp = 0x00143110   ebp = 0x00143124
    Found by: call frame info
11  xul.dll!nsRefPtr<nsHtml5UTF16Buffer>::~nsRefPtr<nsHtml5UTF16Buffer>() [nsAutoPtr.h : 907 + 0x9]
    eip = 0x6f996a59   esp = 0x0014312c   ebp = 0x00143130
    Found by: call frame info
...

Running in Visual Studio I get the stack overflow during the _CrtIsValidHeapPointer check.

Running a nightly Nightly build I get bp-f3d3ac33-c0d2-4a3c-9ebc-beb982111110
This is basically DoS by too much data. The page serves MySQL errors endlessly.
Page was fixed. Retested with OSX 10.{6,8,9}, RHEL6 {32,64}bit, Windows 7 {32,64}bit, Beta/38, Aurora/39, Nightly/40 and no crash. -> WFM.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME
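
Added example, not code from this bug or from Mozilla: frames 8 to 11 of the trace above show a smart-pointer destructor calling Release(), which deletes a buffer. Assuming the elided frames repeat that sequence along a chain of buffers that each own the next (the page does not show the class layout; Buf, next and build_and_release are hypothetical names), the code below shows an owning-list destructor that unlinks iteratively, so stack depth does not grow with the amount of data received.

```cpp
// Added illustration; Buf and build_and_release are hypothetical names,
// not Mozilla code. Assumes each buffer owns its successor.
#include <cstddef>
#include <memory>
#include <utility>

static std::size_t g_destroyed = 0;   // destructor runs, for checking

struct Buf {
    std::unique_ptr<char[]> data;     // stands in for the UTF-16 storage
    std::shared_ptr<Buf> next;        // owning link to the following buffer

    explicit Buf(std::size_t n) : data(new char[n]) {}

    ~Buf() {
        ++g_destroyed;
        // Leaving `next` to the implicit member destructor would destroy
        // the successor from inside this destructor, nesting once per
        // node, so stack use would grow with the length of the chain.
        std::shared_ptr<Buf> tail = std::move(next);
        while (tail && tail.use_count() == 1) {
            // Detach the successor first; the node then dies with an
            // empty `next`, and the nesting depth stays constant.
            std::shared_ptr<Buf> rest = std::move(tail->next);
            tail = std::move(rest);
        }
        // A tail that still has another owner only has its reference
        // count dropped here, so the loop can stop at it.
    }
};

// Builds a chain of n one-byte buffers, releases the head, and returns
// how many destructors ran.
std::size_t build_and_release(std::size_t n) {
    g_destroyed = 0;
    {
        std::shared_ptr<Buf> head;
        for (std::size_t i = 0; i < n; ++i) {
            auto b = std::make_shared<Buf>(1);
            b->next = std::move(head);
            head = std::move(b);
        }
    }   // head leaves scope here and the whole chain is released
    return g_destroyed;
}

int main() {
    return build_and_release(200000) == 200000 ? 0 : 1;
}
```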