Closed Bug 83042 Opened 24 years ago Closed 24 years ago

Simple nested table causes runaway memory allocation, crash

Categories

(Core :: CSS Parsing and Computation, defect, P1)

x86
Linux
defect


RESOLVED DUPLICATE of bug 72360
mozilla1.0

People

(Reporter: jwbaker, Assigned: waterson)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

The simple testcase which I will attach causes mozilla (0.9 and 2001-05-28-08 Linux) to allocate as much memory as possible until it eventually crashes. The page is never displayed. Not sure who to assign to, taking an initial stab at Style, please don't take any offense :)
Attached file Testcase
Keywords: crash, testcase
In my debug build, I get this assertion before everything goes to hell:

###!!! ASSERTION: attempt to create circular frame list: 'aNextSibling != this', file nsFrame.cpp, line 2256
###!!! Break: at file nsFrame.cpp, line 2256

Then I loop, on this stack:

#0 0x41b38619 in nsLineBox::SetChildCount (this=0xa28fae0, aNewCount=1) at nsLineBox.h:252
#1 0x419aa3bc in nsLineBox::nsLineBox (this=0xa28fae0, aFrame=0x85e3b60, aCount=1, aIsBlock=1) at nsLineBox.cpp:58
#2 0x419aa488 in NS_NewLineBox (aPresShell=0x830e3b0, aFrame=0x85e3b60, aCount=1, aIsBlock=1) at nsLineBox.cpp:73
#3 0x41970e21 in nsBlockFrame::AddFrames (this=0x85a1574, aPresContext=0x85e4940, aFrameList=0x85e3b60, aPrevSibling=0x85e3b60) at nsBlockFrame.cpp:4465
#4 0x41974112 in nsBlockFrame::SetInitialChildList (this=0x85a1574, aPresContext=0x85e4940, aListName=0x0, aChildList=0x85e3b60) at nsBlockFrame.cpp:5704
#5 0x41a455b1 in ProcessPseudoFrame (aPresContext=0x85e4940, aPseudoData=@0xbfffeb74, aParent=@0xbfffe924) at nsCSSFrameConstructor.cpp:1814
#6 0x41a45767 in ProcessPseudoCellFrame (aPresContext=0x85e4940, aPseudoFrames=@0xbfffeafc, aParent=@0xbfffe924) at nsCSSFrameConstructor.cpp:1860
#7 0x41a45b40 in ProcessPseudoFrames (aPresContext=0x85e4940, aPseudoFrames=@0xbfffeafc, aHighestType=0x0, aHighestFrame=@0xbfffe924) at nsCSSFrameConstructor.cpp:1930
#8 0x41a45c62 in ProcessPseudoFrames (aPresContext=0x85e4940, aPseudoFrames=@0xbfffeafc, aItems=@0xbfffeb8c) at nsCSSFrameConstructor.cpp:1959
#9 0x41a58308 in nsCSSFrameConstructor::ContentAppended (this=0x8455ca8, aPresContext=0x85e4940, aContainer=0x8457760, aNewIndexInContainer=0) at nsCSSFrameConstructor.cpp:8235
#10 0x41521adc in StyleSetImpl::ContentAppended (this=0x8499140, aPresContext=0x85e4940, aContainer=0x8457760, aNewIndexInContainer=0) at nsStyleSet.cpp:1232
#11 0x419ce59a in PresShell::ContentAppended (this=0x830e3b0, aDocument=0x858e810, aContainer=0x8457760, aNewIndexInContainer=0) at nsPresShell.cpp:4830
#12 0x414a8232 in nsDocument::ContentAppended (this=0x858e810, aContainer=0x8457760, aNewIndexInContainer=0) at nsDocument.cpp:1582
#13 0x41368b31 in nsHTMLDocument::ContentAppended (this=0x858e810, aContainer=0x8457760, aNewIndexInContainer=0) at nsHTMLDocument.cpp:1169
#14 0x4135f163 in HTMLContentSink::NotifyAppend (this=0x85e2248, aContainer=0x8457760, aStartIndex=0) at nsHTMLContentSink.cpp:4301
#15 0x41355da8 in SinkContext::FlushTags (this=0x85e24b8, aNotify=1) at nsHTMLContentSink.cpp:2000
#16 0x41359533 in HTMLContentSink::CloseBody (this=0x85e2248, aNode=@0x85eb0c0) at nsHTMLContentSink.cpp:2887
#17 0x40dc9e3d in CNavDTD::CloseBody (this=0x84d1a88, aNode=0x85eb0c0) at CNavDTD.cpp:3150
#18 0x40dca81d in CNavDTD::CloseContainer (this=0x84d1a88, aNode=0x85eb0c0, aTarget=eHTMLTag_body, aClosedByStartTag=0) at CNavDTD.cpp:3495
#19 0x40dca9b4 in CNavDTD::CloseContainersTo (this=0x84d1a88, anIndex=1, aTarget=eHTMLTag_body, aClosedByStartTag=0) at CNavDTD.cpp:3557
#20 0x40dcae0b in CNavDTD::CloseContainersTo (this=0x84d1a88, aTarget=eHTMLTag_body, aClosedByStartTag=0) at CNavDTD.cpp:3708
#21 0x40dc43f9 in CNavDTD::DidBuildModel (this=0x84d1a88, anErrorCode=0, aNotifySink=1, aParser=0x858e658, aSink=0x85e2248) at CNavDTD.cpp:601
#22 0x40dd93f1 in nsParser::DidBuildModel (this=0x858e658, anErrorCode=0) at nsParser.cpp:1438
#23 0x40dda1e1 in nsParser::ResumeParse (this=0x858e658, allowIteration=1, aIsFinalChunk=1) at nsParser.cpp:1907
#24 0x40ddb077 in nsParser::OnStopRequest (this=0x858e658, request=0x85a8458, aContext=0x0, status=0) at nsParser.cpp:2362
#25 0x40e51cda in nsDocumentOpenInfo::OnStopRequest (this=0x8591990, request=0x85a8458, aCtxt=0x0, aStatus=0) at nsURILoader.cpp:252
#26 0x40c15d6f in nsFileChannel::OnStopRequest (this=0x85a8458, request=0x85a8554, context=0x0, aStatus=0) at nsFileChannel.cpp:469
#27 0x40c3a19e in nsOnStopRequestEvent::HandleEvent (this=0x8591e08) at nsRequestObserverProxy.cpp:158
#28 0x40bc22f9 in nsARequestObserverEvent::HandlePLEvent (plev=0x8591e08) at nsRequestObserverProxy.cpp:63
#29 0x4013d944 in PL_HandleEvent (self=0x8591e08) at plevent.c:590
#30 0x4013e13d in PL_ProcessEventsBeforeID (aSelf=0x80aa1c0, aID=800) at plevent.c:1256
#31 0x409d54d7 in processQueue (aElement=0x80aa1c0, aData=0x320) at nsAppShell.cpp:475
#32 0x401065b1 in nsVoidArray::EnumerateForwards (this=0x80f3498, aFunc=0x409d54a8 <processQueue(void *, void *)>, aData=0x320) at nsVoidArray.cpp:313
#33 0x409d5520 in nsAppShell::ProcessBeforeID (aID=800) at nsAppShell.cpp:483
#34 0x409e12e7 in handle_gdk_event (event=0x81ca0a0, data=0x0) at nsGtkEventHandler.cpp:990
#35 0x4044fa36 in gdk_event_dispatch () from /usr/lib/libgdk-1.2.so.0
#36 0x4047c717 in g_main_dispatch () from /usr/lib/libglib-1.2.so.0
#37 0x4047ccdb in g_main_iterate () from /usr/lib/libglib-1.2.so.0
#38 0x4047ce59 in g_main_run () from /usr/lib/libglib-1.2.so.0
#39 0x403ab069 in gtk_main () from /usr/lib/libgtk-1.2.so.0
#40 0x409d5155 in nsAppShell::Run (this=0x80f3480) at nsAppShell.cpp:360
#41 0x40966e2e in nsAppShellService::Run (this=0x80e9b90) at nsAppShellService.cpp:417
#42 0x0805bad9 in main1 (argc=2, argv=0xbffff964, nativeApp=0x0) at nsAppRunner.cpp:1128
#43 0x0805c8e1 in main (argc=2, argv=0xbffff964) at nsAppRunner.cpp:1426
#44 0x405b52eb in __libc_start_main (main=0x805c6c8 <main>, argc=2, ubp_av=0xbffff964, init=0x8055420 <_init>, fini=0x806a13c <_fini>, rtld_fini=0x4000c130 <_dl_fini>, stack_end=0xbffff95c) at ../sysdeps/generic/libc-start.c:129
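The failure mode in the assertion and in frame #3 (aFrameList and aPrevSibling are the same pointer, so a frame is asked to become its own next sibling) is a sibling chain that loops back on itself, after which any walker that counts or allocates per frame never terminates. The following C++ is an added illustration, not Mozilla's code: a toy sibling list that rejects the self-link the way the assertion does, plus a Floyd cycle check so a corrupted chain is detected instead of walked forever.

```cpp
#include <cassert>

// Minimal stand-in for a layout frame's sibling chain (hypothetical, not nsFrame).
struct Frame {
    Frame* nextSibling = nullptr;
};

// Same condition as the report's assertion: refuse to link a frame to itself.
// Returns false rather than asserting so the caller can bail out cleanly.
bool SetNextSibling(Frame* self, Frame* aNextSibling) {
    if (aNextSibling == self) return false;   // would create a one-frame cycle
    self->nextSibling = aNextSibling;
    return true;
}

// Floyd's tortoise/hare: detects any cycle in the chain with no allocation,
// so a corrupted list is rejected before a per-frame loop runs away.
bool HasCycle(const Frame* head) {
    const Frame* slow = head;
    const Frame* fast = head;
    while (fast && fast->nextSibling) {
        slow = slow->nextSibling;
        fast = fast->nextSibling->nextSibling;
        if (slow == fast) return true;
    }
    return false;
}

// Count frames in a chain; returns -1 on a cycle. A naive counter here is
// exactly the kind of walker that loops (and allocates) forever in the report.
long CountFrames(const Frame* head) {
    if (HasCycle(head)) return -1;
    long n = 0;
    for (const Frame* f = head; f; f = f->nextSibling) ++n;
    return n;
}

// Constructed scenario mirroring frame #3: the new frame is its own prev sibling.
// The guard refuses the link and the chain stays a plain 3-frame list.
bool ReproSelfSiblingRejected() {
    Frame a, b, c;
    SetNextSibling(&a, &b);
    SetNextSibling(&b, &c);
    bool linked = SetNextSibling(&c, &c);     // the aNextSibling == this case
    return !linked && CountFrames(&a) == 3;
}

// Same corruption applied without the guard: the walker must still terminate.
long ReproUnguardedCount() {
    Frame a, b, c;
    a.nextSibling = &b; b.nextSibling = &c; c.nextSibling = &c;
    return CountFrames(&a);                   // -1: cycle detected, no runaway
}
```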
Reassigning to waterson and moving to m1.0. If there were a real url, we could make this m0.9.2 or m0.9.3.
Assignee: pierre → waterson
Target Milestone: --- → mozilla1.0
WOW, such a simple testcase and such terrible results! This definitely needs to be resolved as soon as possible. It is a serious security problem because a malicious website is able to almost crash the user's computer. It eventually crashes only Mozilla, but the computer is almost unresponsive for at least 1 minute (time depending only on how much RAM/swap you have). This is probably dogfood/catfood too. We should be rather happy that this is not on some frequent site. I'm even setting the severity to blocker.
Severity: critical → blocker
Priority: -- → P1
Whiteboard: need for mozilla 0.9.2
This is not a blocker. No reason to raise severity. Setting back to critical. This IS a remote resource consumption bug, but Mozilla has a pile of those.
Severity: blocker → critical
Whiteboard: need for mozilla 0.9.2
Heh. This is cute!
Status: NEW → ASSIGNED
Known bug. Marking duplicate (and reassigning duplicate to waterson). *** This bug has been marked as a duplicate of 72360 ***
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → DUPLICATE
QA -> petersen since I resolved it
QA Contact: ian → petersen