Closed Bug 507119 Opened 15 years ago Closed 15 years ago

[HTML5] crash [@ nsCSSFrameConstructor::ConstructBlock] in GMail when clicking on email with attachment

Categories: Core :: DOM: HTML Parser, defect, P3
Platform: x86, Windows Vista
Status: RESOLVED WORKSFORME
People: Reporter: geeknik, Assigned: xtc4uall
Keywords: crash, regression, testcase
Whiteboard: [sg:dos stack exhaustion]
Attachments: 2 files

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2a1pre) Gecko/20090728 Minefield/3.6a1pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2a1pre) Gecko/20090728 Minefield/3.6a1pre

Clicking on an email w/ an attachment in Gmail crashes Minefield. Happens in safe mode as well, but when I toggle HTML5 off, it quits crashing.

http://crash-stats.mozilla.com/report/index/855db8dd-dbf2-4162-9f10-312fd2090729
http://crash-stats.mozilla.com/report/index/abea8825-2a44-452b-8318-c153b2090729
http://crash-stats.mozilla.com/report/index/b28ec29f-e803-4250-82fb-8d2092090729
http://crash-stats.mozilla.com/report/index/aec3b1af-3bf7-4a55-97c4-644d72090729
http://crash-stats.mozilla.com/report/index/131fd5a7-c580-4274-9696-a5d652090729

Reproducible: Always

Actual Results: Minefield crashes.

Expected Results: Minefield should not crash.

Vista 32bit SP2
Keywords: crash
Version: unspecified → Trunk
Signature: nsFrame::DidSetStyleContext(nsStyleContext*)
UUID: 855db8dd-dbf2-4162-9f10-312fd2090729
Time: 2009-07-29 06:12:59.537598
Uptime: 45326
Last Crash: 238819 seconds before submission
Product: Firefox
Version: 3.6a1pre
Build ID: 20090728045737
Branch: 1.9.2
OS: Windows NT
OS Version: 6.0.6002 Service Pack 2
CPU: x86
CPU Info: GenuineIntel family 6 model 15 stepping 7
Crash Reason: EXCEPTION_STACK_OVERFLOW
Crash Address: 0x670d1fe6

Crashing Thread
Frame Module Signature Source
0 xul.dll nsFrame::DidSetStyleContext(nsStyleContext*) layout/generic/nsFrame.cpp:522
1 xul.dll nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&,nsStyleDisplay const*,nsIContent*,nsIFrame*,nsIFrame*,nsStyleContext*,nsIFrame**,nsFrameItems&,int) layout/base/nsCSSFrameConstructor.cpp:10717

Frame Module Signature Source
0 xul.dll nsRuleNode::WalkRuleTree(nsStyleStructID,nsStyleContext*,nsRuleData*,nsCSSStruct*) layout/style/nsRuleNode.cpp:1725
1 xul.dll nsRuleNode::GetStyleData(nsStyleStructID,nsStyleContext*,int) layout/style/nsStyleStructList.h:89
2 xul.dll nsRuleNode::WalkRuleTree(nsStyleStructID,nsStyleContext*,nsRuleData*,nsCSSStruct*) layout/style/nsRuleNode.cpp:1816
3 xul.dll nsRuleNode::GetStyleText(nsStyleContext*,int) layout/style/nsStyleStructList.h:89
4 xul.dll nsStyleContext::GetStyleText() layout/style/nsStyleStructList.h:89
5 xul.dll xul.dll@0x3e6a54
6 xul.dll nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList&,nsIFrame*,nsFrameItems&) layout/base/nsCSSFrameConstructor.cpp:9514
7 xul.dll nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&,nsIContent*,nsStyleContext*,nsIFrame*,int,nsFrameItems&,int) layout/base/nsCSSFrameConstructor.cpp:9627
8 xul.dll nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&,nsStyleDisplay const*,nsIContent*,nsIFrame*,nsIFrame*,nsStyleContext*,nsIFrame**,nsFrameItems&,int) layout/base/nsCSSFrameConstructor.cpp:10752
9 xul.dll nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&,nsFrameConstructorState&,nsIFrame*,nsFrameItems&) layout/base/nsCSSFrameConstructor.cpp:3887
10 xul.dll nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList::Iterator&,nsIFrame*,nsFrameItems&) layout/base/nsCSSFrameConstructor.cpp:5575
11 xul.dll nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&,nsCSSFrameConstructor::FrameConstructionItemList&,nsIFrame*,nsFrameItems&) layout/base/nsCSSFrameConstructor.cpp:9514
12 xul.dll nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&,nsIContent*,nsStyleContext*,nsIFrame*,int,nsFrameItems&,int) layout/base/nsCSSFrameConstructor.cpp:9627
13 xul.dll nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&,nsStyleDisplay const*,nsIContent*,nsIFrame*,nsIFrame*,nsStyleContext*,nsIFrame**,nsFrameItems&,int) layout/base/nsCSSFrameConstructor.cpp:10752
[frames 14 through 100 and 4578 through 4584 of the report repeat the same five-frame cycle: ConstructFrameFromItemInternal (nsCSSFrameConstructor.cpp:3887), ConstructFramesFromItem (:5575), ConstructFramesFromItemList (:9514), ProcessChildren (:9627), ConstructBlock (:10752); the report omits frames 101 through 4577]
4585 xul.dll nsCSSFrameConstructor::ContentInserted(nsIContent*,nsIContent*,int,nsILayoutHistoryState*) layout/base/nsCSSFrameConstructor.cpp:6798
4586 xul.dll nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*) layout/base/nsCSSFrameConstructor.cpp:9136
4587 xul.dll xul.dll@0x3c589e

Signature: CSSStyleRuleImpl::MapRuleInfoInto(nsRuleData*)
UUID: 131fd5a7-c580-4274-9696-a5d652090729
Time: 2009-07-29 06:21:55.397914
Uptime: 24
Last Crash: 163 seconds before submission
Product: Firefox
Version: 3.6a1pre
Build ID: 20090728045737
Branch: 1.9.2
OS: Windows NT
OS Version: 6.0.6002 Service Pack 2
CPU: x86
CPU Info: GenuineIntel family 6 model 15 stepping 7
Crash Reason: EXCEPTION_STACK_OVERFLOW
Crash Address: 0x62db9d5f

Crashing Thread
Frame Module Signature Source
0 xul.dll CSSStyleRuleImpl::MapRuleInfoInto(nsRuleData*) layout/style/nsCSSStyleRule.cpp:1454
1 xul.dll nsRuleNode::WalkRuleTree(nsStyleStructID,nsStyleContext*,nsRuleData*,nsCSSStruct*) layout/style/nsRuleNode.cpp:1725
2 xul.dll nsFrame::DidSetStyleContext(nsStyleContext*) layout/generic/nsFrame.cpp:564
3 xul.dll nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&,nsStyleDisplay const*,nsIContent*,nsIFrame*,nsIFrame*,nsStyleContext*,nsIFrame**,nsFrameItems&,int) layout/base/nsCSSFrameConstructor.cpp:10717
Product: Firefox → Core
QA Contact: general → general
Summary: [HTML5] Minefield crashes when clicking on email w/ attachment in Gmail. → [HTML5] crash [@ nsCSSFrameConstructor::ConstructBlock] in GMail when clicking on email with attachment
Any special type of attachment? I fail reproducing ...
It was a jpeg attachment. I will zip up the email source code and attach it here. The HTML code is a disaster.
It's spam from a for sale ad I posted on craigslist so it's not like it's important, but if there is something malformed in the email that will cause a crash on demand, that's a problem.
ok, the crashing started within http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=ca23d3b5a999&tochange=643cdff78555 => landing of Bug 487949. I guess a more reduced testcase is wanted ...
Status: UNCONFIRMED → NEW
Component: General → HTML: Parser
Ever confirmed: true
QA Contact: general → parser
Looks like infinite recursion so not exploitable. Are we somehow creating a cyclic DOM tree?
I just re-checked the attachment. When I open the HTML inside the zip file, I get the "Minefield has stopped responding..." pop-up (no crash reporter) and I have to restart Minefield. However, if I toggle HTML5 = false, everything is fine.
Blocks: 542268
Attached file reduced testcase (deleted) —
after digging into this here's my reduced testcase. for me 554 lines with <div style="font-family:verdana, helvetica, sans-serif;font-size:8pt"> crash (you may have to reload the testcase after dragging it into a tab), while with 553 lines there's no crash. a recent crash report with yesterday's trunk build + above reduced testcase: bp-d62ca246-9040-4c6d-a0bb-52fe12100131
The difference in the produced content tree is that after about 200 nested divs (perhaps it needs to be nested divs with no proper closing tags) the old parser stops nesting them and instead makes them siblings. There are two places in the old parser that use the magic number "200": http://mxr.mozilla.org/mozilla-central/source/parser/htmlparser/src/nsHTMLTokenizer.cpp#382 http://mxr.mozilla.org/mozilla-central/source/parser/htmlparser/public/nsIHTMLContentSink.h#90
Uh... does the new parser not do any tree-depth-limiting at all? It needs to do it.
And we should have had regression tests for this, ideally, since it's been a problem in the past...
(In reply to comment #13)
> Uh... does the new parser not do any tree-depth-limiting at all?

It doesn't.

> It needs to do it.

Yeah. It needs to gain other DoS mitigation limits, too. What happens if a script tries to create a deeply-nested tree using the DOM APIs?
I know that comment #7 said that this wasn't exploitable, but it is now starting to look like this is something that could be exploited. Maybe we should CC the security team on this one?
> What happens if a script tries to create a deeply-nested tree using the DOM
> APIs?

Afaik we run out of stack and crash. The depth-limiting in the parser is to protect against incompetence, not malice. See bug 323394.

Brian, what makes you think this can be exploited, exactly? It's a duplicate of bug 323394 except insofar as the new parser makes it more likely that websites will accidentally hit that bug due to common HTML coding errors...
Could I not craft an html e-mail using the attachment as a starting point to mass crash Firefox browsers? Or put it on a web page? I guess it's not as bad as a buffer overflow being used to run arbitrary code on a user's computer, but a denial of service attack using malformed html that the parser doesn't like which causes a crash is still a denial of service attack. :)
Quoting from a previous comment of mine regarding denial of service bugs and treating them as security bugs (bug 538035 comment 15, currently hidden, perhaps no longer needs to be but I won't push it):

> But, denial of service in the browser, if that's all that's present, is not
> considered a security issue in and of itself. There are a million different
> ways to crash the browser, and choosing to escalate the priority of a game
> of whack-a-mole against deliberate attempts to do so doesn't make much sense.
> Users will stop visiting sites that make such deliberate attempts; it's a
> self-limiting problem. Better to spend time on the crashes encountered by
> well-behaving sites. DoS bugs can be frustrating, to be sure, but it's not
> productive to treat them as security issues.
> Could I not craft an html e-mail using the attachment as a starting point to
> mass crash Firefox browsers?

Not if we fix this bug before shipping the HTML5 parser enabled by default, no.

> Or put it on a web page?

If the web page can run script, then yes per my answer to comment 15.

> still a denial of service attack

Yes, but it doesn't need to be security-sensitive.
Depends on: 483209
Whiteboard: [sg:dos stack exhaustion]
I landed a patch that added the good old stack limit of 200 to the HTML5 parser. Worth re-testing in tomorrow's Windows nightly.
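The depth limit discussed in this bug (the old parser's magic number 200, under which further unclosed tags become siblings instead of children, and the same limit just landed for the HTML5 parser) can be illustrated with a small tree builder. This is an added example, not Gecko code and not the attached testcase; the tag regex, the `Node` class and the constructed input are assumptions made here.

```python
"""
Depth-limited HTML tree builder (illustrative; not Gecko's parser).

Past a fixed nesting depth, further start tags are attached as siblings of
the innermost open element instead of as its children, so that recursive
consumers of the tree (frame construction, serialisation, ...) run with a
bounded stack no matter how many unclosed tags the input contains.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

MAX_DEPTH = 200  # the "good old stack limit" referred to in this bug

# Matches start and end tags; attributes are skipped, text is ignored.
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>")


@dataclass
class Node:
    name: str
    children: List["Node"] = field(default_factory=list)


def build_tree(html: str, max_depth: Optional[int] = MAX_DEPTH) -> Node:
    """Build an element tree from start/end tags.

    max_depth=None reproduces the unbounded behaviour: the tree nests as
    deeply as the input does.
    """
    root = Node("#document")
    stack = [root]  # open elements; the root is never popped
    for m in TAG_RE.finditer(html):
        closing, name = m.group(1) == "/", m.group(2).lower()
        if closing:
            # Close the nearest open element with this name, if any.
            for i in range(len(stack) - 1, 0, -1):
                if stack[i].name == name:
                    del stack[i:]
                    break
            continue
        node = Node(name)
        if max_depth is not None and len(stack) - 1 >= max_depth:
            # Limit reached: implicitly close the innermost element so the
            # new one becomes its sibling rather than its child.
            stack.pop()
        stack[-1].children.append(node)
        stack.append(node)
    return root


def depth(node: Node) -> int:
    """Maximum nesting depth below node, computed iteratively."""
    best, work = 0, [(node, 0)]
    while work:
        n, d = work.pop()
        best = max(best, d)
        work.extend((c, d + 1) for c in n.children)
    return best


def count(node: Node, name: str) -> int:
    """Number of elements named `name` anywhere below node."""
    total, work = 0, [node]
    while work:
        n = work.pop()
        total += n.name == name
        work.extend(n.children)
    return total


# Constructed input resembling the reduced testcase: hundreds of <div>
# start tags with no matching end tags.
NESTED_DIVS = (
    '<div style="font-family:verdana, helvetica, sans-serif;font-size:8pt">'
    * 554
)

if __name__ == "__main__":
    unbounded = build_tree(NESTED_DIVS, max_depth=None)
    bounded = build_tree(NESTED_DIVS)
    print("depth without limit:", depth(unbounded))  # 554
    print("depth with limit:   ", depth(bounded))    # 200
    print("divs kept:          ", count(bounded, "div"))  # 554
```

No content is dropped by the limit; the 554 divs are all still in the tree, only never more than 200 deep.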
Actually I'm not able to reproduce the crashes with either my testcase of comment 11 or the site mentioned in Bug 542268 comment 4, even with yesterday's nightly (Built from http://hg.mozilla.org/mozilla-central/rev/050887c64183) (HTML5 parser on, new profile, hammering ctrl+f5). Could this have been "fixed" by one of your other checkins? Worth finding a progression range? Or should other testcases be created to be able to verify Bug 483209's positive effects?
(In reply to comment #22)
> actually i'm not able to reproduce the crashes neither with my testcase of
> comment 11 nor the site mentioned in Bug 542268 comment 4 even with yesterday's
> nightly (Built from http://hg.mozilla.org/mozilla-central/rev/050887c64183)
> (HTML5 parser on, new profile, hammering ctrl+f5).

Excellent. Thanks! Marking this fixed.

> could this have been "fixed" by one of your other checkins?
> worth finding a progression range?

That's odd, but probably not worth finding a regression range to explain.

> or should other testcases be created to be able to verify Bug 483209's positive
> effects?

I guess it would be proper to land a crashtest with a few hundred <font> start tags and another with a few hundred <div> start tags.
Status: NEW → RESOLVED
Closed: 15 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
(sorry, we usually use WFM when we're not sure what fixed a bug). Yes, please definitely land a crashtest, especially if we don't know what fixed it since it could be something unrelated to the HTML5 parser and so we won't know if it'll get changed back again.
Resolution: FIXED → WORKSFORME
(In reply to comment #19)
> Quoting from a previous comment of mine regarding denial of service bugs and
> treating them as security bugs (bug 538035 comment 15, currently hidden,
> perhaps no longer needs to be but I won't push it):

I mistyped the bug number -- that should have been bug 538085 comment 15. :-(
Crash Signature: [@ nsCSSFrameConstructor::ConstructBlock]
Flags: in-testsuite? → in-testsuite+