Deeply nested font tag causes stack overflow
Reported by loorong...@gmail.com, Jul 3 2016
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36

Steps to reproduce the problem:
1. Go to http://forum.seti.nl/showthread.php?17544-Test-van-molentje&p=592523&viewfull=1#post592523
2. Hover the windmill icon to the left of the white sentence.

What is the expected behavior?
Nothing should happen.

What went wrong?
Several tabs return Aw, Snap! (Including tabs that are not from forum.seti.nl)

Crashed report ID: 36d581fc00000000 (f75a39f5-7554-48a5-89b2-7b1ccaa6d453)
How much crashed? Whole browser
Is it a problem with a plugin? No
Did this work before? N/A
Chrome version: 51.0.2704.106 Channel: stable
OS Version: 6.3
Flash Version: Shockwave Flash 22.0 r0

I tried to get more information myself and here are my findings:
1. Inspect the white sentence beside the windmill icon with Chrome DevTools: crash.
2. Open Chrome DevTools > Elements, and navigate to the white sentence manually. Upon hovering the <font> element in Chrome DevTools: crash.

The white sentence is wrapped with nested <font color="#ffffff"> tags. Hovering the windmill icon to the right of the white sentence does not seem to cause the crash. This was tested on Windows 8.1. A user from https://productforums.google.com/forum/#!topic/chrome/EJrQ9NV8RbY reported that Chrome on OS X does not have the problem.
Jul 4 2016
There are hundreds of levels of nested <font> tags. Perhaps the parser should bail out at a certain depth when parsing deeply nested DOM structures, to avoid a stack overflow in later stages.
Jul 4 2016
I think my change should not change anything about stack memory allocation. I saw two leak detector changes in the range. sque@, could the CLs change stack memory allocation behavior?
Jul 5 2016
My leak detector code is running on CrOS only. It should not affect Windows. Can you post what you saw regarding the leak detector?
Jul 5 2016
Re #4: Thanks for the info. I had suspected the two leak detector CLs in the regression range: https://chromium.googlesource.com/chromium/src/+log/ff41c4d5183156ce755812cfdede63acef62028b..70024238824031e03c1b6ace610403e6b7db0e0d, but they seem not related based on your reply.
Jul 12 2016
This looks like something to do with hit testing, not parsing or the DOM. I'd prefer to avoid adding depth limits to the DOM.
Jul 22 2016
Issue 628108 has been merged into this issue.
Aug 25 2016
Moving Blink>Input>HitTesting to Blink>HitTesting
Apr 20 2017
Can someone check if this bug still exists? The link I posted originally no longer exists, so I can't test that one. I created an HTML file with 200 nested <font> elements and hovered it; nothing happened. Tried the testcase from Issue 628108; nothing happened either. (Tested with Chrome 58.0.3029.81 on Win10 x64)
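A defender-side check for the depth-limit idea raised in the Jul 4 2016 comment and the 200-deep test file described above, added here as an example and not code from this issue or from Chromium: it measures the deepest element nesting in a document so that pathological markup (hundreds of nested tags) can be flagged on a proxy or content filter before a client has to hit-test it. The `limit` threshold and the helper names are assumptions, not values taken from Chromium.

```python
from collections import Counter
from html.parser import HTMLParser

# Void elements never get a closing tag, so they must not push onto the stack.
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "param", "source", "track", "wbr"}


class DepthAuditor(HTMLParser):
    """Track element nesting depth while parsing; record the deepest point."""

    def __init__(self):
        super().__init__()
        self.stack = []          # currently open (non-void) tags
        self.max_depth = 0
        self.deepest_path = []   # copy of the stack at the deepest point

    def handle_starttag(self, tag, attrs):
        if tag in VOID_ELEMENTS:
            return
        self.stack.append(tag)
        if len(self.stack) > self.max_depth:
            self.max_depth = len(self.stack)
            self.deepest_path = list(self.stack)

    def handle_startendtag(self, tag, attrs):
        pass  # <br/>-style self-closing tags do not change depth

    def handle_endtag(self, tag):
        # Tolerate unbalanced markup: pop back to the most recent matching open tag.
        if tag in self.stack:
            while self.stack and self.stack.pop() != tag:
                pass


def audit_nesting(html, limit=512):
    """Return (max_depth, over_limit, top_tags_on_deepest_path).

    `limit` is a hypothetical sanity threshold, not a Chromium value."""
    p = DepthAuditor()
    p.feed(html)
    p.close()
    counts = Counter(p.deepest_path)
    return p.max_depth, p.max_depth > limit, counts.most_common(3)


def make_nested(tag, depth, attrs=""):
    """Constructed sample: `depth` nested copies of <tag> around a short text."""
    return f"<{tag}{attrs}>" * depth + "text" + f"</{tag}>" * depth


if __name__ == "__main__":
    sample = "<html><body>" + make_nested("font", 600, ' color="#ffffff"') + "</body></html>"
    print(audit_nesting(sample))  # (602, True, [('font', 600), ('html', 1), ('body', 1)])
```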
Apr 20 2017
Closing given we cannot reproduce. There are many things that might have fixed this. It's also a stack overflow bug, so not generally fixable.
Comment 1 by kavvaru@chromium.org, Jul 4 2016
Components: Blink
Labels: -Type-Bug M-51 hasbisect Type-Bug-Regression
Owner: wangxianzhu@chromium.org
Status: Assigned (was: Unconfirmed)