Bug 473911 - Crash due to too much recursion in nsCSSDocumentRule::URL::~URL. r+sr=dbaron
authorJeff Walden <jwalden@mit.edu>
Fri, 16 Jan 2009 15:33:57 -0800
changeset 23837 0cb4f7b53ca078258659e732ff98f359e7f65680
parent 23836 58b777f8849a6e5454262a962c8f1fdb295c8593
child 23838 f87acf3efb63415a42d0070591bc800ef0fe596e
push id4752
push userjwalden@mit.edu
push dateFri, 16 Jan 2009 23:38:25 +0000
bugs473911
milestone1.9.2a1pre
Bug 473911 - Crash due to too much recursion in nsCSSDocumentRule::URL::~URL. r+sr=dbaron
layout/style/crashtests/crashtests.list
layout/style/crashtests/long-url-list-stack-overflow.html
layout/style/nsCSSRules.cpp
layout/style/nsCSSRules.h
--- a/layout/style/crashtests/crashtests.list
+++ b/layout/style/crashtests/crashtests.list
@@ -22,8 +22,9 @@ load 447776-1.html
 load 447783-1.html
 load 448161-1.html
 load 448161-2.html
 load 456196.html
 load 460217-1.html
 load 466845-1.html
 HTTP(..) load 472237-1.html
 load about:blank # 472237 doesn't occur when it's the last in the list
+load long-url-list-stack-overflow.html
new file mode 100644
--- /dev/null
+++ b/layout/style/crashtests/long-url-list-stack-overflow.html
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style id="s"></style>
+<script type="text/javascript">
+
+// Duplicates the string 2^n times
+function exp(s, n)
+{
+  for (var i = 0; i < n; ++i)
+    s += s;
+  return s;
+}
+
+var stylesheet = "@-moz-document url(http://www.w3.org/)" + exp(", url-prefix(file:///)", 20) + " { }";
+document.getElementById("s").textContent = stylesheet;
+
+</script>
+</head>
+<body>
+<div></div>
+</body>
+</html>
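Review bot: The new crashtest carries no bug number in its file name or its contents, unlike the numbered entries beside it in crashtests.list, so a reader cannot tell what it guards against. A leading comment in the script would cover it, for example `// Bug 473911: destroying a very long @-moz-document URL list must not overflow the stack.` The comment on `exp` would also be more precise as `// Returns s repeated 2^n times`. With n = 20 that is roughly a million list entries, so it is worth confirming that the run time and memory use are acceptable on the slower test machines.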
--- a/layout/style/nsCSSRules.cpp
+++ b/layout/style/nsCSSRules.cpp
@@ -1252,16 +1252,20 @@ nsCSSDocumentRule::UseForPresentation(ns
         }
       } break;
     }
   }
 
   return PR_FALSE;
 }
 
+nsCSSDocumentRule::URL::~URL()
+{
+  NS_CSS_DELETE_LIST_MEMBER(nsCSSDocumentRule::URL, this, next);
+}
 
 // -------------------------------------------
 // nsICSSNameSpaceRule
 //
 class CSSNameSpaceRuleImpl : public nsCSSRule,
                              public nsICSSNameSpaceRule,
                              public nsIDOMCSSRule
 {
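Review bot: The out-of-line destructor has no comment explaining why it is not simply `delete next`, and the macro's definition is outside this hunk. I would add above it `// Delete the list iteratively; recursive destruction overflows the stack on very long URL lists (bug 473911).` so that nobody later simplifies it back to the recursive form. This assumes NS_CSS_DELETE_LIST_MEMBER unlinks and deletes the nodes one at a time, which the visible lines do not show.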
--- a/layout/style/nsCSSRules.h
+++ b/layout/style/nsCSSRules.h
@@ -201,17 +201,17 @@ public:
 
     URL() : next(nsnull) {}
     URL(const URL& aOther)
       : func(aOther.func)
       , url(aOther.url)
       , next(aOther.next ? new URL(*aOther.next) : nsnull)
     {
     }
-    ~URL() { delete next; }
+    ~URL();
   };
 
   void SetURLs(URL *aURLs) { mURLs = aURLs; }
 
 protected:
   nsAutoPtr<URL> mURLs; // linked list of |struct URL| above.
 };
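Review bot: The copy constructor in the context lines still recurses once per list node through `next(aOther.next ? new URL(*aOther.next) : nsnull)`, so only the destructor is made iterative by this change. If a rule holding a list as long as the one the new crashtest builds can be copied (the callers are not visible here), the copy would presumably exhaust the stack the same way the old destructor did, and the input is controlled by page content. Copying the tail in a loop removes that path. The sketch below assumes `func` and `url` are assignable, which the initializer list suggests but the hunk does not confirm.

```cpp
    URL(const URL& aOther)
      : func(aOther.func)
      , url(aOther.url)
      , next(nsnull)
    {
      // Copy the tail iteratively so list length cannot drive stack depth.
      URL *tail = this;
      for (const URL *src = aOther.next; src; src = src->next) {
        URL *copy = new URL();
        copy->func = src->func;
        copy->url = src->url;
        tail->next = copy;
        tail = copy;
      }
    }
    // … unchanged: ~URL() declaration …
```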