IE crashes when opening developer tools when stylesheet is loaded twice

Not reproducible Issue #7115476

Details

Created
Apr 5, 2016
Privacy
This issue is public.
Reports
Reported by 5 people

Sign in to watch or report this issue.

Steps to reproduce

IE crashes when opening developer tools (F12) when a stylesheet is loaded twice.
demo at: http://bug.pluscare.nl/20160405/
after much trimming down code it boils down to:
page.htm

<!DOCTYPE html>
<HTML>
<head>
    <title>bug</title>
    <meta http-equiv="X-UA-Compatible" content="IE=EDGE">
    <link rel="stylesheet" href="stylesheet.css">
    <link rel="stylesheet" href="stylesheet.css">
</head>
<body>
        crash when you press F12
</body>
</html>

Stylesheet.css:

@keyframes fa-spin {
  0% {
    transform: rotate(0deg);
  }
}

The same thing happens when you have the stylesheet in main page and in a sub frame:
main.htm:

<!DOCTYPE html>
<HTML>
<head>
    <title>bug</title>
    <meta http-equiv="X-UA-Compatible" content="IE=EDGE">
    <link rel="stylesheet" href="stylesheet.css">
</head>
<body>
        <iframe src="subframe.htm">
</body>
</html>

frame.htm:

<!DOCTYPE html>
<HTML>
    <HEAD>
        <TITLE>bug, subFrame</TITLE>
        <link rel="stylesheet" href="stylesheet.css">
    </HEAD>
    <BODY scroll="no">
        this is a subframe<BR>
        crash when you press F12
    </BODY>
</HTML>

Attachments

0 attachments

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Leo L.”

      Changed Status to “Not reproducible”

    • Hello,

      Thank you for the feedback. This appears to be fixed in Edge as I am not able to repro this. Please note that we are not working on IE feature bugs any longer unless they are security related. As a result this item will be closed out as not repro to reflect the testing results from Edge.

      All the best,
      The MS Edge Team

    • Hello,
      I also notice this bug: when a css file with a @keyframes is loaded twice, F12 crashes IE11 on Windows 10 (v.1511) (but not on Windows 8.1).
      Very annoying for developers: we can’t test our development on IE11 on Windows 10, unless keeping an old computer with Windows 8 or 7 !
      Please, solve this issue!
      All the best,
      Ruben

    • We have this same issue (10 developers running Windows 10 IE 11) - It appears to do a stack overflow getting CSS keyframe information. We really need a resolution, even though I know you consider this a feature bug. It was working fine until we upgraded our PCs from Windows 8.1 to 10.

      MSHTML!MEMORY::SMALLHEAPBLOCKALLOCATOR >::INLINEDALLOCIMPL+2In IEXPLORE__PID__15868__Date__10_25_2016__Time_03_52_01PM__862__Second_Chance_Exception_C00000FD.dmp the assembly instruction at mshtml!Memory::SmallHeapBlockAllocator >::InlinedAllocImpl+2 in C:\Windows\System32\mshtml.dll from Microsoft Corporation has caused a stack overflow exception (0xC00000FD) when trying to write to memory location 0x06e82ffc on thread 2

      Thread 2 - System ID 6712
      Entry point   iertutil!TFlatIsoAPIMessage::Post+71 
      Create time   10/25/2016 3:28:13 PM 
      Time spent in user mode   0 Days 0:1:51.562 
      Time spent in kernel mode   0 Days 0:0:10.984 
      
      
      
      
      
      
      Full Call Stack
      
      
      
      Function     Arg 1     Arg 2     Arg 3     Arg 4   Source 
      mshtml!Memory::SmallHeapBlockAllocator<Memory::SmallNormalHeapBlockT >::InlinedAllocImpl+2     06630158     00000030     00000008     06671478    
      mshtml!Memory::HeapInfo::RealAlloc+2b     06630158     00000030     d521cbdb     04680000    
      mshtml!MemProtectHeapRootAlloc+9c     06e830b0     60f4c250     04680000     610c847f    
      mshtml!MemoryProtection::HeapAllocClear+29     06e830d0     22119ca0     0695e060     16dd83f0    
      mshtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+16a01f     22119ca0     00000000     16dd83f0     22119ca0    
      mshtml!CCSSRuleCacheEntry::GetRuleOM+6c     16dd83f0     22119ca0     22119ca0     22119c80    
      mshtml!CStyleSheet::GetCSSRule+54     22119ca0     00000002     00000018     06e83130    
      mshtml!CMSCSSKeyframeRule::CMSCSSKeyframeRule+3a     16dd83f0     22579290     06e83150     22119c70    
      mshtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+16a034     22119c70     00000000     16dd83f0     22119c70    
      mshtml!CCSSRuleCacheEntry::GetRuleOM+6c     16dd83f0     22119c70     22119c70     22119c50    
      mshtml!CStyleSheet::GetCSSRule+54     22119c70     00000002     00000018     06e831b0    
      mshtml!CMSCSSKeyframeRule::CMSCSSKeyframeRule+3a     16dd83f0     22579290     06e831d0     22119c40    
      
      ... part of stack cut ...
      
      mshtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+16a034     0707a6c4     00000000     16dd83f0     0707a6c4    
      mshtml!CCSSRuleCacheEntry::GetRuleOM+6c     16dd83f0     0707a6c4     0707a6c4     00000000    
      mshtml!CStyleSheet::GetCSSRule+54     0707a6c4     00000002     00000018     21ea52f0    
      mshtml!CMSCSSKeyframesRule::GetChildRule+34     00000000     0707a6c4     21ea52c0     0707a734    
      mshtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+169ccb     21ea52c0     00000000     0707a6ec     21ea52c0    
      mshtml!CStyleSheetRuleArray::GetItem+5a     00000000     0707a734     60e03110     00000000    
      mshtml!CCollectionBase::GetItemHelper+9b     00000000     00000000     0707a734     00000003    
      mshtml!CCollectionBaseTypeOperations::GetOwnItem+2ec     14a5d960     1044bf38     18f684b0     00000001    
      jscript9!Js::CustomExternalObject::GetItem+17d     18f684b0     00000000     0707a84c     169db478    
      jscript9!Js::JavascriptOperators::OP_GetElementI+775     18f684b0     00000001     169db478     00000000    
      jscript9!Js::JavascriptOperators::OP_GetElementI_Int32+44     1a6469c0     02000003     1a646220     18f67ba0    
      jscript9!Js::InterpreterStackFrame::Process+1f50     eb3ab8b3     23e473f0     1e0c6570     0707adb0    
      jscript9!Js::InterpreterStackFrame::OP_TryCatch+49     0707ada0     23e473ec     0666eb48     272df480    
      jscript9!Js::InterpreterStackFrame::Process+3c6d     23e4745e     272df480     23e473a0     1f646380    
      jscript9!Js::InterpreterStackFrame::InterpreterThunk+1fe     0707aef8     0707b0e8     5f8b313e     1a6469e0    
      0x0d0306b1     1a6469e0     02000003     1a646220     1e0c6570    
      jscript9!Js::InterpreterStackFrame::Process+abe     1aee7450     12c48900     1aee7410     1f645bb8    
      jscript9!Js::InterpreterStackFrame::InterpreterThunk+1fe     0707b218     0707b250     0d2ca2ab     1a646f60    
      0x0d0306b9     102ef320     02000003     2d7a21b0     1bd5ddb0    
      jscript9!Js::InterpreterStackFrame::Process+1f50     eb3aa7f3     2a08ee74     2a08ee68     0707b670    
      jscript9!Js::InterpreterStackFrame::OP_TryCatch+49     0707b660     2a08ee70     0666eb48     2115b5a0    
      jscript9!Js::InterpreterStackFrame::Process+3c6d     2a08efac     2115b5a0     2a08ee00     1f84c1a8    
      jscript9!Js::InterpreterStackFrame::InterpreterThunk+1fe     0707b7d0     0707b818     5f8f4378     13b111c0    
      0x0d0306c9     13b111c0     02000004     17c75d70     1bd5ddb0    
      jscript9!Js::JavascriptArray::EntryForEach+1e8     0c6c65e0     10000002     1519be00     13b111c0    
      jscript9!Js::InterpreterStackFrame::Process+1cde     11e4580e     2115b480     11e45750     1f84bf50    
      jscript9!Js::InterpreterStackFrame::InterpreterThunk+1fe     0707bb40     0707bb88     5f8f4378     13b115e0    
      0x0d0306d1     13b115e0     02000004     17c75d70     1b67f6f0    
      jscript9!Js::JavascriptArray::EntryForEach+1e8     0c6c65e0     02000002     1519be70     13b115e0    
      jscript9!Js::InterpreterStackFrame::Process+abe     1b66330c     2681d260     1b663220     1f84bfb0    
      jscript9!Js::InterpreterStackFrame::InterpreterThunk+1fe     0707bec0     0707c0a8     5f8b313e     1da4ae60    
      0x0d0306e1     1da4ae60     02000001     2d7a2390     00000004    
      jscript9!Js::InterpreterStackFrame::Process+abe     21590930     2115b120     21590900     1f84c0e8    
      jscript9!Js::InterpreterStackFrame::InterpreterThunk+1fe     0707c1f0     0707c3d8     5f8b313e     102ef080    
      0x0d0306e9     102ef080     02000002     2d7a2390     1b67f6f0    
      jscript9!Js::InterpreterStackFrame::Process+abe     0d7afec4     29741ea0     0d7afe00     1f84be60    
      jscript9!Js::InterpreterStackFrame::InterpreterThunk+1fe     0707c508     0707c590     5f80f370     0faf0aa0    
      0x0d0306f1     0faf0aa0     02000002     2d7aaf00     1906dee0    
      jscript9!Js::JavascriptFunction::EntryApply+2b0     175dfa00     02000003     0faf0aa0     2d7aaf00    
      jscript9!Js::InterpreterStackFrame::Process+1f50     11dff240     272d7ea0     11dff000     1f646398    
      jscript9!Js::InterpreterStackFrame::InterpreterThunk+1fe     0707c900     0707cae8     5f8b313e     1a646a40    
      0x0d030981     1a646a40     02000002     17c75d70     190c2860    
      jscript9!Js::InterpreterStackFrame::Process+abe     1290d19a     12bf1480     1290d0e0     0ce0ce00    
      jscript9!Js::InterpreterStackFrame::InterpreterThunk+1fe     0707cc30     0707cc70     5f90f47d     19928c80    
      0x0d030991     19928c80     10000002     19be7b10     190c2860    
      jscript9!Js::JavascriptFunction::CallFunction+91     10000002     0707ccb8     0707cea0     0707cf48    
      jscript9!Js::BoundFunction::NewInstance+76     19be7ab0     10000002     19be7b10     190c2860    
      jscript9!Js::InterpreterStackFrame::Process+1cde     12a7965e     21147360     12a795b0     16a47c38    
      jscript9!Js::InterpreterStackFrame::InterpreterThunk+1fe     0707cfd0     0707d000     113b42ad     175dff20    
      0x0d030999     175dfce0     00000002     196d6000     12537200    
      jscript9!Js::JavascriptFunction::CallFunction+91     00000002     0707d204     eb3ac3b3     00000002    
      jscript9!Js::JavascriptFunction::CallRootFunction+c4     169db478     00000002     0707d204     eb3ac27b    
      jscript9!ScriptSite::CallRootFunction+42     0707d134     00000002     0707d204     eb3ac23f    
      jscript9!ScriptSite::Execute+bf     175dfce0     0707d17c     00000000     0707d178    
      jscript9!ScriptEngineBase::Execute+c8     0707d1e4     6181e211     1044bf38     175dfce0    
      mshtml!CJScript9Holder::ExtensionRefFromVar+31     1e3fc800     0707d278     0707d284     00000003    
      DiagnosticsTap_65290000!EngineSite::OnMessage+77     165cef50     189adc74     1397a524     ab2688df    
      DiagnosticsTap_65290000!IPCChannel::PipeHelper::OnIPCMessage+a9     1061c348     ab2688f3     00000000     1f653228    
      DiagnosticsTap_65290000!IPCChannel::PipeMultiplexor::ProcessPackets+f9     1f653228     ab268937     0707d36c     169ec3f8    
      DiagnosticsTap_65290000!IPCChannel::PipeMultiplexor::ProcessPackets+5e     0707d36c     65292960     169ec400     652a7040    
      DiagnosticsTap_65290000!IPCChannel::PipeMultiplexor::ThreadCallHandler+2c     169ec3f8     00000542     00000000     00000000    
      DiagnosticsTap_65290000!IPCChannel::PipeMultiplexor::ProcessWindowMessage+8d     00030688     00000542     00000000     00000000    
      DiagnosticsTap_65290000!ATL::CWindowImplBaseT<ATL::CWindow,ATL::CWinTraits >::WindowProc+69     169ec400     00000542     00000000     00000000    
      atlthunk!__safe_se_handler_table+5ac     00030688     00000542     00000000     00000000    
      user32!_InternalCallWinProc+2b     5e211a90     00030688     00000542     00000000    
      user32!UserCallWinProcCheckWow+1f0     5e211a90     00000000     00000542     00000000    
      user32!DispatchMessageWorker+231     c7f5dd23     0707f6bc     61ce3c0f     0707d578    
      user32!DispatchMessageW+10     0707d578     04dedd50     046c5040     00000001    
      ieframe!CTabWindow::_TabWindowThreadProc+45f     0707f788     61ce4b70     04de0578     047007e8    
      ieframe!LCIETab_ThreadProc+393     04dedd50     72a09520     72a09520     04de0578    
      iertutil!TFlatIsoAPIMessage::Post+8d     04de0578     75da3720     c0ab5f98     0707f7f0    
      kernel32!BaseThreadInitThunk+24     04de0578     c2ceda6b     00000000     00000000    
      ntdll!__RtlUserThreadStart+2f     ffffffff     7777d7b0     00000000     00000000    
      ntdll!_RtlUserThreadStart+1b     72a09520     04de0578     00000000     00000000    
      
    • Hi,

      I am not a security expert, but I always read that a stack overflow, sooner or later, will lead to a security hole!
      And IE family has a long list of security holes exploited by stack overflow.

      So, YES, this regression in IE11 for W10 will be a security hole sooner or later! It is not only a "IE feature bugs". It is only a matter of time before hackers exploit it…

      So, please Microsoft Edge Team, correct it.

      Thanks,
      Ruben

    You need to sign in to your Microsoft account to add a comment.

    Sign in