Closed
Bug 1234523
Opened 9 years ago
Closed 9 years ago
Firefox crashes after loading css 'nl:nth-child(3):after { content:"\A"; white-space:pre; }'
Categories
(Core :: CSS Parsing and Computation, defect)
Tracking
()
RESOLVED
INCOMPLETE
People
(Reporter: wladyslaw.motyka, Unassigned)
Details
(Keywords: testcase-wanted)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Build ID: 20151029115835
Steps to reproduce:
I wrongly adden ':after' after my ''nl:nth-child(3)' css code and create:
nl:nth-child(3):after {
content:"\A";
white-space:pre;
}
Actual results:
Firefox crashed after loading the page with this css code included.
Expected results:
-
|
||
Comment 1•9 years ago
|
||
Could you attach/link to a more complete testcase? I don't recognize the "nl" element and so I'm not sure about the DOM structure that caused the crash. A single page with both the HTML and CSS to cause the problem would make it much easier to reproduce/assign this bug.
Flags: needinfo?(wladyslaw.motyka)
|
Reporter | |
Comment 2•9 years ago
|
||
Sorry I can not. It is from my company confidential site. Neverless I can not replicate it any other page, so I will close it. Ok?
Flags: needinfo?(wladyslaw.motyka)
|
||
Comment 3•9 years ago
|
||
(In reply to wladyslaw.motyka from comment #2)
> Sorry I can not. It is from my company confidential site. Neverless I can
> not replicate it any other page, so I will close it. Ok?
The alternative would be to create a minimal testcase that you can publish, or to get permission to publish whatever part of this site is necessary to reproduce.
Another thing that might be useful is to use an official Mozilla build if you aren't already, and if the crash reproduces there, to link to a crashreport ID as given by the about:crashes page inside Firefox. That may or may not shed light on what's going on here, and is less work than either of the other options - but it's still possible-to-likely that we'd need a testcase to be able to fix the issue.
Flags: needinfo?(wladyslaw.motyka)
|
||
Comment 4•9 years ago
|
||
If firefox crashed did you submit the the crash report to us? If so that might provide helpful clues. Open the page about:crashes and you will see a list of links to crash reports. When you find the one that corresponds to this crash you can paste the link in a bug comment.
|
|
Reporter | |
Comment 5•9 years ago
|
||
I do not remember if I report it :-( But I usually do so. Unfortunately I can not go to the about:crashes.
Maybe it is because of my Firefox ESR 38.4.0 IBMCCK - 2.2.4 (CCK2)
here is state.json:
{"v":1,"clientID":"813478a4-12d6-412e-9eb5-21cb49f66eb9","clientIDVersion":1,"remoteIDs":["4d69aecc-ed05-486f-9304-c53815f2fdc7"],"lastPingTime":1451981926389,"removedOutdatedLastpayload":true}
Flags: needinfo?(wladyslaw.motyka)
|
|
||
Comment 6•9 years ago
|
||
Those IDs give me "invalid crash ID". If you can't go to about:crashes perhaps the enterprise customizations removed that functionality and you're not submitting these at all.
Flags: needinfo?(wladyslaw.motyka)
Keywords: testcase-wanted
|
|
||
Comment 7•9 years ago
|
||
Jesse: does your CSS fuzzer create things like comment 0? I think that would be our only hope of finding whatever crash might be lurking here.
Flags: needinfo?(jruderman)
|
||
Comment 8•9 years ago
|
||
Without a testcase or crash report, this bug isn't actionable. Holding off on a response from Jesse before closing this as incomplete, but AFAICT, there's nothing else we can do here.
Group: firefox-core-security → core-security
Component: Untriaged → CSS Parsing and Computation
Product: Firefox → Core
|
|
||
Updated•9 years ago
|
Group: core-security → layout-core-security
|
||
Comment 9•9 years ago
|
||
> Jesse: does your CSS fuzzer create things like comment 0? I think that would be our only hope of finding whatever crash might be lurking here.
Yes, my DOM fuzzer generates combinations of pseudo-classes (like :nth-child) with pseudo-elements (like :after). https://github.com/MozillaSecurity/funfuzz/blob/8323913955fe44193aa4ee0ed90e9a8c4c211190/dom/fuzzer/values.js#L918
I just tweaked it to generate :nth-child(3). Previously it was only doing even/odd, which might have hit a different code path.
Flags: needinfo?(jruderman)
|
|
||
Comment 10•9 years ago
|
||
wladyslaw.motyka,
* If your company's build of Firefox has the crash reporter disabled, you can try downloading a build from Mozilla and using it to report the crash. This will let us quickly check whether we've fixed a bug with the same crash signature. It will also give us a sense of whether the crash is likely to be a security hole, and thus worth worrying about if it's ESR-only.
* https://developer.mozilla.org/en-US/docs/Mozilla/QA/Reducing_testcases has tips for making a reduced testcase that won't contain confidential information. You can email me if you get stuck.
|
||
Comment 11•9 years ago
|
||
I sent an email to the reporter directly a couple of weeks ago (in case bugmail
to him was blocked somehow) but I got no reply. I don't see much point keeping
this bug open without a way to reproduce the crash.
(I did try a few variations from the snippet in comment 0 without success)
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE
|
|
Reporter | |
Comment 12•9 years ago
|
||
Hi guys, I finally have time to read all my emails and found yours. Sorry for the delay.
I tried to dupicate it today on my updated FF v38.7 and I was unable to duplicate it.
So how cen I help you now. Or should I somehow close this ticket or ...???
Flags: needinfo?(wladyslaw.motyka)
|
|
||
Comment 13•9 years ago
|
||
Wladyslaw, can you test that it still works in the current stable version of Firefox?
https://www.mozilla.org/firefox/
And also in a Nightly build?
https://nightly.mozilla.org/
Thanks.
|
|
Reporter | |
Comment 14•9 years ago
|
||
Sorry, I can not do that - I have RHEL 6 and I am unable to install newest software versions :-(
|
|
||
Updated•5 years ago
|
Group: layout-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•