Closed
Bug 276370
Opened 20 years ago
Closed 19 years ago
crash when changing style.left and setting innerHTML of div containing object in table with crash recovery or sessionsaver extension [@ nsLineBox::IsEmpty ]
Categories
(Firefox :: General, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: moz.jomel, Assigned: bugzilla)
References
()
Details
(Keywords: crash)
Crash Data
Attachments
(2 files)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0 The code below crashes Firefox if the crash recovery extension is installed (and perhaps other Gecko-based apps, I haven't got any others to test with) Reproducible: Always Steps to Reproduce: 1. Install the Crash Recovery 0.4.2 extension by zeniko from http://forums.mozillazine.org/viewtopic.php?t=164513 (http://www.haslo.ch/zeniko/software/crashrecovery.xpi) 2. Go to the testcase I uploaded at http://jomel.freeprohost.com/crash.html The source code for it is: <a href="javascript:void(0);" onclick="go();">If you click this twice, Firefox will crash.</a> <div id="_div"></div> <script type="text/javascript"> var _div=document.getElementById("_div"); function go(){ _div.style.left='0px'; _div.style.left='1px'; _div.innerHTML='<table><tr><td><object data="about:blank" type="text/html" /></td></tr></table>'; } </script> Actual Results: Browser crashed. Expected Results: Not crashed :) 1. Talkback crash id: TB2805819W 2. Crash info: (more in attachment) AppName: firefox.exe AppVer: 1.0.0.0 ModName: firefox.exe ModVer: 1.0.0.0 Offset: 002cb05b 3. You can also add a setTimeout("go();",0); to the end of go() and then it will crash with one click only. adding go(); to the end of go() doesn't make it crash with one click though. 4. This can be made to crash the browser without user interaction, e.g. so links to a page with the code from another app will crash the browser. Here's the code to crash on page load (not attaching as a testcase in case people click it by accident, and it's using the same bug as the one I attached): <html> <body onload="go();"> <div id="_div"></div> <script type="text/javascript"> var _div=document.getElementById("_div"); function go(){ _div.style.left='0px'; _div.style.left='1px'; _div.innerHTML='<table><tr><td><object data="about:blank" type="text/html" /></td></tr></table>'; setTimeout("go();",0); } </script> </body> </html> 5. The "_div.style.left='1px';" line is optional the second time the method executes, but must be run the first time for there to be a crash 6. All of the code within the go() method seems necessary except 'data="about:blank"'.
Reporter | ||
Comment 1•20 years ago
|
||
Reporter | ||
Comment 2•20 years ago
|
||
crash data collected by windows
Comment 3•20 years ago
|
||
Stack: http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB2805819W
Summary: crash when changing style.left and setting innerHTML of div containing object in table with crash recovery extension → crash when changing style.left and setting innerHTML of div containing object in table with crash recovery extension [@ nsLineBox::IsEmpty ]
Comment 4•19 years ago
|
||
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b2) Gecko/20050220 Firefox/1.0+ No crash for me. I do not have the extension installed. It is not my call, but you may find that the regulars on bugzilla will not debug problems with an extension. If you can reproduce it on a fresh build ... Demonstrate a problem with the source ... Engage the help of the extension's author or fireside community ...
Comment 5•19 years ago
|
||
The same crash happens also with the popular SessionSaver extension (which provided the code base for Crash Recovery). However, these extensions rely both exclusively on XUL and JavaScript and should therefore not be able to crash Firefox at all. Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050223 Firefox/1.0.1
Comment 6•19 years ago
|
||
Some bugs with that signature were fixed, is this still a problem with trunk builds? https://bugzilla.mozilla.org/buglist.cgi?bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=RESOLVED&bug_status=VERIFIED&bug_status=CLOSED&field0-0-0=product&type0-0-0=substring&value0-0-0=nsLineBox&field0-0-1=component&type0-0-1=substring&value0-0-1=nsLineBox&field0-0-2=short_desc&type0-0-2=substring&value0-0-2=nsLineBox&field0-0-3=status_whiteboard&type0-0-3=substring&value0-0-3=nsLineBox&field1-0-0=product&type1-0-0=substring&value1-0-0=IsEmpty&field1-0-1=component&type1-0-1=substring&value1-0-1=IsEmpty&field1-0-2=short_desc&type1-0-2=substring&value1-0-2=IsEmpty&field1-0-3=status_whiteboard&type1-0-3=substring&value1-0-3=IsEmpty
Comment 7•19 years ago
|
||
Reporter: Is this still a problem for you with Deer Park Alpha 1?
Reporter | ||
Comment 8•19 years ago
|
||
Short answer: Cannot reproduce crash in Deer Park Alpha 1, resolving WORKSFORME. Long answer: I couldn't reproduce the crash in deer park alpha 1 using a legacy copy of the crashrecovery extension (but I could still reproduce it in 1.0.4). As crashrecovery has been discontinued anyway, I tried this using the SessionSaver extension as well. Using the latest pass of sessionsaver (28), I couldn't reproduce the crash in 1.0.4 or deer park. Using the previous pass (27) I couldn't reproduce the crash in deer park (though I could still reproduce it in 1.0.4) Thus it appears the bug was fixed, so I am resolving this as WORKSFORME. Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050531 Firefox/1.0+
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
Summary: crash when changing style.left and setting innerHTML of div containing object in table with crash recovery extension [@ nsLineBox::IsEmpty ] → crash when changing style.left and setting innerHTML of div containing object in table with crash recovery or sessionsaver extension [@ nsLineBox::IsEmpty ]
Updated•13 years ago
|
Crash Signature: [@ nsLineBox::IsEmpty ]
You need to log in
before you can comment on or make changes to this bug.
Description
•