Closed Bug 276370 Opened 20 years ago Closed 19 years ago

crash when changing style.left and setting innerHTML of div containing object in table with crash recovery or sessionsaver extension [@ nsLineBox::IsEmpty ]

Product/Component: Firefox :: General
Type: defect
Platform: x86, Windows XP
Priority: Not set
Severity: critical
Status: RESOLVED WORKSFORME
Reporter: moz.jomel, Assigned: bugzilla
Keywords: crash
Attachments: 2 files

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

The code below crashes Firefox if the crash recovery extension is installed (and
perhaps other Gecko-based apps; I haven't got any others to test with).

Reproducible: Always

Steps to Reproduce:
1. Install the Crash Recovery 0.4.2 extension by zeniko from
http://forums.mozillazine.org/viewtopic.php?t=164513
(http://www.haslo.ch/zeniko/software/crashrecovery.xpi)

2. Go to the testcase I uploaded at http://jomel.freeprohost.com/crash.html

The source code for it is:

<a href="javascript:void(0);" onclick="go();">If you click this twice, Firefox will crash.</a>
<div id="_div"></div>
<script type="text/javascript">
var _div=document.getElementById("_div");
function go(){
	_div.style.left='0px';
	_div.style.left='1px';
	_div.innerHTML='<table><tr><td><object data="about:blank" type="text/html" /></td></tr></table>';
}
</script>

Actual Results:  
Browser crashed.

Expected Results:  
Not crashed :)

1. Talkback crash id: TB2805819W

2. Crash info: (more in attachment)
AppName: firefox.exe	 AppVer: 1.0.0.0	 ModName: firefox.exe
ModVer: 1.0.0.0	 Offset: 002cb05b

3. You can also add a setTimeout("go();",0); to the end of go() and then it will
crash with one click only.
Adding go(); to the end of go() doesn't make it crash with one click, though.

4. This can be made to crash the browser without user interaction, e.g. so links
to a page with the code from another app will crash the browser.
Here's the code to crash on page load (not attaching as a testcase in case
people click it by accident, and it's using the same bug as the one I attached):
<html>
<body onload="go();">
<div id="_div"></div>
<script type="text/javascript">
var _div=document.getElementById("_div");
function go(){
	_div.style.left='0px';
	_div.style.left='1px';
	_div.innerHTML='<table><tr><td><object data="about:blank" type="text/html" /></td></tr></table>';
	setTimeout("go();",0);
}
</script>
</body>
</html>

5. The "_div.style.left='1px';" line is optional the second time the method
executes, but must be run the first time for there to be a crash.

6. All of the code within the go() method seems necessary except
'data="about:blank"'.

Attached file Testcase

Attached file crash data
crash data collected by windows

Severity: major → critical
Keywords: crash

Stack:
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB2805819W

Summary: crash when changing style.left and setting innerHTML of div containing object in table with crash recovery extension → crash when changing style.left and setting innerHTML of div containing object in table with crash recovery extension [@ nsLineBox::IsEmpty ]

Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b2) Gecko/20050220 Firefox/1.0+

No crash for me.

I do not have the extension installed.

It is not my call, but you may find that the regulars on bugzilla will not
debug problems with an extension. If you can reproduce it on a fresh build ...
Demonstrate a problem with the source ... Engage the help of the extension's
author or fireside community ...

The same crash also happens with the popular SessionSaver extension (which
provided the code base for Crash Recovery). However, these extensions both rely
exclusively on XUL and JavaScript and should therefore not be able to crash
Firefox at all.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050223 Firefox/1.0.1

Reporter: Is this still a problem for you with Deer Park Alpha 1?

Short answer:
Cannot reproduce crash in Deer Park Alpha 1, resolving WORKSFORME.

Long answer:
I couldn't reproduce the crash in Deer Park Alpha 1 using a legacy copy of the
crashrecovery extension (but I could still reproduce it in 1.0.4).
As crashrecovery has been discontinued anyway, I tried this using the
SessionSaver extension as well.
Using the latest pass of SessionSaver (28), I couldn't reproduce the crash in
1.0.4 or Deer Park.
Using the previous pass (27), I couldn't reproduce the crash in Deer Park (though
I could still reproduce it in 1.0.4).
Thus it appears the bug was fixed, so I am resolving this as WORKSFORME.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050531 Firefox/1.0+

Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
Summary: crash when changing style.left and setting innerHTML of div containing object in table with crash recovery extension [@ nsLineBox::IsEmpty ] → crash when changing style.left and setting innerHTML of div containing object in table with crash recovery or sessionsaver extension [@ nsLineBox::IsEmpty ]
Crash Signature: [@ nsLineBox::IsEmpty ]