All Firefox windows closes suddenly (crash) if I load the page [@ 0x042b682f] [@ nsGenericHTMLElement::BindToTree]

VERIFIED FIXED

Status

()

Core
DOM
--
critical
VERIFIED FIXED
12 years ago
12 years ago

People

(Reporter: raul_rodriguez, Assigned: smaug)

Tracking

(4 keywords)

1.8 Branch
x86
All
crash, testcase, verified1.8.0.9, verified1.8.1.1
Points:
---
Bug Flags:
blocking1.8.1 -
blocking1.8.1.1 +
blocking1.8.0.8 -
blocking1.8.0.9 +

Firefox Tracking Flags

(Not tracked)

Details

(crash signature, URL)

Attachments

(2 attachments)

(Reporter)

Description

12 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6

The problem seems to be the script in the div created with the createElement function. The function rewrites its own code. It only crashes if the div is created with createElement.

Reproducible: Always

Steps to Reproduce:
1. Open Firefox
2. Load the example page
3. Pray

Actual Results:  
Sometimes Firefox closes without warnings, sometimes a bug report window appears.

Expected Results:  
The JavaScript should show "lalala". In Opera 8.52 it works fine. In Internet Explorer it does nothing.

Tested with Firefox versions 1.5.0.6, 1.0.7 in Linux.

The code:
<html>
<head>
</head>
<body>
<script type="text/javascript">
var div = document.createElement('div');
div.setAttribute('id', 'firefly');
var scrpt = '';
scrpt += '<script>\n';
scrpt += 'document.getElementById(\'firefly\').innerHTML=\'lalala\';\n';
scrpt += '</script'+'>\n';
div.innerHTML=scrpt;
document.getElementsByTagName('body')[0].appendChild(div);
</script>
</body>
</html>

Comment 1

12 years ago
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1) Gecko/20060929 BonEcho/2.0
Talkback TB24066788G
Also crashing seamonkey.
OS: Linux → All
(Assignee)

Updated

12 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: All → Linux
(Assignee)

Updated

12 years ago
Flags: blocking1.9?
Flags: blocking1.8.1.1?
Flags: blocking1.8.0.9?
Created attachment 241047 [details] [diff] [review]
Is this needed?

I'm afraid we need this.
Attachment #241047 - Flags: review?(bzbarsky)
Nice timing. I think the patch I just attached to bug 343730 should fix this.
Depends on: 343730
Flags: blocking-firefox2?
(In reply to comment #3)
> Nice timing. I think the patch I just attached to bug 343730 should fix this.
> 
That is the correct fix for this, but what about branches?
Bug 343730 is so only-for-trunk.

Comment 5

12 years ago
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1) Gecko/20060929 BonEcho/2.0
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1) Gecko/20061002 SeaMonkey/1.1b

I'm changing to Core, DOM, All, as that bug is seen on Seamonkey and Firefox, Linux and Windows, and the bug it depends on is on Mac OS X.
How are people supposed to learn about triage when bugs with patches are still Firefox/General NEW?
Assignee: nobody → general
Component: General → DOM
Flags: review?(bzbarsky)
Flags: blocking-firefox2?
OS: Linux → All
Product: Firefox → Core
QA Contact: general → ian
Version: unspecified → 1.8 Branch
Comment on attachment 241047 [details] [diff] [review]
Is this needed?

But I'd still like to keep the review request.
Attachment #241047 - Flags: review?(bzbarsky)
(Assignee)

Updated

12 years ago
Flags: blocking1.8.1?
Flags: blocking1.8.1.1?
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.8?
(Reporter)

Comment 7

12 years ago
(In reply to comment #2)
> Created an attachment (id=241047) [edit]
> Is this needed?
> 
> I'm afraid we need this.
> 

This patch works OK for Deer Park 1.5.0.7
Comment on attachment 241047 [details] [diff] [review]
Is this needed?

Yeah... For branches we need this.  Add a comment explaining why we need the weak ref (that is, that the kid can remove itself from the parent in BindToTree)?
Attachment #241047 - Flags: superreview+
Attachment #241047 - Flags: review?(bzbarsky)
Attachment #241047 - Flags: review+
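
The hazard named in the review comment above (a child removing itself from its parent during BindToTree), as a toy C++ model added here; it is not the patch from attachment 241047 and not Gecko code. Node, append, removeAll, bindToTree and runTestcase are hypothetical names, and the loop holds a strong reference and re-checks the child list where the review speaks of a weak ref.

```cpp
#include <cstddef>
#include <functional>
#include <memory>
#include <vector>

// Toy DOM node; every name here is hypothetical and only models the hazard.
struct Node {
    Node* parent = nullptr;
    bool inDoc = false;
    int binds = 0;
    std::vector<std::shared_ptr<Node>> kids;
    std::function<void(Node&)> onBind;  // stands in for a <script> that runs when bound

    void append(std::shared_ptr<Node> k) {
        k->parent = this;
        kids.push_back(k);
        if (inDoc) k->bindToTree();      // inserting into a live tree binds at once
    }
    void removeAll() {                   // models replacing the content via innerHTML
        for (auto& k : kids) { k->parent = nullptr; k->inDoc = false; }
        kids.clear();
    }
    // Returns false when a child's bind step changed this node's child list.
    bool bindToTree() {
        inDoc = true;
        ++binds;
        if (onBind) onBind(*this);
        for (std::size_t i = 0; i < kids.size(); ++i) {
            std::shared_ptr<Node> kid = kids[i];  // strong ref: kid outlives the call
            kid->bindToTree();
            // The kid may have detached itself: re-validate before going on.
            if (i >= kids.size() || kids[i] != kid) return false;
        }
        return true;
    }
};

struct Outcome { bool finished; std::size_t kids; bool scriptDetached; int textBinds; };

// Constructed scenario shaped like the testcase: a script in a div replaces the div's content mid-bind.
Outcome runTestcase() {
    auto div = std::make_shared<Node>();
    auto script = std::make_shared<Node>();
    auto text = std::make_shared<Node>();
    script->onBind = [text](Node& self) { Node* p = self.parent; p->removeAll(); p->append(text); };
    div->append(script);  // div is not in a document yet, so nothing is bound
    bool finished = div->bindToTree();
    return {finished, div->kids.size(), script->parent == nullptr, text->binds};
}
```

Without the local strong reference and the re-check, the loop would keep using a child that the callback had already released.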
(Assignee)

Updated

12 years ago
Attachment #241047 - Flags: approval1.8.1?
Attachment #241047 - Flags: approval1.8.0.8?
I want to check this in to trunk too. Partially to see whether this affects tp or tdhtml.
Assignee: general → Olli.Pettay

Comment 10

12 years ago
Incident ID: 24066788
Stack Signature	0x042b682f 85287b6b
Product ID	Firefox2
Build ID	2006092903
Trigger Time	2006-10-03 02:59:36.0
Platform	Win32
Operating System	Windows 98 4.10 build 67766222
Module	
URL visited	http://adlead.com/crash.html
User Comments	Bug 355221 All firefox windows closes suddenly if I load the page.
Since Last Crash	8654 sec
Total Uptime	8654 sec
Trigger Reason	Access violation
Source File, Line No.	N/A
Stack Trace 	
0x042b682f
nsGenericHTMLElement::BindToTree  [mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 1425]
nsGenericElement::InsertChildAt  [mozilla/content/base/src/nsGenericElement.cpp, line 2778]
nsGenericElement::InsertBefore  [mozilla/content/base/src/nsGenericElement.cpp, line 3067]
XPCWrappedNative::CallMethod  [mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2169]
XPC_WN_CallMethod  [mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1455]
js_Invoke  [mozilla/js/src/jsinterp.c, line 1373]
js_Interpret  [mozilla/js/src/jsinterp.c, line 4110]
js_Execute  [mozilla/js/src/jsinterp.c, line 1619]
JS_EvaluateUCScriptForPrincipals  [mozilla/js/src/jsapi.c, line 4364]
nsJSContext::EvaluateString  [mozilla/dom/src/base/nsJSEnvironment.cpp, line 1100]
nsScriptLoader::EvaluateScript  [mozilla/content/base/src/nsScriptLoader.cpp, line 775]
nsScriptLoader::ProcessRequest  [mozilla/content/base/src/nsScriptLoader.cpp, line 673]
nsScriptLoader::DoProcessScriptElement  [mozilla/content/base/src/nsScriptLoader.cpp, line 606]
nsScriptLoader::ProcessScriptElement  [mozilla/content/base/src/nsScriptLoader.cpp, line 358]
nsHTMLScriptElement::MaybeProcessScript  [mozilla/content/html/content/src/nsHTMLScriptElement.cpp, line 663]
nsHTMLScriptElement::BindToTree  [mozilla/content/html/content/src/nsHTMLScriptElement.cpp, line 456]
nsGenericElement::AppendChildTo  [mozilla/content/base/src/nsGenericElement.cpp, line 2869]
HTMLContentSink::ProcessSCRIPTTag  [mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 4174]
HTMLContentSink::AddLeaf  [mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 3040]
CNavDTD::AddLeaf  [mozilla/parser/htmlparser/src/CNavDTD.cpp, line 3576]
CNavDTD::HandleDefaultStartToken  [mozilla/parser/htmlparser/src/CNavDTD.cpp, line 1283]
CNavDTD::HandleStartToken  [mozilla/parser/htmlparser/src/CNavDTD.cpp, line 1668]
CNavDTD::HandleToken  [mozilla/parser/htmlparser/src/CNavDTD.cpp, line 955]
CNavDTD::BuildModel  [mozilla/parser/htmlparser/src/CNavDTD.cpp, line 458]
nsParser::BuildModel  [mozilla/parser/htmlparser/src/nsParser.cpp, line 2145]
Keywords: crash
Summary: All firefox windows closes suddenly if I load the page. → All Firefox windows closes suddenly (crash) if I load the page [@ 0x042b682f] [@ nsGenericHTMLElement::BindToTree]
not going to block on this for 1.8.1, this is not a regression from 1.5 and we're very late in the game.  Pushing nom to 1.8.1.1
Flags: blocking1.8.1?
Flags: blocking1.8.1.1?
Flags: blocking1.8.1-
Fwiw i'm planning on landing 343730 on branches too, or at least a variation of it.
Created attachment 241084 [details] [diff] [review]
applies cleanly to branches and review comments addressed
(In reply to comment #12)
> Fwiw i'm planning on landing 343730 on branches too, or at least a variation of
> it.
> 

oh, when exactly? I just checked in this to trunk.

As soon as I get reviews I'll land on trunk. For branch we may or may not want to scale down the patch for branches, but this discussion belongs in bug 343730
(Assignee)

Updated

12 years ago
Attachment #241047 - Flags: approval1.8.1?
Attachment #241047 - Flags: approval1.8.0.8?
Comment on attachment 241084 [details] [diff] [review]
applies cleanly to branches and review comments addressed

The patch didn't seem to cause any tp or tdhtml hit on trunk.
Attachment #241084 - Flags: approval1.8.1?
Attachment #241084 - Flags: approval1.8.0.8?
Comment on attachment 241084 [details] [diff] [review]
applies cleanly to branches and review comments addressed

too late for this, try to get this for 1.8.1.1
Attachment #241084 - Flags: approval1.8.1? → approval1.8.1-
we're trying to keep 1.8.0.8 in sync with 1.8.1, pushing request to 1.8.0.9
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.8?
Flags: blocking1.8.0.8-
Attachment #241084 - Flags: approval1.8.1.1?
Attachment #241084 - Flags: approval1.8.0.9?
Attachment #241084 - Flags: approval1.8.0.8?
Flags: blocking1.8.1.1?
Flags: blocking1.8.1.1+
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.9+
This is fixed on trunk, removing blocking1.9?
(And bug 343730 is also fixed)
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Flags: blocking1.9?
Resolution: --- → FIXED
Comment on attachment 241084 [details] [diff] [review]
applies cleanly to branches and review comments addressed

approved for 1.8/1.8.0 branches, a=dveditz for drivers
Attachment #241084 - Flags: approval1.8.1.1?
Attachment #241084 - Flags: approval1.8.1.1+
Attachment #241084 - Flags: approval1.8.0.9?
Attachment #241084 - Flags: approval1.8.0.9+
(Assignee)

Updated

12 years ago
Keywords: fixed1.8.0.9
fixed1.8.0.9, fixed1.8.1.1
Keywords: fixed1.8.1.1
Verified fixed on trunk by using a build before and a build after patch was checked in on trunk, and verified fixed on trunk by looking on the bonsai log on trunk.
I couldn't get the page to crash on branch builds, so I verified the fix on branches by looking at the bonsai logs for MOZILLA_1_8_BRANCH and MOZILLA_1_8_1_BRANCH.
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.0.9, fixed1.8.1.1 → testcase, verified1.8.0.9, verified1.8.1.1
Crash Signature: [@ 0x042b682f] [@ nsGenericHTMLElement::BindToTree]