browser crash while running javascript with multiline string literal




7 years ago
2 months ago


(Reporter: pavlocherkashyn, Unassigned)


({crash, testcase})

5 Branch
crash, testcase

Firefox Tracking Flags

(Not tracked)


(Whiteboard: [sg:dos oom], crash signature)


(3 attachments)



7 years ago
Created attachment 547534 [details]
the zipped content. to reproduce - open index.html as a file (from disk) or as web page (via site)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30

Steps to reproduce:

I am developing/testing my own script which is not in the internet yet.

Actual results:

total browser crash.

crash details are here

Note: the same bug is in Chrome and IE

Expected results:

1 option one: only one tab should crash is this is syntax mistake
2 option two: javascript exception if parsing is fine, but something is wrong in javascript


7 years ago
Duplicate of this bug: 673266


7 years ago
Crash Signature: [@ PL_DHashTableOperate ]


7 years ago
Attachment #547534 - Attachment mime type: application/octet-stream → application/zip
Created attachment 547561 [details]
the script
The script creates an deep tree of HTML table elements, using innerHTML.
I do get an "Unresponsive Script" warning dialog and if I click Stop 
I can then close the tab and no harm is done.  If I click Continue it
eventually runs out of memory.  So this looks like a bug we're already
well aware of.
Whiteboard: [sg:dos oom]
Attachment #547534 - Attachment mime type: application/zip → application/java-archive
How does this become recursive? There's only one <div> in the html to start with and the innerHTML that adds more isn't called until the getElementsByTagName list is already returned.
Created attachment 547602 [details]

The collection returned by getElementsByTagName is a /live/ collection, see:
so when this loops inserts new <div>s the become part of what you're
looping over.

Here's value of document.body.innerHTML for the first few iterations.
I printed the values of 'i' and 'doc.length' as well.

Comment 6

7 years ago
couple more comments:

in lines
<div id="'+boxId+'-but-fb" class="bb-box-but-32x32 bb-box-but-fb" \
<div id="'+boxId+'-but-tweet" class="bb-box-but-32x32 bb-box-but-tweet" \
<div id="'+boxId+'-but-in" class="bb-box-but-32x32 bb-box-but-in" \

if i skip '+boxId+' and rewrite like these lines below - it works fine.

<div id="but-fb" class="bb-box-but-32x32 bb-box-but-fb" \
<div id="but-tweet" class="bb-box-but-32x32 bb-box-but-tweet" \
<div id="but-in" class="bb-box-but-32x32 bb-box-but-in" \

the same happens id i use plain javascript to insert dom elements - it crushes when i try to set element id equal to boxId + '-smth'.
Group: core-security
Ever confirmed: true
Keywords: crash, testcase
Closing because no crash reported since 12 weeks.
Last Resolved: 2 months ago
Resolution: --- → WONTFIX
Reopening because crash bugs **with testcases** should not be resolved **as WONTFIX** based on queries of crash-stats.  Other resolutions may be appropriate for other reasons.

(Crash signatures are not the same as bug identity; they're merely a search aid to find and group similar crashes.  The bug may still be present, but the signature may have changed slightly, or the bug may even still be present with the same signature but there are simply no recent reports of crashes in that function.)
Resolution: WONTFIX → ---
You need to log in before you can comment on or make changes to this bug.