browser crash while running javascript with multiline string literal




7 years ago
6 years ago


(Reporter: Pavlo Cherkashyn, Unassigned)



5 Branch
crash, testcase

Firefox Tracking Flags

(Not tracked)


(Whiteboard: [sg:dos oom], crash signature)


(3 attachments)



7 years ago
Created attachment 547534 [details]
The zipped content. To reproduce, open index.html as a file (from disk) or as a web page (via a site).

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30

Steps to reproduce:

I am developing/testing my own script which is not on the internet yet.

Actual results:

Total browser crash.

Crash details are here

Note: the same bug is in Chrome and IE

Expected results:

1. Option one: only one tab should crash if this is a syntax mistake
2. Option two: a JavaScript exception if parsing is fine but something is wrong in the JavaScript
Duplicate of this bug: 673266
Crash Signature: [@ PL_DHashTableOperate ]
Attachment #547534 - Attachment mime type: application/octet-stream → application/zip
The script creates a deep tree of HTML table elements, using innerHTML.
I do get an "Unresponsive Script" warning dialog and if I click Stop 
I can then close the tab and no harm is done.  If I click Continue it
eventually runs out of memory.  So this looks like a bug we're already
well aware of.
Whiteboard: [sg:dos oom]
Attachment #547534 - Attachment mime type: application/zip → application/java-archive
How does this become recursive? There's only one <div> in the html to start with and the innerHTML that adds more isn't called until the getElementsByTagName list is already returned.
Created attachment 547602 [details]

The collection returned by getElementsByTagName is a /live/ collection, see:
so when this loop inserts new <div>s they become part of what you're
looping over.

Here's value of document.body.innerHTML for the first few iterations.
I printed the values of 'i' and 'doc.length' as well.

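To show the live-collection effect described above without a browser, here is an added example (not code from the bug's attachment or from Mozilla): `Doc` is a constructed stand-in for the DOM whose `getElementsByTagName()` returns a live view, and `appendDiv()` stands in for `innerHTML += '<div ...>'`; the `maxSteps` guard in `buggyLoop` is an assumption added so the demo terminates.

```javascript
// Constructed stand-in for the DOM: the object returned by getElementsByTagName()
// is "live", i.e. its length is recomputed on every access, exactly like a real
// HTMLCollection. appendDiv() plays the role of `innerHTML += '<div ...>'`.
class Doc {
  constructor() { this.divs = []; }
  getElementsByTagName(tag) {
    const doc = this;
    return {
      get length() { return doc.divs.filter(d => d.tag === tag).length; },
      item(i) { return doc.divs.filter(d => d.tag === tag)[i]; },
    };
  }
  appendDiv(id) { this.divs.push({ tag: 'div', id }); }
}

// The pattern from the testcase: walk the live collection and insert one new
// <div> per entry. Every insertion bumps `live.length`, so `i` never catches
// up. `maxSteps` is a guard added here so the demo stops; the browser has no
// such guard and keeps allocating until it runs out of memory.
function buggyLoop(doc, maxSteps) {
  const live = doc.getElementsByTagName('div');
  let steps = 0;
  for (let i = 0; i < live.length; i++) {
    doc.appendDiv(live.item(i).id + '-but-fb');
    if (++steps >= maxSteps) return { finished: false, steps, divs: doc.divs.length };
  }
  return { finished: true, steps, divs: doc.divs.length };
}

// Fix: snapshot the collection before inserting anything (in a browser,
// Array.from(collection) or the static NodeList from querySelectorAll does
// this), so the loop bound is fixed at the moment the loop starts.
function fixedLoop(doc) {
  const live = doc.getElementsByTagName('div');
  const snapshot = [];
  for (let i = 0; i < live.length; i++) snapshot.push(live.item(i)); // no inserts here
  for (const div of snapshot) doc.appendDiv(div.id + '-but-fb');
  return { finished: true, steps: snapshot.length, divs: doc.divs.length };
}

// Demo: one <div id="box"> to start with, as in the attached index.html.
const d1 = new Doc();
d1.appendDiv('box');
console.log(buggyLoop(d1, 1000)); // { finished: false, steps: 1000, divs: 1001 }
const d2 = new Doc();
d2.appendDiv('box');
console.log(fixedLoop(d2));       // { finished: true, steps: 1, divs: 2 }
```
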
Comment 6

7 years ago
A couple more comments:

In the lines
<div id="'+boxId+'-but-fb" class="bb-box-but-32x32 bb-box-but-fb" \
<div id="'+boxId+'-but-tweet" class="bb-box-but-32x32 bb-box-but-tweet" \
<div id="'+boxId+'-but-in" class="bb-box-but-32x32 bb-box-but-in" \

If I skip '+boxId+' and rewrite them like the lines below, it works fine.

<div id="but-fb" class="bb-box-but-32x32 bb-box-but-fb" \
<div id="but-tweet" class="bb-box-but-32x32 bb-box-but-tweet" \
<div id="but-in" class="bb-box-but-32x32 bb-box-but-in" \

The same happens if I use plain JavaScript to insert DOM elements: it crashes when I try to set the element id equal to boxId + '-smth'.
Group: core-security
Ever confirmed: true
Keywords: crash, testcase