User-Agent: Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6 The problem seems to be the script into div created with the createElement function. The function rewrites its own code. It only crashes if the div is created with createElement. Reproducible: Always Steps to Reproduce: 1. Open Firefox 2. Load the example page 3. Pray Actual Results: Sometimes firefox closes without warnnings, sometimes a bug report window appears. Expected Results: The javascript should show "lalala". In Opera 8.52 works fine. In Internet Explorer does nothing. Tested with Firefox versions 1.5.0.6, 1.0.7 in Linux. The code: <html> <head> </head> <body> <script type="text/javascript"> var div = document.createElement('div'); div.setAttribute('id', 'firefly'); var scrpt = ''; scrpt += '<script>\n'; scrpt += 'document.getElementById(\'firefly\').innerHTML=\'lalala\';\n'; scrpt += '</script'+'>\n'; div.innerHTML=scrpt; document.getElementsByTagName('body')[0].appendChild(div); </script> </body> </html>

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1) Gecko/20060929 BonEcho/2.0 Talkback TB24066788G Also crashing seamonkey.

I'm afraid we need this.

Nice timing. I think the patch I just attached to bug 343730 should fix this.

(In reply to comment #3) > Nice timing. I think the patch I just attached to bug 343730 should fix this. > That is the correct fix for this, but what about branches? Bug 343730 is so only-for-trunk.

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1) Gecko/20060929 BonEcho/2.0 Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1) Gecko/20061002 SeaMonkey/1.1b I'm changing to Core, DOM, All, as that bug is seen on Seamonkey and Firefox, Linux and Windows, and the bug it depends on is on Mac OS X. How are people supposed to learn about triage when bugs with patches are still Firefox/General NEW?

Comment on attachment 241047 [details] [diff] [review] Is this needed? But I'd still like to keep the review request.

The (In reply to comment #2) > Created an attachment (id=241047) [edit] > Is this needed? > > I'm afraid we need this. > This parch works OK for Deer Park 1.5.0.7

Comment on attachment 241047 [details] [diff] [review] Is this needed? Yeah... For branches we need this. Add a comment explaining why we need the weak ref (that is, that the kid can remove itself from the parent in BindToTree)?

I want to check this in to trunk too. Partially to see whether this affects tp or tdhtml.

Incident ID: 24066788 Stack Signature 0x042b682f 85287b6b Product ID Firefox2 Build ID 2006092903 Trigger Time 2006-10-03 02:59:36.0 Platform Win32 Operating System Windows 98 4.10 build 67766222 Module URL visited http://adlead.com/crash.html User Comments Bug 355221 All firefox windows closes suddenly if I load the page. Since Last Crash 8654 sec Total Uptime 8654 sec Trigger Reason Access violation Source File, Line No. N/A Stack Trace 0x042b682f nsGenericHTMLElement::BindToTree [mozilla/content/html/content/src/nsGenericHTMLElement.cpp, line 1425] nsGenericElement::InsertChildAt [mozilla/content/base/src/nsGenericElement.cpp, line 2778] nsGenericElement::InsertBefore [mozilla/content/base/src/nsGenericElement.cpp, line 3067] XPCWrappedNative::CallMethod [mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2169] XPC_WN_CallMethod [mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1455] js_Invoke [mozilla/js/src/jsinterp.c, line 1373] js_Interpret [mozilla/js/src/jsinterp.c, line 4110] js_Execute [mozilla/js/src/jsinterp.c, line 1619] JS_EvaluateUCScriptForPrincipals [mozilla/js/src/jsapi.c, line 4364] nsJSContext::EvaluateString [mozilla/dom/src/base/nsJSEnvironment.cpp, line 1100] nsScriptLoader::EvaluateScript [mozilla/content/base/src/nsScriptLoader.cpp, line 775] nsScriptLoader::ProcessRequest [mozilla/content/base/src/nsScriptLoader.cpp, line 673] nsScriptLoader::DoProcessScriptElement [mozilla/content/base/src/nsScriptLoader.cpp, line 606] nsScriptLoader::ProcessScriptElement [mozilla/content/base/src/nsScriptLoader.cpp, line 358] nsHTMLScriptElement::MaybeProcessScript [mozilla/content/html/content/src/nsHTMLScriptElement.cpp, line 663] nsHTMLScriptElement::BindToTree [mozilla/content/html/content/src/nsHTMLScriptElement.cpp, line 456] nsGenericElement::AppendChildTo [mozilla/content/base/src/nsGenericElement.cpp, line 2869] HTMLContentSink::ProcessSCRIPTTag [mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 4174] HTMLContentSink::AddLeaf [mozilla/content/html/document/src/nsHTMLContentSink.cpp, line 3040] CNavDTD::AddLeaf [mozilla/parser/htmlparser/src/CNavDTD.cpp, line 3576] CNavDTD::HandleDefaultStartToken [mozilla/parser/htmlparser/src/CNavDTD.cpp, line 1283] CNavDTD::HandleStartToken [mozilla/parser/htmlparser/src/CNavDTD.cpp, line 1668] CNavDTD::HandleToken [mozilla/parser/htmlparser/src/CNavDTD.cpp, line 955] CNavDTD::BuildModel [mozilla/parser/htmlparser/src/CNavDTD.cpp, line 458] nsParser::BuildModel [mozilla/parser/htmlparser/src/nsParser.cpp, line 2145]

not going to block on this for 1.8.1, this is not a regression from 1.5 and we're very late in the game. Pushing nom to 1.8.1.1

Fwiw i'm planning on landing 343730 on branches too, or at least a variation of it.

(In reply to comment #12) > Fwiw i'm planning on landing 343730 on branches too, or at least a variation of > it. > oh, when exactly? I just checked in this to trunk.

As soon as I get reviews I'll land on trunk. For branch we may or may not want to scale down the patch for branches, but this discussion belongs in bug 343730

Comment on attachment 241084 [details] [diff] [review] applies cleanly to branches and review comments addressed The patch didn't seem to cause any tp or tdhtml hit on trunk.

Comment on attachment 241084 [details] [diff] [review] applies cleanly to branches and review comments addressed too late for this, try to get this for 1.8.1.1

we're trying to keep 1.8.0.8 in sync with 1.8.1, pushing request to 1.8.0.9

This is fixed on trunk, removing blocking1.9? (And bug 343730 is also fixed)

Comment on attachment 241084 [details] [diff] [review] applies cleanly to branches and review comments addressed approved for 1.8/1.8.0 branches, a=dveditz for drivers

fixed1.8.0.9, fixed1.8.1.1

Verified fixed on trunk by using a build before and a build after patch was checked in on trunk, and verified fixed on trunk by looking on the bonsai log on trunk. I couldn't get the page to crash on branch builds, so I verified the fix on branches by looking at the bonsai logs for MOZILLA_1_8_BRANCH and MOZILLA_1_8_1_BRANCH.