Closed Bug 213482 Opened 21 years ago Closed 21 years ago

setting a watched property within the function called by a watch results in crash

Categories

(Core :: JavaScript Engine, defect, P1)

x86
Windows XP
defect

Tracking

()

VERIFIED FIXED
mozilla1.5beta

People

(Reporter: brant, Assigned: brendan)

Details

(Keywords: crash, js1.5)

Attachments

(3 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5a) Gecko/20030714 Mozilla Firebird/0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5a) Gecko/20030714 Mozilla Firebird/0.6

I had an input element on a page whose value property I was watching.  However,
I was new to using the watch method and was setting the value property from
within the function called by the watch method.  This (now) obviously leads to
an infinite loop which caused Firebird to crash.

Reproducible: Always

Steps to Reproduce:
1. Set the value property of an input element from the function called by the
watch method that is watching that property.

Actual Results:  
Firebird crashed.

Expected Results:  
Firebird should not crash.

Here is a minimal case:

<input id="test">

<script type="text/html">
test = document.getElementById('test');

function watched (a, b, c) {
    test.value = 'a';
}

test.watch("value", watched);
</script>

The only other bug I found relating to the watch method is Bug 127243.
Attached file testcase
I e-mailed this file to myself in Thunderbird with JS on and it also crashes
there so this definitely is not Firebird-specific.

I'd give a Talkback ID, but it hasn't gone through yet.
Attached file Talkback stack trace
cc'ing Brendan, Mike -
Assignee: rogerl → khanson
.
Assignee: khanson → brendan
Here are three Talkback IDs if they are useful, although we already have a stack
trace attached.

TB22108259X
TB22108009W
TB22107993H

Additionally, Windows did not appear to catch this crash, only Talkback caught
it if that narrows things down.
Brant: thank you for these extra incident IDs. I looked them up,
and they confirm your original stack trace attached in Comment #3.
They all show the same call patterns leading to stack overflow -

Oops, just need some recursion dampening.  Patch soon.

/be
Keywords: js1.5
Priority: -- → P1
Target Milestone: --- → mozilla1.5beta
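
The recursion reported in this bug and the "recursion dampening" direction named in the comment above, as an added JavaScript example that is not part of the bug thread and is not the SpiderMonkey patch. It emulates the legacy `watch` with an accessor property (the `watch` helper, `runCase` and the `guard` option are assumptions of this example) and skips the handler for writes made while that handler is already running.

```javascript
// Emulates legacy obj.watch(prop, handler) with an accessor property.
// `watch`, `runCase` and `guard` are hypothetical names used only in this example.
function watch(obj, prop, handler, { guard }) {
  let value = obj[prop];
  let active = false; // true while this watchpoint's handler is running
  Object.defineProperty(obj, prop, {
    configurable: true,
    enumerable: true,
    get() { return value; },
    set(newValue) {
      if (guard && active) {
        // Re-entrant write from inside the handler: store it, do not re-enter.
        value = newValue;
        return;
      }
      active = true;
      try {
        // As in the legacy API, the handler's return value is what gets stored.
        value = handler.call(obj, prop, value, newValue);
      } finally {
        active = false;
      }
    },
  });
}

// Constructed stand-in for the <input> element in the report's testcase.
function runCase(guard) {
  const test = { value: "" };
  let calls = 0;
  watch(test, "value", function watched(id, oldVal, newVal) {
    calls++;
    test.value = "a"; // same mistake as the testcase: write the watched property
    return newVal;
  }, { guard });
  try {
    test.value = "b";
    return { outcome: "ok", calls, value: test.value };
  } catch (e) {
    // Current engines raise a catchable RangeError when the stack is exhausted.
    return { outcome: e instanceof RangeError ? "stack overflow" : "error", calls };
  }
}

console.log(runCase(false).outcome, runCase(true));
```

With the guard on, the nested write is stored and then replaced by the handler's return value, so the handler runs exactly once per outer assignment.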
Attached patch proposed fix
Also fixes a bug calling GC from a JSClass.resolve hook that scole has worked
around for a while now.

/be
Attachment #129039 - Flags: review?(scole)
Comment on attachment 129039 [details] [diff] [review]
proposed fix

You're stretching the limits of my understanding of how the engine works... but
ok.  The scheme is understandable, and the code looks clean.  r=scole
Attachment #129039 - Flags: review?(scole) → review+
Fixed, thanks.

/be
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Keywords: crash
Flags: testcase?
Checking in regress-213482.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-213482.js,v  <--  regress-213482.js
initial revision: 1.1
done
Flags: testcase? → testcase+
verified fixed
Status: RESOLVED → VERIFIED