Closed Bug 102022 Opened 23 years ago Closed 23 years ago

Mozilla crashes at above site

Categories

(Core :: DOM: Events, defect)

Product:
Core
Component:
DOM: Events
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
VERIFIED DUPLICATE of bug 77271

People

(Reporter: radha, Assigned: joki)

References

(
URL
)

Details

(Keywords: crash)

Attachments

(1 file)

Reduced HTML testcase
279 bytes, text/html
Details 
Steps to reproduce:
-------------------
1) Goto www.csuhayward.edu
2) Click on Campus directory in the left frame at the bottom.
3) Mozilla crashes immediately.

The problem seems to be an infinite loop caused probably by bad javascript.
Nav 4.x renders the page just fine.


nsXULElement::QueryInterface(nsXULElement * const 0x03800510, const nsID & 
{...}, void * * 0x00033038) line 728
nsQueryInterface::operator()(const nsID & {...}, void * * 0x00033038) line 32 + 
25 bytes
nsCOMPtr<nsIContent>::assign_from_helper(const nsCOMPtr_helper & {...}, const 
nsID & {...}) line 971 + 18 bytes
nsCOMPtr<nsIContent>::nsCOMPtr<nsIContent>(const nsQueryInterface & {...}) line 
565
nsCOMPtr<nsIContent>::Assert_NoQueryNeeded() line 500
nsGetterAddRefs<nsIContent>::~nsGetterAddRefs<nsIContent>() line 1055
nsXULElement::HandleDOMEvent(nsXULElement * const 0x03dc53a0, nsIPresContext * 
0x0479b550, nsEvent * 0x00034bf8, nsIDOMEvent * * 0x00034914, unsigned int 4, 
nsEventStatus * 0x00034c20) line 3629
nsXULElement::HandleDOMEvent(nsXULElement * const 0x03dc5110, nsIPresContext * 
0x0479b550, nsEvent * 0x00034bf8, nsIDOMEvent * * 0x00034914, unsigned int 4, 
nsEventStatus * 0x00034c20) line 3699
nsXULElement::HandleChromeEvent(nsXULElement * const 0x03dc5120, nsIPresContext 
* 0x0479b550, nsEvent * 0x00034bf8, nsIDOMEvent * * 0x00034914, unsigned int 4, 
nsEventStatus * 0x00034c20) line 5100 + 39 bytes
GlobalWindowImpl::HandleDOMEvent(GlobalWindowImpl * const 0x03efe4c0, 
nsIPresContext * 0x0479b550, nsEvent * 0x00034bf8, nsIDOMEvent * * 0x00034914, 
unsigned int 4, nsEventStatus * 0x00034c20) line 616
nsDocument::HandleDOMEvent(nsDocument * const 0x04409490, nsIPresContext * 
0x0479b550, nsEvent * 0x00034bf8, nsIDOMEvent * * 0x00034914, unsigned int 4, 
nsEventStatus * 0x00034c20) line 3022
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x04418860, 
nsIPresContext * 0x0479b550, nsEvent * 0x00034bf8, nsIDOMEvent * * 0x00034914, 
unsigned int 4, nsEventStatus * 0x00034c20) line 1808 + 39 bytes
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x047ae720, 
nsIPresContext * 0x0479b550, nsEvent * 0x00034bf8, nsIDOMEvent * * 0x00034914, 
unsigned int 4, nsEventStatus * 0x00034c20) line 1806
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x04af9930, 
nsIPresContext * 0x0479b550, nsEvent * 0x00034bf8, nsIDOMEvent * * 0x00034914, 
unsigned int 4, nsEventStatus * 0x00034c20) line 1806
nsHTMLFormElement::HandleDOMEvent(nsHTMLFormElement * const 0x04af9930, 
nsIPresContext * 0x0479b550, nsEvent * 0x00034bf8, nsIDOMEvent * * 0x00034914, 
unsigned int 4, nsEventStatus * 0x00034c20) line 463 + 29 bytes
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x04afeec0, 
nsIPresContext * 0x0479b550, nsEvent * 0x00034bf8, nsIDOMEvent * * 0x00034914, 
unsigned int 4, nsEventStatus * 0x00034c20) line 1806
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x04afa920, 
nsIPresContext * 0x0479b550, nsEvent * 0x00034bf8, nsIDOMEvent * * 0x00034914, 
unsigned int 4, nsEventStatus * 0x00034c20) line 1806
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x04afb270, 
nsIPresContext * 0x0479b550, nsEvent * 0x00034bf8, nsIDOMEvent * * 0x00034914, 
unsigned int 4, nsEventStatus * 0x00034c20) line 1806
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x04af8380, 
nsIPresContext * 0x0479b550, nsEvent * 0x00034bf8, nsIDOMEvent * * 0x00034914, 
unsigned int 4, nsEventStatus * 0x00034c20) line 1806
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x04af8320, 
nsIPresContext * 0x0479b550, nsEvent * 0x00034bf8, nsIDOMEvent * * 0x00034914, 
unsigned int 4, nsEventStatus * 0x00034c20) line 1806
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x04af8980, 
nsIPresContext * 0x0479b550, nsEvent * 0x00034bf8, nsIDOMEvent * * 0x00034914, 
unsigned int 1, nsEventStatus * 0x00034c20) line 1806
nsHTMLInputElement::HandleDOMEvent(nsHTMLInputElement * const 0x04af8980, 
nsIPresContext * 0x0479b550, nsEvent * 0x00034bf8, nsIDOMEvent * * 0x00000000, 
unsigned int 1, nsEventStatus * 0x00034c20) line 1111 + 29 bytes
nsHTMLInputElement::Select(nsHTMLInputElement * const 0x04af89ac) line 813 + 49 
bytes
XPTC_InvokeByIndex(nsISupports * 0x04af89ac, unsigned int 91, unsigned int 0, 
nsXPTCVariant * 0x00034e58) line 139
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode 
CALL_METHOD) line 1952 + 42 bytes
XPC_WN_CallMethod(JSContext * 0x03efe260, JSObject * 0x02a95ea0, unsigned int 0, 
long * 0x02b355dc, long * 0x00035090) line 1254 + 14 bytes
js_Invoke(JSContext * 0x03efe260, unsigned int 0, unsigned int 0) line 807 + 23 
bytes
js_Interpret(JSContext * 0x03efe260, long * 0x00035e34) line 2719 + 15 bytes
js_Invoke(JSContext * 0x03efe260, unsigned int 1, unsigned int 2) line 824 + 13 
bytes
js_InternalInvoke(JSContext * 0x03efe260, JSObject * 0x02a95ea0, long 44654464, 
unsigned int 0, unsigned int 1, long * 0x00036014, long * 0x00035f5c) line 899 + 
20 bytes
JS_CallFunctionValue(JSContext * 0x03efe260, JSObject * 0x02a95ea0, long 
44654464, unsigned int 1, long * 0x00036014, long * 0x00035f5c) line 3380 + 31 
bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x03efe450, void * 0x02a95ea0, 
void * 0x02a95f80, unsigned int 1, void * 0x00036014, int * 0x00036010, int 0) 
line 976 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x04afc510, nsIDOMEvent 
* 0x04261c34) line 155 + 74 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x04afc470, 
nsIDOMEvent * 0x04261c34, nsIDOMEventTarget * 0x04261bf0, unsigned int 8, 
unsigned int 7) line 1213 + 20 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x04afb9b0, 
nsIPresContext * 0x0479b550, nsEvent * 0x00036b00, nsIDOMEvent * * 0x0003681c, 
nsIDOMEventTarget * 0x04261bf0, unsigned int 7, nsEventStatus * 0x00036b28) line 
1814 + 36 bytes
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x04af8980, 
nsIPresContext * 0x0479b550, nsEvent * 0x00036b00, nsIDOMEvent * * 0x0003681c, 
unsigned int 1, nsEventStatus * 0x00036b28) line 1826
nsHTMLInputElement::HandleDOMEvent(nsHTMLInputElement * const 0x04af8980, 
nsIPresContext * 0x0479b550, nsEvent * 0x00036b00, nsIDOMEvent * * 0x00000000, 
unsigned int 1, nsEventStatus * 0x00036b28) line 1111 + 29 bytes
nsHTMLInputElement::Select(nsHTMLInputElement * const 0x04af89ac) line 813 + 49 
bytes
XPTC_InvokeByIndex(nsISupports * 0x04af89ac, unsigned int 91, unsigned int 0, 
nsXPTCVariant * 0x00036d60) line 139
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode 
CALL_METHOD) line 1952 + 42 bytes
XPC_WN_CallMethod(JSContext * 0x03efe260, JSObject * 0x02a95ea0, unsigned int 0, 
long * 0x02b355b8, long * 0x00036f98) line 1254 + 14 bytes
js_Invoke(JSContext * 0x03efe260, unsigned int 0, unsigned int 0) line 807 + 23 
bytes
js_Interpret(JSContext * 0x03efe260, long * 0x00037d3c) line 2719 + 15 bytes
js_Invoke(JSContext * 0x03efe260, unsigned int 1, unsigned int 2) line 824 + 13 
bytes
js_InternalInvoke(JSContext * 0x03efe260, JSObject * 0x02a95ea0, long 44654464, 
unsigned int 0, unsigned int 1, long * 0x00037f1c, long * 0x00037e64) line 899 + 
20 bytes
JS_CallFunctionValue(JSContext * 0x03efe260, JSObject * 0x02a95ea0, long 
44654464, unsigned int 1, long * 0x00037f1c, long * 0x00037e64) line 3380 + 31 
bytes
Keywords: crash
Confirming crash on Linux 2001092306; OS : Win --> All. 

The "Campus Directory" link is this URL, which provokes an 
immediate crash on load:

  http://imctwo.csuhayward.edu/public/staffdir/index.cfm?FuseAction=Advanced
OS: Windows 2000 → All
Attached file Reduced HTML testcase 

    
    

    
  
The reduced testcase loads in NN4.7, but crashes in Mozilla 20010923xx.
Like the original site, it causes stack overflow with this HTML:


<BODY onload=document.input.name.focus()>
<P><B>
DID THIS PAGE LOAD? IF SO, THE BUG HAS GONE AWAY - USED TO CRASH ON LOAD
</B>

<form name="input">
  <INPUT TYPE="text" NAME="name" 
         onClick="this.focus()"
         onFocus="this.select()"
         onSelect="this.select()">
</FORM>
</BODY>


    
    

    
  
Not sure who is supposed to police this kind of recursive HTML,
but it's not JS Engine.

Reassigning to DOM Events for further triage -  
Assignee: rogerl → joki
Component: Javascript Engine → DOM Events
QA Contact: pschwartau → vladimire

    
    

    
  
This is a duplicate of 77271 Need to filter recursive events to prevent crashes


*** This bug has been marked as a duplicate of 77271 ***
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE

    
    

    
  
verifying
Status: RESOLVED → VERIFIED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: