Closed Bug 12791 Opened 25 years ago Closed 25 years ago

Core dump while visiting this site...

Categories

(Core :: DOM: Core & HTML, defect, P3)

VERIFIED WORKSFORME

People

(Reporter: roland.mainz, Assigned: vidur)

Details

(Whiteboard: [TESTCASE])

Attachments

(1 file)

I tried to step into http://www.buecherwurm.de and got a core dump as the
response :-(
Tested with an M9 build on Solaris 7 sparc (sun4u)...

GDB gives me some hint where it crashed:
-- snip --
#0  nsJSUtils::nsConvertObjectToJSVal (aSupports=0x1268, aContext=0x16f5760,
aReturn=0xffbed590)
    at ../../../../dom/src/base/nsJSUtils.cpp:133
133         if (NS_OK == aSupports->QueryInterface(kIScriptObjectOwnerIID,
(void**)&owner)) {
(gdb) bt
#0  nsJSUtils::nsConvertObjectToJSVal (aSupports=0x1268, aContext=0x16f5760,
aReturn=0xffbed590)
    at ../../../../dom/src/base/nsJSUtils.cpp:133
#1  0xff0f7c18 in GetHTMLLayerElementProperty (cx=0x16f5760, obj=0x17b7e58,
id=-15, vp=0xffbed590)
    at ../../../../dom/src/html/nsJSHTMLLayerElement.cpp:201
#2  0xfefc468c in js_GetProperty (cx=0x16f5760, obj=0x17b7e58, id=1626032,
vp=0xffbed590)
    at ../../../js/src/jsobj.c:1700
#3  0xfefb8484 in js_Interpret (cx=0x16f5760, result=0xffbed7ec) at
../../../js/src/jsinterp.c:2184
#4  0xfefb2ac8 in js_Execute (cx=0x16f5760, chain=0x17b7e90, script=0x231e398,
fun=0x1e43270, down=0xffbeda40,
    debugging=0, result=0xffbed7ec) at ../../../js/src/jsinterp.c:827
#5  0xfefc1bfc in obj_eval (cx=0x16f5760, obj=0x231e398, argc=1, argv=0x17b7e88,
rval=0xffbed7ec)
    at ../../../js/src/jsobj.c:672
#6  0xfefb26a4 in js_Invoke (cx=0x16f5760, argc=1, flags=0) at
../../../js/src/jsinterp.c:654
#7  0xfefb8f3c in js_Interpret (cx=0x16f5760, result=0xffbeda3c) at
../../../js/src/jsinterp.c:2228
#8  0xfefb26f8 in js_Invoke (cx=0x16f5760, argc=4, flags=0) at
../../../js/src/jsinterp.c:670
#9  0xfefb8f3c in js_Interpret (cx=0x16f5760, result=0xffbedcac) at
../../../js/src/jsinterp.c:2228
#10 0xfefb26f8 in js_Invoke (cx=0x16f5760, argc=0, flags=0) at
../../../js/src/jsinterp.c:670
#11 0xfefb8f3c in js_Interpret (cx=0x16f5760, result=0xffbedf1c) at
../../../js/src/jsinterp.c:2228
#12 0xfefb26f8 in js_Invoke (cx=0x16f5760, argc=1, flags=2) at
../../../js/src/jsinterp.c:670
#13 0xfefb2934 in js_InternalCall (cx=0x16f5760, obj=0x410d98, fval=14504760,
argc=1, argv=0xffbee17c,
    rval=0xffbee178) at ../../../js/src/jsinterp.c:747
#14 0xfef98a10 in JS_CallFunctionValue (cx=0x16f5760, obj=0x410d98,
fval=14504760, argc=1, argv=0xffbee17c,
    rval=0xffbee178) at ../../../js/src/jsapi.c:2643
#15 0xff0da550 in nsJSEventListener::HandleEvent (this=0x2176508,
aEvent=0x1f71580)
    at ../../../../dom/src/events/nsJSEventListener.cpp:97
#16 0xfd25a1d4 in nsEventListenerManager::HandleEvent (this=0x1448398,
aPresContext=@0x1f71580, aEvent=0xffbee3f0,
    aDOMEvent=0xffbee31c, aFlags=3, aEventStatus=@0xffbee3a4)
    at ../../../../layout/events/src/nsEventListenerManager.cpp:971
#17 0xff0c133c in GlobalWindowImpl::HandleDOMEvent (this=0x1433478,
aPresContext=@0xf874d8, aEvent=0xffbee3f0,
    aDOMEvent=0xffbee31c, aFlags=1, aEventStatus=@0xffbee3a4) at
../../../../dom/src/base/nsGlobalWindow.cpp:2820
#18 0xff258cb8 in nsWebShell::OnEndDocumentLoad (this=0x1f86378,
loader=0x49c960, channel=0x5322b8, aStatus=0,
    aWebShell=0x1f8638c) at ../../../webshell/src/nsWebShell.cpp:3248
#19 0xff24fb84 in nsDocLoaderImpl::FireOnEndDocumentLoad (this=0x49c960,
aLoadInitiator=0x49c960, aStatus=0)
    at ../../../webshell/src/nsDocLoader.cpp:1227
#20 0xff24f840 in nsDocLoaderImpl::OnStopRequest (this=0x49c960,
channel=0x24477a8, ctxt=0x0, status=0, errorMsg=0x0)
    at ../../../webshell/src/nsDocLoader.cpp:1097
#21 0xfd7a25f0 in nsLoadGroup::RemoveChannel (this=0x34ebc0, channel=0x24477a8,
ctxt=0x0, status=0, errorMsg=0x0)
    at ../../../../netwerk/base/src/nsLoadGroup.cpp:548
#22 0xfc2ff4a4 in nsHTTPChannel::ResponseCompleted (this=0x24477a8,
aTransport=0x255eb50, aStatus=0)
    at ../../../../../netwerk/protocol/http/src/nsHTTPChannel.cpp:640
#23 0xfc30184c in nsHTTPResponseListener::OnStopRequest (this=0x250ca20,
channel=0x255eb50, i_pContext=0x24477a8,
    i_Status=0, i_pMsg=0x0) at
../../../../../netwerk/protocol/http/src/nsHTTPResponseListener.cpp:235
#24 0xfd79574c in nsOnStopRequestEvent::HandleEvent (this=0x254c490)
    at ../../../../netwerk/base/src/nsAsyncStreamListener.cpp:273
#25 0xfd795148 in nsStreamListenerEvent::HandlePLEvent (aEvent=0x254c490)
    at ../../../../netwerk/base/src/nsAsyncStreamListener.cpp:149
#26 0xfee63088 in PL_HandleEvent (self=0x254c490) at plevent.c:509
#27 0xfee62f08 in PL_ProcessPendingEvents (self=0x9b110) at plevent.c:470
#28 0xfef033f0 in nsEventQueueImpl::ProcessPendingEvents (this=0xaaf88)
    at ../../../xpcom/threads/nsEventQueue.cpp:118
#29 0xff340e68 in event_processor_callback (data=0xaaf88, source=6,
condition=GDK_INPUT_READ)
    at ../../../../widget/src/gtk/nsAppShell.cpp:149
#30 0xfebcbf24 in gdk_io_invoke (source=0x109bc0, condition=G_IO_IN,
data=0xded30) at gdkevents.c:878
---Type <return> to continue, or q <return> to quit---
#31 0xfeb55478 in g_io_unix_dispatch (source_data=0x112690,
current_time=0xffbeec28, user_data=0xded30)
    at giounix.c:135
#32 0xfeb57138 in g_main_dispatch (current_time=0xffbeec28) at gmain.c:652
#33 0xfeb57a24 in g_main_iterate (block=1228, dispatch=1) at gmain.c:870
#34 0xfeb57c34 in g_main_run (loop=0x111b80) at gmain.c:928
#35 0xfecc5fbc in gtk_main () at gtkmain.c:475
#36 0xff3415e0 in nsAppShell::Run (this=0xa5d68) at
../../../../widget/src/gtk/nsAppShell.cpp:371
#37 0xfe57a064 in nsAppShellService::Run (this=0x83d20) at
../../../../xpfe/appshell/src/nsAppShellService.cpp:470
#38 0x141b4 in main1 (argc=0, argv=0xffbef0bc) at
../../../xpfe/bootstrap/nsAppRunner.cpp:761
#39 0x14384 in main (argc=1, argv=0xffbef0bc) at
../../../xpfe/bootstrap/nsAppRunner.cpp:828
-- snip --

I assume this is a JavaScript problem, isn't it?
Assignee: mccabe → vidur
Component: Javascript Engine → DOM Level 0
...dumping another one on vidur :(

No, this is not a JavaScript Engine bug. It sounds like
GetHTMLLayerElementProperty is handing a bogus pointer to
nsJSUtils::nsConvertObjectToJSVal in the middle of some nasty event handling.

I can only hope that this bug in M9 has been fixed.
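The failure mode described in the comment above is a property getter handing a pointer it never validated to nsJSUtils::nsConvertObjectToJSVal, which then calls QueryInterface through it. The following is an added, hypothetical C++ model of that call chain (not Mozilla code; the types, the IID constant and the LayerElement/GetInnerLayer names are stand-ins) showing the defensive discipline that keeps a failed getter from passing a stale or uninitialized pointer onward: zero the out-param, check the nsresult, and map a missing object to a null jsval instead of dereferencing it.

```cpp
#include <cstdint>

// Hypothetical stand-ins for the XPCOM types named in the backtrace (a model, not Mozilla's headers).
typedef uint32_t nsresult;
static const nsresult NS_OK = 0;
static const nsresult NS_ERROR_FAILURE = 0x80004005;
static inline bool NS_FAILED(nsresult rv) { return (rv & 0x80000000u) != 0; }
typedef uintptr_t jsval;
static const jsval JSVAL_NULL = 0;
static const int kIScriptObjectOwnerIID = 1;  // constructed IID stand-in
struct nsISupports {
  virtual nsresult QueryInterface(int aIID, void** aResult) = 0;
  virtual ~nsISupports() {}
};

// Stand-in for an HTML layer element; the nested layer may be absent.
struct LayerElement : nsISupports {
  LayerElement* mInnerLayer = nullptr;
  nsresult QueryInterface(int aIID, void** aResult) override {
    if (aIID == kIScriptObjectOwnerIID) { *aResult = this; return NS_OK; }
    *aResult = nullptr; return NS_ERROR_FAILURE;
  }
  // Getter contract: *aResult is written only on success, so a caller that
  // ignores the nsresult and passed an uninitialized pointer reads garbage.
  nsresult GetInnerLayer(nsISupports** aResult) {
    if (!mInnerLayer) return NS_ERROR_FAILURE;
    *aResult = mInnerLayer;
    return NS_OK;
  }
};

// Converter modelled on nsJSUtils::nsConvertObjectToJSVal, with a null
// check in front of QueryInterface so a missing object becomes JSVAL_NULL.
nsresult ConvertObjectToJSVal(nsISupports* aSupports, jsval* aReturn) {
  if (!aSupports) { *aReturn = JSVAL_NULL; return NS_OK; }
  void* owner = nullptr;
  if (NS_FAILED(aSupports->QueryInterface(kIScriptObjectOwnerIID, &owner)))
    return NS_ERROR_FAILURE;
  *aReturn = reinterpret_cast<jsval>(owner);
  return NS_OK;
}

// Hardened property getter: out-param zeroed before the call and the
// nsresult checked, so a failed getter never hands a stale pointer onward.
nsresult GetInnerLayerProperty(LayerElement* aElement, jsval* aVp) {
  nsISupports* obj = nullptr;
  if (NS_FAILED(aElement->GetInnerLayer(&obj))) obj = nullptr;
  return ConvertObjectToJSVal(obj, aVp);
}
```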
QA Contact: cbegle → desale
Updating QA contact for this component.
OS: Solaris → All
Hardware: Sun → All
The bug appears also on Win95, so I'm taking a wild guess with Platform=OS=All.

The problem with the page seems to be the silly little scrolling ad at the top
which is implemented as a moving layer within a layer--anyway, no nasty event
handling is necessary to make it appear, just a javascript reference to a
layer-within-layer property will do. I have a pretty simple testcase on this
coming right up.
Attached file Simple test case
Whiteboard: [TESTCASE]
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → WORKSFORME
Doesn't core dump for me. Verified with Oct. 8th build.

Marking WORKSFORME.
Status: RESOLVED → VERIFIED
I also don't see this one. Tested with 10-09-09 builds. Marking verified.