187595 - www.goodjet.com crashes the browser

Status: VERIFIED DUPLICATE of bug 77271

(Core :: DOM: Events, defect)

Description

[Simon Fraser [no longer active]]

This site has some evil JS that crashes trunk and branch builds. Top of stack
looks like:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0xbff82ff0

Thread 0 Crashed:
 #0   0x02b7c3b8 in needsSecurityCheck(JSContext*, nsIXPConnectWrappedNative*)
 #1   0x02b7480c in nsWindowSH::GetProperty(nsIXPConnectWrappedNative*,
JSContext*, JSObject*, long, long*, int*)
 #2   0x006ed4ec in XPC_WN_Helper_GetProperty(JSContext*, JSObject*, long, long*)
 #3   0x001a8ac0 in js_Interpret
 #4   0x001a1068 in js_Invoke
 #5   0x001a8464 in js_Interpret
 #6   0x001a1068 in js_Invoke
 #7   0x001a8464 in js_Interpret
 #8   0x001a1068 in js_Invoke
 #9   0x001a8464 in js_Interpret
 #10  0x001a1068 in js_Invoke
 #11  0x001a8464 in js_Interpret
 #12  0x001a1068 in js_Invoke
(repeated over 400 times)

Comment 1

[Simon Fraser [no longer active]]

Attachment: Testcase (will crash!)

The problems seems to be here:

<body onload ="onload();">

This recurses, blowing the stack.

Comment 2

[Ruslan Ismailov]

See another behaviour on WinXP with 
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3b) Gecko/20021230. There
is an error on JavascriptConsole: "Error: too much recursion", this script does
not working at all.

Comment 3

[Andrew Schultz]

I'm also getting "too much recursion" with linux trunk build 20030103

Comment 4

[Phil Schwartau]

Is this a JS Engine problem, or a browser issue? We don't crash
in the JS shell - we get a graceful exit with an error message:

js> function f() { f();}
js> f();
1: InternalError: too much recursion


I say this is a dupe of DOM Events bug 77271,
"Need to filter recursive events to prevent crashes"

Reassigning to DOM Events before duping -

Comment 5

[Phil Schwartau]

*** This bug has been marked as a duplicate of 77271 ***

Comment 6

[Vladimir Ermakov]

verifying