Closed Bug 205599 Opened 21 years ago Closed 21 years ago

Crash when loading http://www.netlimiter.com/ due to JavaScript function named "onload"

Categories

(Core :: DOM: Core & HTML, defect)

PowerPC
macOS
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 201828

People

(Reporter: ghartwig, Unassigned)

References

()

Details

(Keywords: crash)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.3) Gecko/20030312
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.3) Gecko/20030312

This problem may be similar to Bugzilla Bug 196385 (similar messages upon crash)
but it's easily reproducible here.

Page declares a function called "onload()" and then has '<body onload="onload();">'

This might be causing an infinite loop.  Changing the function name to "onload2"
fixes the crash.

Reproducible: Always

Steps to Reproduce:
1. open http://www.netlimiter.com/

Actual Results:  
Browser crash.  Camino 0.7 crashes also.  IE and Safari load OK.

Expected Results:  
No crash.

From Camino crash:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0xbff7fff4

Thread 0 Crashed:
 #0   0x000a0664 in needsSecurityCheck(JSContext*, nsIXPConnectWrappedNative*)
 #1   0x00099204 in nsWindowSH::GetProperty(nsIXPConnectWrappedNative*,
JSContext*, JSObject*, long, long*, int*)
 #2   0x0067796c in XPC_WN_Helper_GetProperty(JSContext*, JSObject*, long, long*)
 #3   0x0402f4e0 in js_Interpret
 #4   0x04027a08 in js_Invoke
 #5   0x0402ee78 in js_Interpret
 #6   0x04027a08 in js_Invoke
 #7   0x0402ee78 in js_Interpret
 #8   0x04027a08 in js_Invoke
 #9   0x0402ee78 in js_Interpret
 #10  0x04027a08 in js_Invoke
 #11  0x0402ee78 in js_Interpret
 #12  0x04027a08 in js_Invoke
. . . (repeats these two lines 250 times or so)
Attached file crash log
this is my crash log from moz 2003051308/OS X... looks like an infinite loop
between jsInvoke and jsInterpret


as a side note Talkback didn't launch
confirming as I don't see any obvious dupes... a test case should be pretty easy

this may be more appropriate in a DOM* component but I don't know where the root
of the conflict lies, nor where it would be solved
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
All the ideas above are correct. The problem is caused by naming
the <body> onload handler "onload", as discovered in bug 201828.

In particular, see the stack in bug 201828 comment 2, and the
explanation of the infinite loop in bug 201828 comment 3.
Unfortunately, the summary of the bug makes it hard to find!

I'm going to reassign to DOM Level 0 for parity with the other
bug, and cc everyone on it so they can follow progress on this -
Assignee: rogerl → dom_bugs
Component: JavaScript Engine → DOM Level 0
QA Contact: pschwartau → ashishbhatt

*** This bug has been marked as a duplicate of 201828 ***
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE
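As an added illustration, not code from the bug report or from Mozilla, the following simulation plays through the name collision the thread identifies: Gecko exposes top-level function declarations as properties of the global object (window) and installs the `<body onload="...">` attribute handler as `window.onload`, so with the page's own function also named "onload", the handler overwrites it and the bare call `onload();` inside the handler resolves to the handler itself. The `window` object, `loadPage` helper and `MAX_DEPTH` limit are constructed for the example; the limit stands in for the native stack that the browser exhausted (the alternating js_Invoke / js_Interpret frames, then EXC_BAD_ACCESS).

```javascript
// Added simulation of the onload name collision; not from the bug or from Gecko.
const MAX_DEPTH = 1000; // assumption: stands in for the real native stack limit

// loadPage(declaredName, calledName) plays through one page load:
//   declaredName - name of the function the page declares at top level
//   calledName   - identifier the body's onload attribute calls
// Returns a summary object so the outcome can be checked rather than printed.
function loadPage(declaredName, calledName) {
  const window = {};        // constructed stand-in for the global object
  let pageFunctionRuns = 0; // how often the page's own function actually ran
  let depth = 0;            // current handler recursion depth

  // 1. A top-level `function NAME() {...}` becomes window[NAME].
  window[declaredName] = function pageFunction() {
    pageFunctionRuns++;
    return "page function ran";
  };

  // 2. The parser compiles the attribute body into a handler and installs it
  //    as window.onload, overwriting any existing property of that name.
  //    A bare identifier inside the handler is looked up on window.
  window.onload = function attributeHandler() {
    if (++depth > MAX_DEPTH) {
      // The real browser had no such guard and ran off the end of the stack.
      throw new RangeError("simulated stack overflow");
    }
    try {
      if (!(calledName in window)) {
        throw new ReferenceError(calledName + " is not defined");
      }
      return window[calledName]();
    } finally {
      depth--;
    }
  };

  // 3. The load event fires: the DOM calls window.onload().
  try {
    const result = window.onload();
    return { outcome: "ok", result, pageFunctionRuns };
  } catch (err) {
    return { outcome: err.constructor.name, pageFunctionRuns };
  }
}

// The reported page: the handler calls itself and the page function never runs.
console.log(loadPage("onload", "onload"));
// The reporter's fix: rename the function to onload2 and the handler reaches it.
console.log(loadPage("onload2", "onload2"));
```

The first call returns `outcome: "RangeError"` with `pageFunctionRuns` still 0, matching the report that the page's function is never what gets executed; the second returns `outcome: "ok"` with the page function run once, which is why renaming to "onload2" removed the crash.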