Closed
Bug 91877
Opened 23 years ago
Closed 23 years ago
Boolean expressions evaluating as strings in the DOM; causes infinite loop upon visiting page
Categories
(Core :: DOM: Core & HTML, defect)
VERIFIED
WORKSFORME
People
(Reporter: david, Assigned: jst)
Details
(Keywords: hang)
When I visit http://www.philips.se I see the blue title page with the Philips logo and then Mozilla seems to loop forever since the browser window stops redrawing itself and the "busy" mouse cursor never goes away. I have no stack trace since it doesn't crash. Have tried some earlier versions as well (approx 1-2 weeks old) and it's the same story.
Reproducible: Always
Comment 1•23 years ago
Confirmed on build 2001072208 (NT)
Comment 2•23 years ago
Status -> NEW. Upping severity to major. Adding 'hang' keyword because at least on Linux, you must kill the mozilla-bin process. OS, Platform -> All.
Severity: normal → major
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: hang
OS: Linux → All
Hardware: PC → All
Comment 3•23 years ago (Reporter)
It's actually the page that http://www.philips.se redirects to (http://www.philips.se/home.htm) that causes the problems
Comment 4•23 years ago
I see this also with win2k build 20010722.. No hang if I disable JS.
-> JS Engine (I don't know a better component :-( )
win2k stack trace
NTDLL! 778926d0()
NTDLL! 7789260c()
KERNEL32! 77e81495()
_CrtIsValidHeapPointer(const void * 0x03ab77e8) line 1697
_free_dbg_lk(void * 0x03ab77e8, int 1) line 1044 + 9 bytes
_free_dbg(void * 0x03ab77e8, int 1) line 1001 + 13 bytes
free(void * 0x03ab77e8) line 956 + 11 bytes
PR_Free(void * 0x03ab77e8) line 66 + 10 bytes
nsMemoryImpl::Free(nsMemoryImpl * const 0x00356f08, void * 0x03ab77e8) line 327 + 10 bytes
nsMemory::Free(void * 0x03ab77e8) line 560
nsJSID::Equals(nsJSID * const 0x03dc2fd0, nsIJSID * 0x03e39cd8, int * 0x0012c7e0) line 151 + 9 bytes
XPTC_InvokeByIndex(nsISupports * 0x03dc2fd0, unsigned int 7, unsigned int 2, nsXPTCVariant * 0x0012c7d0) line 139
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_METHOD) line 1881 + 42 bytes
XPC_WN_CallMethod(JSContext * 0x03a7a448, JSObject * 0x03949ca8, unsigned int 1, long * 0x03df20ac, long * 0x0012ca04) line 1252 + 11 bytes
js_Invoke(JSContext * 0x03a7a448, unsigned int 1, unsigned int 0) line 807 + 23 bytes
js_Interpret(JSContext * 0x03a7a448, long * 0x0012d7a4) line 2701 + 15 bytes
js_Invoke(JSContext * 0x03a7a448, unsigned int 1, unsigned int 2) line 824 + 13 bytes
js_InternalInvoke(JSContext * 0x03a7a448, JSObject * 0x03b43d08, long 41754312, unsigned int 0, unsigned int 1, long * 0x0012d8a8, long * 0x0012d8c4) line 896 + 20 bytes
JS_CallFunctionValue(JSContext * 0x03a7a448, JSObject * 0x03b43d08, long 41754312, unsigned int 1, long * 0x0012d8a8, long * 0x0012d8c4) line 3320 + 31 bytes
nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject(XPCCallContext & {...}, JSObject * 0x03b43d08, const nsID & {...}) line 263 + 28 bytes
nsXPCWrappedJSClass::GetRootJSObject(XPCCallContext & {...}, JSObject * 0x03b43d08) line 407 + 22 bytes
nsXPCWrappedJS::GetNewOrUsed(XPCCallContext & {...}, JSObject * 0x03b43d08, const nsID & {...}, nsISupports * 0x00000000, nsXPCWrappedJS * * 0x0012d99c) line 218 + 16 bytes
XPCConvert::JSObject2NativeInterface(XPCCallContext & {...}, void * * 0x0012dabc, JSObject * 0x03b43d08, const nsID * 0x011bb3e8 iid, nsISupports * 0x00000000, unsigned int * 0x00000000) line 870 + 25 bytes
nsXPCWrappedJSClass::DelegatedQueryInterface(nsXPCWrappedJSClass * const 0x03c7d588, nsXPCWrappedJS * 0x03c5cf68, const nsID & {...}, void * * 0x0012dabc) line 394 + 31 bytes
nsXPCWrappedJS::QueryInterface(nsXPCWrappedJS * const 0x03c5cf68, const nsID & {...}, void * * 0x0012dabc) line 93
nsQueryInterface::operator()(const nsID & {...}, void * * 0x0012dabc) line 32 + 25 bytes
nsCOMPtr<nsIXULBrowserWindow>::assign_from_helper(const nsCOMPtr_helper & {...}, const nsID & {...}) line 971 + 18 bytes
nsCOMPtr<nsIXULBrowserWindow>::nsCOMPtr<nsIXULBrowserWindow>(const nsQueryInterface & {...}) line 565
nsContentTreeOwner::SetStatus(nsContentTreeOwner * const 0x03c6f5ac, unsigned int 1, const unsigned short * 0x00e04800) line 325
GlobalWindowImpl::SetStatus(GlobalWindowImpl * const 0x03a7a21c, const nsAString & {...}) line 1076 + 56 bytes
XPTC_InvokeByIndex(nsISupports * 0x03a7a21c, unsigned int 39, unsigned int 1, nsXPTCVariant * 0x0012dd5c) line 139
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_SETTER) line 1881 + 42 bytes
XPCWrappedNative::SetAttribute(XPCCallContext & {...}) line 1784 + 14 bytes
XPC_WN_GetterSetter(JSContext * 0x03a7a448, JSObject * 0x03949ad8, unsigned int 1, long * 0x03df2088, long * 0x0012dfa4) line 1276 + 9 bytes
js_Invoke(JSContext * 0x03a7a448, unsigned int 1, unsigned int 2) line 807 + 23 bytes
js_InternalInvoke(JSContext * 0x03a7a448, JSObject * 0x03949ad8, long 60071352, unsigned int 0, unsigned int 1, long * 0x0012ed80, long * 0x0012ed80) line 896 + 20 bytes
js_SetProperty(JSContext * 0x03a7a448, JSObject * 0x03949ad8, long 15887104, long * 0x0012ed80) line 2554 + 47 bytes
js_Interpret(JSContext * 0x03a7a448, long * 0x0012efac) line 1891 + 1644 bytes
js_Execute(JSContext * 0x03a7a448, JSObject * 0x03949ad8, JSScript * 0x03dd6268, JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012efac) line 986 + 13 bytes
JS_EvaluateUCScriptForPrincipals(JSContext * 0x03a7a448, JSObject * 0x03949ad8, JSPrincipals * 0x03e910e8, const unsigned short * 0x03f0d028, unsigned int 11138, const char * 0x03a79e80, unsigned int 1193, long * 0x0012efac) line 3273 + 25 bytes
nsJSContext::EvaluateString(nsJSContext * const 0x03a7a340, const nsAString & {...}, void * 0x03949ad8, nsIPrincipal * 0x03e910e4, const char * 0x03a79e80, unsigned int 1193, const char * 0x0103869c, nsAString & {...}, int * 0x0012f018) line 609 + 85 bytes
nsScriptLoader::EvaluateScript(nsScriptLoadRequest * 0x03a30060, const nsAFlatString & {...}) line 566
nsScriptLoader::ProcessRequest(nsScriptLoadRequest * 0x03a30060) line 478 + 22 bytes
nsScriptLoader::ProcessScriptElement(nsScriptLoader * const 0x03e90f80, nsIDOMHTMLScriptElement * 0x03e90a90, nsIScriptLoaderObserver * 0x03e90a94) line 421 + 15 bytes
nsHTMLScriptElement::SetDocument(nsHTMLScriptElement * const 0x03e90a68, nsIDocument * 0x03e72e30, int 0, int 1) line 140
nsGenericHTMLContainerElement::AppendChildTo(nsGenericHTMLContainerElement * const 0x03e91630, nsIContent * 0x03e90a68, int 0, int 0) line 3779
HTMLContentSink::ProcessSCRIPTTag(const nsIParserNode & {...}) line 5011
HTMLContentSink::AddLeaf(HTMLContentSink * const 0x03e90e08, const nsIParserNode & {...}) line 3436 + 12 bytes
CNavDTD::AddLeaf(const nsIParserNode * 0x03df8070) line 3789 + 22 bytes
CNavDTD::AddHeadLeaf(nsIParserNode * 0x03df8070) line 3847 + 15 bytes
CNavDTD::HandleStartToken(CToken * 0x03e69da0) line 1744 + 12 bytes
CNavDTD::HandleToken(CNavDTD * const 0x03de39f0, CToken * 0x00000000, nsIParser * 0x03e75468) line 910 + 12 bytes
CNavDTD::BuildModel(CNavDTD * const 0x03de39f0, nsIParser * 0x03e75468, nsITokenizer * 0x03e3a838, nsITokenObserver * 0x00000000, nsIContentSink * 0x03e90e08) line 540 + 20 bytes
nsParser::BuildModel() line 2217 + 34 bytes
nsParser::ResumeParse(int 1, int 0) line 2083 + 11 bytes
nsParser::OnDataAvailable(nsParser * const 0x03e75470, nsIRequest * 0x03e2e6f0, nsISupports * 0x00000000, nsIInputStream * 0x03e3a368, unsigned int 15677, unsigned int 1448) line 2688 + 19 bytes
nsDocumentOpenInfo::OnDataAvailable(nsDocumentOpenInfo * const 0x03e2e830, nsIRequest * 0x03e2e6f0, nsISupports * 0x00000000, nsIInputStream * 0x03e3a368, unsigned int 15677, unsigned int 1448) line 235 + 46 bytes
nsStreamListenerTee::OnDataAvailable(nsStreamListenerTee * const 0x03dca4e0, nsIRequest * 0x03e2e6f0, nsISupports * 0x00000000, nsIInputStream * 0x03e5c5a8, unsigned int 15677, unsigned int 1448) line 56 + 51 bytes
nsHttpChannel::OnDataAvailable(nsHttpChannel * const 0x03e2e6f4, nsIRequest * 0x03e3b210, nsISupports * 0x00000000, nsIInputStream * 0x03e5c5a8, unsigned int 15677, unsigned int 1448) line 2150 + 57 bytes
nsOnDataAvailableEvent::HandleEvent() line 178 + 70 bytes
nsARequestObserverEvent::HandlePLEvent(PLEvent * 0x03cc1304) line 64
PL_HandleEvent(PLEvent * 0x03cc1304) line 590 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00d78028) line 520 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x001e03b8, unsigned int 49383, unsigned int 0, long 14123048) line 1071 + 9 bytes
USER32! 77e02e98()
USER32! 77e030e0()
USER32! 77e05824()
nsAppShellService::Run(nsAppShellService * const 0x00e4bc88) line 424
main1(int 2, char * * 0x003578d8, nsISupports * 0x00000000) line 1174 + 32 bytes
main(int 2, char * * 0x003578d8) line 1478 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e87d08()
Assignee: asa → rogerl
Severity: major → critical
Component: Browser-General → Javascript Engine
QA Contact: doronr → pschwartau
Comment 5•23 years ago
Some stack traces are unreliable because so much heap corruption has occurred. We have corrupted memory running through much of the stack. With a Mozilla debug build, one tipoff is the presence of function calls like this in the stack:
_free_dbg_lk(void * 0x03ab77e8, int 1) line 1044 + 9 bytes
_free_dbg(void * 0x03ab77e8, int 1) line 1001 + 13 bytes
free(void * 0x03ab77e8) line 956 + 11 bytes
The free() function is freeing memory. The free_dbg_() functions notice that memory has somehow been corrupted and assert. They cannot provide further detail. For that, we need to run Purify.
Comment 6•23 years ago
The problem is this loop at the site. It has become infinite in Mozilla:
// Choose Different products
var status= true;
ProductsChoosen[1]=Math.floor(1+(Big.length-1)*Math.random());
ProductsChoosen[1]=Math.floor(1+(Big2.length-1)*Math.random());
ProductsChoosen[2]=Math.floor(1+(Little.length-1)*Math.random());
while (status)
{
  choosen=Math.floor(1+(Little.length-1)*Math.random());
  status=(ProductsChoosen[2]==choosen);
}
Comment 7•23 years ago
This loop is infinite in Mozilla/N6 because typeof status is evaluating to 'string' instead of 'boolean'. Thus status evaluates to the string primitives 'true', 'false' instead of the Boolean primitives true, false !!! Since Boolean('true') == true and Boolean('false') == true, the condition while(status) constantly evaluates to true, and so the loop never terminates. I will attach a simple testcase below -
Comment 8•23 years ago
Actually, the testcase is a one-liner. Just key this into the URL bar:
javascript: var status=(1==2); alert(typeof status);
RESULTS:
IE4.7 --> 'boolean'
NN4.7 --> 'boolean'
Moz/N6 --> 'string'
Comment 9•23 years ago
The analogous test in the standalone JS shell produces 'boolean':
js> var status=(1==2); print(typeof status);
boolean
Therefore I'm reassigning this to DOM Level 0 for further analysis. Severity should remain critical, as I'm afraid many other Web pages could be affected by this...
Assignee: rogerl → jst
Component: Javascript Engine → DOM Level 0
QA Contact: pschwartau → desale
Summary: eternal loop upon visiting page → Boolean expressions evaluating as strings in the DOM; causes infinite loop upon visiting page
Comment 10•23 years ago
OOPS - jst pointed out to me that it's the specific identifier 'status' that is causing the problem. Any variable defined in top-level JavaScript is supposed to be added as a property of the global object. In the DOM, that is the window object. But the window object ALREADY has a property named 'status'; as in "window.status" etc. If you try the testcase with the identifier 'x' instead of 'status', you get the same result in Mozilla as in the other browsers:
javascript: var x=(1==2); alert(typeof x);
RESULTS:
IE4.7 --> 'boolean'
NN4.7 --> 'boolean'
Moz/N6 --> 'boolean'
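A model of the collision described in comments 7 and 10, added here as an example that is not part of the original bug report. makeWindowModel, pickViaGlobalStatus, pickViaLocalFlag and the maxIterations guard are hypothetical names, and the string-coercing setter is an assumption standing in for the browser's window.status property.

```javascript
// Constructed model: a global object whose pre-existing `status` property
// stores every assigned value as a string, as window.status is described above.
function makeWindowModel() {
  let text = "";
  return Object.defineProperty({}, "status", {
    get() { return text; },
    set(v) { text = String(v); },      // false becomes "false", which is truthy
    enumerable: true,
  });
}

// The site's retry loop with its flag stored on the global object.
// maxIterations is a guard added for this demo so that it terminates.
function pickViaGlobalStatus(win, taken, pool, maxIterations = 1000) {
  let chosen;
  let iterations = 0;
  win.status = true;
  while (win.status && iterations < maxIterations) {
    chosen = pool[Math.floor(Math.random() * pool.length)];
    win.status = (taken === chosen);   // stored as "true" or "false"
    iterations++;
  }
  return { chosen, iterations, flagType: typeof win.status };
}

// Same loop with the flag in function scope under a non-colliding name,
// so no property of the global object can intercept the assignment.
function pickViaLocalFlag(taken, pool) {
  let chosen;
  let iterations = 0;
  let again = true;
  while (again) {
    chosen = pool[Math.floor(Math.random() * pool.length)];
    again = (taken === chosen);        // stays a real boolean
    iterations++;
  }
  return { chosen, iterations, flagType: typeof again };
}

const pool = [1, 2, 3, 4];             // constructed sample data
const broken = pickViaGlobalStatus(makeWindowModel(), 2, pool);
const fixed = pickViaLocalFlag(2, pool);
console.log(broken, fixed);
```

The first result always reports the full 1000 iterations and a flag of type 'string'; only the guard ends the loop, which is the hang the reporter saw.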
Comment 11•23 years ago
So what do we do with this? Evangelism?
Comment 12•23 years ago
*** Bug 98726 has been marked as a duplicate of this bug. ***
Comment 13•23 years ago
NOTE: very similar if not identical to DOM bug 91206, "In DOM, null values for 'name' evaluate to true"
Comment 14•23 years ago
*** Bug 100149 has been marked as a duplicate of this bug. ***
Comment 15•23 years ago
As a "semi-workaround" you can go to http://www.ce.philips.se/ to get to Philips' Swedish page for consumer electronics.
Comment 16•23 years ago (Assignee)
WORKSFORME now.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → WORKSFORME
Comment 17•23 years ago
Verified Worksforme using Mozilla trunk binaries 20011120xx on WinNT, Linux, and Mac 9.1. The given site loads fine, and the one-line testcase also works fine now:
javascript: var status=(1==2); alert(typeof status);
RESULT:
Moz/N6: ---> 'boolean' (not 'string' as before)
Status: RESOLVED → VERIFIED
Comment 18•23 years ago
*** Bug 115687 has been marked as a duplicate of this bug. ***