Closed Bug 13144 Opened 21 years ago Closed 20 years ago

Crash when passing functions (!) to JS DOM APIs (I think!)...

(Core :: DOM: Core & HTML, defect, P3, critical)

Status: VERIFIED FIXED

(Reporter: jst, Assigned: vidur)

I don't know much about JS but here's what I think happens (and sorry if this
is the wrong component).

This JS code crashes both viewer and apprunner.

  var child = document.getElementById("abc");

  var bar = child.cloneNode;

  child.parentNode.appendChild(bar);

Note that "bar" is "child.cloneNode" without the (), i.e. it's something
like a function. When "bar" is passed to "appendChild" viewer/apprunner
crashes in nsJSUtils::nsConvertJSValToObject when it tries to convert the
argument ("bar") into an object. Here's what happens under gdb on linux.

Program received signal SIGSEGV, Segmentation fault.
0x40411325 in nsJSUtils::nsConvertJSValToObject (aSupports=0xbfffe8b4,
    aIID=@0x4049b79c, aTypeName=@0xbfffe888, aContext=0x860e330,
    aValue=140209712) at nsJSUtils.cpp:205
205           if (NS_OK != supports->QueryInterface(aIID, (void **)aSupports)) {
(gdb) print supports
$1 = (nsISupports *) 0x8574a90
(gdb) print *supports
$2 = {_vptr. = 0x1}
(gdb) bt 10
#0  0x40411325 in nsJSUtils::nsConvertJSValToObject (aSupports=0xbfffe8b4,
    aIID=@0x4049b79c, aTypeName=@0xbfffe888, aContext=0x860e330,
    aValue=140209712) at nsJSUtils.cpp:205
#1  0x404265ef in NodeAppendChild (cx=0x860e330, obj=0x85b74c8, argc=1,
    argv=0x82eeaa8, rval=0xbfffe960) at nsJSNode.cpp:603
#2  0x4007e70e in js_Invoke (cx=0x860e330, argc=1, flags=0) at jsinterp.c:654
#3  0x4008ce81 in js_Interpret (cx=0x860e330, result=0xbffff2fc)
    at jsinterp.c:2228
#4  0x4007e76d in js_Invoke (cx=0x860e330, argc=1, flags=2) at jsinterp.c:670
#5  0x4007ea88 in js_InternalCall (cx=0x860e330, obj=0x85b6ab0,
    fval=140210800, argc=1, argv=0x82915f8, rval=0xbffff4c8) at jsinterp.c:747
#6  0x40056999 in JS_CallFunctionValue (cx=0x860e330, obj=0x85b6ab0,
    fval=140210800, argc=1, argv=0x82915f8, rval=0xbffff4c8) at jsapi.c:2643
#7  0x40409957 in GlobalWindowImpl::RunTimeout (this=0x85d6a98,
    aTimeout=0x82915b0) at nsGlobalWindow.cpp:1745
#8  0x404094f1 in nsGlobalWindow_RunTimeout (aTimer=0x8291620,
    aClosure=0x82915b0) at nsGlobalWindow.cpp:1633
#9  0x41acb8d5 in nsTimerGtk::FireTimeout (this=0x8291620) at nsTimerGtk.cpp:31
(More stack frames follow...)

I'll attach an example.
I tried to attach a file but I can't find the attachment, let me know if the
attachment doesn't show up.
Assignee: mccabe → vidur
Component: Javascript Engine → DOM Level 0
Not the JavaScript engine.

Sounds like either a problem with the DOM or your use of it. I don't know
enough to say which.
QA Contact: cbegle → desale
updating qa contact for this component.
Couldn't attach this so I'm including it here, this demonstrates the problem.

Hopefully this helps.

<html>
<head><title>foo</title>
<script>
function foo()
{
  var child = document.getElementById("abc");

  var bar = child.cloneNode;

  child.parentNode.appendChild(bar);
}

setTimeout(foo, 1000);

</script>
</head>
<body>
<p id="abc">test</p>
</body>
</html>
It probably shouldn't crash, but I'm not sure if this *should* work. The level 1
DOM spec says that appendChild takes a single parameter of type Node.
I do not expect this code to *work* but I do expect it *not* to *crash* mozilla.
An exception or error message would be appropriate.
Severity: normal → critical
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Added check to ensure that private of JSObject is actually an nsISupports. We
report an error now.
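The class of defect and the shape of the fix, as an added illustration in C that is not Mozilla's code and uses constructed stand-ins for JSObject, JSClass, nsISupports and the result codes: a DOM binding must verify that a JS object's private slot really holds an nsISupports (here via a hypothetical class flag) before calling through it, because a Function object's private slot holds something else entirely.

```c
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* Constructed model of the structures involved; not the real SpiderMonkey/XPCOM types. */
#define NS_OK                    0
#define NS_ERROR_NOT_NSISUPPORTS 1   /* hypothetical error code */
#define NS_ERROR_NO_INTERFACE    2   /* hypothetical error code */

/* Hypothetical class flag: set only on wrapper classes whose private slot holds
 * an nsISupports pointer (DOM nodes), never on Function objects. */
#define CLASS_PRIVATE_IS_NSISUPPORTS 0x1

typedef struct JSClass  { const char *name; unsigned flags; } JSClass;
typedef struct JSObject { const JSClass *clasp; void *priv; } JSObject;

typedef struct nsISupports nsISupports;
typedef struct { int (*QueryInterface)(nsISupports *, const char *, void **); } nsISupportsVtbl;
struct nsISupports { const nsISupportsVtbl *vtbl; };

/* Hardened conversion: check the class flag before treating priv as an nsISupports.
 * Without this check, a Function object's priv is dereferenced as a vtable (the crash). */
static int convert_jsobject(JSObject *obj, const char *iid, void **out)
{
    *out = NULL;
    if (obj == NULL || obj->priv == NULL) return NS_ERROR_NOT_NSISUPPORTS;
    if (!(obj->clasp->flags & CLASS_PRIVATE_IS_NSISUPPORTS))
        return NS_ERROR_NOT_NSISUPPORTS;          /* report an error instead of crashing */
    nsISupports *s = (nsISupports *)obj->priv;
    return s->vtbl->QueryInterface(s, iid, out);
}

/* Sample node object that answers only for the Node interface. */
static int node_qi(nsISupports *self, const char *iid, void **out)
{
    if (strcmp(iid, "nsIDOMNode") == 0) { *out = self; return NS_OK; }
    return NS_ERROR_NO_INTERFACE;
}
static const nsISupportsVtbl node_vtbl = { node_qi };
static nsISupports sample_node = { &node_vtbl };

static const JSClass node_class     = { "Node",     CLASS_PRIVATE_IS_NSISUPPORTS };
static const JSClass function_class = { "Function", 0 };
static struct { const char *name; } clone_node_fn = { "cloneNode" };  /* not an nsISupports */

/* Result of appendChild(child.cloneNode) (pass_function) vs appendChild(<node>). */
static int try_append(bool pass_function)
{
    JSObject node_obj = { &node_class, &sample_node };
    JSObject fn_obj   = { &function_class, &clone_node_fn };
    void *out;
    return convert_jsobject(pass_function ? &fn_obj : &node_obj, "nsIDOMNode", &out);
}
```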
Status: RESOLVED → VERIFIED
Don't see crash anymore. Verified with 1999-11-22-09.