Closed Bug 193710 Opened 22 years ago Closed 22 years ago

Simple javascript crashes Mozilla (window.onerror)

Categories

(Core :: DOM: Events, defect, P1)

x86
All
defect

Tracking

RESOLVED FIXED
mozilla1.3final

People

(Reporter: shill, Assigned: jst)

Details

(Keywords: crash, testcase, Whiteboard: [HAVE FIX])

Attachments

(3 files)

User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.3b) Gecko/20030210
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.3b) Gecko/20030210

I will attach a small HTML file which consistently crashes Mozilla. It is zipped because the crash does not occur when the file is read over the network. Download the zipped HTML file and open it locally. Disclaimer: I know nothing about javascript. I was working on a test case for bug 167499.

Reproducible: Always

Steps to Reproduce:
1. Download crash.zip
2. Open crash.html locally
3.
Attached file Zipped HTML file
confirming on win2k with 1.3b. stack coming up...
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
Attached file stacktrace
stacktrace from biesi

#3 0x405f5846 in abort () from /lib/libc.so.6
#4 0x400b20ee in JS_Assert (s=0x400bc72d "sh", file=0x400bc5a0 "/home/chb/mozilla/js/src/jsinterp.c", ln=405) at /home/chb/mozilla/js/src/jsutil.c:173

Relevant code:

    /* We can assert because js_FreeStack always balances js_AllocStack. */
    sh = cx->stackHeaders;
    JS_ASSERT(sh);   <---- This fails
biesi's stack was linux, so platform -> all and just in case - my crash was TB17262290M
OS: Windows 98 → All
Keywords: testcase
Is the JS error handling stuff trying to reenter itself and failing? It doesn't matter what I put in the onError handler as long as it triggers an error....
Rev 1.29 of dom/src/events/nsJSEventListener.cpp introduced a bad call to JS_PopArguments, but a void* formal parameter type precluded the compiler from catching the bug. JS_PopArguments' second actual param should be stackPtr, not &stackPtr. /be
Assignee: rogerl → jst
Component: JavaScript Engine → DOM Events
Status: NEW → ASSIGNED
Priority: -- → P1
Whiteboard: [HAVE FIX]
Target Milestone: --- → mozilla1.3final
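The class of mistake described in the comment above, as an added example that is not Mozilla's code: a toy argument stack (every name in it is hypothetical) where a `void *` parameter silently accepts `&mark`, shown next to a typed parameter the compiler can check and a run-time bounds check that rejects the bad mark instead of corrupting the stack.

```c
#include <stddef.h>
#include <stdint.h>

/* Toy argument stack. Every name here is hypothetical, not SpiderMonkey's API. */
typedef struct { uintptr_t slots[64]; size_t top; } ArgStack;
typedef struct Mark Mark;   /* opaque mark type: Mark** does not convert to Mark* */

/* Reserve n slots; the position to restore on pop is returned through markp. */
static uintptr_t *push_args(ArgStack *s, size_t n, Mark **markp) {
    if (n > 64 - s->top) return NULL;
    uintptr_t *base = &s->slots[s->top];
    *markp = (Mark *)base;
    s->top += n;
    return base;
}

/* void* parameter: any object pointer converts silently, so the only
 * protection left is a run-time check that mark lies inside the live stack. */
static int pop_args_untyped(ArgStack *s, void *mark) {
    uintptr_t p = (uintptr_t)mark, lo = (uintptr_t)s->slots;
    uintptr_t hi = (uintptr_t)(s->slots + s->top);
    if (p < lo || p >= hi || (p - lo) % sizeof(s->slots[0]) != 0)
        return -1;                       /* not a mark from this stack */
    s->top = (p - lo) / sizeof(s->slots[0]);
    return 0;
}

/* Typed parameter: passing &mark (a Mark **) is diagnosed at compile time. */
static int pop_args_typed(ArgStack *s, Mark *mark) {
    return pop_args_untyped(s, mark);
}

/* Returns 0 when the mistaken call is rejected and the correct one succeeds. */
static int demo(void) {
    ArgStack s = { {0}, 0 };
    Mark *mark = NULL;
    if (!push_args(&s, 3, &mark)) return 1;
    /* Constructed mistake: &mark instead of mark. No diagnostic with void*. */
    if (pop_args_untyped(&s, &mark) != -1) return 2;
    if (s.top != 3) return 3;            /* stack left untouched */
    /* pop_args_typed(&s, &mark);  <- incompatible pointer type, caught by compiler */
    if (pop_args_typed(&s, mark) != 0) return 4;
    return s.top == 0 ? 0 : 5;
}

int main(void) { return demo(); }
```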
Comment on attachment 114698: Fix error pointed out by brendan.
Requesting reviews and approval, trivial fix for a crasher bug.
Attachment #114698 - Flags: superreview?(brendan)
Attachment #114698 - Flags: review?(peterv)
Attachment #114698 - Flags: approval1.3?
Comment on attachment 114698: Fix error pointed out by brendan.
sr=brendan@mozilla.org /be
Attachment #114698 - Flags: superreview?(brendan) → superreview+
Setting default QA -
QA Contact: pschwartau → desale
Attachment #114698 - Flags: review?(peterv) → review+
Confirming it with build 2003021008 under Windows XP SP1. Talkback ID: TB17270779W
FIXED.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Johnny, Can you take a look at bug 167499, it looks similar to this bug? I've included a testcase as well. Can someone check whether the fix to this bug also fixed bug 167499?
*** Bug 167499 has been marked as a duplicate of this bug. ***
Flags: in-testsuite+