Closed Bug 205000 Opened 22 years ago Closed 22 years ago

onMouseOver="body.style.display='none';" crashes browser.

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED DUPLICATE of bug 204781

People

(Reporter: bwucke+bug, Assigned: rogerl)

References

Details

(Keywords: crash, regression, testcase)

Attachments

(1 file)

Reporters testcase
101 bytes, text/html
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4b) Gecko/20030507 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4b) Gecko/20030507 I wanted to create a joke-code to hide whole document content on hovering over a link (one of the reasons was to prove a forum admin how insecure her forum code was) and came up with this "link": Reproducible: Always Steps to Reproduce: 1.Create a file with this code: <html><head></head><body> <a href="#" onMouseOver="body.style.display='none';">X</a> </body></html> 2. Open it in Mozilla. 3. Hover cursor over the X Actual Results: All Mozilla windows (mail too) closed - apparent crash. Expected Results: Make all contents of the window invisible - turn it into a blank white page. I tried it in MSIE 5.5 and Netscape 7 on Windows and it worked correctly. Crashes my Mozilla 1.4beta/Linux though.
I forgot to add - I tried it with "onClick" instead and worked correctly too, that's why I thought it's a JS thing.
Keywords: crash
Attached file Reporters testcase
OS: Linux → All
wfm using build 2003050509 on Win2k, could be a regression. Can you post a Talkback ID for this crash "mozilla/bin/components/talkback/talkback" or a GDB stack trace ?
Keywords: regression, stackwanted, testcase
Whiteboard: TB19932375Z
The bug 205010 seems related to this one (rollover too)...
Blocks: 205010
confirmed with 2003050811 on Windows XP It's exactly the same bug that breaks XBL #2 testcase... Got same error message, there's an AppCompat file attached there.
nsEventStateManager::GenerateMouseEnterExit(nsEventStateManager * const 0x05a60810, nsIPresContext * 0x05eed5a0, nsGUIEvent * 0x0012fa40) line 2641 + 5 bytes nsEventStateManager::PreHandleEvent(nsEventStateManager * const 0x05a60804, nsIPresContext * 0x05eed5a0, nsEvent * 0x0012fa40, nsIFrame * 0x062babd4, nsEventStatus * 0x0012f96c, nsIView * 0x0643fdd0) line 398 PresShell::HandleEventInternal(PresShell * const 0x05a60810, nsEvent * 0x00000000, nsIView * 0x0643fdd0, unsigned int 1, nsEventStatus * 0x0012f96c) line 6377 PresShell::HandleEvent(PresShell * const 0x02433500, nsIView * 0x0643fdd0, nsGUIEvent * 0x0012fa40, nsEventStatus * 0x0012f96c, int 0, int & 21929752) line 6297 + 19 bytes nsViewManager::HandleEvent(nsViewManager * const 0x05a60810, nsView * 0x00000000, nsGUIEvent * 0x0012fa40, int 0) line 2292 nsView::HandleEvent(nsView * const 0x05a60810, nsViewManager * 0x0456f5d0, nsGUIEvent * 0x0012fa40, int 0) line 308 nsViewManager::DispatchEvent(nsViewManager * const 0x0456f5d0, nsGUIEvent * 0x064e9ff8, nsEventStatus * 0x0012f9ec) line 2022 + 30 bytes HandleEvent(nsGUIEvent * 0x0012fa40) line 82 nsWindow::DispatchEvent(nsWindow * const 0x05b7a1f4, nsGUIEvent * 0x0012fa40, nsEventStatus & nsEventStatus_eIgnore) line 1054 + 3 bytes nsWindow::DispatchWindowEvent(nsWindow * const 0x05a60810, nsGUIEvent * 0x00000000) line 1075 nsWindow::DispatchMouseEvent(nsWindow * const 0x05a60810, unsigned int 300, unsigned int 0, nsPoint * 0x00000000) line 5198 ChildWindow::DispatchMouseEvent(ChildWindow * const 0x05a60810, unsigned int 300, unsigned int 0, nsPoint * 0x00000000) line 5452 + 19 bytes nsWindow::ProcessMessage(nsWindow * const 0x05a60810, unsigned int 512, unsigned int 0, long 1507346, long * 0x0012fd10) line 3976 nsWindow::WindowProc(HWND__ * 0x001d03dc, unsigned int 0, unsigned int 0, long 95920628) line 1348 + 16 bytes USER32! 77e2a244() USER32! 77e045e5() USER32! 77e0a792() nsAppShellService::Run(nsAppShellService * const 0x00de8008) line 479 main1(int 0, char * * 0x00243de8, nsISupports * 0x00000000) line 1268 + 9 bytes main(int 3, char * * 0x00243de8) line 1647 + 22 bytes WinMain(HINSTANCE__ * 0x00400000, HINSTANCE__ * 0x00400000, char * 0x001334ee, HINSTANCE__ * 0x00400000) line 1671 + 23 bytes MOZILLA! WinMainCRTStartup + 308 bytes KERNEL32! 77e9847c() *** This bug has been marked as a duplicate of 204781 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Keywords: stackwanted
Resolution: --- → DUPLICATE
Whiteboard: TB19932375Z
Verified Duplicate - same stack trace. Note for future reference, a better component to file this bug under would have been Event Handling or DOM Style. The JavaScript Engine does not handle events or CSS style attributes. It is a language engine handling abstract objects such as Number(), Date(), and RegExp(); not browser objects. Bartosz: thank you for this report. You have been cc'ed on bug 204781 so you can follow progress on this issue -
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: