Crash when loading http://www.netlimiter.com/ due to JavaScript function named "onload"

RESOLVED DUPLICATE of bug 201828

Product: Core
Component: DOM: Core & HTML
Severity: critical
Reporter: Greg Hartwig (Unassigned)
Keywords: crash
Version: Trunk
Hardware: PowerPC
OS: Mac OS X
Attachments: 1

Description (Reporter, 15 years ago)
User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.3) Gecko/20030312
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.3) Gecko/20030312

This problem may be similar to Bugzilla Bug 196385 (similar messages upon crash)
but it's easily reproducible here.

Page declares a function called "onload()" and then has '<body onload="onload();">'

This might be causing an infinite loop.  Changing the function name to "onload2"
fixes the crash.

Reproducible: Always

Steps to Reproduce:
1. open http://www.netlimiter.com/

Actual Results:  
Browser crash.  Camino 0.7 crashes also.  IE and Safari load OK.

Expected Results:  
No crash.

From Camino crash:

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0xbff7fff4

Thread 0 Crashed:
 #0   0x000a0664 in needsSecurityCheck(JSContext*, nsIXPConnectWrappedNative*)
 #1   0x00099204 in nsWindowSH::GetProperty(nsIXPConnectWrappedNative*, JSContext*, JSObject*, long, long*, int*)
 #2   0x0067796c in XPC_WN_Helper_GetProperty(JSContext*, JSObject*, long, long*)
 #3   0x0402f4e0 in js_Interpret
 #4   0x04027a08 in js_Invoke
 #5   0x0402ee78 in js_Interpret
 #6   0x04027a08 in js_Invoke
 #7   0x0402ee78 in js_Interpret
 #8   0x04027a08 in js_Invoke
 #9   0x0402ee78 in js_Interpret
 #10  0x04027a08 in js_Invoke
 #11  0x0402ee78 in js_Interpret
 #12  0x04027a08 in js_Invoke
. . . (repeats these two lines 250 times or so)
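The report above describes the mechanism only in outline: a page-level function named "onload" and the `<body onload="onload();">` handler both live in the window's namespace, so the attribute handler ends up calling itself until the native stack is exhausted. The following is an added stand-alone model of that collision written for this page; it is not code from netlimiter.com or from Mozilla. The `win` object standing in for `window`, the `MAX_DEPTH` guard that replaces the finite native stack, and the assumed order in which the script and the body attribute are processed are all assumptions made for the simulation.

```javascript
// Simulation of the "onload" name collision from the bug report (added example,
// not code from the site or from Mozilla). `win` stands in for the browser's
// window object; MAX_DEPTH stands in for the native stack the old engine
// overran, so the failure is reported as a RangeError instead of a crash.

const MAX_DEPTH = 1000; // assumed stack budget for the simulation

function simulatePage(pageFunctionName) {
  const win = {};   // global object; both the script's names and the handler resolve here
  let depth = 0;    // number of handler/function activations during the load event

  // Step 1 (assumed to run first): the page's script declares a global function.
  // In a browser a top-level `function onload() {}` becomes window.onload,
  // i.e. win[pageFunctionName] here.
  win[pageFunctionName] = function pageFunction() {
    depth++;
    return 'page function ran';
  };

  // Step 2: the parser reaches <body onload="onload();">. The attribute text is
  // compiled into a handler and installed as window.onload, replacing whatever
  // the script stored there. Inside the handler the free identifier resolves
  // through body -> document -> window, so the call lands on win[pageFunctionName].
  win.onload = function inlineHandler() {
    if (++depth > MAX_DEPTH) {
      throw new RangeError('onload handler recursed ' + MAX_DEPTH + ' times');
    }
    // With pageFunctionName === 'onload' this is win.onload, i.e. this very
    // function: the handler calls itself forever. With any other name it is
    // the page's own function and the handler returns after one call.
    return win[pageFunctionName]();
  };

  // Step 3: the load event fires window.onload exactly once.
  try {
    const result = win.onload();
    return { outcome: 'ok', depth, result };
  } catch (e) {
    return { outcome: e.name, depth, result: null };
  }
}

// Reproducer with the site's original naming, then the rename the reporter
// found to fix the crash (function and attribute call both become onload2).
const broken = simulatePage('onload');
const fixed = simulatePage('onload2');

console.log('function named "onload": ', JSON.stringify(broken));
console.log('function named "onload2":', JSON.stringify(fixed));
```

Without the `MAX_DEPTH` guard a current engine would abort the same recursion with "RangeError: Maximum call stack size exceeded", which is the modern counterpart of the alternating `js_Invoke` / `js_Interpret` frames in the crash log. The defensive rule the report illustrates is that inline event-handler attributes share the window's name space, so page scripts should avoid defining globals with event-handler names (`onload`, `onclick`, and so on) or should attach handlers with `addEventListener` instead of attribute strings.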

Comment 1

15 years ago
Created attachment 123244 [details]
crash log

this is my crash log from moz 2003051308/OS X... looks like an infinite loop
between jsInvoke and jsInterpret


as a side note Talkback didn't launch

Comment 2

15 years ago
confirming as I don't see any obvious dupes... a test case should be pretty easy

this may be more appropriate in a DOM* component but I don't know where the root
of the conflict lies, nor where it would be solved
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash

Comment 3

15 years ago
All the ideas above are correct. The problem is caused by naming
the <body> onload handler "onload", as discovered in bug 201828.

In particular, see the stack in bug 201828 comment 2, and the
explanation of the infinite loop in bug 201828 comment 3.
Unfortunately, the summary of the bug makes it hard to find!

I'm going to reassign to DOM Level 0 for parity with the other
bug, and cc everyone on it so they can follow progress on this -
Assignee: rogerl → dom_bugs
Component: JavaScript Engine → DOM Level 0
QA Contact: pschwartau → ashishbhatt

Comment 4

15 years ago

*** This bug has been marked as a duplicate of 201828 ***
Status: NEW → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → DUPLICATE