Closed Bug 41599 Opened 20 years ago Closed 20 years ago

browser crashes when executing function with certain name such as Click()

Categories: Core :: DOM: UI Events & Focus Handling, defect, P3
Platform: x86, Windows NT
Tracking: VERIFIED FIXED
People: Reporter: czhang, Assigned: hjtoi-bugzilla
Details: Keywords: crash, Whiteboard: [nsbeta3+][Fix attached]
Attachments: 1 file

load build 6/02
1. go to http://cathyz2/sameori/bug1.html, click the button in the browser
expect: to see the URL of the iframe, or if there is a syntax error, no event.
result: browser crashes
The code is:
---------------bug1.html--------------------------------
<html>
<head>
</head>
<body name="me" bgColor="FFF000">
<iframe ID="layer1" type="content" SRC="mylayer.html" style="position:absolute;top:200pt;left:200pt;width:300;height:300;z-index:1;visibility:visible;" >
   </iframe>
</body>
</html>


-----------------mylayer.html-----------------------

<html>
<head>
<script>
  function click(){
      alert(document.referrer);
  }

</script>
</head>
<body bgcolor="CCCCCC">
<form>
<input type=button name="b1" value="change color" onClick="click()">
</form>
</body>
</html>

If click() is changed to something else, for example go(), there is no problem at all.
Adding crash to keyword field.
Keywords: crash
Status: UNCONFIRMED → NEW
Ever confirmed: true
Bug still occurs on commercial M17 build 2000060908
Still crashing on Linux and WinNT tip builds from  06/27/00.
On WinNT, the crash occurs at this spot in the code:

// Node capturing stage
if (NS_EVENT_FLAG_BUBBLE != aFlags) {
    if (mParent) {
        PRBool proceed = PR_TRUE;
        if (mIsAnonymous) {
          PRBool parentState;
          nsCOMPtr<nsIXULContent> parent = do_QueryInterface(mParent);
          if (parent) {
            parent->GetAnonymousState(parentState);
            if (!parentState)
              proceed = PR_FALSE;
          }
          else proceed = PR_FALSE; // Assume that the HTML Content is not anonymous
                                   // XXX Will need to do better for XBL.
        }

        // Pass off to our parent.
        if (proceed)
          mParent->HandleDOMEvent(aPresContext, aEvent, aDOMEvent,
                                  NS_EVENT_FLAG_CAPTURE, aEventStatus);
    }
    else if (mDocument != nsnull) {
        ret = mDocument->HandleDOMEvent(aPresContext, aEvent, aDOMEvent,
                                        NS_EVENT_FLAG_CAPTURE, aEventStatus);

Here is the top of the WinNT stack trace: 

nsXULElement::HandleDOMEvent(nsXULElement * const 0x02d75820, nsIPresContext * 
0x032e08a0, nsEvent * 0x00033c84, nsIDOMEvent * * 0x00033aa0, unsigned int 4, 
nsEventStatus * 0x00033cc8) line 3339
nsXULElement::HandleDOMEvent(nsXULElement * const 0x02d755a0, nsIPresContext * 
0x032e08a0, nsEvent * 0x00033c84, nsIDOMEvent * * 0x00033aa0, unsigned int 4, 
nsEventStatus * 0x00033cc8) line 3339
nsXULElement::HandleDOMEvent(nsXULElement * const 0x02d751d0, nsIPresContext * 
0x032e08a0, nsEvent * 0x00033c84, nsIDOMEvent * * 0x00033aa0, unsigned int 4, 
nsEventStatus * 0x00033cc8) line 3339
nsXULElement::HandleDOMEvent(nsXULElement * const 0x02d75070, nsIPresContext * 
0x032e08a0, nsEvent * 0x00033c84, nsIDOMEvent * * 0x00033aa0, unsigned int 4, 
nsEventStatus * 0x00033cc8) line 3339
nsXULElement::HandleChromeEvent(nsXULElement * const 0x02d7508c, nsIPresContext 
* 0x032e08a0, nsEvent * 0x00033c84, nsIDOMEvent * * 0x00033aa0, unsigned int 4, 
nsEventStatus * 0x00033cc8) line 4296 + 39 bytes
GlobalWindowImpl::HandleDOMEvent(GlobalWindowImpl * const 0x032e0540, 
nsIPresContext * 0x032e08a0, nsEvent * 0x00033c84, nsIDOMEvent * * 0x00033aa0, 
unsigned int 4, nsEventStatus * 0x00033cc8) line 409
nsDocument::HandleDOMEvent(nsDocument * const 0x032e5e80, nsIPresContext * 
0x032e08a0, nsEvent * 0x00033c84, nsIDOMEvent * * 0x00033aa0, unsigned int 4, 
nsEventStatus * 0x00033cc8) line 2992
nsGenericElement::HandleDOMEvent(nsIPresContext * 0x032e08a0, nsEvent * 
0x00033c84, nsIDOMEvent * * 0x00033aa0, unsigned int 4, nsEventStatus * 
0x00033cc8) line 1381
nsHTMLHtmlElement::HandleDOMEvent(nsHTMLHtmlElement * const 0x032e36c8, 
nsIPresContext * 0x032e08a0, nsEvent * 0x00033c84, nsIDOMEvent * * 0x00033aa0, 
unsigned int 4, nsEventStatus * 0x00033cc8) line 187
nsGenericElement::HandleDOMEvent(nsIPresContext * 0x032e08a0, nsEvent * 
0x00033c84, nsIDOMEvent * * 0x00033aa0, unsigned int 4, nsEventStatus * 
0x00033cc8) line 1370
nsHTMLBodyElement::HandleDOMEvent(nsHTMLBodyElement * const 0x03324118, 
nsIPresContext * 0x032e08a0, nsEvent * 0x00033c84, nsIDOMEvent * * 0x00033aa0, 
unsigned int 4, nsEventStatus * 0x00033cc8) line 901
nsGenericElement::HandleDOMEvent(nsIPresContext * 0x032e08a0, nsEvent * 
0x00033c84, nsIDOMEvent * * 0x00033aa0, unsigned int 4, nsEventStatus * 
0x00033cc8) line 1370
nsHTMLFormElement::HandleDOMEvent(nsHTMLFormElement * const 0x0334933c, 
nsIPresContext * 0x032e08a0, nsEvent * 0x00033c84, nsIDOMEvent * * 0x00033aa0, 
unsigned int 4, nsEventStatus * 0x00033cc8) line 438
nsGenericElement::HandleDOMEvent(nsIPresContext * 0x032e08a0, nsEvent * 
0x00033c84, nsIDOMEvent * * 0x00033aa0, unsigned int 1, nsEventStatus * 
0x00033cc8) line 1370
nsHTMLInputElement::HandleDOMEvent(nsHTMLInputElement * const 0x0334862c, 
nsIPresContext * 0x032e08a0, nsEvent * 0x00033c84, nsIDOMEvent * * 0x00000000, 
unsigned int 1, nsEventStatus * 0x00033cc8) line 813 + 31 bytes
nsHTMLInputElement::Click(nsHTMLInputElement * const 0x03348620) line 748 + 49 
bytes
HTMLInputElementClick(JSContext * 0x032e0350, JSObject * 0x02bf23d8, unsigned 
int 0, long * 0x02c893a0, long * 0x00033e44) line 882 + 15 bytes
js_Invoke(JSContext * 0x032e0350, unsigned int 0, unsigned int 0) line 716 + 23 
bytes
js_Interpret(JSContext * 0x032e0350, long * 0x00034780) line 2520 + 15 bytes
js_Invoke(JSContext * 0x032e0350, unsigned int 1, unsigned int 2) line 732 + 13 
bytes
js_InternalInvoke(JSContext * 0x032e0350, JSObject * 0x02bf23d8, long 46081000, 
unsigned int 0, unsigned int 1, long * 0x00034914, long * 0x000348a4) line 805 + 
19 bytes
JS_CallFunctionValue(JSContext * 0x032e0350, JSObject * 0x02bf23d8, long 
46081000, unsigned int 1, long * 0x00034914, long * 0x000348a4) line 2815 + 31 
bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x032e04e0, void * 0x02bf23d8, 
void * 0x02bf23e8, unsigned int 1, void * 0x00034914, int * 0x00034910, int 0) 
line 847 + 33 bytes
nsJSEventListener::HandleEvent(nsIDOMEvent * 0x03675614) line 154 + 64 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x03357fe0, 
nsIDOMEvent * 0x03675614, nsIDOMEventTarget * 0x03354fa4, unsigned int 4, 
unsigned int 7) line 772 + 19 bytes
nsEventListenerManager::HandleEvent(nsIPresContext * 0x032e08a0, nsEvent * 
0x00034fdc, nsIDOMEvent * * 0x00034df8, nsIDOMEventTarget * 0x03354fa4, unsigned 
int 7, nsEventStatus * 0x00035020) line 915 + 39 bytes
nsGenericElement::HandleDOMEvent(nsIPresContext * 0x032e08a0, nsEvent * 
0x00034fdc, nsIDOMEvent * * 0x00034df8, unsigned int 1, nsEventStatus * 
0x00035020) line 1385
nsHTMLInputElement::HandleDOMEvent(nsHTMLInputElement * const 0x0334862c, 
nsIPresContext * 0x032e08a0, nsEvent * 0x00034fdc, nsIDOMEvent * * 0x00000000, 
unsigned int 1, nsEventStatus * 0x00035020) line 813 + 31 bytes
nsHTMLInputElement::Click(nsHTMLInputElement * const 0x03348620) line 748 + 49 
bytes
HTMLInputElementClick(JSContext * 0x032e0350, JSObject * 0x02bf23d8, unsigned 
int 0, long * 0x02c89384, long * 0x0003519c) line 882 + 15 bytes
js_Invoke(JSContext * 0x032e0350, unsigned int 0, unsigned int 0) line 716 + 23 
bytes
js_Interpret(JSContext * 0x032e0350, long * 0x00035ad8) line 2520 + 15 bytes
js_Invoke(JSContext * 0x032e0350, unsigned int 1, unsigned int 2) line 732 + 13 
bytes
js_InternalInvoke(JSContext * 0x032e0350, JSObject * 0x02bf23d8, long 46081000, 
unsigned int 0, unsigned int 1, long * 0x00035c6c, long * 0x00035bfc) line 805 + 
19 bytes
JS_CallFunctionValue(JSContext * 0x032e0350, JSObject * 0x02bf23d8, long 
46081000, unsigned int 1, long * 0x00035c6c, long * 0x00035bfc) line 2815 + 31 
bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x032e04e0, void * 0x02bf23d8, 
void * 0x02bf23e8, unsigned int 1, void * 0x00035c6c, int * 0x00035c68, int 0) 
line 847 + 33 bytes
nsJSEventListener::HandleEvent(nsIDOMEvent * 0x036756c4) line 154 + 64 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x03357fe0, 
nsIDOMEvent * 0x036756c4, nsIDOMEventTarget * 0x03354fa4, unsigned int 4, 
unsigned int 7) line 772 + 19 bytes
nsEventListenerManager::HandleEvent(nsIPresContext * 0x032e08a0, nsEvent * 
0x00036334, nsIDOMEvent * * 0x00036150, nsIDOMEventTarget * 0x03354fa4, unsigned 
int 7, nsEventStatus * 0x00036378) line 915 + 39 bytes
nsGenericElement::HandleDOMEvent(nsIPresContext * 0x032e08a0, nsEvent * 
0x00036334, nsIDOMEvent * * 0x00036150, unsigned int 1, nsEventStatus * 
0x00036378) line 1385
nsHTMLInputElement::HandleDOMEvent(nsHTMLInputElement * const 0x0334862c, 
nsIPresContext * 0x032e08a0, nsEvent * 0x00036334, nsIDOMEvent * * 0x00000000, 
unsigned int 1, nsEventStatus * 0x00036378) line 813 + 31 bytes
nsHTMLInputElement::Click(nsHTMLInputElement * const 0x03348620) line 748 + 49 
bytes
HTMLInputElementClick(JSContext * 0x032e0350, JSObject * 0x02bf23d8, unsigned 
int 0, long * 0x02c89368, long * 0x000364f4) line 882 + 15 bytes
js_Invoke(JSContext * 0x032e0350, unsigned int 0, unsigned int 0) line 716 + 23 
bytes
js_Interpret(JSContext * 0x032e0350, long * 0x00036e30) line 2520 + 15 bytes
js_Invoke(JSContext * 0x032e0350, unsigned int 1, unsigned int 2) line 732 + 13 
bytes
js_InternalInvoke(JSContext * 0x032e0350, JSObject * 0x02bf23d8, long 46081000, 
unsigned int 0, unsigned int 1, long * 0x00036fc4, long * 0x00036f54) line 805 + 
19 bytes
JS_CallFunctionValue(JSContext * 0x032e0350, JSObject * 0x02bf23d8, long 
46081000, unsigned int 1, long * 0x00036fc4, long * 0x00036f54) line 2815 + 31 
bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x032e04e0, void * 0x02bf23d8, 
void * 0x02bf23e8, unsigned int 1, void * 0x00036fc4, int * 0x00036fc0, int 0) 
line 847 + 33 bytes
nsJSEventListener::HandleEvent(nsIDOMEvent * 0x03675774) line 154 + 64 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x03357fe0, 
nsIDOMEvent * 0x03675774, nsIDOMEventTarget * 0x03354fa4, unsigned int 4, 
unsigned int 7) line 772 + 19 bytes
nsEventListenerManager::HandleEvent(nsIPresContext * 0x032e08a0, nsEvent * 
0x0003768c, nsIDOMEvent * * 0x000374a8, nsIDOMEventTarget * 0x03354fa4, unsigned 
int 7, nsEventStatus * 0x000376d0) line 915 + 39 bytes
nsGenericElement::HandleDOMEvent(nsIPresContext * 0x032e08a0, nsEvent * 
0x0003768c, nsIDOMEvent * * 0x000374a8, unsigned int 1, nsEventStatus * 
0x000376d0) line 1385
nsHTMLInputElement::HandleDOMEvent(nsHTMLInputElement * const 0x0334862c, 
nsIPresContext * 0x032e08a0, nsEvent * 0x0003768c, nsIDOMEvent * * 0x00000000, 
unsigned int 1, nsEventStatus * 0x000376d0) line 813 + 31 bytes
nsHTMLInputElement::Click(nsHTMLInputElement * const 0x03348620) line 748 + 49 
bytes
HTMLInputElementClick(JSContext * 0x032e0350, JSObject * 0x02bf23d8, unsigned 
int 0, long * 0x02c8934c, long * 0x0003784c) line 882 + 15 bytes
js_Invoke(JSContext * 0x032e0350, unsigned int 0, unsigned int 0) line 716 + 23 
bytes
js_Interpret(JSContext * 0x032e0350, long * 0x00038188) line 2520 + 15 bytes
js_Invoke(JSContext * 0x032e0350, unsigned int 1, unsigned int 2) line 732 + 13 
bytes
js_InternalInvoke(JSContext * 0x032e0350, JSObject * 0x02bf23d8, long 46081000, 
unsigned int 0, unsigned int 1, long * 0x0003831c, long * 0x000382ac) line 805 + 
19 bytes
JS_CallFunctionValue(JSContext * 0x032e0350, JSObject * 0x02bf23d8, long 
46081000, unsigned int 1, long * 0x0003831c, long * 0x000382ac) line 2815 + 31 
bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x032e04e0, void * 0x02bf23d8, 
void * 0x02bf23e8, unsigned int 1, void * 0x0003831c, int * 0x00038318, int 0) 
line 847 + 33 bytes
nsJSEventListener::HandleEvent(nsIDOMEvent * 0x03675824) line 154 + 64 bytes
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x03357fe0, 
nsIDOMEvent * 0x03675824, nsIDOMEventTarget * 0x03354fa4, unsigned int 4, 
unsigned int 7) line 772 + 19 bytes
nsEventListenerManager::HandleEvent(nsIPresContext * 0x032e08a0, nsEvent * 
0x000389e4, nsIDOMEvent * * 0x00038800, nsIDOMEventTarget * 0x03354fa4, unsigned 
int 7, nsEventStatus * 0x00038a28) line 915 + 39 bytes
nsGenericElement::HandleDOMEvent(nsIPresContext * 0x032e08a0, nsEvent * 
0x000389e4, nsIDOMEvent * * 0x00038800, unsigned int 1, nsEventStatus * 
0x00038a28) line 1385
nsHTMLInputElement::HandleDOMEvent(nsHTMLInputElement * const 0x0334862c, 
nsIPresContext * 0x032e08a0, nsEvent * 0x000389e4, nsIDOMEvent * * 0x00000000, 
unsigned int 1, nsEventStatus * 0x00038a28) line 813 + 31 bytes
nsHTMLInputElement::Click(nsHTMLInputElement * const 0x03348620) line 748 + 49 
bytes
HTMLInputElementClick(JSContext * 0x032e0350, JSObject * 0x02bf23d8, unsigned 
int 0, long * 0x02c89330, long * 0x00038ba4) line 882 + 15 bytes
 .
 .
etc. 
etc.


Reassigning - doesn't seem to be a JS Engine issue.
Is Event Handling the correct component? 
Assignee: rogerl → joki
Component: Javascript Engine → Event Handling
QA Contact: pschwartau → janc
So the scoping of the click call inside the event handler is making it trigger 
the nsHTMLInputElement::Click() method, which then recurses to death.  Neat.  
We'll have to put in an anti-recursion technique.

Either way, calling click() from inside the event handler probably isn't going 
to work.
Status: NEW → ASSIGNED
Chris, is the patch 07/14/00 10:54 what you had in mind for a fix?

The patch only prevents the crash, trying to call your own click() function like 
that still does not work. I don't think it even should work. However, there is a 
way to have a function called click(), in this context you would just need to 
call it with onClick="window.click()". The reason it should not work is that the 
input element where click() is called already has a function called click(), and 
because of scoping it is the first function named click(), and that is what we 
must call. If you tried to change the function name to blur() for instance, it 
would still not work because it would call a different blur() than you expected. 
However, blur() (at least) does not recurse to death.

It is possible there are other cases like this lurking around. Places where we 
create a DOM Event and then call HandleDOMEvent (which might end up calling the 
original function again) might have this kind of problem.
Whiteboard: [Fix attached]
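The scoping and recursion described in the two comments above (the input element's own click() shadowing the page's click(), the need for an anti-recursion guard, and window.click() as the way to reach the author's function), as an added model in JavaScript. This is not Mozilla's code and not the attached patch: it builds a toy window and input element inline, models the inline-handler scope chain (element, form, document, window) with `with` blocks, and uses a `handling` flag plus a RECURSION_LIMIT constant as my own illustration of a re-entrancy guard. The referrer URL and all objects are constructed for the example.

```javascript
// Added illustration, not Mozilla's code. A miniature model of the behaviour
// discussed in the bug: an inline onClick handler runs with the element, its
// form, the document and the window on its scope chain, so an unqualified
// click() inside it resolves to the <input>'s own click() method, which
// dispatches another click event to the same handler, and so on without end.
// A re-entrancy flag on the element (my stand-in for the "anti-recursion
// technique"; the real patch is not on this page) stops the recursion, and
// window.click() reaches the author's function. All objects are constructed.

const RECURSION_LIMIT = 25; // stand-in for the real engine running out of stack

// Page-level scope: the author's functions from mylayer.html plus alert().
function makeWindow(referrer) {
  const win = {
    alerts: [],                    // what alert() would have displayed
    document: { referrer },        // constructed referrer value
    alert(msg) { win.alerts.push(String(msg)); },
    click() { win.alert(win.document.referrer); },  // the author's click()
    go()    { win.alert(win.document.referrer); },  // the reporter's go() variant
    blur()  { win.alert('author blur'); },           // shadowed, as the comment notes
  };
  win.window = win;                // window.window === window, as in browsers
  return win;
}

// An <input type=button onClick="..."> inside a <form>.
function makeInput(win, onclickSource, guard) {
  const input = {
    form: {},                      // the enclosing <form>, empty for the model
    depth: 0,                      // click() dispatches currently in flight
    maxDepth: 0,
    handling: false,               // re-entrancy flag used when guard is true
    ignored: 0,                    // re-entrant click() calls dropped by the guard
    blurred: 0,
    blur() { input.blurred++; },   // the element's own blur(), not the author's
    // DOM method input.click(): synthesise a click event and deliver it.
    click() {
      if (guard && input.handling) { input.ignored++; return; }
      if (input.depth >= RECURSION_LIMIT) throw new RangeError('unbounded recursion');
      input.handling = true;
      input.depth++;
      input.maxDepth = Math.max(input.maxDepth, input.depth);
      try { input.dispatchClick(); }
      finally { input.depth--; input.handling = false; }
    },
    // Deliver the event: compile the inline handler with the same scope chain
    // the engine gives it. `with` is legal because Function() bodies are sloppy.
    dispatchClick() {
      const handler = new Function('window', 'document', 'form', 'event',
        'with (window) { with (document) { with (form) { with (this) {\n' +
        onclickSource + '\n} } } }');
      handler.call(input, win, win.document, input.form, { type: 'click' });
    },
  };
  return input;
}

// Simulate one real user click on the button and report what happened.
function simulateClick(onclickSource, { guard = false,
                       referrer = 'http://parent.example/bug1.html' } = {}) {
  const win = makeWindow(referrer);
  const input = makeInput(win, onclickSource, guard);
  let outcome = 'ok';
  try { input.click(); }
  catch (err) { outcome = err instanceof RangeError ? 'crash' : 'error: ' + err.message; }
  return { outcome, maxDepth: input.maxDepth, ignored: input.ignored,
           blurred: input.blurred, alerts: win.alerts };
}

// Demo output for the cases discussed in the thread.
for (const [source, guard] of [['click()', false], ['click()', true],
                               ['window.click()', false], ['go()', false],
                               ['blur()', false]]) {
  console.log(JSON.stringify({ source, guard, ...simulateClick(source, { guard }) }));
}
```

Run with node. The unguarded `click()` case climbs to the recursion limit and "crashes"; the guarded case finishes cleanly but the author's click() is never called and nothing is alerted, which is exactly the state heikki describes: no crash, but still not the function the page author meant. `go()` and `window.click()` both reach the page-level function, and `blur()` silently hits the element's own method.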
The intent was not to make it work, just to make sure we don't crash. You're 
right, it won't work because of scoping, and that isn't our problem.

The patch looks okay to me.
Nominating for nsbeta3 because we have a simple fix for this already attached.
Keywords: nsbeta3
I have green light from chofmann to check this in the carpool tomorrow/Thursday.
I will check in the patch and mark r=saari unless I hear loud complaints ;)
Assignee: joki → heikki
Status: ASSIGNED → NEW
Mass update:  changing qacontact to ckritzer@netscape.com
QA Contact: janc → ckritzer
Status: NEW → ASSIGNED
Marking nsbeta3+...
Whiteboard: [Fix attached] → [Fix attached]nsbeta3+
Whiteboard: [Fix attached]nsbeta3+ → [nsbeta3+][Fix attached]
Linux still crashes, even with this patch applied. I will have to take a look in
the debugger. Chris, can you see what Mac does if you apply the patch?
I swear the computers are teamed up against me... The patch did not work
properly on Linux, it patched the code to *wrong place*. It still said patch
succeeded, so I did not bother to look... No wonder it did not work on Linux.
But now it does, I will check in as soon as tree opens.
Marking fixed.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Well, no crash, so...
Marking VERIFIED FIXED on:
- LinuxRH62 2000-09-07-08-M18 Commercial
- Win98     2000-09-07-08-M18 Mozilla
- MacOS86   2000-09-07-04-M18 Commercial
Status: RESOLVED → VERIFIED
Component: Event Handling → User events and focus handling