Closed Bug 41599 Opened 25 years ago Closed 25 years ago

browser crashes when executing function with certain name such as Click()

Categories

(Core :: DOM: UI Events & Focus Handling, defect, P3)

x86
Windows NT
defect

Tracking

VERIFIED FIXED

People

(Reporter: czhang, Assigned: hjtoi-bugzilla)

Details

(Keywords: crash, Whiteboard: [nsbeta3+][Fix attached])

Attachments

(1 file)

load build 6/02
1. go to http://cathyz2/sameori/bug1.html, click the button in the browser
expect: to see the URL of the iframe, or if there is syntax error, no event.
result: browser crashes

the code is

---------------bug1.html--------------------------------
<html>
<head>
</head>
<body name="me" bgColor="FFF000">
<iframe ID="layer1" type="content" SRC="mylayer.html"
  style="position:absolute;top:200pt;left:200pt;width:300;height:300;z-index:1;visibility:visible;">
</iframe>
</body>
</html>

-----------------mylayer.html-----------------------
<html>
<head>
<script>
function click(){
  alert(document.referrer);
}
</script>
</head>
<body bgcolor="CCCCCC">
<form>
<input type=button name="b1" value="change color" onClick="click()">
</form>
</body>
</html>

changing the click() to be something else, for example: go(), then there is no problem at all
Adding crash to keyword field.
Keywords: crash
Status: UNCONFIRMED → NEW
Ever confirmed: true
Bug still occurs on commercial M17 build 2000060908
Still crashing on Linux and WinNT tip builds from 06/27/00. On WinNT, the crash occurs at this spot in the code:

    // Node capturing stage
    if (NS_EVENT_FLAG_BUBBLE != aFlags) {
      if (mParent) {
        PRBool proceed = PR_TRUE;
        if (mIsAnonymous) {
          PRBool parentState;
          nsCOMPtr<nsIXULContent> parent = do_QueryInterface(mParent);
          if (parent) {
            parent->GetAnonymousState(parentState);
            if (!parentState)
              proceed = PR_FALSE;
          }
          else proceed = PR_FALSE; // Assume that the HTML Content is not anonymous
                                   // XXX Will need to do better for XBL.
        }
        // Pass off to our parent.
        if (proceed)
          mParent->HandleDOMEvent(aPresContext, aEvent, aDOMEvent,
                                  NS_EVENT_FLAG_CAPTURE, aEventStatus);
      }
      else if (mDocument != nsnull) {
        ret = mDocument->HandleDOMEvent(aPresContext, aEvent, aDOMEvent,
                                        NS_EVENT_FLAG_CAPTURE, aEventStatus);

Here is the top of the WinNT stack trace:

    nsXULElement::HandleDOMEvent(nsXULElement * const 0x02d75820, nsIPresContext * 0x032e08a0, nsEvent * 0x00033c84, nsIDOMEvent * * 0x00033aa0, unsigned int 4, nsEventStatus * 0x00033cc8) line 3339
    nsXULElement::HandleDOMEvent(nsXULElement * const 0x02d755a0, nsIPresContext * 0x032e08a0, nsEvent * 0x00033c84, nsIDOMEvent * * 0x00033aa0, unsigned int 4, nsEventStatus * 0x00033cc8) line 3339
    nsXULElement::HandleDOMEvent(nsXULElement * const 0x02d751d0, nsIPresContext * 0x032e08a0, nsEvent * 0x00033c84, nsIDOMEvent * * 0x00033aa0, unsigned int 4, nsEventStatus * 0x00033cc8) line 3339
    nsXULElement::HandleDOMEvent(nsXULElement * const 0x02d75070, nsIPresContext * 0x032e08a0, nsEvent * 0x00033c84, nsIDOMEvent * * 0x00033aa0, unsigned int 4, nsEventStatus * 0x00033cc8) line 3339
    nsXULElement::HandleChromeEvent(nsXULElement * const 0x02d7508c, nsIPresContext * 0x032e08a0, nsEvent * 0x00033c84, nsIDOMEvent * * 0x00033aa0, unsigned int 4, nsEventStatus * 0x00033cc8) line 4296 + 39 bytes
    GlobalWindowImpl::HandleDOMEvent(GlobalWindowImpl * const 0x032e0540, nsIPresContext * 0x032e08a0, nsEvent * 0x00033c84, nsIDOMEvent * * 0x00033aa0, unsigned int 4, nsEventStatus * 0x00033cc8) line 409
    nsDocument::HandleDOMEvent(nsDocument * const 0x032e5e80, nsIPresContext * 0x032e08a0, nsEvent * 0x00033c84, nsIDOMEvent * * 0x00033aa0, unsigned int 4, nsEventStatus * 0x00033cc8) line 2992
    nsGenericElement::HandleDOMEvent(nsIPresContext * 0x032e08a0, nsEvent * 0x00033c84, nsIDOMEvent * * 0x00033aa0, unsigned int 4, nsEventStatus * 0x00033cc8) line 1381
    nsHTMLHtmlElement::HandleDOMEvent(nsHTMLHtmlElement * const 0x032e36c8, nsIPresContext * 0x032e08a0, nsEvent * 0x00033c84, nsIDOMEvent * * 0x00033aa0, unsigned int 4, nsEventStatus * 0x00033cc8) line 187
    nsGenericElement::HandleDOMEvent(nsIPresContext * 0x032e08a0, nsEvent * 0x00033c84, nsIDOMEvent * * 0x00033aa0, unsigned int 4, nsEventStatus * 0x00033cc8) line 1370
    nsHTMLBodyElement::HandleDOMEvent(nsHTMLBodyElement * const 0x03324118, nsIPresContext * 0x032e08a0, nsEvent * 0x00033c84, nsIDOMEvent * * 0x00033aa0, unsigned int 4, nsEventStatus * 0x00033cc8) line 901
    nsGenericElement::HandleDOMEvent(nsIPresContext * 0x032e08a0, nsEvent * 0x00033c84, nsIDOMEvent * * 0x00033aa0, unsigned int 4, nsEventStatus * 0x00033cc8) line 1370
    nsHTMLFormElement::HandleDOMEvent(nsHTMLFormElement * const 0x0334933c, nsIPresContext * 0x032e08a0, nsEvent * 0x00033c84, nsIDOMEvent * * 0x00033aa0, unsigned int 4, nsEventStatus * 0x00033cc8) line 438
    nsGenericElement::HandleDOMEvent(nsIPresContext * 0x032e08a0, nsEvent * 0x00033c84, nsIDOMEvent * * 0x00033aa0, unsigned int 1, nsEventStatus * 0x00033cc8) line 1370
    nsHTMLInputElement::HandleDOMEvent(nsHTMLInputElement * const 0x0334862c, nsIPresContext * 0x032e08a0, nsEvent * 0x00033c84, nsIDOMEvent * * 0x00000000, unsigned int 1, nsEventStatus * 0x00033cc8) line 813 + 31 bytes
    nsHTMLInputElement::Click(nsHTMLInputElement * const 0x03348620) line 748 + 49 bytes
    HTMLInputElementClick(JSContext * 0x032e0350, JSObject * 0x02bf23d8, unsigned int 0, long * 0x02c893a0, long * 0x00033e44) line 882 + 15 bytes
    js_Invoke(JSContext * 0x032e0350, unsigned int 0, unsigned int 0) line 716 + 23 bytes
    js_Interpret(JSContext * 0x032e0350, long * 0x00034780) line 2520 + 15 bytes
    js_Invoke(JSContext * 0x032e0350, unsigned int 1, unsigned int 2) line 732 + 13 bytes
    js_InternalInvoke(JSContext * 0x032e0350, JSObject * 0x02bf23d8, long 46081000, unsigned int 0, unsigned int 1, long * 0x00034914, long * 0x000348a4) line 805 + 19 bytes
    JS_CallFunctionValue(JSContext * 0x032e0350, JSObject * 0x02bf23d8, long 46081000, unsigned int 1, long * 0x00034914, long * 0x000348a4) line 2815 + 31 bytes
    nsJSContext::CallEventHandler(nsJSContext * const 0x032e04e0, void * 0x02bf23d8, void * 0x02bf23e8, unsigned int 1, void * 0x00034914, int * 0x00034910, int 0) line 847 + 33 bytes
    nsJSEventListener::HandleEvent(nsIDOMEvent * 0x03675614) line 154 + 64 bytes
    nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x03357fe0, nsIDOMEvent * 0x03675614, nsIDOMEventTarget * 0x03354fa4, unsigned int 4, unsigned int 7) line 772 + 19 bytes
    nsEventListenerManager::HandleEvent(nsIPresContext * 0x032e08a0, nsEvent * 0x00034fdc, nsIDOMEvent * * 0x00034df8, nsIDOMEventTarget * 0x03354fa4, unsigned int 7, nsEventStatus * 0x00035020) line 915 + 39 bytes
    nsGenericElement::HandleDOMEvent(nsIPresContext * 0x032e08a0, nsEvent * 0x00034fdc, nsIDOMEvent * * 0x00034df8, unsigned int 1, nsEventStatus * 0x00035020) line 1385
    nsHTMLInputElement::HandleDOMEvent(nsHTMLInputElement * const 0x0334862c, nsIPresContext * 0x032e08a0, nsEvent * 0x00034fdc, nsIDOMEvent * * 0x00000000, unsigned int 1, nsEventStatus * 0x00035020) line 813 + 31 bytes
    nsHTMLInputElement::Click(nsHTMLInputElement * const 0x03348620) line 748 + 49 bytes
    HTMLInputElementClick(JSContext * 0x032e0350, JSObject * 0x02bf23d8, unsigned int 0, long * 0x02c89384, long * 0x0003519c) line 882 + 15 bytes
    js_Invoke(JSContext * 0x032e0350, unsigned int 0, unsigned int 0) line 716 + 23 bytes
    js_Interpret(JSContext * 0x032e0350, long * 0x00035ad8) line 2520 + 15 bytes
    js_Invoke(JSContext * 0x032e0350, unsigned int 1, unsigned int 2) line 732 + 13 bytes
    js_InternalInvoke(JSContext * 0x032e0350, JSObject * 0x02bf23d8, long 46081000, unsigned int 0, unsigned int 1, long * 0x00035c6c, long * 0x00035bfc) line 805 + 19 bytes
    JS_CallFunctionValue(JSContext * 0x032e0350, JSObject * 0x02bf23d8, long 46081000, unsigned int 1, long * 0x00035c6c, long * 0x00035bfc) line 2815 + 31 bytes
    nsJSContext::CallEventHandler(nsJSContext * const 0x032e04e0, void * 0x02bf23d8, void * 0x02bf23e8, unsigned int 1, void * 0x00035c6c, int * 0x00035c68, int 0) line 847 + 33 bytes
    nsJSEventListener::HandleEvent(nsIDOMEvent * 0x036756c4) line 154 + 64 bytes
    nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x03357fe0, nsIDOMEvent * 0x036756c4, nsIDOMEventTarget * 0x03354fa4, unsigned int 4, unsigned int 7) line 772 + 19 bytes
    nsEventListenerManager::HandleEvent(nsIPresContext * 0x032e08a0, nsEvent * 0x00036334, nsIDOMEvent * * 0x00036150, nsIDOMEventTarget * 0x03354fa4, unsigned int 7, nsEventStatus * 0x00036378) line 915 + 39 bytes
    nsGenericElement::HandleDOMEvent(nsIPresContext * 0x032e08a0, nsEvent * 0x00036334, nsIDOMEvent * * 0x00036150, unsigned int 1, nsEventStatus * 0x00036378) line 1385
    nsHTMLInputElement::HandleDOMEvent(nsHTMLInputElement * const 0x0334862c, nsIPresContext * 0x032e08a0, nsEvent * 0x00036334, nsIDOMEvent * * 0x00000000, unsigned int 1, nsEventStatus * 0x00036378) line 813 + 31 bytes
    nsHTMLInputElement::Click(nsHTMLInputElement * const 0x03348620) line 748 + 49 bytes
    HTMLInputElementClick(JSContext * 0x032e0350, JSObject * 0x02bf23d8, unsigned int 0, long * 0x02c89368, long * 0x000364f4) line 882 + 15 bytes
    js_Invoke(JSContext * 0x032e0350, unsigned int 0, unsigned int 0) line 716 + 23 bytes
    js_Interpret(JSContext * 0x032e0350, long * 0x00036e30) line 2520 + 15 bytes
    js_Invoke(JSContext * 0x032e0350, unsigned int 1, unsigned int 2) line 732 + 13 bytes
    js_InternalInvoke(JSContext * 0x032e0350, JSObject * 0x02bf23d8, long 46081000, unsigned int 0, unsigned int 1, long * 0x00036fc4, long * 0x00036f54) line 805 + 19 bytes
    JS_CallFunctionValue(JSContext * 0x032e0350, JSObject * 0x02bf23d8, long 46081000, unsigned int 1, long * 0x00036fc4, long * 0x00036f54) line 2815 + 31 bytes
    nsJSContext::CallEventHandler(nsJSContext * const 0x032e04e0, void * 0x02bf23d8, void * 0x02bf23e8, unsigned int 1, void * 0x00036fc4, int * 0x00036fc0, int 0) line 847 + 33 bytes
    nsJSEventListener::HandleEvent(nsIDOMEvent * 0x03675774) line 154 + 64 bytes
    nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x03357fe0, nsIDOMEvent * 0x03675774, nsIDOMEventTarget * 0x03354fa4, unsigned int 4, unsigned int 7) line 772 + 19 bytes
    nsEventListenerManager::HandleEvent(nsIPresContext * 0x032e08a0, nsEvent * 0x0003768c, nsIDOMEvent * * 0x000374a8, nsIDOMEventTarget * 0x03354fa4, unsigned int 7, nsEventStatus * 0x000376d0) line 915 + 39 bytes
    nsGenericElement::HandleDOMEvent(nsIPresContext * 0x032e08a0, nsEvent * 0x0003768c, nsIDOMEvent * * 0x000374a8, unsigned int 1, nsEventStatus * 0x000376d0) line 1385
    nsHTMLInputElement::HandleDOMEvent(nsHTMLInputElement * const 0x0334862c, nsIPresContext * 0x032e08a0, nsEvent * 0x0003768c, nsIDOMEvent * * 0x00000000, unsigned int 1, nsEventStatus * 0x000376d0) line 813 + 31 bytes
    nsHTMLInputElement::Click(nsHTMLInputElement * const 0x03348620) line 748 + 49 bytes
    HTMLInputElementClick(JSContext * 0x032e0350, JSObject * 0x02bf23d8, unsigned int 0, long * 0x02c8934c, long * 0x0003784c) line 882 + 15 bytes
    js_Invoke(JSContext * 0x032e0350, unsigned int 0, unsigned int 0) line 716 + 23 bytes
    js_Interpret(JSContext * 0x032e0350, long * 0x00038188) line 2520 + 15 bytes
    js_Invoke(JSContext * 0x032e0350, unsigned int 1, unsigned int 2) line 732 + 13 bytes
    js_InternalInvoke(JSContext * 0x032e0350, JSObject * 0x02bf23d8, long 46081000, unsigned int 0, unsigned int 1, long * 0x0003831c, long * 0x000382ac) line 805 + 19 bytes
    JS_CallFunctionValue(JSContext * 0x032e0350, JSObject * 0x02bf23d8, long 46081000, unsigned int 1, long * 0x0003831c, long * 0x000382ac) line 2815 + 31 bytes
    nsJSContext::CallEventHandler(nsJSContext * const 0x032e04e0, void * 0x02bf23d8, void * 0x02bf23e8, unsigned int 1, void * 0x0003831c, int * 0x00038318, int 0) line 847 + 33 bytes
    nsJSEventListener::HandleEvent(nsIDOMEvent * 0x03675824) line 154 + 64 bytes
    nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x03357fe0, nsIDOMEvent * 0x03675824, nsIDOMEventTarget * 0x03354fa4, unsigned int 4, unsigned int 7) line 772 + 19 bytes
    nsEventListenerManager::HandleEvent(nsIPresContext * 0x032e08a0, nsEvent * 0x000389e4, nsIDOMEvent * * 0x00038800, nsIDOMEventTarget * 0x03354fa4, unsigned int 7, nsEventStatus * 0x00038a28) line 915 + 39 bytes
    nsGenericElement::HandleDOMEvent(nsIPresContext * 0x032e08a0, nsEvent * 0x000389e4, nsIDOMEvent * * 0x00038800, unsigned int 1, nsEventStatus * 0x00038a28) line 1385
    nsHTMLInputElement::HandleDOMEvent(nsHTMLInputElement * const 0x0334862c, nsIPresContext * 0x032e08a0, nsEvent * 0x000389e4, nsIDOMEvent * * 0x00000000, unsigned int 1, nsEventStatus * 0x00038a28) line 813 + 31 bytes
    nsHTMLInputElement::Click(nsHTMLInputElement * const 0x03348620) line 748 + 49 bytes
    HTMLInputElementClick(JSContext * 0x032e0350, JSObject * 0x02bf23d8, unsigned int 0, long * 0x02c89330, long * 0x00038ba4) line 882 + 15 bytes
    . . etc. etc.

Reassigning - doesn't seem to be a JS Engine issue. Is Event Handling the correct component?
Assignee: rogerl → joki
Component: Javascript Engine → Event Handling
QA Contact: pschwartau → janc
So the scoping of the click call inside the event handler is making it trigger the nsHTMLInputElement::Click() method, which then recurses to death. Neat. We'll have to put in an anti-recursion technique. Either way, calling click() from inside the event handler probably isn't going to work.
Status: NEW → ASSIGNED
Chris, is the patch 07/14/00 10:54 what you had in mind for a fix? The patch only prevents the crash, trying to call your own click() function like that still does not work. I don't think it even should work. However, there is a way to have a function called click(), in this context you would just need to call it with onClick="window.click()". The reason it should not work is that the input element where click() is called already has a function called click(), and because of scoping it is the first function named click(), and that is what we must call. If you tried to change the function name to blur() for instance, it would still not work because it would call a different blur() than you expected. However, blur() (at least) does not recurse to death. It is possible there are other cases like this lurking around. Places where we create a DOM Event and then call HandleDOMEvent (which might end up calling the original function again) might have this kind of problem.
Whiteboard: [Fix attached]
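As an added illustration (not code from this bug or from Mozilla), the following Node.js model shows the scoping and recursion described in the two comments above: the element sits on the inline handler's scope chain ahead of the window, so a bare click() reaches the element's own click() method, which dispatches another click event, while go() or window.click() falls through to the page's function. The names InputElement, compileInlineHandler, guardReentry and runScenario are assumptions of this model, and the re-entrancy guard stands in for the anti-recursion check the patch adds.

```javascript
// The page's own functions in mylayer.html live on the window (global) object.
const pageWindow = {
  click() { return "page click() ran"; },
  go() { return "page go() ran"; },
};

// Inline handlers are compiled with the element on the scope chain ahead of the
// window, so a bare click() resolves to the element's DOM click() method first;
// go() is not an element method, so lookup falls through to the window.
function compileInlineHandler(source) {
  return new Function("window", "with (window) { with (this) { return " + source + "; } }");
}

class InputElement {
  constructor(handlerSource, guardReentry) {
    this.guardReentry = guardReentry; // models the anti-recursion check of the fix
    this.inClick = false;
    this.depth = 0;
    this.maxDepth = 0;
    this.onclick = compileInlineHandler(handlerSource);
  }
  // Models nsHTMLInputElement::Click(): synthesise a click event and hand it to
  // the onClick handler, which is the loop that repeats in the stack trace.
  click() {
    if (this.guardReentry && this.inClick) return "re-entrant click() ignored";
    if (++this.depth > 100) { this.depth--; throw new RangeError("unbounded recursion"); }
    this.maxDepth = Math.max(this.maxDepth, this.depth);
    this.inClick = true;
    try { return this.onclick.call(this, pageWindow); }
    finally { this.inClick = false; this.depth--; }
  }
}

// Run one handler source with or without the guard; report the outcome and the
// deepest nesting reached (a real browser simply exhausts its stack instead).
function runScenario(handlerSource, guardReentry) {
  const input = new InputElement(handlerSource, guardReentry);
  try { return { result: input.click(), maxDepth: input.maxDepth }; }
  catch (e) { return { result: e.constructor.name, maxDepth: input.maxDepth }; }
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runScenario("click()", false));        // RangeError, maxDepth 100
  console.log(runScenario("click()", true));         // guard stops it at depth 1
  console.log(runScenario("window.click()", false)); // "page click() ran"
  console.log(runScenario("go()", false));           // "page go() ran"
}
```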
The intent was not to make it work, just to make sure we don't crash. You're right, it won't work because of scoping, and that isn't our problem. The patch looks okay to me.
Nominating for nsbeta3 because we have a simple fix for this already attached.
Keywords: nsbeta3
I have green light from chofmann to check this in the carpool tomorrow/Thursday. I will check in the patch and mark r=saari unless I hear loud complaints ;)
Assignee: joki → heikki
Status: ASSIGNED → NEW
Mass update: changing qacontact to ckritzer@netscape.com
QA Contact: janc → ckritzer
Status: NEW → ASSIGNED
Marking nsbeta3+...
Whiteboard: [Fix attached] → [Fix attached]nsbeta3+
Whiteboard: [Fix attached]nsbeta3+ → [nsbeta3+][Fix attached]
Linux still crashes, even with this patch applied. I will have to take a look in the debugger. Chris, can you see what Mac does if you apply the patch?
I swear the computers are teamed up against me... The patch did not work properly on Linux, it patched the code to *wrong place*. It still said patch succeeded, so I did not bother to look... No wonder it did not work on Linux. But now it does, I will check in as soon as tree opens.
Marking fixed.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Well, no crash, so... Marking VERIFIED FIXED on:
- LinuxRH62 2000-09-07-08-M18 Commercial
- Win98 2000-09-07-08-M18 Mozilla
- MacOS86 2000-09-07-04-M18 Commercial
Status: RESOLVED → VERIFIED
Component: Event Handling → User events and focus handling