Closed
Bug 41599
Opened 24 years ago
Closed 24 years ago
browser crashes when executing function with certain name such as Click()
Categories
(Core :: DOM: UI Events & Focus Handling, defect, P3)
VERIFIED
FIXED
People
(Reporter: czhang, Assigned: hjtoi-bugzilla)
Details
(Keywords: crash, Whiteboard: [nsbeta3+][Fix attached])
Attachments
(1 file)
1.54 KB,
patch
load build 6/02
1. go to http://cathyz2/sameori/bug1.html, click the button in the browser

expect: to see the URL of the iframe, or if there is syntax error, no event.
result: browser crashes

the code is
---------------bug1.html--------------------------------
<html>
<head>
</head>
<body name="me" bgColor="FFF000">
<iframe ID="layer1" type="content" SRC="mylayer.html"
 style="position:absolute;top:200pt;left:200pt;width:300;height:300;z-index:1;visibility:visible;">
</iframe>
</body>
</html>
-----------------mylayer.html-----------------------
<head>
<script>
function click(){
  alert(document.referrer);
}
</script>
</head>
<body bgcolor="CCCCCC">
<form>
<input type=button name="b1" value="change color" onClick="click()">
</form>
</body>
</html>

changing the click() to be something else, for example: go(), then there is no problem at all
Updated•24 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 2•24 years ago
Bug still occurs on commercial M17 build 2000060908
Comment 3•24 years ago
Still crashing on Linux and WinNT tip builds from 06/27/00.
On WinNT, the crash occurs at this spot in the code:

    // Node capturing stage
    if (NS_EVENT_FLAG_BUBBLE != aFlags) {
      if (mParent) {
        PRBool proceed = PR_TRUE;
        if (mIsAnonymous) {
          PRBool parentState;
          nsCOMPtr<nsIXULContent> parent = do_QueryInterface(mParent);
          if (parent) {
            parent->GetAnonymousState(parentState);
            if (!parentState)
              proceed = PR_FALSE;
          }
          else
            proceed = PR_FALSE; // Assume that the HTML Content is not anonymous
                                // XXX Will need to do better for XBL.
        }
        // Pass off to our parent.
        if (proceed)
          mParent->HandleDOMEvent(aPresContext, aEvent, aDOMEvent,
                                  NS_EVENT_FLAG_CAPTURE, aEventStatus);
      }
      else if (mDocument != nsnull) {
        ret = mDocument->HandleDOMEvent(aPresContext, aEvent, aDOMEvent,
                                        NS_EVENT_FLAG_CAPTURE, aEventStatus);

Here is the top of the WinNT stack trace:

Reassigning - doesn't seem to be a JS Engine issue.
Is Event Handling the correct component?
Assignee: rogerl → joki
Component: Javascript Engine → Event Handling
QA Contact: pschwartau → janc
Comment 4•24 years ago
So the scoping of the click call inside the event handler is making it trigger the nsHTMLInputElement::Click() method, which then recurses to death. Neat. We'll have to put in an anti-recursion technique. Either way, calling click() from inside the event handler probably isn't going to work.
Status: NEW → ASSIGNED
Comment 5•24 years ago (Assignee)
Comment 6•24 years ago (Assignee)
Chris, is the patch 07/14/00 10:54 what you had in mind for a fix? The patch only prevents the crash, trying to call your own click() function like that still does not work. I don't think it even should work. However, there is a way to have a function called click(), in this context you would just need to call it with onClick="window.click()".

The reason it should not work is that the input element where click() is called already has a function called click(), and because of scoping it is the first function named click(), and that is what we must call. If you tried to change the function name to blur() for instance, it would still not work because it would call a different blur() than you expected. However, blur() (at least) does not recurse to death.

It is possible there are other cases like this lurking around. Places where we create a DOM Event and then call HandleDOMEvent (which might end up calling the original function again) might have this kind of problem.
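The scoping behaviour and the anti-recursion idea discussed in comments 4 and 6, modelled as an added example that is not part of the bug thread or the attached patch. A constructed object stands in for the DOM; compileInlineHandler, makeInput, run and the inClick flag are hypothetical names, and the guard is one assumed form of anti-recursion check, since the patch itself is not shown on the page.

```javascript
// Constructed model, no real DOM. All names here are hypothetical.
function compileInlineHandler(source) {
  // An inline onClick="..." body sees the element's own properties before
  // the window's, modelled with nested `with` blocks (Function-constructor
  // bodies are sloppy mode, so `with` is permitted).
  return new Function('element', 'window',
    'with (window) { with (element) { ' + source + ' } }');
}

function makeInput(win, handlerSource, guarded) {
  const handler = compileInlineHandler(handlerSource);
  const el = {
    dispatchCount: 0,
    inClick: false,
    click() {
      // Assumed guard: refuse to synthesize a click while one is in flight.
      if (guarded && el.inClick) return;
      el.inClick = true;
      try {
        el.dispatchCount++;
        handler(el, win); // stands in for HandleDOMEvent running onClick
      } finally {
        el.inClick = false;
      }
    },
  };
  return el;
}

function run(handlerSource, guarded) {
  // The page's own global function click(), as in mylayer.html.
  const win = { pageCalls: 0, click() { win.pageCalls++; } };
  win.window = win;
  const el = makeInput(win, handlerSource, guarded);
  let overflow = false;
  try {
    el.click();
  } catch (e) {
    // Unbounded recursion surfaces here as a RangeError; in the native
    // code path described in the bug it exhausted the stack instead.
    if (!(e instanceof RangeError)) throw e;
    overflow = true;
  }
  return { overflow, dispatches: el.dispatchCount, pageCalls: win.pageCalls };
}
```

With the guard on, `run('click()', true)` dispatches once and never reaches the page's function, matching the observation that the patch prevents the crash without making the call work; `run('window.click()', true)` reaches the page's function.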
Updated•24 years ago (Assignee)
Whiteboard: [Fix attached]
Comment 7•24 years ago
The intent was not to make it work, just to make sure we don't crash. You're right, it won't work because of scoping, and that isn't our problem. The patch looks okay to me.
Comment 8•24 years ago (Assignee)
Nominating for nsbeta3 because we have a simple fix for this already attached.
Keywords: nsbeta3
Comment 9•24 years ago (Assignee)
I have green light from chofmann to check this in the carpool tomorrow/Thursday. I will check in the patch and mark r=saari unless I hear loud complaints ;)
Assignee: joki → heikki
Status: ASSIGNED → NEW
Comment 10•24 years ago
Mass update: changing qacontact to ckritzer@netscape.com
QA Contact: janc → ckritzer
Updated•24 years ago (Assignee)
Status: NEW → ASSIGNED
Updated•24 years ago
Whiteboard: [Fix attached]nsbeta3+ → [nsbeta3+][Fix attached]
Comment 12•24 years ago (Assignee)
Linux still crashes, even with this patch applied. I will have to take a look in the debugger. Chris, can you see what Mac does if you apply the patch?
Comment 13•24 years ago (Assignee)
I swear the computers are teamed up against me... The patch did not work properly on Linux, it patched the code to *wrong place*. It still said patch succeeded, so I did not bother to look... No wonder it did not work on Linux. But now it does, I will check in as soon as tree opens.
Comment 14•24 years ago (Assignee)
Marking fixed.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Comment 15•24 years ago
Well, no crash, so... Marking VERIFIED FIXED on:
- LinuxRH62 2000-09-07-08-M18 Commercial
- Win98 2000-09-07-08-M18 Mozilla
- MacOS86 2000-09-07-04-M18 Commercial
Status: RESOLVED → VERIFIED
Updated•5 years ago
Component: Event Handling → User events and focus handling