Closed Bug 63930 Opened 24 years ago Closed 23 years ago

crash when using a DOM function as a first-class function

Categories

(Core :: DOM: Core & HTML, defect)

defect
Not set
critical

Tracking

VERIFIED FIXED
Future

People

(Reporter: jacobs, Assigned: jst)

Details

(Keywords: crash, dom0, Whiteboard: [XPCDOM])

Attachments

(2 files)

Assignments from a DOM-provided function to a JavaScript variable
are not working correctly.  This is likely a bug in the type 
conversion between a "native method" and a JavaScript Function object.

e.g.:

  var c = document.createElement   // this runs without error
  c('H1')                          // however, this explodes

Reproducible: Always

Steps to Reproduce:
1a. Load http://penguin.theopalgroup.com/~jacobs/crash.html
or 
1b. Or use the script fragment in the description


Actual Results:  Kaboom.  Mozilla terminates with extreme prejudice.

Expected Results:  Mozilla should have continued, since the code as presented
should effectively be a NO-OP.

These kinds of assignments work with other "native" ECMAscript
objects.  I would suggest testing this with any other function
type conversion/bindings.

Note that I classify this bug as critical, though many will
never see it and there are viable workarounds.  Nevertheless, 
it is a fundamental problem with Javascript DOM support.  It's 
also most likely an easy fix and should not get lost between 
the cracks.

Confirming on WinNT and Linux; changing OS to "All".


Using on WinNT:  debug build 2000-12-09  (the only one that DOESN'T crash !!!) 
                 nightly 2000120905      (crashes)
                 nightly 2000122105      (crashes)


Using on Linux:  debug build 2000-12-09 (crashes)
                 nightly 2000122108      (crashes)



Steps to reproduce:

1. Bring up Mozilla
2. In the URL bar, type this and hit enter:  

       javascript: var c = document.createElement; c('H1'); 
 
3. CRASH



Here is a searchable stack trace summary; will attach details below -


(gdb) bt
#0  0x4013b702 in nsQueryInterface::operator() () at nsCOMPtr.cpp:32
#1  0x4060106c in nsCOMPtr<nsIScriptObjectOwner>::assign_from_helper () at ../../../dist/include/nsCOMPtr.h:932
#2  0x40602589 in nsCOMPtr<nsIScriptObjectOwner>::nsCOMPtr () at ../../../dist/include/nsCOMPtr.h:563
#3  0x4057fb37 in nsJSUtils::nsConvertObjectToJSVal ()  at nsJSUtils.cpp:214
#4  0x40592d95 in DocumentCreateElement () at nsJSDocument.cpp:409
#5  0x401f8934 in js_Invoke () at jsinterp.c:790
#6  0x4020e2e7 in js_Interpret () at jsinterp.c:2613
#7  0x401f8f20 in js_Execute () at jsinterp.c:962
#8  0x401c7861 in JS_EvaluateUCScriptForPrincipals () at jsapi.c:3203
#9  0x4054bf32 in nsJSContext::EvaluateString () at nsJSEnvironment.cpp:603
#10 0x4231bbb2 in nsEvaluateStringProxy::EvaluateString () at nsJSProtocolHandler.cpp:167
#11 0x4014be95 in XPTC_InvokeByIndex () at xptcinvoke_unixish_x86.cpp:134
#12 0x40131f80 in EventHandler () at nsProxyEvent.cpp:510
#13 0x4012a94e in PL_HandleEvent () at plevent.c:576
#14 0x4012a76c in PL_ProcessPendingEvents () at plevent.c:509
#15 0x4012c609 in nsEventQueueImpl::ProcessPendingEvents () at nsEventQueue.cpp:356
#16 0x407f1cd4 in event_processor_callback () at nsAppShell.cpp:158
#17 0x407f190f in our_gdk_io_invoke () at nsAppShell.cpp:58
#18 0x409b952a in g_io_unix_dispatch () from /usr/lib/libglib-1.2.so.0
#19 0x409babe6 in g_main_dispatch () from /usr/lib/libglib-1.2.so.0
#20 0x409bb1a1 in g_main_iterate () from /usr/lib/libglib-1.2.so.0
#21 0x409bb341 in g_main_run () from /usr/lib/libglib-1.2.so.0
#22 0x408e5209 in gtk_main () from /usr/lib/libgtk-1.2.so.0
#23 0x407f23ca in nsAppShell::Run () at nsAppShell.cpp:350
#24 0x40774064 in nsAppShellService::Run () at nsAppShellService.cpp:407
#25 0x80565c5 in main1 () at nsAppRunner.cpp:1016
#26 0x8056f6a in main () at nsAppRunner.cpp:1260



I believe this is a DOM issue, not JS Engine; reassigning to DOM Level 0 -
Assignee: rogerl → jst
Status: UNCONFIRMED → NEW
Component: Javascript Engine → DOM Level 0
Ever confirmed: true
OS: Windows 2000 → All
QA Contact: pschwartau → desale
Attached file Linux stack trace
Keywords: crash

I am seeing no problem in the JS shell:


js> var c = String;
js> c('Hi');
Hi

js> var c = Date;
js> c(0);
Fri Dec 29 14:38:21 GMT-0800 (Pacific Standard Time) 2000

js> var d = new c;
js> d;
Fri Dec 29 14:38:55 GMT-0800 (Pacific Standard Time) 2000

This will most likely be fixed when the DOM uses XPConnect (eta mozilla0.9) but
since I won't be working on this bug specifically I'll mark this as Future to
keep this off my bug radar.
Hardware: PC → All
Target Milestone: --- → Future
Whiteboard: [XPCDOM]
*** Bug 68354 has been marked as a duplicate of this bug. ***
Keywords: dom0
*** Bug 70844 has been marked as a duplicate of this bug. ***
*** Bug 75274 has been marked as a duplicate of this bug. ***

This crash is fixed on the XPCDOM branch, but using DOM (or any XPConnect
function) as an unbound function won't work in mozilla, but it won't crash any more.

Will the following work in the XPConnectDOM branch:
  document.gtbid = document.getElementById;
  document.gtbid('elementId');
??
Or is that also not supported?

  document.gtbid = document.getElementById;
  document.gtbid('elementId');

will work, but:

  window.gtbid = document.getElementById;
  window.gtbid('elementId');

will not.
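
The receiver dependence described in the reply above can be modelled outside the browser. The following is an added example, not part of the bug thread and not Mozilla's code: `FakeDocument`, `win` and `outcome` are hypothetical names, and the private-field check is an assumed stand-in for a native method validating its `this` object before using it.

```javascript
// Added illustration (not Gecko code). FakeDocument, win and outcome are
// hypothetical names; runs in Node.js without a DOM.
class FakeDocument {
  #elements = []; // private slot that only genuine FakeDocument instances carry

  createElement(tag) {
    // Receiver check: refuse any `this` that is not a FakeDocument *before*
    // touching internal state, so a bad receiver yields a catchable error.
    if (Object(this) !== this || !(#elements in this)) {
      throw new TypeError("createElement called on a non-document receiver");
    }
    const el = { tagName: String(tag).toUpperCase() };
    this.#elements.push(el);
    return el;
  }
}

// Run a call and report either the created tag name or the error type.
function outcome(fn) {
  try {
    return fn().tagName;
  } catch (e) {
    return e.constructor.name;
  }
}

function demo() {
  const doc = new FakeDocument();
  const win = {};               // stands in for `window`: a different object type
  const c = doc.createElement;  // extracted function, receiver is lost
  doc.ce = doc.createElement;   // alias stored on the same kind of object
  win.ce = doc.createElement;   // alias stored on an unrelated object
  return {
    unbound: outcome(() => c("h1")),
    onDocument: outcome(() => doc.ce("h1")),
    onWindow: outcome(() => win.ce("h1")),
    bound: outcome(() => c.bind(doc)("h1")),
    viaCall: outcome(() => c.call(doc, "h1")),
  };
}

console.log(demo());
```

In this model, restoring the receiver with `bind` or `call` is what makes the extracted function usable again.
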
Fixed by the XPCDOM landing, we no longer crash, and my above comment still applies.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Verified with 2001-05-22-04.
Status: RESOLVED → VERIFIED
*** Bug 84953 has been marked as a duplicate of this bug. ***
Attached file Error testcase
Reduced testcase demonstrating the bug.

This is happening again. I have tested it in:
- version 10 on linux x86
- version 15 on Windows 7 x64
- nightly 18.0a1 (2012-09-12) on linux x86

(In reply to Markyys from comment #15)
> This is happening again. I have tested it in:
> - version 10 on linux x86
> - version 15 on Windows 7 x64
> - nightly 18.0a1 (2012-09-12) on linux x86

This bug has long been fixed. If you're experiencing the same issue again, chances are it is not the same bug, but a different bug with the same symptoms.

Please file a new bug for it.