Closed Bug 91877 Opened 23 years ago Closed 23 years ago

Boolean expressions evaluating as strings in the DOM; causes infinite loop upon visiting page

Categories

(Core :: DOM: Core & HTML, defect)

defect
Not set
critical

VERIFIED WORKSFORME

People

(Reporter: david, Assigned: jst)

Details

(Keywords: hang)

When I visit http://www.philips.se I see the blue title page with the Philips
logo and then Mozilla seems to loop forever since the browser window stops
redrawing itself and the "busy" mouse cursor never goes away. I have no stack
trace since it doesn't crash. Have tried some earlier versions as well (approx
1-2 weeks old) and it's the same story.

Reproducible: Always
Confirmed on build 2001072208 (NT)
Status -> NEW.  Upping severity to major.  Adding 'hang' keyword because at
least on Linux, you must kill the mozilla-bin process.  OS, Platform -> All.
Severity: normal → major
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: hang
OS: Linux → All
Hardware: PC → All
It's actually the page that http://www.philips.se redirects to
(http://www.philips.se/home.htm) that causes the problems
I see this also with win2k build 20010722..
No hang if I disable JS.

-> JS Engine (I don't know a better component :-( )

win2k stack trace
NTDLL! 778926d0()
NTDLL! 7789260c()
KERNEL32! 77e81495()
_CrtIsValidHeapPointer(const void * 0x03ab77e8) line 1697
_free_dbg_lk(void * 0x03ab77e8, int 1) line 1044 + 9 bytes
_free_dbg(void * 0x03ab77e8, int 1) line 1001 + 13 bytes
free(void * 0x03ab77e8) line 956 + 11 bytes
PR_Free(void * 0x03ab77e8) line 66 + 10 bytes
nsMemoryImpl::Free(nsMemoryImpl * const 0x00356f08, void * 0x03ab77e8) line 327 
+ 10 bytes
nsMemory::Free(void * 0x03ab77e8) line 560
nsJSID::Equals(nsJSID * const 0x03dc2fd0, nsIJSID * 0x03e39cd8, int * 
0x0012c7e0) line 151 + 9 bytes
XPTC_InvokeByIndex(nsISupports * 0x03dc2fd0, unsigned int 7, unsigned int 2, 
nsXPTCVariant * 0x0012c7d0) line 139
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode 
CALL_METHOD) line 1881 + 42 bytes
XPC_WN_CallMethod(JSContext * 0x03a7a448, JSObject * 0x03949ca8, unsigned int 1, 
long * 0x03df20ac, long * 0x0012ca04) line 1252 + 11 bytes
js_Invoke(JSContext * 0x03a7a448, unsigned int 1, unsigned int 0) line 807 + 23 
bytes
js_Interpret(JSContext * 0x03a7a448, long * 0x0012d7a4) line 2701 + 15 bytes
js_Invoke(JSContext * 0x03a7a448, unsigned int 1, unsigned int 2) line 824 + 13 
bytes
js_InternalInvoke(JSContext * 0x03a7a448, JSObject * 0x03b43d08, long 41754312, 
unsigned int 0, unsigned int 1, long * 0x0012d8a8, long * 0x0012d8c4) line 896 + 
20 bytes
JS_CallFunctionValue(JSContext * 0x03a7a448, JSObject * 0x03b43d08, long 
41754312, unsigned int 1, long * 0x0012d8a8, long * 0x0012d8c4) line 3320 + 31 
bytes
nsXPCWrappedJSClass::CallQueryInterfaceOnJSObject(XPCCallContext & {...}, 
JSObject * 0x03b43d08, const nsID & {...}) line 263 + 28 bytes
nsXPCWrappedJSClass::GetRootJSObject(XPCCallContext & {...}, JSObject * 
0x03b43d08) line 407 + 22 bytes
nsXPCWrappedJS::GetNewOrUsed(XPCCallContext & {...}, JSObject * 0x03b43d08, 
const nsID & {...}, nsISupports * 0x00000000, nsXPCWrappedJS * * 0x0012d99c) 
line 218 + 16 bytes
XPCConvert::JSObject2NativeInterface(XPCCallContext & {...}, void * * 
0x0012dabc, JSObject * 0x03b43d08, const nsID * 0x011bb3e8 iid, nsISupports * 
0x00000000, unsigned int * 0x00000000) line 870 + 25 bytes
nsXPCWrappedJSClass::DelegatedQueryInterface(nsXPCWrappedJSClass * const 
0x03c7d588, nsXPCWrappedJS * 0x03c5cf68, const nsID & {...}, void * * 
0x0012dabc) line 394 + 31 bytes
nsXPCWrappedJS::QueryInterface(nsXPCWrappedJS * const 0x03c5cf68, const nsID & 
{...}, void * * 0x0012dabc) line 93
nsQueryInterface::operator()(const nsID & {...}, void * * 0x0012dabc) line 32 + 
25 bytes
nsCOMPtr<nsIXULBrowserWindow>::assign_from_helper(const nsCOMPtr_helper & {...}, 
const nsID & {...}) line 971 + 18 bytes
nsCOMPtr<nsIXULBrowserWindow>::nsCOMPtr<nsIXULBrowserWindow>(const 
nsQueryInterface & {...}) line 565
nsContentTreeOwner::SetStatus(nsContentTreeOwner * const 0x03c6f5ac, unsigned 
int 1, const unsigned short * 0x00e04800) line 325
GlobalWindowImpl::SetStatus(GlobalWindowImpl * const 0x03a7a21c, const nsAString 
& {...}) line 1076 + 56 bytes
XPTC_InvokeByIndex(nsISupports * 0x03a7a21c, unsigned int 39, unsigned int 1, 
nsXPTCVariant * 0x0012dd5c) line 139
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode 
CALL_SETTER) line 1881 + 42 bytes
XPCWrappedNative::SetAttribute(XPCCallContext & {...}) line 1784 + 14 bytes
XPC_WN_GetterSetter(JSContext * 0x03a7a448, JSObject * 0x03949ad8, unsigned int 
1, long * 0x03df2088, long * 0x0012dfa4) line 1276 + 9 bytes
js_Invoke(JSContext * 0x03a7a448, unsigned int 1, unsigned int 2) line 807 + 23 
bytes
js_InternalInvoke(JSContext * 0x03a7a448, JSObject * 0x03949ad8, long 60071352, 
unsigned int 0, unsigned int 1, long * 0x0012ed80, long * 0x0012ed80) line 896 + 
20 bytes
js_SetProperty(JSContext * 0x03a7a448, JSObject * 0x03949ad8, long 15887104, 
long * 0x0012ed80) line 2554 + 47 bytes
js_Interpret(JSContext * 0x03a7a448, long * 0x0012efac) line 1891 + 1644 bytes
js_Execute(JSContext * 0x03a7a448, JSObject * 0x03949ad8, JSScript * 0x03dd6268, 
JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012efac) line 986 + 13 
bytes
JS_EvaluateUCScriptForPrincipals(JSContext * 0x03a7a448, JSObject * 0x03949ad8, 
JSPrincipals * 0x03e910e8, const unsigned short * 0x03f0d028, unsigned int 
11138, const char * 0x03a79e80, unsigned int 1193, long * 0x0012efac) line 3273 
+ 25 bytes
nsJSContext::EvaluateString(nsJSContext * const 0x03a7a340, const nsAString & 
{...}, void * 0x03949ad8, nsIPrincipal * 0x03e910e4, const char * 0x03a79e80, 
unsigned int 1193, const char * 0x0103869c, nsAString & {...}, int * 0x0012f018) 
line 609 + 85 bytes
nsScriptLoader::EvaluateScript(nsScriptLoadRequest * 0x03a30060, const 
nsAFlatString & {...}) line 566
nsScriptLoader::ProcessRequest(nsScriptLoadRequest * 0x03a30060) line 478 + 22 
bytes
nsScriptLoader::ProcessScriptElement(nsScriptLoader * const 0x03e90f80, 
nsIDOMHTMLScriptElement * 0x03e90a90, nsIScriptLoaderObserver * 0x03e90a94) line 
421 + 15 bytes
nsHTMLScriptElement::SetDocument(nsHTMLScriptElement * const 0x03e90a68, 
nsIDocument * 0x03e72e30, int 0, int 1) line 140
nsGenericHTMLContainerElement::AppendChildTo(nsGenericHTMLContainerElement * 
const 0x03e91630, nsIContent * 0x03e90a68, int 0, int 0) line 3779
HTMLContentSink::ProcessSCRIPTTag(const nsIParserNode & {...}) line 5011
HTMLContentSink::AddLeaf(HTMLContentSink * const 0x03e90e08, const nsIParserNode 
& {...}) line 3436 + 12 bytes
CNavDTD::AddLeaf(const nsIParserNode * 0x03df8070) line 3789 + 22 bytes
CNavDTD::AddHeadLeaf(nsIParserNode * 0x03df8070) line 3847 + 15 bytes
CNavDTD::HandleStartToken(CToken * 0x03e69da0) line 1744 + 12 bytes
CNavDTD::HandleToken(CNavDTD * const 0x03de39f0, CToken * 0x00000000, nsIParser 
* 0x03e75468) line 910 + 12 bytes
CNavDTD::BuildModel(CNavDTD * const 0x03de39f0, nsIParser * 0x03e75468, 
nsITokenizer * 0x03e3a838, nsITokenObserver * 0x00000000, nsIContentSink * 
0x03e90e08) line 540 + 20 bytes
nsParser::BuildModel() line 2217 + 34 bytes
nsParser::ResumeParse(int 1, int 0) line 2083 + 11 bytes
nsParser::OnDataAvailable(nsParser * const 0x03e75470, nsIRequest * 0x03e2e6f0, 
nsISupports * 0x00000000, nsIInputStream * 0x03e3a368, unsigned int 15677, 
unsigned int 1448) line 2688 + 19 bytes
nsDocumentOpenInfo::OnDataAvailable(nsDocumentOpenInfo * const 0x03e2e830, 
nsIRequest * 0x03e2e6f0, nsISupports * 0x00000000, nsIInputStream * 0x03e3a368, 
unsigned int 15677, unsigned int 1448) line 235 + 46 bytes
nsStreamListenerTee::OnDataAvailable(nsStreamListenerTee * const 0x03dca4e0, 
nsIRequest * 0x03e2e6f0, nsISupports * 0x00000000, nsIInputStream * 0x03e5c5a8, 
unsigned int 15677, unsigned int 1448) line 56 + 51 bytes
nsHttpChannel::OnDataAvailable(nsHttpChannel * const 0x03e2e6f4, nsIRequest * 
0x03e3b210, nsISupports * 0x00000000, nsIInputStream * 0x03e5c5a8, unsigned int 
15677, unsigned int 1448) line 2150 + 57 bytes
nsOnDataAvailableEvent::HandleEvent() line 178 + 70 bytes
nsARequestObserverEvent::HandlePLEvent(PLEvent * 0x03cc1304) line 64
PL_HandleEvent(PLEvent * 0x03cc1304) line 590 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00d78028) line 520 + 9 bytes
_md_EventReceiverProc(HWND__ * 0x001e03b8, unsigned int 49383, unsigned int 0, 
long 14123048) line 1071 + 9 bytes
USER32! 77e02e98()
USER32! 77e030e0()
USER32! 77e05824()
nsAppShellService::Run(nsAppShellService * const 0x00e4bc88) line 424
main1(int 2, char * * 0x003578d8, nsISupports * 0x00000000) line 1174 + 32 bytes
main(int 2, char * * 0x003578d8) line 1478 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e87d08()
Assignee: asa → rogerl
Severity: major → critical
Component: Browser-General → Javascript Engine
QA Contact: doronr → pschwartau
Some stack traces are unreliable because so much heap corruption has 
occurred. We have corrupted memory running through much of the stack. 
With a Mozilla debug build, one tipoff is the presence of function calls 
like this in the stack:

_free_dbg_lk(void * 0x03ab77e8, int 1) line 1044 + 9 bytes
_free_dbg(void * 0x03ab77e8, int 1) line 1001 + 13 bytes
free(void * 0x03ab77e8) line 956 + 11 bytes


The free() function is freeing memory. The _free_dbg() functions notice that 
memory has somehow been corrupted and assert. They cannot provide further 
detail. For that, we need to run Purify. 
The problem is this loop at the site. It has become infinite in Mozilla:


// Choose Different products
var status= true;
ProductsChoosen[1]=Math.floor(1+(Big.length-1)*Math.random());
ProductsChoosen[1]=Math.floor(1+(Big2.length-1)*Math.random());
ProductsChoosen[2]=Math.floor(1+(Little.length-1)*Math.random());

while (status) {
  choosen=Math.floor(1+(Little.length-1)*Math.random());
  status=(ProductsChoosen[2]==choosen); 
}
This loop is infinite in Mozilla/N6 because typeof status 
is evaluating to 'string' instead of 'boolean'. 

Thus status evaluates to the string primitives 'true', 'false'
instead of the Boolean primitives true, false !!!

Since Boolean('true') == true  and  Boolean('false') == true, 
the condition 

                   while(status) 

constantly evaluates to true, and so the loop never terminates. 
I will attach a simple testcase below - 
Actually, the testcase is a one-liner. Just key this into the URL bar:

         javascript: var status=(1==2); alert(typeof status);


RESULTS:
                      IE4.7 -->  'boolean'
                      NN4.7 -->  'boolean'
                      Moz/N6 --> 'string'
The analogous test in the standalone JS shell produces 'boolean':

js>  var status=(1==2); print(typeof status);
boolean


Therefore I'm reassigning this to DOM Level 0 for further analysis.
Severity should remain critical, as I'm afraid many other Web pages 
could be affected by this...
Assignee: rogerl → jst
Component: Javascript Engine → DOM Level 0
QA Contact: pschwartau → desale
Summary: eternal loop upon visiting page → Boolean expressions evaluating as strings in the DOM; causes infinite loop upon visiting page
OOPS - jst pointed out to me that it's the specific identifier 'status'
that is causing the problem. Any variable defined in top-level JavaScript
is supposed to be added as a property of the global object. In the DOM,
that is the window object. But the window object ALREADY has a property
named 'status'; as in "window.status" etc. 


If you try the testcase with the identifier 'x' instead of 'status',
you get the same result in Mozilla as in the other browsers:


              javascript: var x=(1==2); alert(typeof x);


RESULTS:
                      IE4.7 -->  'boolean'
                      NN4.7 -->  'boolean'
                      Moz/N6 --> 'boolean'
So what do we do with this? Evangelism?
*** Bug 98726 has been marked as a duplicate of this bug. ***
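
The name collision explained earlier in this thread, as an added JavaScript illustration that is not code from Mozilla or from the site. makeWindowLike(), pickDifferent(), seq() and shadowedAccessors() are hypothetical names; the string-storing accessor is a model of what the thread reports for window.status, and the iteration cap is added so the runaway case returns instead of hanging.

```javascript
// Hypothetical stand-in for a global object whose 'status' property is an
// accessor that stores strings, as the thread reports for window.status.
function makeWindowLike() {
  let text = '';
  return Object.defineProperty({}, 'status', {
    get() { return text; },
    set(v) { text = String(v); }, // every assignment is stringified
    enumerable: true,
  });
}

// Constructed, deterministic replacement for Math.random().
function seq(values) { let i = 0; return () => values[i++ % values.length]; }

// The site's loop, parameterised on where the flag lives. The cap turns the
// infinite loop into a reportable result.
function pickDifferent(scope, flag, taken, size, rand, cap = 1000) {
  let chosen, spins = 0;
  scope[flag] = true;
  while (scope[flag]) {
    if (spins === cap) return { hung: true, spins, type: typeof scope[flag] };
    spins++;
    chosen = Math.floor(1 + (size - 1) * rand());
    scope[flag] = (taken === chosen); // stored as 'true'/'false' on the accessor
  }
  return { hung: false, spins, chosen, type: typeof scope[flag] };
}

// Check for a page script: which intended top-level names would land on an
// accessor the global object (or its prototype chain) already defines?
function shadowedAccessors(globalObj, names) {
  return names.filter((n) => {
    for (let o = globalObj; o; o = Object.getPrototypeOf(o)) {
      const d = Object.getOwnPropertyDescriptor(o, n);
      if (d) return typeof d.get === 'function' || typeof d.set === 'function';
    }
    return false;
  });
}

// Flag on the window-like object: never terminates on its own (typeof 'string').
console.log(pickDifferent(makeWindowLike(), 'status', 1, 5, seq([0, 0.5])));
// Flag on a plain object (same effect as a function-local variable): exits.
console.log(pickDifferent({}, 'status', 1, 5, seq([0, 0.5])));
console.log(shadowedAccessors(makeWindowLike(), ['status', 'x', 'choosen']));
```

Keeping the flag in a function-local variable, or choosing a name the global object does not define, gives the second result regardless of how the host treats window.status.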
NOTE: very similar if not identical to DOM bug 91206,
      "In DOM, null values for 'name' evaluate to true"
*** Bug 100149 has been marked as a duplicate of this bug. ***
As a "semi-workaround" you can go to http://www.ce.philips.se/ to get to Philips'
Swedish page for consumer electronics.

WORKSFORME now.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → WORKSFORME
Verified Worksforme using Mozilla trunk binaries 20011120xx on 
WinNT, Linux, and Mac 9.1. The given site loads fine, and the 
one-line testcase also works fine now:

      javascript: var status=(1==2); alert(typeof status);

RESULT:
             Moz/N6: ---> 'boolean'  (not 'string' as before)
Status: RESOLVED → VERIFIED
*** Bug 115687 has been marked as a duplicate of this bug. ***