Closed
Bug 3585
Opened 26 years ago
Closed 26 years ago
Erasing current frame crashes browser
Categories
(Core :: JavaScript Engine, defect, P3)
Tracking
()
VERIFIED
FIXED
M5
People
(Reporter: morse, Assigned: pollmann)
References
()
Details
Following context causes browser to crash when button is pressed. Problem has
to do with the lines that clear out the current frame (document.open and
document.close) because if those lines are commented out the crash does not
occur.
Stack trace is shown below content.
<HTML>
<HEAD>
<SCRIPT>
button_frame = 0;
function loadFrames(){
top.frames[button_frame].document.open();
top.frames[button_frame].document.write(
"<FORM name=buttons>" +
"<INPUT type=BUTTON value=OK onclick=parent.clicker()>" +
"</FORM>"
);
top.frames[button_frame].document.close();
}
function clicker(){
top.frames[button_frame].document.open();
top.frames[button_frame].document.close();
}
</SCRIPT>
</HEAD>
<FRAMESET ROWS = 50,50 onLoad=loadFrames()>
<FRAME SRC=about:blank>
<FRAME SRC=about:blank>
</FRAMESET>
<NOFRAMES>
<BODY> <BR> </BODY>
</NOFRAMES>
</HTML>
00000000()
USER32! 77e7288d()
USER32! 77e72918()
nsWindow::WindowProc(void * 0x0001030c, unsigned int 514, unsigned int 0, long
1048585) line 462
USER32! 77e71250()
Reporter | ||
Comment 1•26 years ago
|
||
This is a regression. Same test worked fine on a tree that was pulled about a
week ago.
Assignee | ||
Updated•26 years ago
|
Assignee | ||
Comment 2•26 years ago
|
||
This seems to be related to deleting a form element which has the currently
executing javascript callback attached to it. (clickercrash2.html, in which the
callback is attached to a button, causes a crash, but clickercrash3.html, in
which the callback is not attached to a button, does not.)
CC'ing Mike. Is this a know problem to the Javascript guys? I get much from
the call stack on the bug, but it is being caused through javascript calls.
BTW, this works correctly and does not crash Linux.
Comment 3•26 years ago
|
||
This doesn't look familiar... I've looked at checkins back to the first of the
month, and I don't see any checkins of relevance to mozilla/js/src. (one to
Makefile.in, for irix only, and one to jsdate.c, etc.)
It's a crude method, but if you know its a recent regression, could binary
search find the offending checkin?
Assignee | ||
Updated•26 years ago
|
Target Milestone: M5
Assignee | ||
Updated•26 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 26 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 4•26 years ago
|
||
This bug has magically disappeared (probably related to Chris's recent removal
of nsFormFrameTable).
To verify, visit http://blueviper/forms/clickercrash2.html and click on the
button. The browser should not crash.
Updated•26 years ago
|
Status: RESOLVED → VERIFIED
Comment 5•26 years ago
|
||
Fixed in the April 28th Build.
Javacsript component begin retired. Moving this bug to Javascript Engine.
You need to log in
before you can comment on or make changes to this bug.
Description
•