Closed Bug 3585 Opened 26 years ago Closed 26 years ago

Erasing current frame crashes browser

Categories

(Core :: JavaScript Engine, defect, P3)

x86
Windows NT
defect

Tracking

VERIFIED FIXED

People

(Reporter: morse, Assigned: pollmann)

Details

Following context causes browser to crash when button is pressed. Problem has to do with the lines that clear out the current frame (document.open and document.close) because if those lines are commented out the crash does not occur. Stack trace is shown below content.

<HTML>
<HEAD>
<SCRIPT>
  button_frame = 0;

  function loadFrames(){
    top.frames[button_frame].document.open();
    top.frames[button_frame].document.write(
      "<FORM name=buttons>" +
        "<INPUT type=BUTTON value=OK onclick=parent.clicker()>" +
      "</FORM>"
    );
    top.frames[button_frame].document.close();
  }

  function clicker(){
    top.frames[button_frame].document.open();
    top.frames[button_frame].document.close();
  }
</SCRIPT>
</HEAD>
<FRAMESET ROWS = 50,50 onLoad=loadFrames()>
  <FRAME SRC=about:blank>
  <FRAME SRC=about:blank>
</FRAMESET>
<NOFRAMES>
<BODY>
<BR>
</BODY>
</NOFRAMES>
</HTML>

00000000()
USER32! 77e7288d()
USER32! 77e72918()
nsWindow::WindowProc(void * 0x0001030c, unsigned int 514, unsigned int 0, long 1048585) line 462
USER32! 77e71250()

This is a regression. Same test worked fine on a tree that was pulled about a week ago.
Status: NEW → ASSIGNED
Component: Layout → JavaScript
This seems to be related to deleting a form element which has the currently executing javascript callback attached to it. (clickercrash2.html, in which the callback is attached to a button, causes a crash, but clickercrash3.html, in which the callback is not attached to a button, does not.) CC'ing Mike. Is this a known problem to the Javascript guys? I get much from the call stack on the bug, but it is being caused through javascript calls. BTW, this works correctly and does not crash on Linux.
This doesn't look familiar... I've looked at checkins back to the first of the month, and I don't see any checkins of relevance to mozilla/js/src. (one to Makefile.in, for irix only, and one to jsdate.c, etc.) It's a crude method, but if you know it's a recent regression, could binary search find the offending checkin?
Target Milestone: M5
Status: ASSIGNED → RESOLVED
Closed: 26 years ago
Resolution: --- → FIXED
This bug has magically disappeared (probably related to Chris's recent removal of nsFormFrameTable). To verify, visit http://blueviper/forms/clickercrash2.html and click on the button. The browser should not crash.
Status: RESOLVED → VERIFIED
Fixed in the April 28th Build.
Javascript component being retired. Moving this bug to Javascript Engine.