Closed
Bug 113856
Opened 23 years ago
Closed 23 years ago
Crash when no implementation for class created with new
Categories
(Core :: DOM: Core & HTML, defect, P1)
Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla0.9.9
People
(Reporter: giscardg, Assigned: jst)
Details
(Keywords: crash, Whiteboard: [HAVE FIX])
Attachments (3 files)
2.20 KB, text/plain
74 bytes, text/xml
1.87 KB, patch (hjtoi-bugzilla: review+; vidur: superreview+)
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:0.9.6) Gecko/20011120
BuildID: 20011120

<?xml version="1.0"?>
<?proc file="2"?>
<test>
Hello world
</test>

Serializing this document will crash the browser. Load the page in the browser, then type the following line in the address bar:

javascript:alert(eval('s=new DOMSerializer();s.serializeToString(document);'))

This will crash your browser. You can also test this from another frame:

ser.serializeToString(parent.xmlDocument.document);

Reproducible: Always

Steps to Reproduce:
1. Create an xml document with a processing instruction
2. Load the xml document in the browser.
3. Type the following line in your address bar
javascript:alert(eval('s=new DOMSerializer();s.serializeToString(document);'))

Actual Results:
Feedback agent appears, browser then closes.
Comment 1•23 years ago
Build ID: 2001 12 05 16 (really this one: 2001-12-05-18-AB_OUTLINER). Windows 2000. Confirm crash using reporter's recipe. Incident ID: TB133885M
Comment 3•23 years ago
Over to heikki for further investigation. From the stacktrace, it doesn't look like this is a serializer specific bug tho, but I could be wrong...
Assignee: jst → heikki
Updated•23 years ago
Keywords: mozilla1.0
Target Milestone: --- → mozilla1.0
Still occurs, tested on Win2k. Stack in debug build:

nsID::Equals(const nsID & {...}) line 78 + 6 bytes
nsWindowSH::GlobalResolve(nsISupports * 0x0437db80, JSContext * 0x0437d850, JSObject * 0x0332d160, JSString * 0x034175c8, unsigned int 0, int * 0x00128694) line 3176 + 14 bytes
nsWindowSH::NewResolve(nsWindowSH * const 0x005337c0, nsIXPConnectWrappedNative * 0x04380550, JSContext * 0x0437d850, JSObject * 0x0332d160, long 54621644, unsigned int 0, JSObject * * 0x00128798, int * 0x00128714) line 3423 + 34 bytes
XPC_WN_Helper_NewResolve(JSContext * 0x0437d850, JSObject * 0x0332d160, long 54621644, unsigned int 0, JSObject * * 0x001288b8) line 904 + 66 bytes
_js_LookupProperty(JSContext * 0x0437d850, JSObject * 0x0332d160, long 75611456, JSObject * * 0x00128960, JSProperty * * 0x00128950, const char * 0x014f0fb4, unsigned int 2297) line 2164 + 32 bytes
js_FindProperty(JSContext * 0x0437d850, long 75611456, JSObject * * 0x0012951c, JSObject * * 0x001295a4, JSProperty * * 0x001294f0) line 2297 + 41 bytes
js_Interpret(JSContext * 0x0437d850, long * 0x001297c4) line 2857 + 34 bytes
js_Execute(JSContext * 0x0437d850, JSObject * 0x0332d160, JSScript * 0x0481bbe0, JSStackFrame * 0x0012a4cc, unsigned int 8, long * 0x001297c4) line 1012 + 13 bytes
obj_eval(JSContext * 0x0437d850, JSObject * 0x0332d160, unsigned int 1, long * 0x03434e24, long * 0x001297c4) line 1032 + 27 bytes
js_Invoke(JSContext * 0x0437d850, unsigned int 1, unsigned int 0) line 832 + 23 bytes
js_Interpret(JSContext * 0x0437d850, long * 0x0012a624) line 2800 + 15 bytes
js_Execute(JSContext * 0x0437d850, JSObject * 0x0332d160, JSScript * 0x0481d160, JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012a624) line 1012 + 13 bytes
JS_EvaluateUCScriptForPrincipals(JSContext * 0x0437d850, JSObject * 0x0332d160, JSPrincipals * 0x0484b580, const unsigned short * 0x0481f060, unsigned int 67, const char * 0x00000000, unsigned int 0, long * 0x0012a624) line 3356 + 25 bytes
nsJSContext::EvaluateString(nsJSContext * const 0x0437db10, const nsAString & {???}, void * 0x0332d160, nsIPrincipal * 0x0484b57c, const char * 0x00000000, unsigned int 0, const char * 0x00000000, nsAString & {???}, int * 0x0012a818) line 676 + 85 bytes
nsJSThunk::EvaluateScript() line 260 + 64 bytes
nsJSChannel::AsyncOpen(nsJSChannel * const 0x0481f540, nsIStreamListener * 0x0481f280, nsISupports * 0x00000000) line 576 + 11 bytes
nsDocumentOpenInfo::Open(nsIChannel * 0x0481f540, int 0, nsISupports * 0x04364150) line 168 + 18 bytes
nsURILoader::OpenURIVia(nsURILoader * const 0x005285e0, nsIChannel * 0x0481f540, int 0, nsISupports * 0x04364150, unsigned int 0) line 534 + 20 bytes
nsURILoader::OpenURI(nsURILoader * const 0x005285e0, nsIChannel * 0x0481f540, int 0, nsISupports * 0x04364150) line 496
nsDocShell::DoChannelLoad(nsIChannel * 0x0481f540, nsIURILoader * 0x005285e0) line 4562 + 39 bytes
nsDocShell::DoURILoad(nsIURI * 0x0481f590, nsIURI * 0x00000000, nsISupports * 0x0484b570, nsIInputStream * 0x00000000, nsIInputStream * 0x00000000) line 4346 + 38 bytes
nsDocShell::InternalLoad(nsDocShell * const 0x04364150, nsIURI * 0x0481f590, nsIURI * 0x00000000, nsISupports * 0x00000000, int 1, const unsigned short * 0x0481e030, nsIInputStream * 0x00000000, nsIInputStream * 0x00000000, unsigned int 1, nsISHEntry * 0x00000000) line 4158 + 39 bytes
nsDocShell::LoadURI(nsDocShell * const 0x04364150, nsIURI * 0x0481f590, nsIDocShellLoadInfo * 0x0481f310, unsigned int 0) line 590 + 65 bytes
nsDocShell::LoadURI(nsDocShell * const 0x04364160, const unsigned short * 0x048136f0, unsigned int 0, nsIURI * 0x00000000, nsIInputStream * 0x00000000, nsIInputStream * 0x00000000) line 2317 + 36 bytes
XPTC_InvokeByIndex(nsISupports * 0x04364160, unsigned int 8, unsigned int 5, nsXPTCVariant * 0x0012b0c8) line 106
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_METHOD) line 1998 + 42 bytes
XPC_WN_CallMethod(JSContext * 0x026b0e70, JSObject * 0x034174e0, unsigned int 5, long * 0x01346344, long * 0x0012b3a4) line 1266 + 14 bytes
js_Invoke(JSContext * 0x026b0e70, unsigned int 5, unsigned int 0) line 832 + 23 bytes
js_Interpret(JSContext * 0x026b0e70, long * 0x0012c194) line 2800 + 15 bytes
js_Invoke(JSContext * 0x026b0e70, unsigned int 1, unsigned int 0) line 849 + 13 bytes
js_Interpret(JSContext * 0x026b0e70, long * 0x0012cf3c) line 2800 + 15 bytes
js_Invoke(JSContext * 0x026b0e70, unsigned int 2, unsigned int 2) line 849 + 13 bytes
fun_apply(JSContext * 0x026b0e70, JSObject * 0x03303208, unsigned int 2, long * 0x013461c8, long * 0x0012d0b4) line 1509 + 15 bytes
js_Invoke(JSContext * 0x026b0e70, unsigned int 2, unsigned int 0) line 832 + 23 bytes
js_Interpret(JSContext * 0x026b0e70, long * 0x0012dea4) line 2800 + 15 bytes
js_Invoke(JSContext * 0x026b0e70, unsigned int 1, unsigned int 2) line 849 + 13 bytes
js_InternalInvoke(JSContext * 0x026b0e70, JSObject * 0x03303208, long 53633400, unsigned int 0, unsigned int 1, long * 0x0012e0fc, long * 0x0012dfcc) line 924 + 20 bytes
JS_CallFunctionValue(JSContext * 0x026b0e70, JSObject * 0x03303208, long 53633400, unsigned int 1, long * 0x0012e0fc, long * 0x0012dfcc) line 3405 + 31 bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x026a0a40, void * 0x03303208, void * 0x03326178, unsigned int 1, void * 0x0012e0fc, int * 0x0012e100, int 0) line 1016 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x04509ed0, nsIDOMEvent * 0x0450c328) line 180 + 77 bytes
nsXBLPrototypeHandler::ExecuteHandler(nsXBLPrototypeHandler * const 0x043c08a0, nsIDOMEventReceiver * 0x039355b8, nsIDOMEvent * 0x0450c328) line 442
DoKey(nsIAtom * 0x026c7d40 {"keypress"}, nsIXBLPrototypeHandler * 0x043c08a0, nsIDOMEvent * 0x0450c328, nsIDOMEventReceiver * 0x039355b8) line 108
nsXBLKeyHandler::KeyPress(nsXBLKeyHandler * const 0x043da4b0, nsIDOMEvent * 0x0450c328) line 123 + 40 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x03935550, nsIPresContext * 0x02d4b800, nsEvent * 0x0012f91c, nsIDOMEvent * * 0x0012f46c, nsIDOMEventTarget * 0x039355b8, unsigned int 4, nsEventStatus * 0x0012f88c) line 1636 + 41 bytes
nsXULElement::HandleDOMEvent(nsXULElement * const 0x039355b0, nsIPresContext * 0x02d4b800, nsEvent * 0x0012f91c, nsIDOMEvent * * 0x0012f46c, unsigned int 4, nsEventStatus * 0x0012f88c) line 3375
nsXULElement::HandleDOMEvent(nsXULElement * const 0x043d8210, nsIPresContext * 0x02d4b800, nsEvent * 0x0012f91c, nsIDOMEvent * * 0x0012f46c, unsigned int 4, nsEventStatus * 0x0012f88c) line 3356
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x043d9f50, nsIPresContext * 0x02d4b800, nsEvent * 0x0012f91c, nsIDOMEvent * * 0x0012f46c, unsigned int 1, nsEventStatus * 0x0012f88c) line 1631
nsHTMLInputElement::HandleDOMEvent(nsHTMLInputElement * const 0x043d9f50, nsIPresContext * 0x02d4b800, nsEvent * 0x0012f91c, nsIDOMEvent * * 0x00000000, unsigned int 1, nsEventStatus * 0x0012f88c) line 1183 + 29 bytes
PresShell::HandleEventInternal(nsEvent * 0x0012f91c, nsIView * 0x02e01640, unsigned int 1, nsEventStatus * 0x0012f88c) line 5986 + 44 bytes
PresShell::HandleEvent(PresShell * const 0x02e04424, nsIView * 0x02e01640, nsGUIEvent * 0x0012f91c, nsEventStatus * 0x0012f88c, int 1, int & 1) line 5909 + 25 bytes
nsView::HandleEvent(nsView * const 0x02e01640, nsGUIEvent * 0x0012f91c, unsigned int 0, nsEventStatus * 0x0012f88c, int 1, int & 1) line 387
nsViewManager::DispatchEvent(nsViewManager * const 0x02e02320, nsGUIEvent * 0x0012f91c, nsEventStatus * 0x0012f88c) line 1909
HandleEvent(nsGUIEvent * 0x0012f91c) line 83
nsWindow::DispatchEvent(nsWindow * const 0x02e01514, nsGUIEvent * 0x0012f91c, nsEventStatus & nsEventStatus_eIgnore) line 850 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f91c) line 871
nsWindow::DispatchKeyEvent(unsigned int 131, unsigned short 0, unsigned int 13) line 2600 + 15 bytes
nsWindow::OnChar(unsigned int 13, unsigned int 13, unsigned char 1) line 2733
nsWindow::ProcessMessage(unsigned int 258, unsigned int 13, long 1835009, long * 0x0012fd20) line 3282 + 51 bytes
nsWindow::WindowProc(HWND__ * 0x001907c6, unsigned int 258, unsigned int 13, long 1835009) line 1115 + 27 bytes
USER32! 77e12e98()
USER32! 77e130e0()
USER32! 77e15824()
nsAppShellService::Run(nsAppShellService * const 0x004b5fb0) line 308
main1(int 2, char * * 0x00444ae0, nsISupports * 0x00000000) line 1285 + 32 bytes
main(int 2, char * * 0x00444ae0) line 1625 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e97d08()
Priority: -- → P1
The processing instructions don't matter, in fact the document you have currently open does not matter at all, it could even be HTML.
Target Milestone: mozilla1.0 → ---
Comment 7•23 years ago
Comment 8•23 years ago
Looks like we have a name mismatch here, we have the interface nsIDOMSerializer, and the JS "class" DOMSerializer, but we register the xmlextras XML serializer as the JS "class" XMLSerializer. So the testcase here (i.e. the javascript: URL) does the wrong thing, it should do "s=new XMLSerializer();", not "s=new DOMSerializer();". I'm not sure what we want to do about that, but after Pike is done hacking on the bug about new Foo() where Foo is not really a new:able class, the testcase will throw an exception saying you can't call new on this class...
Comment on attachment 66574 [details] [diff] [review]
Fix the crash that happens when we do new Foo() where Foo is a class w/o a primary IID

r=heikki

Attachment #66574 - Flags: review+
This belongs to jst. Get an sr and check in...
Assignee: heikki → jst
Summary: serializeToString crashes on processing instruction → Crash when no implementation for class created with new
Whiteboard: [HAVE FIX]
Target Milestone: --- → mozilla0.9.9
Comment 11•23 years ago
Comment on attachment 66574 [details] [diff] [review]
Fix the crash that happens when we do new Foo() where Foo is a class w/o a primary IID

sr=vidur

Attachment #66574 - Flags: superreview+
Comment 12•23 years ago
Fixed
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Updated•11 years ago
Component: DOM: Mozilla Extensions → DOM
Updated•5 years ago
Component: DOM → DOM: Core & HTML