Closed Bug 113856 Opened 23 years ago Closed 23 years ago

Crash when no implementation for class created with new

Categories

(Core :: DOM: Core & HTML, defect, P1)

x86
Windows XP
defect

Tracking

()

RESOLVED FIXED
mozilla0.9.9

People

(Reporter: giscardg, Assigned: jst)

Details

(Keywords: crash, Whiteboard: [HAVE FIX])

Attachments

(3 files)

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:0.9.6) Gecko/20011120
BuildID:    20011120

<?xml version="1.0"?>
<?proc file="2"?>
<test>
Hello world
</test>

serializing this document will crash the browser.  Load page in browser, type
the following line in the address bar.

javascript:alert(eval('s=new DOMSerializer();s.serializeToString(document);'))


This will crash your browser, you can also test this from another frame,
ser.serializeToString(parent.xmlDocument.document);

Reproducible: Always
Steps to Reproduce:
1.  Create an xml document with a processing instruction
2.  Load the xml document in the browser.
3.  Type the following line in your address bar
javascript:alert(eval('s=new DOMSerializer();s.serializeToString(document);'))

Actual Results:  Feedback agent appears, browser then closes.
Build ID: 2001 12 05 16 (really this one:  2001-12-05-18-AB_OUTLINER).
Windows 2000.

Confirm crash using reporter's recipe. Incident ID: TB133885M
Severity: normal → critical
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
Over to heikki for further investigation. From the stacktrace, it doesn't look
like this is a serializer specific bug tho, but I could be wrong...
Assignee: jst → heikki
Keywords: mozilla1.0
Target Milestone: --- → mozilla1.0
Still occurs, tested on Win2k.

Stack in debug build:

nsID::Equals(const nsID & {...}) line 78 + 6 bytes
nsWindowSH::GlobalResolve(nsISupports * 0x0437db80, JSContext * 0x0437d850,
JSObject * 0x0332d160, JSString * 0x034175c8, unsigned int 0, int * 0x00128694)
line 3176 + 14 bytes
nsWindowSH::NewResolve(nsWindowSH * const 0x005337c0, nsIXPConnectWrappedNative
* 0x04380550, JSContext * 0x0437d850, JSObject * 0x0332d160, long 54621644,
unsigned int 0, JSObject * * 0x00128798, int * 0x00128714) line 3423 + 34 bytes
XPC_WN_Helper_NewResolve(JSContext * 0x0437d850, JSObject * 0x0332d160, long
54621644, unsigned int 0, JSObject * * 0x001288b8) line 904 + 66 bytes
_js_LookupProperty(JSContext * 0x0437d850, JSObject * 0x0332d160, long 75611456,
JSObject * * 0x00128960, JSProperty * * 0x00128950, const char * 0x014f0fb4,
unsigned int 2297) line 2164 + 32 bytes
js_FindProperty(JSContext * 0x0437d850, long 75611456, JSObject * * 0x0012951c,
JSObject * * 0x001295a4, JSProperty * * 0x001294f0) line 2297 + 41 bytes
js_Interpret(JSContext * 0x0437d850, long * 0x001297c4) line 2857 + 34 bytes
js_Execute(JSContext * 0x0437d850, JSObject * 0x0332d160, JSScript * 0x0481bbe0,
JSStackFrame * 0x0012a4cc, unsigned int 8, long * 0x001297c4) line 1012 + 13 bytes
obj_eval(JSContext * 0x0437d850, JSObject * 0x0332d160, unsigned int 1, long *
0x03434e24, long * 0x001297c4) line 1032 + 27 bytes
js_Invoke(JSContext * 0x0437d850, unsigned int 1, unsigned int 0) line 832 + 23
bytes
js_Interpret(JSContext * 0x0437d850, long * 0x0012a624) line 2800 + 15 bytes
js_Execute(JSContext * 0x0437d850, JSObject * 0x0332d160, JSScript * 0x0481d160,
JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012a624) line 1012 + 13 bytes
JS_EvaluateUCScriptForPrincipals(JSContext * 0x0437d850, JSObject * 0x0332d160,
JSPrincipals * 0x0484b580, const unsigned short * 0x0481f060, unsigned int 67,
const char * 0x00000000, unsigned int 0, long * 0x0012a624) line 3356 + 25 bytes
nsJSContext::EvaluateString(nsJSContext * const 0x0437db10, const nsAString &
{???}, void * 0x0332d160, nsIPrincipal * 0x0484b57c, const char * 0x00000000,
unsigned int 0, const char * 0x00000000, nsAString & {???}, int * 0x0012a818)
line 676 + 85 bytes
nsJSThunk::EvaluateScript() line 260 + 64 bytes
nsJSChannel::AsyncOpen(nsJSChannel * const 0x0481f540, nsIStreamListener *
0x0481f280, nsISupports * 0x00000000) line 576 + 11 bytes
nsDocumentOpenInfo::Open(nsIChannel * 0x0481f540, int 0, nsISupports *
0x04364150) line 168 + 18 bytes
nsURILoader::OpenURIVia(nsURILoader * const 0x005285e0, nsIChannel * 0x0481f540,
int 0, nsISupports * 0x04364150, unsigned int 0) line 534 + 20 bytes
nsURILoader::OpenURI(nsURILoader * const 0x005285e0, nsIChannel * 0x0481f540,
int 0, nsISupports * 0x04364150) line 496
nsDocShell::DoChannelLoad(nsIChannel * 0x0481f540, nsIURILoader * 0x005285e0)
line 4562 + 39 bytes
nsDocShell::DoURILoad(nsIURI * 0x0481f590, nsIURI * 0x00000000, nsISupports *
0x0484b570, nsIInputStream * 0x00000000, nsIInputStream * 0x00000000) line 4346
+ 38 bytes
nsDocShell::InternalLoad(nsDocShell * const 0x04364150, nsIURI * 0x0481f590,
nsIURI * 0x00000000, nsISupports * 0x00000000, int 1, const unsigned short *
0x0481e030, nsIInputStream * 0x00000000, nsIInputStream * 0x00000000, unsigned
int 1, nsISHEntry * 0x00000000) line 4158 + 39 bytes
nsDocShell::LoadURI(nsDocShell * const 0x04364150, nsIURI * 0x0481f590,
nsIDocShellLoadInfo * 0x0481f310, unsigned int 0) line 590 + 65 bytes
nsDocShell::LoadURI(nsDocShell * const 0x04364160, const unsigned short *
0x048136f0, unsigned int 0, nsIURI * 0x00000000, nsIInputStream * 0x00000000,
nsIInputStream * 0x00000000) line 2317 + 36 bytes
XPTC_InvokeByIndex(nsISupports * 0x04364160, unsigned int 8, unsigned int 5,
nsXPTCVariant * 0x0012b0c8) line 106
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode
CALL_METHOD) line 1998 + 42 bytes
XPC_WN_CallMethod(JSContext * 0x026b0e70, JSObject * 0x034174e0, unsigned int 5,
long * 0x01346344, long * 0x0012b3a4) line 1266 + 14 bytes
js_Invoke(JSContext * 0x026b0e70, unsigned int 5, unsigned int 0) line 832 + 23
bytes
js_Interpret(JSContext * 0x026b0e70, long * 0x0012c194) line 2800 + 15 bytes
js_Invoke(JSContext * 0x026b0e70, unsigned int 1, unsigned int 0) line 849 + 13
bytes
js_Interpret(JSContext * 0x026b0e70, long * 0x0012cf3c) line 2800 + 15 bytes
js_Invoke(JSContext * 0x026b0e70, unsigned int 2, unsigned int 2) line 849 + 13
bytes
fun_apply(JSContext * 0x026b0e70, JSObject * 0x03303208, unsigned int 2, long *
0x013461c8, long * 0x0012d0b4) line 1509 + 15 bytes
js_Invoke(JSContext * 0x026b0e70, unsigned int 2, unsigned int 0) line 832 + 23
bytes
js_Interpret(JSContext * 0x026b0e70, long * 0x0012dea4) line 2800 + 15 bytes
js_Invoke(JSContext * 0x026b0e70, unsigned int 1, unsigned int 2) line 849 + 13
bytes
js_InternalInvoke(JSContext * 0x026b0e70, JSObject * 0x03303208, long 53633400,
unsigned int 0, unsigned int 1, long * 0x0012e0fc, long * 0x0012dfcc) line 924 +
20 bytes
JS_CallFunctionValue(JSContext * 0x026b0e70, JSObject * 0x03303208, long
53633400, unsigned int 1, long * 0x0012e0fc, long * 0x0012dfcc) line 3405 + 31 bytes
nsJSContext::CallEventHandler(nsJSContext * const 0x026a0a40, void * 0x03303208,
void * 0x03326178, unsigned int 1, void * 0x0012e0fc, int * 0x0012e100, int 0)
line 1016 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x04509ed0, nsIDOMEvent
* 0x0450c328) line 180 + 77 bytes
nsXBLPrototypeHandler::ExecuteHandler(nsXBLPrototypeHandler * const 0x043c08a0,
nsIDOMEventReceiver * 0x039355b8, nsIDOMEvent * 0x0450c328) line 442
DoKey(nsIAtom * 0x026c7d40 {"keypress"}, nsIXBLPrototypeHandler * 0x043c08a0,
nsIDOMEvent * 0x0450c328, nsIDOMEventReceiver * 0x039355b8) line 108
nsXBLKeyHandler::KeyPress(nsXBLKeyHandler * const 0x043da4b0, nsIDOMEvent *
0x0450c328) line 123 + 40 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x03935550,
nsIPresContext * 0x02d4b800, nsEvent * 0x0012f91c, nsIDOMEvent * * 0x0012f46c,
nsIDOMEventTarget * 0x039355b8, unsigned int 4, nsEventStatus * 0x0012f88c) line
1636 + 41 bytes
nsXULElement::HandleDOMEvent(nsXULElement * const 0x039355b0, nsIPresContext *
0x02d4b800, nsEvent * 0x0012f91c, nsIDOMEvent * * 0x0012f46c, unsigned int 4,
nsEventStatus * 0x0012f88c) line 3375
nsXULElement::HandleDOMEvent(nsXULElement * const 0x043d8210, nsIPresContext *
0x02d4b800, nsEvent * 0x0012f91c, nsIDOMEvent * * 0x0012f46c, unsigned int 4,
nsEventStatus * 0x0012f88c) line 3356
nsGenericElement::HandleDOMEvent(nsGenericElement * const 0x043d9f50,
nsIPresContext * 0x02d4b800, nsEvent * 0x0012f91c, nsIDOMEvent * * 0x0012f46c,
unsigned int 1, nsEventStatus * 0x0012f88c) line 1631
nsHTMLInputElement::HandleDOMEvent(nsHTMLInputElement * const 0x043d9f50,
nsIPresContext * 0x02d4b800, nsEvent * 0x0012f91c, nsIDOMEvent * * 0x00000000,
unsigned int 1, nsEventStatus * 0x0012f88c) line 1183 + 29 bytes
PresShell::HandleEventInternal(nsEvent * 0x0012f91c, nsIView * 0x02e01640,
unsigned int 1, nsEventStatus * 0x0012f88c) line 5986 + 44 bytes
PresShell::HandleEvent(PresShell * const 0x02e04424, nsIView * 0x02e01640,
nsGUIEvent * 0x0012f91c, nsEventStatus * 0x0012f88c, int 1, int & 1) line 5909 +
25 bytes
nsView::HandleEvent(nsView * const 0x02e01640, nsGUIEvent * 0x0012f91c, unsigned
int 0, nsEventStatus * 0x0012f88c, int 1, int & 1) line 387
nsViewManager::DispatchEvent(nsViewManager * const 0x02e02320, nsGUIEvent *
0x0012f91c, nsEventStatus * 0x0012f88c) line 1909
HandleEvent(nsGUIEvent * 0x0012f91c) line 83
nsWindow::DispatchEvent(nsWindow * const 0x02e01514, nsGUIEvent * 0x0012f91c,
nsEventStatus & nsEventStatus_eIgnore) line 850 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f91c) line 871
nsWindow::DispatchKeyEvent(unsigned int 131, unsigned short 0, unsigned int 13)
line 2600 + 15 bytes
nsWindow::OnChar(unsigned int 13, unsigned int 13, unsigned char 1) line 2733
nsWindow::ProcessMessage(unsigned int 258, unsigned int 13, long 1835009, long *
0x0012fd20) line 3282 + 51 bytes
nsWindow::WindowProc(HWND__ * 0x001907c6, unsigned int 258, unsigned int 13,
long 1835009) line 1115 + 27 bytes
USER32! 77e12e98()
USER32! 77e130e0()
USER32! 77e15824()
nsAppShellService::Run(nsAppShellService * const 0x004b5fb0) line 308
main1(int 2, char * * 0x00444ae0, nsISupports * 0x00000000) line 1285 + 32 bytes
main(int 2, char * * 0x00444ae0) line 1625 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e97d08()
Priority: -- → P1
The processing instructions don't matter, in fact the document you have
currently open does not matter at all, it could even be HTML.
Target Milestone: mozilla1.0 → ---
Looks like we have a name mismatch here, we have the interface
nsIDOMSerializer, and the JS "class" DOMSerializer, but we register the
xmlextras XML serializer as the JS "class" XMLSerializer. So the testcase here
(i.e. the javascript: URL) does the wrong thing, it should do "s=new
XMLSerializer();", not "s=new DOMSerializer();". I'm not sure what we want to do
about that, but after Pike is done hacking on the bug about new Foo() where Foo
is not really a new:able class, the testcase will throw an exception saying you
can't call new on this class...
Comment on attachment 66574 [details] [diff] [review]
Fix the crash that happens when we do new Foo() where Foo is a class w/o a primary IID

r=heikki
Attachment #66574 - Flags: review+
This belongs to jst. Get an sr and check in... 
Assignee: heikki → jst
Summary: serializeToString crashes on processing instruction → Crash when no implementation for class created with new
Whiteboard: [HAVE FIX]
Target Milestone: --- → mozilla0.9.9
Comment on attachment 66574 [details] [diff] [review]
Fix the crash that happens when we do new Foo() where Foo is a class w/o a primary IID

sr=vidur
Attachment #66574 - Flags: superreview+
Fixed
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
QA Contact: lchiang → ian
Component: DOM: Mozilla Extensions → DOM
Component: DOM → DOM: Core & HTML