Closed Bug 267050 Opened 20 years ago Closed 20 years ago

Crash in rdf_BlockingWrite() with a simple javascript: URI

Categories

(Core Graveyard :: RDF, defect)

Product:
Core Graveyard
Component:
RDF
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: WeirdAl, Assigned: axel)

References

(
URL
)

Details

(Keywords: crash, regression, testcase)

Attachments

(1 file)

add missing break;
581 bytes, patch
benjamin
: review+
darin.moz
: superreview+
Details | Diff | Splinter Review 
Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.8a5) Gecko/20041031

I ran a very simple JavaScript URI, and unfortunately crashed very quickly.

Steps to reproduce:
(1) Click on URL field in this bug.
(2) An alert dialog pops up with a text of "0".  Click the OK button.

Expected results: A new dialog appears with a text of "1".
Actual results: Crash.

#0  0x407076f6 in nanosleep () from /lib/libc.so.6
#1  0x0000001c in ?? ()
#2  0x08060575 in ah_crap_handler(int) (signum=11) at nsSigHandlers.cpp:132
#3  0x41a7e939 in nsProfileLock::FatalSignalHandler(int) (signo=11) at
nsProfileLock.cpp:208
#4  0x4028ec2d in __pthread_sighandler () from /lib/libpthread.so.0
#5  0x40682d58 in __libc_sigaction () from /lib/libc.so.6
#6  0x4187ddec in rdf_BlockingWrite (stream=0x88e9550,
    buf=0xbfff8540 "p;amp;gt&gt&gt>lt; 2; j++) {alert(j)}",
size=1631256628) at nsRDFXMLSerializer.cpp:189
#7  0x4187de60 in rdf_BlockingWrite (stream=0x88e9550, s=@0xbfff8528) at
nsRDFXMLSerializer.cpp:201
#8  0x4188150f in nsRDFXMLSerializer::SerializeMember(nsIOutputStream*,
nsIRDFResource*, nsIRDFNode*) (this=0x8413c60,
    aStream=0x88e9550, aContainer=0x82ba0f8, aMember=0x8880eb8) at
nsRDFXMLSerializer.cpp:830
#9  0x41882072 in nsRDFXMLSerializer::SerializeContainer(nsIOutputStream*,
nsIRDFResource*) (this=0x8413c60,
    aStream=0x88e9550, aContainer=0x82ba0f8) at nsRDFXMLSerializer.cpp:969
#10 0x4188302a in nsRDFXMLSerializer::Serialize(nsIOutputStream*)
(this=0x8413c60, aStream=0x88e9550)
    at nsRDFXMLSerializer.cpp:1171
#11 0x41877797 in RDFXMLDataSourceImpl::Serialize(nsIOutputStream*)
(this=0x81f8728, aStream=0x88e9550)
    at nsRDFXMLDataSource.cpp:1201
#12 0x41876603 in RDFXMLDataSourceImpl::rdfXMLFlush(nsIURI*) (this=0x81f8728,
aURI=0x8246df8) at nsRDFXMLDataSource.cpp:832
#13 0x418768da in RDFXMLDataSourceImpl::Flush() (this=0x81f8728) at
nsRDFXMLDataSource.cpp:885
#14 0x41885386 in LocalStoreImpl::Flush() (this=0x8241ef0) at nsLocalStore.cpp:354
#15 0x4142af17 in ~nsXULDocument (this=0x888a178) at nsXULDocument.cpp:404
#16 0x411cf1bb in nsDocument::Release() (this=0x888a178) at nsDocument.cpp:674
#17 0x413ef8d7 in nsXMLDocument::Release() (this=0x888a178) at nsXMLDocument.cpp:210
#18 0x4142b383 in nsXULDocument::Release() (this=0x888a178) at nsXULDocument.cpp:477
#19 0x4090ed83 in XPCJSRuntime::GCCallback(JSContext*, JSGCStatus)
(cx=0x878fa80, status=JSGC_END) at xpcjsruntime.cpp:556
#20 0x4146d725 in DOMGCCallback (cx=0x878fa80, status=JSGC_END) at
nsJSEnvironment.cpp:1994
#21 0x401b7126 in js_GC (cx=0x878fa80, gcflags=0) at jsgc.c:1440
#22 0x401b6396 in js_ForceGC (cx=0x878fa80, gcflags=0) at jsgc.c:1024
#23 0x40182f8a in JS_GC (cx=0x878fa80) at jsapi.c:1744
#24 0x4146d5be in nsJSContext::Notify(nsITimer*) (this=0x88847d8,
timer=0x888d768) at nsJSEnvironment.cpp:1947
#25 0x4010e4ea in nsTimerImpl::Fire() (this=0x888d768) at nsTimerImpl.cpp:386
#26 0x4010e6b0 in handleTimerEvent(TimerEventType*) (event=0x42300570) at
nsTimerImpl.cpp:448
#27 0x4010612c in PL_HandleEvent (self=0x42300570) at plevent.c:692
#28 0x4010687a in PL_ProcessEventsBeforeID (aSelf=0x8881ab0, aID=17344) at
plevent.c:1697
#29 0x419dd93d in processQueue(void*, void*) (aElement=0x8881ab0, aData=0x43c0)
at nsAppShell.cpp:417
#30 0x400ba4d0 in nsVoidArray::EnumerateForwards(int (*)(void*, void*), void*)
(this=0x81430d0,
    aFunc=0x419dd910 <processQueue(void*, void*)>, aData=0x43c0) at
nsVoidArray.cpp:648
#31 0x419dd97e in nsAppShell::ProcessBeforeID(unsigned long) (aID=17344) at
nsAppShell.cpp:425
#32 0x419ebf32 in handle_gdk_event(_GdkEvent*, void*) (event=0x820cad4,
data=0x0) at nsGtkEventHandler.cpp:871

This may be a smoketest blocker.
I did not crash with
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8a5) Gecko/20041027

CTho did crash with:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041028

OS -> All
OS: Linux → All
Using a CVS trunk debug build of firefox on Linux, I cannot reproduce this crash.
Correction to steps to reproduce:  Clicking the URL link here apparently doesn't
produce a crash.  But entering the URL manually into the location bar does, and
it does crash my 10/27 build.
I cannot recreate this with a 20041022 cvs build. Neither does it happen with an
optimized 20041031 cvs build.

Even when entering the javascript into the location bar.
I tried clicking the link and I also tried entering the URL manually into the
URL bar.  In both cases I did not experience a crash.

    
  
Assignee: nobody → axel
Status: NEW → ASSIGNED

    
  

        Attachment #164286 -
        Flags: superreview?(darin)

        Attachment #164286 -
        Flags: review?(bsmedberg)

    
  

        Attachment #164286 -
        Flags: review?(bsmedberg) → review+

    
  

        Attachment #164286 -
        Flags: superreview?(darin) → superreview+

    
    

    
  
Fix landed on the trunk. The offending code isn't on the branch, so no problem 
on that front.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED

    
    

    
  
Verified FIXED with build 2004-11-12-04 on Windows XP, even with the ammended
steps in comment 3.
Status: RESOLVED → VERIFIED

    
  
Product: Core → Core Graveyard

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: