Closed
Bug 324746
Opened 19 years ago
Closed 19 years ago
XPathResult object can crash browser when calling iterateNext() or snapshotItem()
Categories
(Core :: XSLT, defect)
Tracking
()
RESOLVED
FIXED
mozilla1.9alpha1
People
(Reporter: warp56, Assigned: peterv)
Details
(4 keywords, Whiteboard: [rft-dl])
Attachments
(3 files)
171 bytes, text/html
4.88 KB, text/plain
950 bytes, patch (sicking: review+, jst: superreview+, peterv: approval-branch-1.8.1+, dveditz: approval1.8.0.2+)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5

The XPathResult object returned from a document.evaluate() query can cause the browser to crash when trying to call the XPathResult's iterateNext() or snapshotItem() methods. This happens when a query that should return a number value (such as "count(//*)") is evaluated and the XPathResult type argument is specifically set to one of the ITERATOR or SNAPSHOT types.

Clearly it is an error of the script writer who set the incorrect XPath query or incorrect XPathResult type, but the application should just throw an exception rather than crashing.

Crashes on both Firefox 1.5 and Firefox 1.6a1 on Windows XP.

Reproducible: Always

Steps to Reproduce:
1. Run any of the following JavaScript lines in a webpage:
document.evaluate("count(/*)",document,null,XPathResult.UNORDERED_NODE_SNAPSHOT_TYPE,null).snapshotItem(0);
document.evaluate("count(/*)",document,null,XPathResult.UNORDERED_NODE_ITERATOR_TYPE,null).iterateNext();
document.evaluate("count(/*)",document,null,XPathResult.ORDERED_NODE_SNAPSHOT_TYPE,null).snapshotItem(0);
document.evaluate("count(/*)",document,null,XPathResult.ORDERED_NODE_ITERATOR_TYPE,null).iterateNext();

Actual Results:
Browser crashed.

Expected Results:
An exception is thrown which can either be caught, or gets logged to the console.

Module crash in firefox.exe.
This is a simple testcase that should show the results of this bug.
Updated•19 years ago
Updated•19 years ago
Assignee: nobody → xslt
Component: General → XSLT
Product: Firefox → Core
QA Contact: general → keith
Version: unspecified → Trunk
Comment 2•19 years ago
Comment 3•19 years ago
The stack above was obtained from a Firefox trunk build from earlier today, on Windows.
Comment 4•19 years ago (Assignee)
We need to throw on impossible conversions (which I think is limited to "not a nodeset to an iterator, snapshot or node").
Attachment #209710 -
Flags: review?(bugmail)
Attachment #209710 -
Flags: review?(bugmail) → review+
Updated•19 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•19 years ago (Assignee)
Attachment #209710 -
Flags: superreview?(jst)
Comment 5•19 years ago
Comment on attachment 209710 (v1)
sr=jst
Attachment #209710 -
Flags: superreview?(jst) → superreview+
Updated•19 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Updated•19 years ago (Assignee)
Target Milestone: --- → mozilla1.9alpha
Comment 6•19 years ago (Assignee)
Comment on attachment 209710 (v1)
Simple crash fix, low risk: just throw on certain conditions instead of crashing later on.
Attachment #209710 -
Flags: approval1.8.1?
Attachment #209710 -
Flags: approval1.8.0.2?
Updated•19 years ago
Attachment #209710 -
Flags: approval1.8.1? → branch-1.8.1?(bugmail)
Comment on attachment 209710 (v1)
Peterv is module owner so landing request over to him
Attachment #209710 -
Flags: branch-1.8.1?(bugmail) → branch-1.8.1?(peterv)
Comment 8•18 years ago (Assignee)
Comment on attachment 209710 (v1)
Crash fix.
Attachment #209710 -
Flags: branch-1.8.1?(peterv) → branch-1.8.1+
Updated•18 years ago (Assignee)
Keywords: fixed1.8.1
Updated•18 years ago
Flags: blocking1.8.0.2+
Comment 9•18 years ago
Comment on attachment 209710 (v1)
approved for 1.8.0 branch, a=dveditz
Attachment #209710 -
Flags: approval1.8.0.2? → approval1.8.0.2+
Updated•18 years ago (Assignee)
Keywords: fixed1.8.0.2
Comment 10•18 years ago
Marking [rft-dl] (ready for testing in Firefox 1.5.0.2 release candidates)
Whiteboard: [rft-dl]
Comment 11•18 years ago
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060302 Firefox/1.5.0.1, no crash with testcase.
Keywords: fixed1.8.0.2 → verified1.8.0.2
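
Added example (not part of the bug report or of the Mozilla patch): a JavaScript regression check for the behaviour comment 4 asks for, where requesting an iterator or snapshot for a non-node-set result must raise a catchable exception, together with a caller-side guard that requests ANY_TYPE and branches on resultType. The helper names mismatchThrows and evaluateAny are assumptions made for this example; the numeric constants are the XPathResult values from the DOM Level 3 XPath specification.

```javascript
// Added example, not code from the bug report or the Mozilla patch.
// XPathResult type constants, values as defined in DOM Level 3 XPath.
const T = { ANY_TYPE: 0, NUMBER_TYPE: 1, STRING_TYPE: 2, BOOLEAN_TYPE: 3,
  UNORDERED_NODE_ITERATOR_TYPE: 4, ORDERED_NODE_ITERATOR_TYPE: 5,
  UNORDERED_NODE_SNAPSHOT_TYPE: 6, ORDERED_NODE_SNAPSHOT_TYPE: 7 };

// The four requested types from the report, with the accessor each call used.
const NODESET_ACCESSORS = {
  UNORDERED_NODE_SNAPSHOT_TYPE: (r) => r.snapshotItem(0),
  UNORDERED_NODE_ITERATOR_TYPE: (r) => r.iterateNext(),
  ORDERED_NODE_SNAPSHOT_TYPE: (r) => r.snapshotItem(0),
  ORDERED_NODE_ITERATOR_TYPE: (r) => r.iterateNext(),
};

// Regression check (hypothetical helper): for an expression that does not
// yield a node-set, each requested node-set type must end in a catchable
// exception. Returns { typeName: true if it threw, false otherwise }.
function mismatchThrows(doc, expr) {
  const outcome = {};
  for (const [name, access] of Object.entries(NODESET_ACCESSORS)) {
    try {
      access(doc.evaluate(expr, doc, null, T[name], null));
      outcome[name] = false; // no exception: the conversion was not rejected
    } catch (e) {
      outcome[name] = true;  // the behaviour the report expects
    }
  }
  return outcome;
}

// Caller-side guard (hypothetical helper): request ANY_TYPE and branch on the
// type the engine actually produced instead of assuming a node-set.
function evaluateAny(doc, expr) {
  const r = doc.evaluate(expr, doc, null, T.ANY_TYPE, null);
  switch (r.resultType) {
    case T.NUMBER_TYPE: return r.numberValue;
    case T.STRING_TYPE: return r.stringValue;
    case T.BOOLEAN_TYPE: return r.booleanValue;
    case T.UNORDERED_NODE_ITERATOR_TYPE: {
      const nodes = [];
      for (let n = r.iterateNext(); n; n = r.iterateNext()) nodes.push(n);
      return nodes;
    }
    default: throw new TypeError("unexpected XPathResult type " + r.resultType);
  }
}

// Only runs where a DOM is present (a page or the browser console).
if (typeof document !== "undefined") console.log(mismatchThrows(document, "count(/*)"));
```

Run the check only in a build that contains the fix: on the affected builds named in the report, the same four calls crash the browser instead of returning.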