Closed Bug 123953 Opened 23 years ago Closed 23 years ago

crash when using XMLSerializer on "orphaned" node

Categories: Core :: XML, defect, P2
Status: VERIFIED FIXED
Target Milestone: mozilla1.0
People: Reporter: lp, Assigned: hjtoi-bugzilla
Keywords: crash
Attachments: 1 file, 1 obsolete file

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.8+) Gecko/20020206
BuildID:    Mozilla 0.9.8 20020205
(my own patched version)

The following simple JavaScript will crash the browser:

javascript:new XMLSerializer().serializeToString(document.createElement("p"))

Reproducible: Always
Steps to Reproduce:
1. Paste javascript:new XMLSerializer().serializeToString(document.createElement("p")) into the location field
Attached patch: Simple patch for SetUpEncoder (obsolete)
I am not sure if anything special must be done if the encoder cannot be created, so
the patch might not be correct.
Confirming issue. Tested under Mac OS X Feb 7th build (2002-02-07-10)

**********

Date/Time:  2002-02-07 14:26:17 -0800
OS Version: 10.1.2 (Build 5P48)

Command:    Mozilla
PID:        455

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x00000000

Thread 0:
 #0   0x035ea8bc in SerializeToString__15nsDOMSerializerFP10nsIDOMNodePPw
 #1   0x035ea8b0 in SerializeToString__15nsDOMSerializerFP10nsIDOMNodePPw
 #2   0x005b318c in XPTC_InvokeByIndex
 #3   0x005b3080 in XPTC_InvokeByIndex
 #4   0x0365258c in 0x365258c
 #5   0x0365898c in XPC_WN_CallMethod__FP9JSContextP8JSObjectUiPlPl
 #6   0x01b5e54c in js_Invoke
 #7   0x01b66610 in 0x1b66610
 #8   0x01b5ea40 in js_Execute
 #9   0x01b3f91c in JS_EvaluateUCScriptForPrincipals
 #10  0x022bff98 in EvaluateString__11nsJSContextFRC9nsAStringPvP12nsIPrincipalPCc
 #11  0x01d22500 in EvaluateScript__9nsJSThunkFv
 #12  0x01d247cc in AsyncOpen__11nsJSChannelFP17nsIStreamListenerP11nsISupports
 #13  0x03501a30 in Open__18nsDocumentOpenInfoFP10nsIChanneliP11nsISupports
 #14  0x03503de0 in OpenURIVia__11nsURILoaderFP10nsIChanneliP11nsISupportsUi
 #15  0x03503bcc in OpenURI__11nsURILoaderFP10nsIChanneliP11nsISupports
 #16  0x022820c8 in DoChannelLoad__10nsDocShellFP10nsIChannelP12nsIURILoader
 #17  0x02280970 in DoURILoad__10nsDocShellFP6nsIURIP6nsIURIP11nsISupportsP14nsIIn
 #18  0x0227e758 in InternalLoad__10nsDocShellFP6nsIURIP6nsIURIP11nsISupportsiPCwP
 #19  0x0226371c in LoadURI__10nsDocShellFP6nsIURIP19nsIDocShellLoadInfoUi
 #20  0x02273660 in LoadURI__10nsDocShellFPCwUiP6nsIURIP14nsIInputStreamP14nsIInpu
 #21  0x005b318c in XPTC_InvokeByIndex
 #22  0x005b3080 in XPTC_InvokeByIndex
 #23  0x0365258c in 0x365258c
 #24  0x0365898c in XPC_WN_CallMethod__FP9JSContextP8JSObjectUiPlPl
 #25  0x01b5e54c in js_Invoke
 #26  0x01b66610 in 0x1b66610
 #27  0x01b5e5a4 in js_Invoke
 #28  0x01b66610 in 0x1b66610
 #29  0x01b5e5a4 in js_Invoke
 #30  0x01b5aa84 in fun_apply
 #31  0x01b5e54c in js_Invoke
 #32  0x01b66610 in 0x1b66610
 #33  0x01b5e5a4 in js_Invoke
 #34  0x01b5e7f0 in js_InternalInvoke
 #35  0x01b3fb3c in JS_CallFunctionValue
 #36  0x022c10a0 in CallEventHandler__11nsJSContextFPvPvUiPvPii
 #37  0x022ddd14 in HandleEvent__17nsJSEventListenerFP11nsIDOMEvent
 #38  0x0201b248 in ExecuteHandler__21nsXBLPrototypeHandlerFP19nsIDOMEventReceiver
 #39  0x0201f7c4 in KeyPress__15nsXBLKeyHandlerFP11nsIDOMEvent
 #40  0x01e7d058 in 0x1e7d058
 #41  0x0209bcf4 in HandleDOMEvent__12nsXULElementFP14nsIPresContextP7nsEventPP11n
 #42  0x0209bbec in HandleDOMEvent__12nsXULElementFP14nsIPresContextP7nsEventPP11
 #43  0x0209bbec in HandleDOMEvent__12nsXULElementFP14nsIPresContextP7nsEventPP11
 #44  0x01f70664 in 0x1f70664
 #45  0x01ef27c4 in 0x1ef27c4
 #46  0x025f52c4 in HandleEventInternal__9PresShellFP7nsEventP7nsIViewUiP13nsEvent
 #47  0x025f5024 in HandleEvent__9PresShellFP7nsIViewP10nsGUIEventP13nsEventStatus
 #48  0x03537720 in HandleEvent__6nsViewFP10nsGUIEventUiP13nsEventStatusiRi
 #49  0x03540ff8 in 0x3540ff8
 #50  0x03536bb8 in HandleEvent__FP10nsGUIEvent
 #51  0x0358ba94 in DispatchEvent__8nsWindowFP10nsGUIEventR13nsEventStatus
 #52  0x0358bb6c in DispatchWindowEvent__8nsWindowFR10nsGUIEvent
 #53  0x0359cd10 in HandleUKeyEvent__17nsMacEventHandlerFPwlR11EventRecord
 #54  0x035ae178 in UnicodeNotFromInputMethodHandler__19nsMacTSMMessagePumpFPC6AED
 #55  0x735fce08 in TryEventTable
 #56  0x735f2d8c in AEMDispatcher
 #57  0x735f3f4c in aeResumeTheCurrentEvent
 #58  0x735f79d8 in aeSend
 #59  0x7315b834 in HandleTextInputEvent
 #60  0x731ab554 in ToolboxEventDispatcherHandler
 #61  0x731185b0 in DispatchEventToHandlers
 #62  0x731017b4 in SendEventToEventTargetInternal
 #63  0x731b59e0 in SendEventToEventTarget
 #64  0x73156b50 in SendTSMEvent
 #65  0x7312563c in SendUnicodeTextAEToUnicodeDoc
 #66  0x7330d630 in utDeliverTSMEvent
 #67  0x73161b60 in TSMKeyEvent
 #68  0x73125334 in TSMProcessRawKeyEvent
 #69  0x7312a1d0 in HandleCompatibilityKeyEvent
 #70  0x731b1e30 in CompatibilityEventHandler
 #71  0x73118504 in DispatchEventToHandlers
 #72  0x731017b4 in SendEventToEventTargetInternal
 #73  0x7314f9e0 in SendEventToEventTargetWithOptions
 #74  0x7326d91c in HandleKeyboardEvent
 #75  0x731ab548 in ToolboxEventDispatcherHandler
 #76  0x731185b0 in DispatchEventToHandlers
 #77  0x731017b4 in SendEventToEventTargetInternal
 #78  0x731b59e0 in SendEventToEventTarget
 #79  0x731d27f4 in ToolboxEventDispatcher
 #80  0x731cfb94 in CallEventDispatchHook
 #81  0x731790ac in GetOrPeekEvent
 #82  0x731a086c in GetNextEventMatchingMask
 #83  0x731ad904 in WNEInternal
 #84  0x731c5474 in WaitNextEvent
 #85  0x035a1524 in GetEvent__16nsMacMessagePumpFR11EventRecord
 #86  0x035a12dc in DoMessagePump__16nsMacMessagePumpFv
 #87  0x035a0c2c in Run__10nsAppShellFv
 #88  0x01bc9d3c in Run__17nsAppShellServiceFv
 #89  0x004baba4 in main1__FiPPcP11nsISupports
 #90  0x004bb67c in main

Thread 1:
 #0   0x7000497c in syscall
 #1   0x70557600 in BSD_waitevent
 #2   0x70554b80 in CarbonSelectThreadFunc
 #3   0x7002054c in _pthread_body

Thread 2:
 #0   0x7003f4c8 in semaphore_wait_signal_trap
 #1   0x7003f2c8 in _pthread_cond_wait
 #2   0x705593ec in CarbonOperationThreadFunc
 #3   0x7002054c in _pthread_body

Thread 3:
 #0   0x70044cf8 in semaphore_timedwait_signal_trap
 #1   0x70044cd8 in semaphore_timedwait_signal
 #2   0x7003f2b8 in _pthread_cond_wait
 #3   0x70283ea4 in TSWaitOnConditionTimedRelative
 #4   0x7027d748 in TSWaitOnSemaphoreCommon
 #5   0x702c2078 in TimerThread
 #6   0x7002054c in _pthread_body

Thread 4:
 #0   0x7003f4c8 in semaphore_wait_signal_trap
 #1   0x7003f2c8 in _pthread_cond_wait
 #2   0x70250ab0 in TSWaitOnCondition
 #3   0x7027d730 in TSWaitOnSemaphoreCommon
 #4   0x70243d14 in AsyncFileThread
 #5   0x7002054c in _pthread_body

Thread 5:
 #0   0x7003f4c8 in semaphore_wait_signal_trap
 #1   0x7003f2c8 in _pthread_cond_wait
 #2   0x7055b884 in CarbonInetOperThreadFunc
 #3   0x7002054c in _pthread_body

Thread 6:
 #0   0x70000978 in mach_msg_overwrite_trap
 #1   0x70005a04 in mach_msg
 #2   0x70026a2c in _pthread_become_available
 #3   0x70026724 in pthread_exit
 #4   0x70020550 in _pthread_body


PPC Thread State:
  srr0: 0x035ea8bc srr1: 0x0000f030                vrsave: 0x00000000
   xer: 0x0000000c   lr: 0x035ea8b0  ctr: 0x00629030   mq: 0x00000000
    r0: 0x035ea8b0   r1: 0xbfffa6a0   r2: 0x035d5000   r3: 0x00000000
    r4: 0xbfffa6dc   r5: 0xbfffa6dc   r6: 0x80000000   r7: 0x00000001
    r8: 0x00000000   r9: 0x00000001  r10: 0x021094d8  r11: 0x021094e8
   r12: 0x000f24ec  r13: 0x00000000  r14: 0x00000036  r15: 0x000628a0
   r16: 0x000628d0  r17: 0xbfffee90  r18: 0x0063edc8  r19: 0x00000c0b
   r20: 0x00000000  r21: 0x0000001c  r22: 0x70004234  r23: 0x700042c8
   r24: 0x00000004  r25: 0x000006eb  r26: 0x8081ab5c  r27: 0x00059d50
   r28: 0x00000000  r29: 0xbfffef00  r30: 0x00000000  r31: 0x00000001

**********
Status: UNCONFIRMED → NEW
Ever confirmed: true
Severity: normal → critical
Keywords: crash
Priority: -- → P2
Whiteboard: [fixinhand?]
Target Milestone: --- → mozilla1.0
This patch fixes the crash by making sure we propagate the error from range
implementation if it cannot serialize the node. We currently do not support
serializing free standing subtrees (i.e. nodes that are not attached to a
document, like in here). That is bug 63568.
Attachment #68189 - Attachment is obsolete: true
Status: NEW → ASSIGNED
OS: Linux → All
Hardware: PC → All
Whiteboard: [fixinhand?] → [fixinhand]
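The crash log above shows the failure shape behind this bug: the access is at 0x00000000 with r3 = 0, i.e. a null pointer produced by a setup step whose failure was never checked. The following is an added example, not Gecko code and not the attached patch: a small C++ model of a range-based serializer in which encoder setup fails for a node that is not attached to a document. The Node/Document/Encoder types, CreateEncoderForRange and the two SerializeToString_* functions are hypothetical stand-ins; the NS_OK / NS_ERROR_FAILURE / NS_FAILED names are defined locally here and only imitate Gecko's nsresult conventions. It puts the unchecked (crashing) shape beside the checked shape that propagates the error, which is what the fix comment describes.

```cpp
#include <cstdint>
#include <cstdio>
#include <memory>
#include <string>

// Local imitation of Gecko-style result codes (defined here, not Gecko's headers).
using nsresult = uint32_t;
constexpr nsresult NS_OK = 0;
constexpr nsresult NS_ERROR_FAILURE = 0x80004005u;
inline bool NS_FAILED(nsresult rv) { return (rv & 0x80000000u) != 0; }

// Hypothetical minimal DOM stand-ins (not Gecko's nsIDOMNode/nsIDOMDocument).
struct Document;
struct Node {
  std::string name;
  Document* ownerDocument;  // every node has an owner document
  Node* parent;             // null for the document element and for orphans
};
struct Document {
  Node* documentElement;    // root of the attached tree
};

// Hypothetical encoder: only valid for nodes that are part of a document tree.
struct Encoder {
  std::string Serialize(const Node& n) const { return "<" + n.name + "/>"; }
};

// Model of the range-setup step: the range implementation in this model cannot
// cover a free-standing subtree, so setup fails (returns null) for such nodes.
static std::unique_ptr<Encoder> CreateEncoderForRange(const Node& node) {
  bool attached = false;
  for (const Node* n = &node; n != nullptr; n = n->parent) {
    if (n->ownerDocument->documentElement == n) { attached = true; break; }
  }
  if (!attached) return nullptr;
  return std::make_unique<Encoder>();
}

// Unchecked shape (for comparison only; never called below): the failure from
// CreateEncoderForRange is ignored and a null encoder is dereferenced, which is
// exactly a read at address 0, as in the EXC_BAD_ACCESS above.
std::string SerializeToString_Unchecked(const Node& node) {
  std::unique_ptr<Encoder> enc = CreateEncoderForRange(node);
  return enc->Serialize(node);  // null dereference for an orphaned node
}

// Checked shape: propagate the setup failure to the caller instead of
// continuing with a null encoder.
nsresult SerializeToString_Checked(const Node& node, std::string& out) {
  std::unique_ptr<Encoder> enc = CreateEncoderForRange(node);
  if (!enc) return NS_ERROR_FAILURE;
  out = enc->Serialize(node);
  return NS_OK;
}

// Convenience wrapper: true on success, false when the node could not be
// serialized (the caller decides how to report that, e.g. as a DOM exception).
bool TrySerialize(const Node& node, std::string& out) {
  return !NS_FAILED(SerializeToString_Checked(node, out));
}

// Stand-alone driver building the two cases from the bug report:
// an attached root element and an orphaned, freshly created <p>.
int main() {
  Document doc{nullptr};
  Node root{"html", &doc, nullptr};
  doc.documentElement = &root;
  Node orphan{"p", &doc, nullptr};   // like document.createElement("p")

  std::string out;
  std::printf("root:   %s\n", TrySerialize(root, out) ? out.c_str() : "error");
  std::printf("orphan: %s\n", TrySerialize(orphan, out) ? out.c_str() : "error");
  return 0;
}
```

The point a reviewer should take from the comparison is that the null check alone is not the fix; the fix is that the error reaches the caller as a result code so that script sees an exception rather than the process taking a protection fault.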
Comment on attachment 71293 [details] [diff] [review]
Fix: Need to return an error

r=harishd
Attachment #71293 - Flags: review+
Comment on attachment 71293 [details] [diff] [review]
Fix: Need to return an error

sr=vidur
Attachment #71293 - Flags: superreview+
Moving Netscape owned 0.9.9 and 1.0 bugs that don't have an nsbeta1, nsbeta1+,
topembed, topembed+, Mozilla0.9.9+ or Mozilla1.0+ keyword.  Please send any
questions or feedback about this to adt@netscape.com.  You can search for
"Moving bugs not scheduled for a project" to quickly delete this bugmail.
Target Milestone: mozilla1.0 → mozilla1.2
Comment on attachment 71293 [details] [diff] [review]
Fix: Need to return an error

a=asa (on behalf of drivers) for checkin to the 1.0 trunk
Attachment #71293 - Flags: approval+
Checked in.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Whiteboard: [fixinhand]
Target Milestone: mozilla1.2 → mozilla1.0
QA Contact: petersen → rakeshmishra
Verified fixed on the trunk build 2002-12-10-08-trunk on win2k 
There is no more crash with the URL:
javascript:new XMLSerializer().serializeToString(document.createElement("p"))

marking verified
Status: RESOLVED → VERIFIED