Bug 123953: crash when using XMLSerializer on "orphaned" node
Opened 23 years ago, closed 23 years ago
Status: VERIFIED FIXED
Categories: Core :: XML, defect, P2
Target Milestone: mozilla1.0
People: Reporter: lp, Assigned: hjtoi-bugzilla
Keywords: crash
Attachments: 1 file, 1 obsolete file
471 bytes, patch (harishd: review+, vidur: superreview+, asa: approval+)
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.8+) Gecko/20020206
BuildID: Mozilla 0.9.8 20020205 (my own patched version)

The following simple JavaScript will crash the browser:

javascript:new XMLSerializer().serializeToString(document.createElement("p"))

Reproducible: Always

Steps to Reproduce:
1. Paste javascript:new XMLSerializer().serializeToString(document.createElement("p")) into location field
Comment 1 • 23 years ago (Reporter)
I am not sure if anything special must be done if encoder cannot be created, so patch might not be correct.
Updated • 23 years ago (Reporter)
Comment 2 • 23 years ago
Confirming issue. Tested under Mac OS X Feb 7th build (2002-02-07-10)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated • 23 years ago (Assignee)
Severity: normal → critical
Keywords: crash
Priority: -- → P2
Whiteboard: [fixinhand?]
Target Milestone: --- → mozilla1.0
Comment 3 • 23 years ago (Assignee)
This patch fixes the crash by making sure we propagate the error from range implementation if it cannot serialize the node. We currently do not support serializing free standing subtrees (i.e. nodes that are not attached to a document, like in here). That is bug 63568.
Attachment #68189 - Attachment is obsolete: true
Updated • 23 years ago (Assignee)
Status: NEW → ASSIGNED
OS: Linux → All
Hardware: PC → All
Whiteboard: [fixinhand?] → [fixinhand]
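The pattern comment 3 describes, checking the result of a fallible step and returning the error rather than continuing, shown as an added C++ sketch. It is not the patch from this bug or any Mozilla source; `Status`, `Node`, `Encoder`, `SetUpEncoder` and both `Serialize*` functions are hypothetical names, and the failure value is constructed.

```cpp
// Simplified model of the fix pattern; not Mozilla source. All names are hypothetical.
#include <cstdint>
#include <memory>
#include <string>

using Status = std::uint32_t;             // stand-in for an XPCOM-style result code
constexpr Status kOk = 0;
constexpr Status kFailure = 0x80004005u;  // constructed generic failure value

struct Node {
    std::string tag;
    bool attached;  // false models an "orphaned" node that is in no document
};

struct Encoder {
    std::string Encode(const Node& n) const { return "<" + n.tag + "/>"; }
};

// Fallible setup step: produces no encoder for a node outside a document.
Status SetUpEncoder(const Node& node, std::unique_ptr<Encoder>& out) {
    out.reset();
    if (!node.attached) return kFailure;
    out.reset(new Encoder());
    return kOk;
}

// Before: the setup status is dropped, so an orphaned node reaches a null dereference.
Status SerializeUnchecked(const Node& node, std::string& result) {
    std::unique_ptr<Encoder> enc;
    SetUpEncoder(node, enc);     // status ignored
    result = enc->Encode(node);  // enc is null when setup failed: crash
    return kOk;
}

// After: the failure is returned to the caller and nothing is dereferenced.
Status SerializeChecked(const Node& node, std::string& result) {
    result.clear();
    std::unique_ptr<Encoder> enc;
    Status rv = SetUpEncoder(node, enc);
    if (rv != kOk || !enc) return rv != kOk ? rv : kFailure;
    result = enc->Encode(node);
    return kOk;
}

int main() {
    std::string out;
    Node orphan{"p", false};  // constructed input, like document.createElement("p")
    return SerializeChecked(orphan, out) == kFailure ? 0 : 1;
}
```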
Comment on attachment 71293: Fix: Need to return an error
r=harishd
Attachment #71293 - Flags: review+
Comment 5 • 23 years ago
Comment on attachment 71293: Fix: Need to return an error
sr=vidur
Attachment #71293 - Flags: superreview+
Comment 6 • 23 years ago
Moving Netscape owned 0.9.9 and 1.0 bugs that don't have an nsbeta1, nsbeta1+, topembed, topembed+, Mozilla0.9.9+ or Mozilla1.0+ keyword. Please send any questions or feedback about this to adt@netscape.com. You can search for "Moving bugs not scheduled for a project" to quickly delete this bugmail.
Target Milestone: mozilla1.0 → mozilla1.2
Comment 7 • 23 years ago
Comment on attachment 71293: Fix: Need to return an error
a=asa (on behalf of drivers) for checkin to the 1.0 trunk
Attachment #71293 - Flags: approval+
Comment 8 • 23 years ago (Assignee)
Checked in.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Whiteboard: [fixinhand]
Target Milestone: mozilla1.2 → mozilla1.0
Updated • 22 years ago
QA Contact: petersen → rakeshmishra
Comment 9 • 22 years ago
Verified fixed on the trunk build 2002-12-10-08-trunk on win2k.
There is no more crash with the URL: javascript:new XMLSerializer().serializeToString(document.createElement("p"))
Marking verified.
Status: RESOLVED → VERIFIED