Closed Bug 184697 Opened 22 years ago Closed 22 years ago

Crash on XML that uses a namespace that's not declared

Categories

(Core :: DOM: HTML Parser, defect)

Product:
Core
Component:
DOM: HTML Parser
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.3beta

People

(Reporter: bzbarsky, Assigned: sicking)

References

(
URL
)

Details

(Keywords: crash)

Attachments

(2 files, 2 obsolete files)

testcase
7 bytes, text/xml
Details
...with an addref
898 bytes, patch
harishd
: review+
hjtoi-bugzilla
: superreview+
Details | Diff | Splinter Review 
The basic problem is that if I use an element like

<foo:bar>

in XML and do not have an xmlns:foo="something", we will crash because the
PR_ASSERT in nsXMLContentSink::HandleEndElement triggers (the one that asserts
eXMLContentSinkState_InDocumentElement == mState).

It does not seem to matter what else is in the document....  Minimal testcase is
an XML document containing the 6 chars:

<a:b/>
Severity: normal → critical
Keywords: crash, mozilla1.3
Attached file testcase 

    
    

    
  
Oh, if I uncomment the PR_ASSERT then PopContent() returns null (asserting as it
does so) and we crash in nsXMLContentSink::CloseElement after asserting that
we've got nothing to close.....  

    
    

    
  
*** Bug 188026 has been marked as a duplicate of this bug. ***

    
  
Flags: blocking1.3b?

    
    

    
  
Sounds like this has the potential to become a topcrash. Harish, can you take a
look at this for fixing in 1.3beta (about 2 weeks away).
Flags: blocking1.3b? → blocking1.3b+

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch v1.0 (obsolete)
        — Splinter Review
      

    


  
Added a couple of lines that got yanked when sicking landed the pretty printing
changes.
Target Milestone: --- → mozilla1.3beta

    
    

    
  
Comment on attachment 111450 [details] [diff] [review]
Patch v1.0

this shouldn't be needed. If no factory is registered we set up a default
factory that always calls NS_NewXMLElement(aResult, aNodeInfo);

    
    

    
  
ooh, i understand what's happening. When the prefix is undeclared nameSpaceID
will be -1 (kNameSpaceID_Unknown) and GetElementFactory will return null.

IMHO a better fix would be to let GetElementFactory return the default factory
for that namespace.
URL: da

    
    

    
  
actually we should abort the parsing if this occurs (I have that filed as a bug
somewhere), but for now we will have to work around it.

    
    

    
  
harish: which approach do you think we should go with?

    
    

    
  
Jonas: I like your patch, however, you should addref aElementFactory before
returning. no?

    
    

    
  


  
thanks! of course i thould addref

        Attachment #111450 -
        Attachment is obsolete: true

        Attachment #111472 -
        Attachment is obsolete: true

    
    

    
  
Comment on attachment 111589 [details] [diff] [review]
...with an addref

r=harishd

        Attachment #111589 -
        Flags: superreview?(heikki)

        Attachment #111589 -
        Flags: review+

    
    

    
  
--> sicking 
Assignee: harishd → bugmail

        Attachment #111589 -
        Flags: superreview?(heikki) → superreview+

    
    

    
  
checked in. Thanks for catching this and for the reviews
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: