Crash in rdf_BlockingWrite() with a simple javascript: URI

VERIFIED FIXED

Product: Core
Component: RDF
Priority: --
Severity: critical
Status: VERIFIED FIXED
Reported: 14 years ago
Modified: 14 years ago

People: Reporter: WeirdAl, Assigned: Axel Hecht

Keywords: crash, regression, testcase
Version: Trunk
Hardware: x86
OS: All
Points: ---

Firefox Tracking Flags: Not tracked

Attachments (1): 581 bytes, patch. Benjamin Smedberg: review+; Darin Fisher: superreview+
(Reporter)

Description

14 years ago
Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.8a5) Gecko/20041031

I ran a very simple JavaScript URI, and unfortunately crashed very quickly.

Steps to reproduce:
(1) Click on URL field in this bug.
(2) An alert dialog pops up with a text of "0".  Click the OK button.

Expected results: A new dialog appears with a text of "1".
Actual results: Crash.

#0  0x407076f6 in nanosleep () from /lib/libc.so.6
#1  0x0000001c in ?? ()
#2  0x08060575 in ah_crap_handler(int) (signum=11) at nsSigHandlers.cpp:132
#3  0x41a7e939 in nsProfileLock::FatalSignalHandler(int) (signo=11) at
nsProfileLock.cpp:208
#4  0x4028ec2d in __pthread_sighandler () from /lib/libpthread.so.0
#5  0x40682d58 in __libc_sigaction () from /lib/libc.so.6
#6  0x4187ddec in rdf_BlockingWrite (stream=0x88e9550,
    buf=0xbfff8540 "p;amp;gt&gt&gt>lt; 2; j++) {alert(j)}",
size=1631256628) at nsRDFXMLSerializer.cpp:189
#7  0x4187de60 in rdf_BlockingWrite (stream=0x88e9550, s=@0xbfff8528) at
nsRDFXMLSerializer.cpp:201
#8  0x4188150f in nsRDFXMLSerializer::SerializeMember(nsIOutputStream*,
nsIRDFResource*, nsIRDFNode*) (this=0x8413c60,
    aStream=0x88e9550, aContainer=0x82ba0f8, aMember=0x8880eb8) at
nsRDFXMLSerializer.cpp:830
#9  0x41882072 in nsRDFXMLSerializer::SerializeContainer(nsIOutputStream*,
nsIRDFResource*) (this=0x8413c60,
    aStream=0x88e9550, aContainer=0x82ba0f8) at nsRDFXMLSerializer.cpp:969
#10 0x4188302a in nsRDFXMLSerializer::Serialize(nsIOutputStream*)
(this=0x8413c60, aStream=0x88e9550)
    at nsRDFXMLSerializer.cpp:1171
#11 0x41877797 in RDFXMLDataSourceImpl::Serialize(nsIOutputStream*)
(this=0x81f8728, aStream=0x88e9550)
    at nsRDFXMLDataSource.cpp:1201
#12 0x41876603 in RDFXMLDataSourceImpl::rdfXMLFlush(nsIURI*) (this=0x81f8728,
aURI=0x8246df8) at nsRDFXMLDataSource.cpp:832
#13 0x418768da in RDFXMLDataSourceImpl::Flush() (this=0x81f8728) at
nsRDFXMLDataSource.cpp:885
#14 0x41885386 in LocalStoreImpl::Flush() (this=0x8241ef0) at nsLocalStore.cpp:354
#15 0x4142af17 in ~nsXULDocument (this=0x888a178) at nsXULDocument.cpp:404
#16 0x411cf1bb in nsDocument::Release() (this=0x888a178) at nsDocument.cpp:674
#17 0x413ef8d7 in nsXMLDocument::Release() (this=0x888a178) at nsXMLDocument.cpp:210
#18 0x4142b383 in nsXULDocument::Release() (this=0x888a178) at nsXULDocument.cpp:477
#19 0x4090ed83 in XPCJSRuntime::GCCallback(JSContext*, JSGCStatus)
(cx=0x878fa80, status=JSGC_END) at xpcjsruntime.cpp:556
#20 0x4146d725 in DOMGCCallback (cx=0x878fa80, status=JSGC_END) at
nsJSEnvironment.cpp:1994
#21 0x401b7126 in js_GC (cx=0x878fa80, gcflags=0) at jsgc.c:1440
#22 0x401b6396 in js_ForceGC (cx=0x878fa80, gcflags=0) at jsgc.c:1024
#23 0x40182f8a in JS_GC (cx=0x878fa80) at jsapi.c:1744
#24 0x4146d5be in nsJSContext::Notify(nsITimer*) (this=0x88847d8,
timer=0x888d768) at nsJSEnvironment.cpp:1947
#25 0x4010e4ea in nsTimerImpl::Fire() (this=0x888d768) at nsTimerImpl.cpp:386
#26 0x4010e6b0 in handleTimerEvent(TimerEventType*) (event=0x42300570) at
nsTimerImpl.cpp:448
#27 0x4010612c in PL_HandleEvent (self=0x42300570) at plevent.c:692
#28 0x4010687a in PL_ProcessEventsBeforeID (aSelf=0x8881ab0, aID=17344) at
plevent.c:1697
#29 0x419dd93d in processQueue(void*, void*) (aElement=0x8881ab0, aData=0x43c0)
at nsAppShell.cpp:417
#30 0x400ba4d0 in nsVoidArray::EnumerateForwards(int (*)(void*, void*), void*)
(this=0x81430d0,
    aFunc=0x419dd910 <processQueue(void*, void*)>, aData=0x43c0) at
nsVoidArray.cpp:648
#31 0x419dd97e in nsAppShell::ProcessBeforeID(unsigned long) (aID=17344) at
nsAppShell.cpp:425
#32 0x419ebf32 in handle_gdk_event(_GdkEvent*, void*) (event=0x820cad4,
data=0x0) at nsGtkEventHandler.cpp:871

This may be a smoketest blocker.
(Reporter)

Comment 1

14 years ago
I did not crash with
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8a5) Gecko/20041027

CTho did crash with:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041028

OS -> All
OS: Linux → All

Comment 2

14 years ago
Using a CVS trunk debug build of firefox on Linux, I cannot reproduce this crash.
(Reporter)

Comment 3

14 years ago
Correction to steps to reproduce:  Clicking the URL link here apparently doesn't
produce a crash.  But entering the URL manually into the location bar does, and
it does crash my 10/27 build.

Comment 4

14 years ago
I cannot recreate this with a 20041022 cvs build. Neither does it happen with an
optimized 20041031 cvs build.

Even when entering the javascript into the location bar.

Comment 5

14 years ago
I tried clicking the link and I also tried entering the URL manually into the
URL bar.  In both cases I did not experience a crash.
(Assignee)

Comment 6

14 years ago
Created attachment 164286 [details] [diff] [review]
add missing break;
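To make the defect named in comment 6 concrete, here is a constructed C++ illustration (not the nsRDFXMLSerializer code, whose actual switch is not on this page) of a switch-based XML text escaper with and without the missing break, plus the length check a caller would want before a blocking write, since the trace above shows a short escaped buffer paired with size=1631256628. Function names and the entity arms are my assumptions.

```cpp
// Constructed illustration of the bug class behind "add missing break;":
// not Mozilla's nsRDFXMLSerializer code, just a switch-based XML text
// escaper shown once with a fall-through defect and once corrected.
#include <string>

// Buggy variant: the '<' arm has no break, so control falls into the '>'
// arm and every '<' is emitted as "&lt;&gt;". The output is longer than the
// caller expects and no longer round-trips through an XML parser.
std::string EscapeXmlBuggy(const std::string& in) {
    std::string out;
    for (char c : in) {
        switch (c) {
        case '&': out += "&amp;"; break;
        case '<': out += "&lt;";          // missing break: falls through
        case '>': out += "&gt;"; break;
        default:  out += c;
        }
    }
    return out;
}

// Fixed variant: each arm terminates with break, so every input character
// maps to exactly one entity or one literal character.
std::string EscapeXmlFixed(const std::string& in) {
    std::string out;
    for (char c : in) {
        switch (c) {
        case '&': out += "&amp;"; break;
        case '<': out += "&lt;";  break;
        case '>': out += "&gt;";  break;
        default:  out += c;
        }
    }
    return out;
}

// Sanity check a serializer can run before handing a buffer to a blocking
// write: the escaped text must contain no bare markup characters and its
// length must equal the size the writer is about to be told to write.
// A wildly wrong size (as in the trace) fails here instead of in write().
bool EscapedTextIsSane(const std::string& escaped, size_t claimedSize) {
    if (escaped.size() != claimedSize) return false;
    for (char c : escaped) {
        if (c == '<' || c == '>') return false;
    }
    return true;
}
```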
(Assignee)

Updated

14 years ago
Assignee: nobody → axel
Status: NEW → ASSIGNED
(Assignee)

Updated

14 years ago
Attachment #164286 - Flags: superreview?(darin)
Attachment #164286 - Flags: review?(bsmedberg)

Updated

14 years ago
Attachment #164286 - Flags: review?(bsmedberg) → review+

Updated

14 years ago
Attachment #164286 - Flags: superreview?(darin) → superreview+
(Assignee)

Comment 7

14 years ago
Fix landed on the trunk. The offending code isn't on the branch, so no problem on that front.
Status: ASSIGNED → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → FIXED
Verified FIXED with build 2004-11-12-04 on Windows XP, even with the amended steps in comment 3.
Status: RESOLVED → VERIFIED