271560 - Amazon Web Service crashing us using WSDL Proxying. [@ nsArrayEncoder::Decode]

Status: VERIFIED FIXED

(Core Graveyard :: Web Services, defect)

Description

[Doron Rosenberg (IBM)]

Use http://www.mozilla.org/projects/webservices/examples/mozilla-wsdl/index.html
and Mozilla (1.7 and trunk) crashes.

Stack is:

#5  <signal handler called>
#6  0x07d1361d in nsArrayEncoder::Decode (this=0x9a460c8, aEncoding=0x9c09f70,
aSource=0x9a841f4, aSchemaType=0x9c51230, aAttachments=0x0, _retval=0xfeed21a0)
at
/home/doron/mozbuilds/trunk/mozilla/extensions/webservices/soap/src/nsDefaultSOAPEncoder.cpp:2973
#7  0x07d0bfb3 in nsDefaultEncoder::Decode (this=0x0, aEncoding=0x9c09f70,
aSource=0x9a841f4, aSchemaType=0x9a5056c, aAttachments=0x0, _retval=0xfeed21a0)
at
/home/doron/mozbuilds/trunk/mozilla/extensions/webservices/soap/src/nsDefaultSOAPEncoder.cpp:2097
#8  0x07d21b89 in nsSOAPEncoding::Decode (this=0x9c09f70, aSource=0x9a841f4,
aSchemaType=0x9a5056c, aAttachments=0x0, _retval=0xfeed21a0) at
/home/doron/mozbuilds/trunk/mozilla/extensions/webservices/soap/src/nsSOAPEncoding.cpp:336
#9  0x07d0ca78 in DecodeStructParticle (aEncoding=0x9c09f70, aElement=0x9a841f4,
aParticle=0xfeed2170, aAttachments=0x0, aDestination=0x9ad79e8,
_retElement=0xfeed26f0) at
/home/doron/mozbuilds/trunk/mozilla/extensions/webservices/soap/src/nsDefaultSOAPEncoder.cpp:2204
#10 0x07d0d01f in DecodeStructParticle (aEncoding=0x9c09f70, aElement=0x9c4403c,
aParticle=0xfeed26e0, aAttachments=0x0, aDestination=0x9ad79e8,
_retElement=0xfeed2a10) at
/home/doron/mozbuilds/trunk/mozilla/extensions/webservices/soap/src/nsDefaultSOAPEncoder.cpp:2263
#11 0x07d0dd87 in nsStructEncoder::Decode (this=0x998b278, aEncoding=0x9c09f70,
aSource=0x98f9ad4, aSchemaType=0x9b3528c, aAttachments=0x0, _retval=0x9b2a110)
at
/home/doron/mozbuilds/trunk/mozilla/extensions/webservices/soap/src/nsDefaultSOAPEncoder.cpp:2409
#12 0x07d0c5fd in nsAnyTypeEncoder::Decode (this=0x9a46128, aEncoding=0x9c09f70,
aSource=0x98f9ad4, aSchemaType=0x9b3528c, aAttachments=0x0, _retval=0x9b2a110)
at
/home/doron/mozbuilds/trunk/mozilla/extensions/webservices/soap/src/nsDefaultSOAPEncoder.cpp:2139
#13 0x07d0bfb3 in nsDefaultEncoder::Decode (this=0x0, aEncoding=0x9c09f70,
aSource=0x98f9ad4, aSchemaType=0x9b3528c, aAttachments=0x0, _retval=0x9b2a110)
at
/home/doron/mozbuilds/trunk/mozilla/extensions/webservices/soap/src/nsDefaultSOAPEncoder.cpp:2097
#14 0x07d21b89 in nsSOAPEncoding::Decode (this=0x9c09f70, aSource=0x98f9ad4,
aSchemaType=0x9b3528c, aAttachments=0x0, _retval=0x9b2a110) at
/home/doron/mozbuilds/trunk/mozilla/extensions/webservices/soap/src/nsSOAPEncoding.cpp:336
#15 0x07d1e2e9 in nsSOAPBlock::GetValue (this=0x9b2a0d0, aValue=0xfeed3800) at
/home/doron/mozbuilds/trunk/mozilla/extensions/webservices/soap/src/nsSOAPBlock.cpp:171
#16 0x07d2ad83 in nsSOAPParameter::GetValue (this=0x9b2a0d0, aValue=0xfeed3800)
at nsSOAPParameter.h:59
#17 0x07d529f5 in WSPCallContext::CallCompletionListener (this=0x9c0a188) at
/home/doron/mozbuilds/trunk/mozilla/extensions/webservices/proxy/src/wspcallcontext.cpp:355
#18 0x07d51c34 in WSPCallContext::HandleResponse (this=0x9c0a188,
aResponse=0x9c0a8ec, aCall=0x99e7094, status=0, aLast=1, _retval=0x0) at
/home/doron/mozbuilds/trunk/mozilla/extensions/webservices/proxy/src/wspcallcontext.cpp:153
#19 0x07d1babf in nsHTTPSOAPTransportCompletion::HandleEvent (this=0x98fa4b8,
aEvent=0x9bd84e8) at
/home/doron/mozbuilds/trunk/mozilla/extensions/webservices/soap/src/nsHTTPSOAPTransport.cpp:533
#20 0x013e82bf in nsXMLHttpRequest::NotifyEventListeners (this=0x9c4fd58,
aHandler=0x0, aListeners=0x9c063b0, aEvent=0x9bd84e8) at
/home/doron/mozbuilds/trunk/mozilla/extensions/xmlextras/base/src/nsXMLHttpRequest.cpp:812
#21 0x013ea1e9 in nsXMLHttpRequest::RequestCompleted (this=0x9c4fd58) at
/home/doron/mozbuilds/trunk/mozilla/extensions/xmlextras/base/src/nsXMLHttpRequest.cpp:1360
#22 0x013e9f88 in nsXMLHttpRequest::OnStopRequest (this=0x9c4fd58,
request=0x9bdb848, ctxt=0x0, status=0) at
/home/doron/mozbuilds/trunk/mozilla/extensions/xmlextras/base/src/nsXMLHttpRequest.cpp:1303
#23 0x0109621c in nsStreamListenerTee::OnStopRequest (this=0x9ba9138,
request=0x9bdb848, context=0x0, status=0) at
../../../../netwerk/base/src/nsStreamListenerTee.cpp:65
#24 0x01117c12 in nsHttpChannel::OnStopRequest (this=0x9bdb848,
request=0x9b51c30, ctxt=0x0, status=0) at
/home/doron/mozbuilds/trunk/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp:3757
#25 0x01072cf5 in nsInputStreamPump::OnStateStop (this=0x9b51c30) at
../../../../netwerk/base/src/nsInputStreamPump.cpp:504
#26 0x01072708 in nsInputStreamPump::OnInputStreamReady (this=0x9b51c30,
stream=0x9bab76c) at ../../../../netwerk/base/src/nsInputStreamPump.cpp:341
#27 0x00f8433b in nsInputStreamReadyEvent::EventHandler (plevent=0x0) at
/home/doron/mozbuilds/trunk/mozilla/xpcom/io/nsStreamUtils.cpp:118
#28 0x00fa1ca5 in PL_HandleEvent (self=0x9a9f0bc) at
/home/doron/mozbuilds/trunk/mozilla/xpcom/threads/plevent.c:692
#29 0x00fa1b7b in PL_ProcessPendingEvents (self=0x938a498) at
/home/doron/mozbuilds/trunk/mozilla/xpcom/threads/plevent.c:627
#30 0x00fa465b in nsEventQueueImpl::ProcessPendingEvents (this=0x938a470) at
/home/doron/mozbuilds/trunk/mozilla/xpcom/threads/nsEventQueue.cpp:398
#31 0x0117c496 in event_processor_callback (source=0x94b4280, condition=G_IO_IN,
data=0x9c51230) at
/home/doron/mozbuilds/trunk/mozilla/widget/src/gtk2/nsAppShell.cpp:67
#32 0x001fb79f in g_vasprintf () from /usr/lib/libglib-2.0.so.0
#33 0x001d61e2 in g_main_depth () from /usr/lib/libglib-2.0.so.0
#34 0x001d72d8 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#35 0x001d7610 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#36 0x001d7c53 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#37 0x003b878e in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#38 0x0117ca46 in nsAppShell::Run (this=0x93dcbf8) at
/home/doron/mozbuilds/trunk/mozilla/widget/src/gtk2/nsAppShell.cpp:142
#39 0x078b9fb5 in nsAppStartup::Run (this=0x93dc7f0) at
/home/doron/mozbuilds/trunk/mozilla/xpfe/components/startup/src/nsAppStartup.cpp:215
#40 0x080513b4 in main1 (argc=3, argv=0xfeed44f4, nativeApp=0x936ac00) at
/home/doron/mozbuilds/trunk/mozilla/xpfe/bootstrap/nsAppRunner.cpp:1321
#41 0x08051d97 in main (argc=3, argv=0xfeed44f4) at
/home/doron/mozbuilds/trunk/mozilla/xpfe/bootstrap/nsAppRunner.cpp:1799

in that method, unhandles is |1|.

Comment 1

[Boris Zbarsky [:bzbarsky]]

Doron, is that stack from 1.7 or trunk?

Also, I can't seem to get trunk to crash (I searched for "book" and got a bunch
of results and some asserts, but no crash).  What are the detailed reproduction
steps?

Comment 2

[Doron Rosenberg (IBM)]

the stack is from trunk, and I crash on seamonkey trunk.  I tried my fresh
firefox trunk build in case it was any thing I did and it also crashes.

Comment 3

[Boris Zbarsky [:bzbarsky]]

So what are the exact steps then?  And do you have any local changes in that tree?

I do see some weirdness in the DECODE_ARRAY impl and how it's called here (eg
we're addrefing a[p] in Free, but that only happens once, so if it's meant to
happen for all the variants it's failing....)

Comment 4

[Doron Rosenberg (IBM)]

Using a fresh firefox trunk build, setting
signed.applets.codebase_principal_support to true and going to
http://www.mozilla.org/projects/webservices/examples/mozilla-wsdl/amazonwsdl.html
and entering "mozilla" and pressing the search button crashes.  The firefox tree
is brand new and has no source changes.  This is linux/gtk2.  Going to try to
debug it later.

I crash with this stack:

#5  <signal handler called>
#6  0x01be5d3d in nsArrayEncoder::Decode (this=0xa436588, aEncoding=0xa60b900,
aSource=0xa6b67f4, aSchemaType=0x0, aAttachments=0x0, _retval=0xfee5ab50) at
/home/doron/mozbuilds/firefox-trunk/mozilla/extensions/webservices/soap/src/nsDefaultSOAPEncoder.cpp:2973
#7  0x01bde6d3 in nsDefaultEncoder::Decode (this=0x0, aEncoding=0xa60b900,
aSource=0xa6b67f4, aSchemaType=0xa56698c, aAttachments=0x0, _retval=0xfee5ab50)
at
/home/doron/mozbuilds/firefox-trunk/mozilla/extensions/webservices/soap/src/nsDefaultSOAPEncoder.cpp:2097
#8  0x01bf439b in nsSOAPEncoding::Decode (this=0xa60b900, aSource=0xa6b67f4,
aSchemaType=0xa56698c, aAttachments=0x0, _retval=0xfee5ab50) at
/home/doron/mozbuilds/firefox-trunk/mozilla/extensions/webservices/soap/src/nsSOAPEncoding.cpp:336
#9  0x01bdf198 in DecodeStructParticle (aEncoding=0xa60b900, aElement=0xa6b67f4,
aParticle=0xfee5ab20, aAttachments=0x0, aDestination=0xa64c238,
_retElement=0xfee5b0a0) at
/home/doron/mozbuilds/firefox-trunk/mozilla/extensions/webservices/soap/src/nsDefaultSOAPEncoder.cpp:2204
#10 0x01bdf73f in DecodeStructParticle (aEncoding=0xa60b900, aElement=0xa43634c,
aParticle=0xfee5b090, aAttachments=0x0, aDestination=0xa64c238,
_retElement=0xfee5b3c0) at
/home/doron/mozbuilds/firefox-trunk/mozilla/extensions/webservices/soap/src/nsDefaultSOAPEncoder.cpp:2263
#11 0x01be04a7 in nsStructEncoder::Decode (this=0xa6488b0, aEncoding=0xa60b900,
aSource=0xa6af8ac, aSchemaType=0xa0cdd54, aAttachments=0x0, _retval=0xa6aa738)
at
/home/doron/mozbuilds/firefox-trunk/mozilla/extensions/webservices/soap/src/nsDefaultSOAPEncoder.cpp:2409
#12 0x01bded1d in nsAnyTypeEncoder::Decode (this=0xa648918, aEncoding=0xa60b900,
aSource=0xa6af8ac, aSchemaType=0xa0cdd54, aAttachments=0x0, _retval=0xa6aa738)
at
/home/doron/mozbuilds/firefox-trunk/mozilla/extensions/webservices/soap/src/nsDefaultSOAPEncoder.cpp:2139
#13 0x01bde6d3 in nsDefaultEncoder::Decode (this=0x0, aEncoding=0xa60b900,
aSource=0xa6af8ac, aSchemaType=0xa0cdd54, aAttachments=0x0, _retval=0xa6aa738)
at
/home/doron/mozbuilds/firefox-trunk/mozilla/extensions/webservices/soap/src/nsDefaultSOAPEncoder.cpp:2097
#14 0x01bf439b in nsSOAPEncoding::Decode (this=0xa60b900, aSource=0xa6af8ac,
aSchemaType=0xa0cdd54, aAttachments=0x0, _retval=0xa6aa738) at
/home/doron/mozbuilds/firefox-trunk/mozilla/extensions/webservices/soap/src/nsSOAPEncoding.cpp:336
#15 0x01bf0ed9 in nsSOAPBlock::GetValue (this=0xa6aa6f8, aValue=0xfee5c1b0) at
/home/doron/mozbuilds/firefox-trunk/mozilla/extensions/webservices/soap/src/nsSOAPBlock.cpp:171
#16 0x01bfe30b in nsSOAPParameter::GetValue (this=0xa6aa6f8, aValue=0xfee5c1b0)
at nsSOAPParameter.h:59
#17 0x01c26069 in WSPCallContext::CallCompletionListener (this=0xa6b27d8) at
/home/doron/mozbuilds/firefox-trunk/mozilla/extensions/webservices/proxy/src/wspcallcontext.cpp:355
#18 0x01c252a8 in WSPCallContext::HandleResponse (this=0xa6b27d8,
aResponse=0xa60bc74, aCall=0xa55e024, status=0, aLast=1, _retval=0x0) at
/home/doron/mozbuilds/firefox-trunk/mozilla/extensions/webservices/proxy/src/wspcallcontext.cpp:153
#19 0x01bee7b5 in nsHTTPSOAPTransportCompletion::HandleEvent (this=0xa5f09e8,
aEvent=0xa64bbd0) at
/home/doron/mozbuilds/firefox-trunk/mozilla/extensions/webservices/soap/src/nsHTTPSOAPTransport.cpp:533
#20 0x04b97949 in nsXMLHttpRequest::NotifyEventListeners (this=0xa61fa10,
aHandler=0xfee5c6f0, aListeners=0xa6ba698, aEvent=0xa64bbd0) at
/home/doron/mozbuilds/firefox-trunk/mozilla/extensions/xmlextras/base/src/nsXMLHttpRequest.cpp:812
#21 0x04b9986f in nsXMLHttpRequest::RequestCompleted (this=0xa61fa10) at
/home/doron/mozbuilds/firefox-trunk/mozilla/extensions/xmlextras/base/src/nsXMLHttpRequest.cpp:1360
#22 0x04b9960e in nsXMLHttpRequest::OnStopRequest (this=0xa61fa10,
request=0xa6a7960, ctxt=0x0, status=0) at
/home/doron/mozbuilds/firefox-trunk/mozilla/extensions/xmlextras/base/src/nsXMLHttpRequest.cpp:1303
#23 0x0108ef78 in nsStreamListenerTee::OnStopRequest (this=0xa4540a8,
request=0xa6a7960, context=0x0, status=0) at
/home/doron/mozbuilds/firefox-trunk/mozilla/netwerk/base/src/nsStreamListenerTee.cpp:65
#24 0x01110008 in nsHttpChannel::OnStopRequest (this=0xa6a7960,
request=0xa668bc0, ctxt=0x0, status=0) at
/home/doron/mozbuilds/firefox-trunk/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp:3757
#25 0x0106c561 in nsInputStreamPump::OnStateStop (this=0xa668bc0) at
/home/doron/mozbuilds/firefox-trunk/mozilla/netwerk/base/src/nsInputStreamPump.cpp:504
#26 0x0106bf74 in nsInputStreamPump::OnInputStreamReady (this=0xa668bc0,
stream=0xa6b04b4) at
/home/doron/mozbuilds/firefox-trunk/mozilla/netwerk/base/src/nsInputStreamPump.cpp:341
#27 0x008e3c63 in nsInputStreamReadyEvent::EventHandler (plevent=0x0) at
/home/doron/mozbuilds/firefox-trunk/mozilla/xpcom/io/nsStreamUtils.cpp:118
#28 0x009019d1 in PL_HandleEvent (self=0xa54266c) at
/home/doron/mozbuilds/firefox-trunk/mozilla/xpcom/threads/plevent.c:692
#29 0x009018a7 in PL_ProcessPendingEvents (self=0x9e64410) at
/home/doron/mozbuilds/firefox-trunk/mozilla/xpcom/threads/plevent.c:627
#30 0x00904389 in nsEventQueueImpl::ProcessPendingEvents (this=0x9e57610) at
/home/doron/mozbuilds/firefox-trunk/mozilla/xpcom/threads/nsEventQueue.cpp:398
#31 0x012ad4b6 in event_processor_callback (source=0xa0f34f8, condition=G_IO_IN,
data=0xa576450) at
/home/doron/mozbuilds/firefox-trunk/mozilla/widget/src/gtk2/nsAppShell.cpp:67
#32 0x0048379f in g_vasprintf () from /usr/lib/libglib-2.0.so.0
#33 0x0045e1e2 in g_main_depth () from /usr/lib/libglib-2.0.so.0
#34 0x0045f2d8 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#35 0x0045f610 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#36 0x0045fc53 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#37 0x0029078e in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#38 0x012ada66 in nsAppShell::Run (this=0x9f5a6d0) at
/home/doron/mozbuilds/firefox-trunk/mozilla/widget/src/gtk2/nsAppShell.cpp:142
#39 0x02cbb997 in nsAppStartup::Run (this=0x9f5a968) at
/home/doron/mozbuilds/firefox-trunk/mozilla/toolkit/components/startup/src/nsAppStartup.cpp:155
#40 0x0805518f in xre_main (argc=47265096, argv=0xfee5ccd0, aAppData=0x806782c)
at /home/doron/mozbuilds/firefox-trunk/mozilla/toolkit/xre/nsAppRunner.cpp:2072
#41 0x0804f2bb in main (argc=1, argv=0xfee5d274) at
/home/doron/mozbuilds/firefox-trunk/mozilla/browser/app/nsBrowserApp.cpp:59

Comment 5

[Boris Zbarsky [:bzbarsky]]

Ah, "searching for 'mozilla'" is key.  That crashes, but other search terms I
tried (eg "search" and "book") do not...

Comment 6

[Boris Zbarsky [:bzbarsky]]

So the deal here is that the DECODE_ARRAY loop can terminate early if
DecodeArrayPosition() fails (well, other possibilities too, but I suspect that's
the one we're hitting here).

In that case, it'll set rc to NS_ERROR_ILLEGAL_VALUE (which is what it's set to
in this testcase), and break the loop, leaving the remainder of the array filled
in with zeros.  Then line 2975 will try to call NS_RELEASE on said zeros.  It
should be doing NS_IF_RELEASE.

Comment 7

[Doron Rosenberg (IBM)]

Attachment: make it not crash

Comment 8

[Doron Rosenberg (IBM)]

This fixes the crash, the real issue is why aSchemaType goes null from frame 7
to frame 6.

Comment 9

[Boris Zbarsky [:bzbarsky]]

So the NS_IF_ADDREF can just stay NS_ADDREF.  That pointer will never be null in
this code, assuming aEncoding->Decode() doesn't screw up and return NS_OK and
null (is that a bad assumption?)

The next thing to check is what actually fails here, I guess...  Again, rc is
ending up with NS_ERROR_ILLEGAL_VALUE.

Comment 10

[Boris Zbarsky [:bzbarsky]]

And the only way to get that retval is if DecodeArrayPosition() returns a bogus
value.  So either that function is broken, or the data we're sent is broken.

Comment 11

[Boris Zbarsky [:bzbarsky]]

Oh, and I don't see this "goes null" thing.  That sounds like stack corruption
or a gdb bug.

Comment 12

[Dan Mosedale (:dmosedale, :dmose)]

Seems like having this work for 1.1 would be a fine thing.

Comment 13

[Doron Rosenberg (IBM)]

can't figure this one out, reassigning to default owner.

Comment 14

[Dan Mosedale (:dmosedale, :dmose)]

Whoops, intended a blocking? not a blocking+, as I'm not a driver.

Comment 15

[timeless]

+
{,,xpcom_core.dll}(*(AtomImpl*){,,gklayout.dll}(((*((((*(nsGenericElement*)(&*(nsXMLElement*){*}((result).mRawPtr)))).mNodeInfo).mRawPtr)).mInner).mName)).mString
0x0367654c "UsedPrice"	char [1]
	rc	0x00000001	unsigned int

  if (NS_SUCCEEDED(rc)  //  If there were elements left over, then we failed to
decode everything.
      && result)
    rc = SOAP_EXCEPTION(NS_ERROR_ILLEGAL_VALUE,"SOAP_LEFTOVERS","Decoded struct
contained extra items not mentioned in the content model.");


>	websrvcs.dll!nsStructEncoder::Decode(nsISOAPEncoding * aEncoding=0x03899970,
nsIDOMElement * aSource=0x0383164c, nsISchemaType * aSchemaType=0x03765bfc,
nsISOAPAttachments * aAttachments=0x00000000, nsIVariant * * _retval=0x0012c298)
 Line 2427	C++
 	websrvcs.dll!nsAnyTypeEncoder::Decode(nsISOAPEncoding * aEncoding=0x03899970,
nsIDOMElement * aSource=0x0383164c, nsISchemaType * aSchemaType=0x03765bfc,
nsISOAPAttachments * aAttachments=0x00000000, nsIVariant * * _retval=0x0012c298)
 Line 2155 + 0x34	C++
 	websrvcs.dll!nsDefaultEncoder::Decode(nsISOAPEncoding * aEncoding=0x03899970,
nsIDOMElement * aSource=0x0383164c, nsISchemaType * aSchemaType=0x03765bfc,
nsISOAPAttachments * aAttachments=0x00000000, nsIVariant * * _retval=0x0012c298)
 Line 2113 + 0x39	C++
 	websrvcs.dll!nsSOAPEncoding::Decode(nsIDOMElement * aSource=0x0383164c,
nsISchemaType * aSchemaType=0x03765bfc, nsISOAPAttachments *
aAttachments=0x00000000, nsIVariant * * _retval=0x0012c298)  Line 337 + 0x2b	C++
 	websrvcs.dll!nsArrayEncoder::Decode(nsISOAPEncoding * aEncoding=0x03899970,
nsIDOMElement * aSource=0x037c85a4, nsISchemaType * aSchemaType=0x0362a53c,
nsISOAPAttachments * aAttachments=0x00000000, nsIVariant * * _retval=0x0012e12c)
 Line 2990 + 0x240	C++
 	websrvcs.dll!nsDefaultEncoder::Decode(nsISOAPEncoding * aEncoding=0x03899970,
nsIDOMElement * aSource=0x037c85a4, nsISchemaType * aSchemaType=0x0362a53c,
nsISOAPAttachments * aAttachments=0x00000000, nsIVariant * * _retval=0x0012e12c)
 Line 2113 + 0x39	C++
 	websrvcs.dll!nsSOAPEncoding::Decode(nsIDOMElement * aSource=0x037c85a4,
nsISchemaType * aSchemaType=0x0362a53c, nsISOAPAttachments *
aAttachments=0x00000000, nsIVariant * * _retval=0x0012e12c)  Line 337 + 0x2b	C++
 	websrvcs.dll!DecodeStructParticle(nsISOAPEncoding * aEncoding=0x03899970,
nsIDOMElement * aElement=0x037c85a4, nsISchemaParticle * aParticle=0x0362a3a4,
nsISOAPAttachments * aAttachments=0x00000000, nsISOAPPropertyBagMutator *
aDestination=0x03768cc8, nsIDOMElement * * _retElement=0x0012e5d4)  Line 2219
+ 0x3e	C++
 	websrvcs.dll!DecodeStructParticle(nsISOAPEncoding * aEncoding=0x03899970,
nsIDOMElement * aElement=0x0381ec44, nsISchemaParticle * aParticle=0x03625144,
nsISOAPAttachments * aAttachments=0x00000000, nsISOAPPropertyBagMutator *
aDestination=0x03768cc8, nsIDOMElement * * _retElement=0x0012e888)  Line 2278
+ 0x47	C++
 	websrvcs.dll!nsStructEncoder::Decode(nsISOAPEncoding * aEncoding=0x03899970,
nsIDOMElement * aSource=0x037a871c, nsISchemaType * aSchemaType=0x01a07ecc,
nsISOAPAttachments * aAttachments=0x00000000, nsIVariant * * _retval=0x019ff0d8)
 Line 2424 + 0x40	C++
 	websrvcs.dll!nsAnyTypeEncoder::Decode(nsISOAPEncoding * aEncoding=0x03899970,
nsIDOMElement * aSource=0x037a871c, nsISchemaType * aSchemaType=0x01a07ecc,
nsISOAPAttachments * aAttachments=0x00000000, nsIVariant * * _retval=0x019ff0d8)
 Line 2155 + 0x34	C++
 	websrvcs.dll!nsDefaultEncoder::Decode(nsISOAPEncoding * aEncoding=0x03899970,
nsIDOMElement * aSource=0x037a871c, nsISchemaType * aSchemaType=0x01a07ecc,
nsISOAPAttachments * aAttachments=0x00000000, nsIVariant * * _retval=0x019ff0d8)
 Line 2113 + 0x39	C++
 	websrvcs.dll!nsSOAPEncoding::Decode(nsIDOMElement * aSource=0x037a871c,
nsISchemaType * aSchemaType=0x01a07ecc, nsISOAPAttachments *
aAttachments=0x00000000, nsIVariant * * _retval=0x019ff0d8)  Line 337 + 0x2b	C++
 	websrvcs.dll!nsSOAPBlock::GetValue(nsIVariant * * aValue=0x0012f388)  Line
173 + 0x59	C++
 	websrvcs.dll!nsSOAPParameter::GetValue(nsIVariant * * aValue=0x0012f388)  Line
59 + 0x10	C++
 	websrvcs.dll!WSPCallContext::CallCompletionListener()  Line 355 + 0x41	C++
 	websrvcs.dll!WSPCallContext::HandleResponse(nsISOAPResponse *
aResponse=0x019482ec, nsISOAPCall * aCall=0x038998e4, unsigned int
status=0x00000000, int aLast=0x00000001, int * _retval=0x0012f704)  Line 156	C++
 	websrvcs.dll!nsHTTPSOAPTransportCompletion::HandleEvent(nsIDOMEvent *
aEvent=0x0363b910)  Line 534	C++
 	xmlextras.dll!nsXMLHttpRequest::NotifyEventListeners(nsIDOMEventListener *
aHandler=0x00000000, nsISupportsArray * aListeners=0x03787340, nsIDOMEvent *
aEvent=0x0363b910)  Line 820	C++
 	xmlextras.dll!nsXMLHttpRequest::RequestCompleted()  Line 1381	C++
 	xmlextras.dll!nsXMLHttpRequest::OnStopRequest(nsIRequest * request=0x0350d0f8,
nsISupports * ctxt=0x00000000, unsigned int status=0x00000000)  Line 1323	C++
 	necko.dll!nsStreamListenerTee::OnStopRequest(nsIRequest * request=0x0350d0f8,
nsISupports * context=0x00000000, unsigned int status=0x00000000)  Line 66	C++
 	necko.dll!nsHttpChannel::OnStopRequest(nsIRequest * request=0x038a17b8,
nsISupports * ctxt=0x00000000, unsigned int status=0x00000000)  Line 3828	C++
 	necko.dll!nsInputStreamPump::OnStateStop()  Line 507	C++
 	necko.dll!nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream *
stream=0x037bd8e8)  Line 343 + 0xb	C++
 	xpcom_core.dll!nsInputStreamReadyEvent::EventHandler(PLEvent *
plevent=0x0371da7c)  Line 119	C++
 	xpcom_core.dll!PL_HandleEvent(PLEvent * self=0x0371da7c)  Line 698 + 0xa	C
 	xpcom_core.dll!PL_ProcessPendingEvents(PLEventQueue * self=0x01161320)  Line
633 + 0x9	C
 	xpcom_core.dll!nsEventQueueImpl::ProcessPendingEvents()  Line 413 + 0xc	C++
 	gkwidget.dll!nsWindow::DispatchPendingEvents()  Line 4110	C++
 	gkwidget.dll!nsWindow::ProcessMessage(unsigned int msg=0x00000200, unsigned
int wParam=0x00000000, long lParam=0x014e0211, long * aRetValue=0x0012fd50) 
Line 4403	C++
 	gkwidget.dll!nsWindow::WindowProc(HWND__ * hWnd=0x001426fe, unsigned int
msg=0x00000200, unsigned int wParam=0x00000000, long lParam=0x014e0211)  Line
1442 + 0x1b	C++
 	user32.dll!_InternalCallWinProc@20()  + 0x28	
 	user32.dll!_UserCallWinProcCheckWow@32()  + 0xb7	
 	user32.dll!_DispatchMessageWorker@8()  + 0xdc	
 	user32.dll!_DispatchMessageA@4()  + 0xf	
 	mfc71d.dll!AfxInternalPumpMessage()  Line 188	C++
 	mfc71d.dll!CWinThread::PumpMessage()  Line 916	C++
 	mfc71d.dll!CWinThread::Run()  Line 637 + 0xb	C++
 	mfc71d.dll!CWinApp::Run()  Line 701	C++
 	mfc71d.dll!AfxWinMain(HINSTANCE__ * hInstance=0x00400000, HINSTANCE__ *
hPrevInstance=0x00000000, char * lpCmdLine=0x00142384, int nCmdShow=0x0000000a)
 Line 49 + 0xb	C++
 	mfcembed.exe!WinMain(HINSTANCE__ * hInstance=0x00400000, HINSTANCE__ *
hPrevInstance=0x00000000, char * lpCmdLine=0x00142384, int nCmdShow=0x0000000a)
 Line 25	C++
 	mfcembed.exe!WinMainCRTStartup()  Line 390 + 0x39	C
 	kernel32.dll!_BaseProcessStart@4()  + 0x23	

Comment 16

[Doron Rosenberg (IBM)]

Reduced testcase: http://www.nexgenmedia.net/bugs/271560/amazon.html

Comment 17

[timeless]

*** Bug 278415 has been marked as a duplicate of this bug. ***

Comment 18

[Doron Rosenberg (IBM)]

Debugging the reduced testcase, I found the following:
  - the wsdl says:
    <xsd:all>
      <a/>
      <b/>
    </xsd:all>
  
  and amazon sends:
    <b/>
    <a/>

which is valid per schema.

The reason is that:
http://lxr.mozilla.org/seamonkey/source/extensions/webservices/soap/src/nsDefaultSOAPEncoder.cpp#2261

DecodeStructParticle returns success even if it couldn't decode the particle
based on the given nsISchemaParticle.  So after is still aElement, and we hit
the if (NS_SUCCEEDED(rc)) {} segment

So I added a |&& next != after| check, so that it walks the particle array to
look for the right schema particle.

However, the next if block is:

2267               if (rc != NS_ERROR_NOT_AVAILABLE) {
2268                 break;
2269               }

which kicks us out of the if loop.  removing that break fixes the minimal
testcase, but not the live version.

The issue here is we need to better track if we decoded correctly or not and
fail if after the for loop is done we failed to do so.
  

Comment 19

[Doron Rosenberg (IBM)]

Attachment: Makes it not crash and work correctly

This patch fixes amazon for me.  going to clean it up and comment it up a bit
too.

Comment 20

[timeless]

Comment on attachment 178378 [details] [diff] [review]
Makes it not crash and work correctly

>+          if (NS_SUCCEEDED(rc) && decoded) {
>             *_retElement = next;
>             NS_IF_ADDREF(*_retElement);
>           }
could you insert an |else| here to aid poor readers, reviewers and compilers
>           if (minOccurs == 0 && rc == NS_ERROR_NOT_AVAILABLE) {  //  If we succeeded or failed recoverably, but we were permitted to, then return success
>             *_retElement = aElement;
>             NS_IF_ADDREF(*_retElement);
>             rc = NS_OK;
>           }

Comment 21

[Doron Rosenberg (IBM)]

Attachment: Cleaned up the function a bit (newlines, added extensive comments)

Comment 22

[Doron Rosenberg (IBM)]

Attachment: removed unused variable

Comment 23

[Doron Rosenberg (IBM)]

I left in the NS_IF_RELEASE change in, even though it isn't required.  Should it
be kept or not?

Comment 24

[timeless]

*** Bug 284343 has been marked as a duplicate of this bug. ***

Comment 25

[Chris Rauschuber]

Is there a target release for this fix?

Comment 26

[Doron Rosenberg (IBM)]

This will hopefully make Mozilla 1.8

Comment 27

[Chris Beard]

Not blocking 1.5, but would take a fix if this is still an issue.

Comment 28

[Doron Rosenberg (IBM)]

Still an issue, just need sr.

Comment 29

[Johnny Stenback (:jst)]

Comment on attachment 178409 [details] [diff] [review]
removed unused variable

sr=jst

Comment 30

[Doron Rosenberg (IBM)]

Comment on attachment 178409 [details] [diff] [review]
removed unused variable

asking for 1.8b4 approval.  Fixes a crash in Amazon webservices.

Comment 31

[Doron Rosenberg (IBM)]

Checked into trunk.  Branch approval pending.

Comment 32

[Doron Rosenberg (IBM)]

checked into branch

Comment 33

[Jay Patel [:jay]]

v.fixed with 9/27 trunk and branch builds, doron's reduced testcase in comment
#16  does not crash for me on Win32.