272881 - some rdf related to evil theme from bug 272807 caused crash [@ LiteralImpl::EqualsNode]

Status: RESOLVED INCOMPLETE

(Core Graveyard :: RDF, defect)

Description

[timeless]

Incident ID: 2292697
Stack Signature	LiteralImpl::EqualsNode 5ffa9cc2
Product ID	Firefox10
Build ID	2004110711
Trigger Time	2004-12-01 08:35:23.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	firefox.exe + (000aa906)
URL visited	
User Comments	I was trying to create a theme for Firefox. Crash occured during
test install of theme.
Since Last Crash	17643 sec
Total Uptime	17643 sec
Trigger Reason	Access violation
Source File, Line No.
d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/rdf/base/src/nsRDFService.cpp,
line 608
Stack Trace 	
LiteralImpl::EqualsNode 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/rdf/base/src/nsRDFService.cpp,
line 608]
XPTC_InvokeByIndex 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp,
line 102]
XPCWrappedNative::CallMethod 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp,
line 2034]
XPC_WN_CallMethod 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp,
line 1287]
js_Invoke 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 941]
js_Interpret 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 2978]
js_Invoke 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 958]
nsXPCWrappedJSClass::CallMethod 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp,
line 1339]
nsXPCWrappedJS::CallMethod 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp,
line 450]
SharedStub 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp,
line 147]
XPTC_InvokeByIndex 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp,
line 102]
EventHandler 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpcom/proxy/src/nsProxyEvent.cpp,
line 545]
shdocvw.dll + 0x150c24 (0x778b0c24)
nsPrintObject::Init 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/base/src/nsPrintObject.cpp,
line 97]
0x8bd6fff8

Comment 1

[neil@parkwaycc.co.uk]

Looks as if EqualsNode isn't null-safe, this also crashes:
Components.classes['@mozilla.org/rdf/rdf-service;1'].getService(Components.interfaces.nsIRDFService).GetLiteral('').EqualsNode(null);

Comment 2

[Axel Hecht]

Actually, just the Resource and Blob impls of the ::EqualsNode impls are nullsafe.
Sadly, they return different results for that. Resource fails and leaves the bool
unchanged, Blob sets it to false and returns NS_OK.
Investigation on call sites required.

Int and Date should do as Blob, Literal should just cast itself to nsIRDFNode and
check (that would handle null, too).
Unless I make up my mind that we should just compare the pointers themselves for
all rdf nodes.

I consider a tightened spec of this behaviour as part of our interface overhaul.

Comment 3

[neil@parkwaycc.co.uk]

I count 53 callers.
52 callers compare a given node (which I assume was null-checked) with a literal
or resource retrived from the RDF service.
The 53rd caller compares two nodes retieved using GetTarget. When one target is
null this will just fail with a JavaScript TypeError: null has no properties.
However the other target is not null-checked thus causing this crash.
Pointer comparisons sound good to me, but then why have EqualsNode?

Comment 4

[Sheila Mooney]

This is still technically a crash. Only a handful for 4 weeks across all versions. It might be worth closing but I am going to leave open for now.