some rdf related to evil theme from bug 272807 caused crash [@ LiteralImpl::EqualsNode]

NEW
Unassigned

Status

--
critical
14 years ago
2 months ago

People

(Reporter: timeless, Unassigned)

Tracking

({crash})

1.7 Branch
x86
Windows XP
crash

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

(Reporter)

Description

14 years ago
Incident ID: 2292697
Stack Signature	LiteralImpl::EqualsNode 5ffa9cc2
Product ID	Firefox10
Build ID	2004110711
Trigger Time	2004-12-01 08:35:23.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	firefox.exe + (000aa906)
URL visited	
User Comments	I was trying to create a theme for Firefox. Crash occured during
test install of theme.
Since Last Crash	17643 sec
Total Uptime	17643 sec
Trigger Reason	Access violation
Source File, Line No.
d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/rdf/base/src/nsRDFService.cpp,
line 608
Stack Trace 	
LiteralImpl::EqualsNode 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/rdf/base/src/nsRDFService.cpp,
line 608]
XPTC_InvokeByIndex 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp,
line 102]
XPCWrappedNative::CallMethod 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp,
line 2034]
XPC_WN_CallMethod 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp,
line 1287]
js_Invoke 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 941]
js_Interpret 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 2978]
js_Invoke 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 958]
nsXPCWrappedJSClass::CallMethod 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp,
line 1339]
nsXPCWrappedJS::CallMethod 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp,
line 450]
SharedStub 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp,
line 147]
XPTC_InvokeByIndex 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp,
line 102]
EventHandler 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/xpcom/proxy/src/nsProxyEvent.cpp,
line 545]
shdocvw.dll + 0x150c24 (0x778b0c24)
nsPrintObject::Init 
[d:/builds/tinderbox/firefox-1.0/WINNT_5.0_Clobber/mozilla/content/base/src/nsPrintObject.cpp,
line 97]
0x8bd6fff8

Comment 1

14 years ago
Looks as if EqualsNode isn't null-safe, this also crashes:
Components.classes['@mozilla.org/rdf/rdf-service;1'].getService(Components.interfaces.nsIRDFService).GetLiteral('').EqualsNode(null);

Comment 2

14 years ago
Actually, just the Resource and Blob impls of the ::EqualsNode impls are null-safe.
Sadly, they return different results for that. Resource fails and leaves the bool
unchanged, Blob sets it to false and returns NS_OK.
Investigation on call sites required.

Int and Date should do as Blob, Literal should just cast itself to nsIRDFNode and
check (that would handle null, too).
Unless I make up my mind that we should just compare the pointers themselves for
all rdf nodes.

I consider a tightened spec of this behaviour as part of our interface overhaul.
Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 3

14 years ago
I count 53 callers.
52 callers compare a given node (which I assume was null-checked) with a literal
or resource retrieved from the RDF service.
The 53rd caller compares two nodes retrieved using GetTarget. When one target is
null this will just fail with a JavaScript TypeError: null has no properties.
However the other target is not null-checked thus causing this crash.
Pointer comparisons sound good to me, but then why have EqualsNode?
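
The null-handling behaviours described in Comments 2 and 3, as an added stand-alone C++ model. It is not part of the bug thread and not Mozilla's code; `Node`, `Status`, the `*Like` classes and `careless_equals` are hypothetical names, and the pointer-identity literal assumes equal literals are always the same object.

```cpp
// Added illustration, not Mozilla's RDF code: Node, Status and the *Like
// classes are hypothetical stand-ins for nsIRDFNode and its implementations.
enum Status { OK = 0, ERR_NULL_POINTER = 1 };

struct Node {
    virtual ~Node() = default;
    virtual Status EqualsNode(const Node* other, bool* result) const = 0;
};

// Resource behaviour per Comment 2: fail on null, leave *result unchanged.
struct ResourceLike : Node {
    Status EqualsNode(const Node* other, bool* result) const override {
        if (!other) return ERR_NULL_POINTER;
        *result = (other == this);
        return OK;
    }
};

// Blob behaviour per Comment 2 (also proposed there for Int and Date):
// null compares unequal and the call succeeds.
struct BlobLike : Node {
    int payload = 0;
    Status EqualsNode(const Node* other, bool* result) const override {
        *result = false;                 // defined on every path
        if (!other) return OK;
        if (auto* b = dynamic_cast<const BlobLike*>(other))
            *result = (b->payload == payload);
        return OK;
    }
};

// Literal as proposed in Comment 2: compare as base-interface pointers.
// `other` is never dereferenced, so null needs no special case.
// Assumption: equal literals are always the same object.
struct LiteralLike : Node {
    Status EqualsNode(const Node* other, bool* result) const override {
        *result = (static_cast<const Node*>(this) == other);
        return OK;
    }
};

// Hypothetical C++ caller that ignores the status code: with ResourceLike it
// returns whatever `seed` held before the call.
bool careless_equals(const Node& a, const Node* b, bool seed) {
    bool eq = seed;
    a.EqualsNode(b, &eq);
    return eq;
}
```

A caller that checks the status sees two different contracts for the same null argument; one that does not check it gets a stale boolean from the Resource-style implementation.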
(Assignee)

Updated

7 years ago
Crash Signature: [@ LiteralImpl::EqualsNode]

Comment 4

7 years ago
This is still technically a crash. Only a handful for 4 weeks across all versions. It might be worth closing but I am going to leave open for now.

Updated

2 months ago
Product: Core → Core Graveyard