Closed Bug 312692 Opened 20 years ago Closed 19 years ago

E4X: appendChild() does not copy the child

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.8rc1

People

(Reporter: Seno.Aiko, Assigned: brendan)

Details

(Keywords: crash, testcase, verified1.8)

Attachments

(2 files, 1 obsolete file)

another testcase
214 bytes, text/html
Details
proposed fix
2.20 KB, patch
mrbkap
: review+
shaver
: superreview+
brendan
: approval1.8rc1+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051016 Firefox/1.6a1 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051016 Firefox/1.6a1 appendChild() seems to append the child itself instead of a deep copy of it, which may lead to the same child being present more than once. See testcase for an example. Reproducible: Always Steps to Reproduce: 1. Run testcase Actual Results: Second Second Expected Results: First Second
Attached file testcase (obsolete) —
Status: UNCONFIRMED → NEW
Ever confirmed: true
Attached file another testcase
This is fun: you can even make a XML object its own child. Old reactionary toString doesn't like such incestuous behaviour one bit and crashes as soon as it encounters it.
Keywords: crash, testcase
This is a bug in ECMA-357. It doesn't prevent you from creating such cycles. It should, so that all implementations that conform do so prevent, preventing DOS atacks and unpleasant divergence just because of user error (which might happen only now and then, so not be caught during unit or surface testing). /be
Assignee: general → brendan
Priority: -- → P1
Target Milestone: --- → mozilla1.9alpha
What does Rhino do, btw? /be
Status: NEW → ASSIGNED
OS: Windows XP → All
Hardware: PC → All
mrbkap points out that the ECMA-357 spec says (in its "Overview", but *not* in the corresponding "Semantics"): The appendChild method appends a deep copy of the given child to the end of this XML object’s properties and returns this XML object. So perhaps that's the fix. It would certainly avoid cycles, but it would break many cases that want object reference, not value, semantics. And it does not match insertChildBefore and insertChildAfter, which per spec can also be used to make cycles, and which have no "deep copy" language in their "Overviews". Bletch. I suppose we could add cycle detection. /be
OS: All → Windows XP
Priority: P1 → --
Hardware: All → PC
Target Milestone: mozilla1.9alpha → ---
Cycle detection means insuring that the would-be child can't reach the putative parent via a path in the DAG. Yes, DAG: we allow parent = <p/>; parent.child = "first"; child = parent.child[0]; parent.insertChildBefore(null, child); to create a DAG with two arcs from parent to child, such that parent.child[0] === parent.child[1] Round-tripping through toXMLString and the XML constructor (or eval) results in two distinct (!==) but equal (==) kids. This is how I'd like to fix this bug, and I'll fix all the append/insert cases at the lowest common level. /be
Flags: blocking1.8rc1+
Priority: -- → P1
Target Milestone: --- → mozilla1.8rc1
(In reply to comment #4) > What does Rhino do, btw? Rhino copies in the appendChild case, hangs or crashes in insert*Child cases that mrbkap tried. /be
Attached patch proposed fixSplinter Review
Attachment #200263 - Flags: superreview?(shaver)
Attachment #200263 - Flags: review?(mrbkap)
Comment on attachment 200263 [details] [diff] [review] proposed fix r=mrbkap
Attachment #200263 - Flags: review?(mrbkap) → review+
To clarify: your position is that the 'Overview' text of appendChild/prependChild is incorrect and that these methods should use the child itself, not a copy of it? So, if I really wanted a copy, I'd have to do it myself; for example, instead of |parent.appendChild(child)| I'd write |parent.appendChild(child.copy())| ? Sounds good to me. Just wondering: is a second edition of ECMA-357 being worked on?
(In reply to comment #10) > To clarify: your position is that the 'Overview' text of > appendChild/prependChild is incorrect and that these methods should use the > child itself, not a copy of it? Yes. > So, if I really wanted a copy, I'd have to do it myself; for example, instead of > |parent.appendChild(child)| I'd write |parent.appendChild(child.copy())| ? > Sounds good to me. Good. > Just wondering: is a second edition of ECMA-357 being worked on? Yes, and it's based on the ISO version of ECMA-357, ISO/IEC 22537, and it is almost too late to fix this hole in the spec to do with cycles and "deep copy" verbiage in the Overviews of two methods, but not in the Semantics. But I am pushing for it to be fixed. Otherwise, yet more errata to keep posted at mozilla.org.... /be
Comment on attachment 200263 [details] [diff] [review] proposed fix sr=shaver. We want this for the branch?
Attachment #200263 - Flags: superreview?(shaver) → superreview+
Comment on attachment 200263 [details] [diff] [review] proposed fix Yes, we want this -- just had an ECMA TG1 call today and we talked about this. It's happening for Edition 2 of ECMA-357. /be
Attachment #200263 - Flags: approval1.8rc1+
Fixed on branch and trunk. /be
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Keywords: fixed1.8
Resolution: --- → FIXED
RCS file: /cvsroot/mozilla/js/tests/e4x/XML/13.4.4.3-01.js,v done Checking in 13.4.4.3-01.js; /cvsroot/mozilla/js/tests/e4x/XML/13.4.4.3-01.js,v <-- 13.4.4.3-01.js initial revision: 1.1 done RCS file: /cvsroot/mozilla/js/tests/e4x/XML/13.4.4.3-02.js,v done Checking in 13.4.4.3-02.js; /cvsroot/mozilla/js/tests/e4x/XML/13.4.4.3-02.js,v <-- 13.4.4.3-02.js initial revision: 1.1 done
Flags: testcase+
Attachment #199786 - Attachment is obsolete: true
(In reply to comment #15) Bob, taking Brendan's decision into account, these testcases (and my comment 0) are not correct. The result of the first testcase should be <ul><li>Second</li><li>Second</li></ul> and the second testcase should produce a "Cyclic XML value" error. And it's XML.prettyPrinting, not XML.prettyPrint.
(In reply to comment #16) Checking in 13.4.4.3-01.js; /cvsroot/mozilla/js/tests/e4x/XML/13.4.4.3-01.js,v <-- 13.4.4.3-01.js new revision: 1.2; previous revision: 1.1 done Checking in 13.4.4.3-02.js; /cvsroot/mozilla/js/tests/e4x/XML/13.4.4.3-02.js,v <-- 13.4.4.3-02.js new revision: 1.2; previous revision: 1.1 done thanks for catching my mistakes.
Status: RESOLVED → VERIFIED
OS: Windows XP → All
Hardware: PC → All
verified firefox 1.5 rc2 winxp/linux
Keywords: fixed1.8verified1.8
It looks like according to ECMA-357 the parent() method of an XML object that has been added to multiple parents should return the last parent to which it was added ... does this sound right?
(In reply to comment #19) > It looks like according to ECMA-357 the parent() method of an XML object that > has been added to multiple parents should return the last parent to which it > was added ... does this sound right? Yes. Grepping for '>parent = [^N]' in js/src/jsxml.c shows the places this happens, and cites chapter and verse. /be
Jeff, did the second edition of ECMA-357 (or whatever went to ISO) actually specify that appendChild does not copy? /be
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: