Last Comment Bug 324746 - XPathResult object can crash brower when calling iterateNext() or snapshotItem()
: XPathResult object can crash brower when calling iterateNext() or snapshotItem()
Status: RESOLVED FIXED
[rft-dl]
: crash, fixed1.8.1, testcase, verified1.8.0.2
Product: Core
Classification: Components
Component: XSLT (show other bugs)
: Trunk
: x86 Windows XP
: -- critical (vote)
: mozilla1.9alpha1
Assigned To: Peter Van der Beken [:peterv]
: Keith Visco
Mentors:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2006-01-25 20:46 PST by warp56
Modified: 2006-03-02 15:50 PST (History)
3 users (show)
dveditz: blocking1.8.0.2+
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
Testcase for XPathResult crash (171 bytes, text/html)
2006-01-25 20:51 PST, warp56
no flags Details
stack (4.88 KB, text/plain)
2006-01-26 06:12 PST, :Gavin Sharp [email: gavin@gavinsharp.com]
no flags Details
v1 (950 bytes, patch)
2006-01-26 08:49 PST, Peter Van der Beken [:peterv]
jonas: review+
jst: superreview+
peterv: approval‑branch‑1.8.1+
dveditz: approval1.8.0.2+
Details | Diff | Review

Description warp56 2006-01-25 20:46:31 PST
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5

The XPathResult object returned from a document.evaluate() query can cause the browser to crash when trying to call the XPathResult's iterateNext() or snapshotItem() methods.  This happens when a query that should return a number value (such as "count(//*)") is evaluated and the XPathResult type argument is specifically set to one of the ITERATOR or SNAPSHOT types. Clearly it is an error of the script writer who set the incorrect XPath query or incorrect XPathResult type, but the application should just throw an exception rather than crashing.

Crashes on both Firefox 1.5 and Firefox 1.6a1 on Windows XP.

Reproducible: Always

Steps to Reproduce:
1. Run any of the following Javascript lines in a webpage:
document.evaluate("count(/*)",document,null,XPathResult.UNORDERED_NODE_SNAPSHOT_TYPE,null).snapshotItem(0);
document.evaluate("count(/*)",document,null,XPathResult.UNORDERED_NODE_ITERATOR_TYPE,null).iterateNext();
document.evaluate("count(/*)",document,null,XPathResult.ORDERED_NODE_SNAPSHOT_TYPE,null).snapshotItem(0);
document.evaluate("count(/*)",document,null,XPathResult.ORDERED_NODE_ITERATOR_TYPE,null).iterateNext();
Actual Results:  
Browser crashed.

Expected Results:  
An exception is thrown which can either be caught, or gets logged to the console.

Module crash in firefox.exe.
Comment 1 warp56 2006-01-25 20:51:23 PST
Created attachment 209671 [details]
Testcase for XPathResult crash

This is a simple testcase that should show the results of this bug.
Comment 2 :Gavin Sharp [email: gavin@gavinsharp.com] 2006-01-26 06:12:08 PST
Created attachment 209696 [details]
stack
Comment 3 :Gavin Sharp [email: gavin@gavinsharp.com] 2006-01-26 06:23:07 PST
The stack above was obtained from a Firefox trunk build from earlier today, on Windows.
Comment 4 Peter Van der Beken [:peterv] 2006-01-26 08:49:07 PST
Created attachment 209710 [details] [diff] [review]
v1

We need to throw on impossible conversions (which I think is limited to "not a nodeset to an iterator, snapshot or node").
Comment 5 Johnny Stenback (:jst, jst@mozilla.com) 2006-01-26 15:34:11 PST
Comment on attachment 209710 [details] [diff] [review]
v1

sr=jst
Comment 6 Peter Van der Beken [:peterv] 2006-01-27 03:09:07 PST
Comment on attachment 209710 [details] [diff] [review]
v1

Simple crash fix, low risk: just throw on certain conditions instead of crashing later on.
Comment 7 Jonas Sicking (:sicking) 2006-01-31 10:30:09 PST
Comment on attachment 209710 [details] [diff] [review]
v1

Peterv is module owner so landing request over to him
Comment 8 Peter Van der Beken [:peterv] 2006-02-09 06:27:13 PST
Comment on attachment 209710 [details] [diff] [review]
v1

Crash fix.
Comment 9 Daniel Veditz [:dveditz] 2006-02-22 00:56:44 PST
Comment on attachment 209710 [details] [diff] [review]
v1

approved for 1.8.0 branch, a=dveditz
Comment 10 Dave Liebreich [:davel] 2006-03-02 10:46:11 PST
Marking [rft-dl] (ready for testing in Firefox 1.5.0.2 release candidates)
Comment 11 Jay Patel [:jay] 2006-03-02 15:50:24 PST
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060302 Firefox/1.5.0.1, no crash with testcase.

Note You need to log in before you can comment on or make changes to this bug.