
XPathResult object can crash browser when calling iterateNext() or snapshotItem()

RESOLVED FIXED in mozilla1.9alpha1

Status


Core
XSLT
--
critical
RESOLVED FIXED
12 years ago
12 years ago

People

(Reporter: warp56, Assigned: peterv)

Tracking

(4 keywords)

Trunk
mozilla1.9alpha1
x86
Windows XP
crash, fixed1.8.1, testcase, verified1.8.0.2
Points:
---
Bug Flags:
blocking1.8.0.2 +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [rft-dl])

Attachments

(3 attachments)

(Reporter)

Description

12 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5

The XPathResult object returned from a document.evaluate() query can cause the browser to crash when trying to call the XPathResult's iterateNext() or snapshotItem() methods.  This happens when a query that should return a number value (such as "count(//*)") is evaluated and the XPathResult type argument is specifically set to one of the ITERATOR or SNAPSHOT types. Clearly it is an error of the script writer who set the incorrect XPath query or incorrect XPathResult type, but the application should just throw an exception rather than crashing.

Crashes on both Firefox 1.5 and Firefox 1.6a1 on Windows XP.

Reproducible: Always

Steps to Reproduce:
1. Run any of the following JavaScript lines in a webpage:
document.evaluate("count(/*)",document,null,XPathResult.UNORDERED_NODE_SNAPSHOT_TYPE,null).snapshotItem(0);
document.evaluate("count(/*)",document,null,XPathResult.UNORDERED_NODE_ITERATOR_TYPE,null).iterateNext();
document.evaluate("count(/*)",document,null,XPathResult.ORDERED_NODE_SNAPSHOT_TYPE,null).snapshotItem(0);
document.evaluate("count(/*)",document,null,XPathResult.ORDERED_NODE_ITERATOR_TYPE,null).iterateNext();
Actual Results:  
Browser crashed.

Expected Results:  
An exception is thrown which can either be caught, or gets logged to the console.

Module crash in firefox.exe.
(Reporter)

Comment 1

12 years ago
Created attachment 209671 [details]
Testcase for XPathResult crash

This is a simple testcase that should show the results of this bug.
Severity: minor → critical
Keywords: crash, testcase
Assignee: nobody → xslt
Component: General → XSLT
Product: Firefox → Core
QA Contact: general → keith
Version: unspecified → Trunk
Created attachment 209696 [details]
stack
The stack above was obtained from a Firefox trunk build from earlier today, on Windows.
(Assignee)

Comment 4

12 years ago
Created attachment 209710 [details] [diff] [review]
v1

We need to throw on impossible conversions (which I think is limited to "not a nodeset to an iterator, snapshot or node").
Attachment #209710 - Flags: review?(bugmail)
Attachment #209710 - Flags: review?(bugmail) → review+
Status: UNCONFIRMED → NEW
Ever confirmed: true
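The description's four crashing calls all request a node-set result type for an expression whose natural result is a number, and comment 4 states the rule the fix enforces: only a node-set can be delivered as an iterator, snapshot or single node. The following JavaScript is an added example, not code from the bug or from Mozilla's patch, showing how a page script can apply that same rule on its own side and fail with an exception before an unusable XPathResult is ever touched. The XPathResult constant values are the real DOM Level 3 XPath ones; evaluateChecked, tryEvaluate, isValidConversion and makeStubDocument are names chosen here, and makeStubDocument is a constructed stand-in for a browser document so the block runs under Node (in a browser, pass the real document instead).

```javascript
// XPathResult.resultType constants from DOM Level 3 XPath (real values,
// as exposed by browsers on window.XPathResult).
const XPR = Object.freeze({
  ANY_TYPE: 0,
  NUMBER_TYPE: 1,
  STRING_TYPE: 2,
  BOOLEAN_TYPE: 3,
  UNORDERED_NODE_ITERATOR_TYPE: 4,
  ORDERED_NODE_ITERATOR_TYPE: 5,
  UNORDERED_NODE_SNAPSHOT_TYPE: 6,
  ORDERED_NODE_SNAPSHOT_TYPE: 7,
  ANY_UNORDERED_NODE_TYPE: 8,
  FIRST_ORDERED_NODE_TYPE: 9,
});

// Result types whose accessors (iterateNext, snapshotItem, singleNodeValue)
// are only meaningful when the expression actually produced a node-set.
const NODE_SET_TYPES = new Set([
  XPR.UNORDERED_NODE_ITERATOR_TYPE, XPR.ORDERED_NODE_ITERATOR_TYPE,
  XPR.UNORDERED_NODE_SNAPSHOT_TYPE, XPR.ORDERED_NODE_SNAPSHOT_TYPE,
  XPR.ANY_UNORDERED_NODE_TYPE, XPR.FIRST_ORDERED_NODE_TYPE,
]);

// The rule from comment 4: anything can be coerced to number, string or
// boolean, but only a node-set can become an iterator, snapshot or node.
// `naturalType` is the type an ANY_TYPE evaluation reported.
function isValidConversion(naturalType, requestedType) {
  if (!NODE_SET_TYPES.has(requestedType)) return true;
  return NODE_SET_TYPES.has(naturalType);
}

// Evaluate `expression`, but throw a TypeError up front when the requested
// result type cannot be honoured, so the caller never calls iterateNext()
// or snapshotItem() on a result that holds a number, string or boolean.
function evaluateChecked(doc, expression, requestedType, contextNode = doc) {
  // A first pass with ANY_TYPE makes the engine report the natural type.
  const probe = doc.evaluate(expression, contextNode, null, XPR.ANY_TYPE, null);
  if (!isValidConversion(probe.resultType, requestedType)) {
    throw new TypeError(
      `XPath "${expression}" yields result type ${probe.resultType}, ` +
      `which cannot be returned as type ${requestedType}`);
  }
  if (requestedType === XPR.ANY_TYPE) return probe;
  return doc.evaluate(expression, contextNode, null, requestedType, null);
}

// Non-throwing wrapper returning an outcome object, convenient for logging
// which expressions would have reached the crash path.
function tryEvaluate(doc, expression, requestedType) {
  try {
    const result = evaluateChecked(doc, expression, requestedType);
    return { ok: true, resultType: result.resultType };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed stand-in for a browser Document (hypothetical, not a real DOM)
// so the example runs under Node: it classifies a few expression shapes by
// their natural XPath type and otherwise echoes the requested type back.
function makeStubDocument() {
  const naturalTypeOf = (expr) => {
    if (/^(count|string-length|number|sum)\(/.test(expr)) return XPR.NUMBER_TYPE;
    if (/^(name|local-name|string|concat)\(/.test(expr)) return XPR.STRING_TYPE;
    if (/^(not|boolean|contains)\(/.test(expr)) return XPR.BOOLEAN_TYPE;
    return XPR.UNORDERED_NODE_ITERATOR_TYPE; // location paths yield node-sets
  };
  return {
    evaluate(expression, _context, _resolver, type, _reuse) {
      const resultType = type === XPR.ANY_TYPE ? naturalTypeOf(expression) : type;
      return { resultType, iterateNext: () => null, snapshotItem: () => null };
    },
  };
}

// Usage: the four requests from the bug report, plus two valid ones.
const doc = makeStubDocument();
for (const t of [XPR.UNORDERED_NODE_SNAPSHOT_TYPE, XPR.UNORDERED_NODE_ITERATOR_TYPE,
                 XPR.ORDERED_NODE_SNAPSHOT_TYPE, XPR.ORDERED_NODE_ITERATOR_TYPE]) {
  console.log(`count(/*) as type ${t}:`, tryEvaluate(doc, "count(/*)", t));
}
console.log("/* as ordered snapshot:", tryEvaluate(doc, "/*", XPR.ORDERED_NODE_SNAPSHOT_TYPE));
console.log("count(/*) as number:", tryEvaluate(doc, "count(/*)", XPR.NUMBER_TYPE));
```

The probe evaluation costs a second pass over the expression, so this guard is meant for script that takes XPath strings from configuration or user input rather than for hot loops; where the expression is fixed, simply requesting XPathResult.ANY_TYPE and branching on resultType avoids the double evaluation.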
(Assignee)

Updated

12 years ago
Attachment #209710 - Flags: superreview?(jst)
Comment on attachment 209710 [details] [diff] [review]
v1

sr=jst
Attachment #209710 - Flags: superreview?(jst) → superreview+

Updated

12 years ago
Assignee: xslt → peterv
(Assignee)

Updated

12 years ago
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
(Assignee)

Updated

12 years ago
Target Milestone: --- → mozilla1.9alpha
(Assignee)

Comment 6

12 years ago
Comment on attachment 209710 [details] [diff] [review]
v1

Simple crash fix, low risk: just throw on certain conditions instead of crashing later on.
Attachment #209710 - Flags: approval1.8.1?
Attachment #209710 - Flags: approval1.8.0.2?
Attachment #209710 - Flags: approval1.8.1? → branch-1.8.1?(bugmail)
Comment on attachment 209710 [details] [diff] [review]
v1

Peterv is module owner so landing request over to him
Attachment #209710 - Flags: branch-1.8.1?(bugmail) → branch-1.8.1?(peterv)
(Assignee)

Comment 8

12 years ago
Comment on attachment 209710 [details] [diff] [review]
v1

Crash fix.
Attachment #209710 - Flags: branch-1.8.1?(peterv) → branch-1.8.1+
(Assignee)

Updated

12 years ago
Keywords: fixed1.8.1
Flags: blocking1.8.0.2+
Comment on attachment 209710 [details] [diff] [review]
v1

approved for 1.8.0 branch, a=dveditz
Attachment #209710 - Flags: approval1.8.0.2? → approval1.8.0.2+
(Assignee)

Updated

12 years ago
Keywords: fixed1.8.0.2
Marking [rft-dl] (ready for testing in Firefox 1.5.0.2 release candidates)
Whiteboard: [rft-dl]

Comment 11

12 years ago
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060302 Firefox/1.5.0.1, no crash with testcase.
Keywords: fixed1.8.0.2 → verified1.8.0.2