The default bug view has changed. See this FAQ.

CRASH on function days-from-date() with invalid dates (month zero)

RESOLVED FIXED

Status

Core Graveyard
XForms
--
critical
RESOLVED FIXED
10 years ago
9 months ago

People

(Reporter: Kostis Anagnostopoulos, Assigned: Merle Sterling)

Tracking

({fixed1.8.1.12})

Trunk
fixed1.8.1.12

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments, 2 obsolete attachments)

(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en; rv:1.8.1.6) Gecko/20070802 Firefox/2.0.0.6
Build Identifier: At least till: Firefox 3 GPAlpha8

Function days-from-date() crashes FF when month outside 1-12.

Not tested other possible invalid date values. 

Aaron identified problems in C++ method:
nsSchemaValidatorUtils::GetMonthShorthand

Originally reported into disussion group:
http://groups.google.com/group/mozilla.dev.tech.xforms/browse_thread/thread/764e96d65a66f6c7/2436a5fa4796d16f#2436a5fa4796d16f

Reproducible: Always

Steps to Reproduce:
An XPath expression containing the next function-call would suffice to crash FF:
date('2007-00-01')
(Test case to be attached)
Actual Results:  
CRASH

Expected Results:  
Issue a xforms-compute-event (SForms 1.0-section 4.5.4)
(Reporter)

Comment 1

10 years ago
Created attachment 285211 [details]
Sample of the days-from-date() function with invalid date that CRASHES FF

WARNING: Firefox with the XForms add-on will CRASH when you visit this attachment.
(Reporter)

Updated

10 years ago
Version: unspecified → Trunk

Comment 2

10 years ago
error "Parsing Error: not well-formed" when I load testcase

Comment 3

10 years ago
Created attachment 285221 [details] [diff] [review]
testcase
Attachment #285211 - Attachment is obsolete: true

Updated

10 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 4

10 years ago
stack trace:

 	xpcom_core.dll!nsACString_internal::AssignASCII(const char * data=0x00636544)  Line 370 + 0x9	C++
 	schemval.dll!nsSchemaValidatorUtils::GetMonthShorthand(unsigned char aMonth=0x00, nsACString_internal & aReturn={...})  Line 796	C++
>	schemval.dll!nsSchemaValidator::ValidateBuiltinTypeDate(const nsAString_internal & aValue={...}, __int64 * aResult=0x0012d5e0)  Line 2502 + 0x10	C++
 	xforms.dll!nsXFormsUtils::GetDaysFromDateTime(const nsAString_internal & aValue={...}, int * aDays=0x0012d6b8)  Line 2754 + 0x31	C++
 	xforms.dll!nsXFormsXPathFunctions::DaysFromDate(const nsAString_internal & aDateTime={...}, double * aResult=0x04c68920)  Line 126 + 0xd	C++
 	xpcom_core.dll!NS_InvokeByIndex_P(nsISupports * that=0x04c68aa8, unsigned int methodIndex=0x00000006, unsigned int paramCount=0x00000002, nsXPTCVariant * params=0x04c68910)  Line 102	C++
 	gklayout.dll!txXPCOMExtensionFunctionCall::evaluate(txIEvalContext * aContext=0x0012d924, txAExprResult * * aResult=0x0012d91c)  Line 522 + 0x2e	C++
 	gklayout.dll!nsXPathExpression::EvaluateWithContext(nsIDOMNode * aContextNode=0x04c8f69c, unsigned int aContextPosition=0x00000001, unsigned int aContextSize=0x00000001, unsigned short aType=0x0000, nsISupports * aInResult=0x00000000, nsISupports * * aResult=0x0012d9b0)  Line 149 + 0x41	C++
 	xforms.dll!nsXFormsUtils::EvaluateXPath(nsIXPathEvaluatorInternal * aEvaluator=0x04c90e0c, const nsAString_internal & aExpression={...}, nsIDOMNode * aContextNode=0x04c8f69c, nsIDOMXPathNSResolver * aResolver=0x04c90e98, nsIXFormsXPathState * aState=0x04c90ff0, unsigned short aResultType=0x0000, int aContextPosition=0x00000001, int aContextSize=0x00000001, nsIDOMXPathResult * aInResult=0x00000000, nsIDOMXPathResult * * aResult=0x0012db50)  Line 634 + 0x44	C++
 	xforms.dll!nsXFormsXPathAnalyzer::AnalyzeRecursively(nsIDOMNode * aContextNode=0x04c8f69c, const nsXFormsXPathNode * aNode=0x04c68a00, unsigned int aIndent=0x00000000, int aCollect=0x00000000)  Line 199 + 0x70	C++
 	xforms.dll!nsXFormsXPathAnalyzer::Analyze(nsIDOMNode * aContextNode=0x04c8f69c, const nsXFormsXPathNode * aNode=0x04c689b0, nsIDOMNSXPathExpression * aExpression=0x04c6896c, const nsAString_internal * aExprString=0x0012e3dc, nsCOMArray<nsIDOMNode> * aSet=0x0012e5ac, unsigned int aPosition=0x00000001, unsigned int aSize=0x00000001, int aIncludeRoot=0x00000000)  Line 95 + 0x18	C++
 	xforms.dll!nsXFormsModelElement::ProcessBind(nsIDOMXPathEvaluator * aEvaluator=0x04c90e08, nsIDOMNode * aContextNode=0x04c8f69c, int aContextPosition=0x00000001, int aContextSize=0x00000001, nsIDOMElement * aBindElement=0x04e0bb64, int aIsOuter=0x00000001)  Line 2514 + 0x5d	C++
 	xforms.dll!nsXFormsModelElement::ProcessBindElements()  Line 2061 + 0x57	C++
 	xforms.dll!nsXFormsModelElement::Rebuild()  Line 1070 + 0xb	C++
 	xforms.dll!nsXFormsModelElement::HandleDefault(nsIDOMEvent * aEvent=0x04e0ca00, int * aHandled=0x0012e990)  Line 948 + 0x10	C++
 	gklayout.dll!nsXTFElementWrapper::PostHandleEvent(nsEventChainPostVisitor & aVisitor={...})  Line 874 + 0x17	C++

Comment 5

10 years ago
I guess the problem is nsSchemaValidator::IsValidSchemaDate() returns true for '2007-00-01' date which seems to be invalid.
(Assignee)

Comment 6

9 years ago
nsSchemaValidatorUtils::GetMaximumDayInMonthFor(PRUint32 aYearValue, PRUint8 aMonthValue) will return 28 as the maximum day of the month if the month is < 1 or > 12. For a date of '2007-00-01' 01 is <= than 28 so IsValidSchemaDate will return true.

Ideally we need the schema validator to be fixed because there is no good way to work around the problem without duplicating all of the date validation code. 
(Assignee)

Comment 7

9 years ago
Created attachment 291979 [details] [diff] [review]
patch

Check for invalid month and day values in ParseSchemaDate.
(Assignee)

Updated

9 years ago
Attachment #291979 - Flags: review?(doronr)

Updated

9 years ago
Attachment #291979 - Flags: review?(doronr) → review+
(Assignee)

Updated

9 years ago
Attachment #291979 - Flags: review?(Olli.Pettay)

Comment 8

9 years ago
Comment on attachment 291979 [details] [diff] [review]
patch

looks ok, even GetMaximumDayInMonthFor() assumes that month can be greater than 12 but per http://www.w3.org/TR/xmlschema-2/#isoformats it seems not valid date.
Attachment #291979 - Flags: review+

Updated

9 years ago
Assignee: nobody → msterlin
Attachment #291979 - Flags: review?(Olli.Pettay) → review+

Updated

9 years ago
Blocks: 410239

Comment 9

9 years ago
Created attachment 295821 [details]
testcase2

current testcase is bad xforms.  Uses @ref on xf:bind instead of @nodeset.  Also was applying multiple calculates to the same data node.  This testcase has both of those fixed.
Attachment #285221 - Attachment is obsolete: true

Comment 10

9 years ago
checked into trunk for msterlin
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Whiteboard: xf-to-branch

Comment 11

9 years ago
checked into 1.8 branch for msterlin
Keywords: fixed1.8.1.12
Whiteboard: xf-to-branch
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.