Closed Bug 88263 Opened 24 years ago Closed 24 years ago

Range selectNodeContents(null) crashes browser

Categories

(Core :: DOM: Core & HTML, defect)

x86
Windows 98
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla0.9.3

People

(Reporter: jasonkarldavis, Assigned: anthonyd)

Details

(Keywords: crash, Whiteboard: nsBranch+, PDT+)

Attachments

(4 files)

From Bugzilla Helper:
BuildID: 2001060703

Today I noticed a fatal error, I had accidentally tried using selectNodeContents with an undefined argument (a childNode which didn't exist in this case). So I experimented some, and found that:

var range=document.createRange();
range.selectNodeContents(null)

will crash the browser, as well as:

range.selectNodeContents(undefined)

will. The error always appears to happen in GKCONTENT.DLL (according to the error message Windows gives me before it crashes). Other improper arguments merely throw an exception, including a lack of an argument.

Reproducible: Always

Steps to Reproduce:
1. Within <script> tags, or in the Javascript console:
2. var range=document.createRange();
3. range.selectNodeContents(null);
4. Restart Mozilla, declare range again, execute:
5. range.selectNodeContents(undefined);

Actual Results: Windows 98 told me Mozilla performed an illegal operation and will be shut down, because of an error in GKCONTENT.DLL

Expected Results: Any exception about an invalid argument.

What Win98 says:
MOZILLA caused an invalid page fault in module GKCONTENT.DLL at 0167:01daafc5.
Registers:
EAX=00000000 CS=0167 EIP=01daafc5 EFLGS=00010246
EBX=02861610 SS=016f ESP=0068f490 EBP=0068f4ac
ECX=00000000 DS=016f ESI=00000000 FS=6a9f
EDX=0068f488 ES=016f EDI=00000000 GS=0000
Bytes at CS:EIP:
8b 06 8d 4d 0c 51 56 89 7d 0c ff 50 20 be 00 00
Stack dump:
0068f5d8 0068f4e0 01887012 60edc458 00000000 00000000 60ecceb8 0068f4bc
60eccec8 00000000 00000000 0068f5bc 60bafe84 02861610 00000011 00000001
Attached file testcase
The attached testcase definitely crashes. My talkback agent isn't reporting Ids, but the bug number is in the talkback.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Attached file stacktrace
Keywords: crash
Attached patch patch
I'm not sure whether we want to do this, or to throw a NS_ERROR_DOM_RANGE_INVALID_NODE_TYPE_ERR; this matches the rest of the code.
Keywords: patch
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla0.9.3
the patch looks good, r=anthonyd, sfraser for sr= and need approval from beth. anthonyd
Whiteboard: need sr=sfraser and a=beppe
manager reviewed the need for the fix and agrees, approval for checkin to the trunk and branch after fix has received an r= and sr=, adding nsBranch keyword
Keywords: nsBranch
I have a minor preference for NS_ENSURE_ARG_POINTER(aN); but sr=sfraser either way.
checked into trunk, need branch permission. anthonyd
Keywords: vtrunk
bae
Whiteboard: need sr=sfraser and a=beppe → nsBranch+
per conversation with selmer, adding PDT+
Whiteboard: nsBranch+ → nsBranch+, PDT+
forgot to remove vtrunk
Keywords: vtrunk
checked into branch anthonyd
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Was this bug specific to Win98 only? Build 2001-07-13-06-0.9.2 branch build. Clicking on the testcase does not cause a crash. The testcase opens, but the results on the browser page are blank. Is this correct?
verified fixed branch and trunk, mac/linux/win32 7/20 trunk and 7/21 branch builds. For various bogus args (undefined, null, true, false, literals, functions, arrays, objects), an exception is thrown. Ideally, it should be a DOM value, but that's a different issue (i.e., what does 'invalid pointer' mean in a script language environment).

<html>
<head>
<title> bug 88263 </title>
<script>
function crashme(arg) {
  try {
    var range = document.createRange();
    range.selectNodeContents(arg);
    alert('arg is "' + arg + '"; range is: "' + range + '"');
  } catch (e) {
    alert('Caught exception: ' + e);
  }
}
function f() {}
var ary = [1, 2, 3];
var obj = new Object();
</script>
</head>
<body>
<form>
<input type=button value="with |null|" onclick="crashme(null);"><br>
<input type=button value="with |undefined|" onclick="crashme(undefined);"><br>
<input type=button value="with |false|" onclick="crashme(false);"><br>
<input type=button value="with |true|" onclick="crashme(true);"><br>
<input type=button value="with |''|" onclick="crashme('');"><br>
<input type=button value="with |2|" onclick="crashme(2);"><br>
<input type=button value="with |f()|" onclick="crashme(f);"><br>
<input type=button value="with |ary|" onclick="crashme(ary);"><br>
<input type=button value="with |obj|" onclick="crashme(obj);"><br>
<input type=button value="with |Node|" onclick="crashme(document.getElementById('foopy'));"><br>
</form>
<p id="foopy">This is a paragraph P, ID "foopy".</p>
</body>
</html>
Status: RESOLVED → VERIFIED
Component: DOM: Traversal-Range → DOM: Core & HTML
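
An added illustration of the guard discussed in this bug (not the attached patch and not Mozilla source): the fault bytes in the report, `8b 06` followed later by `ff 50 20` with ESI=00000000, decode to a vtable load and indirect call through a null object pointer, and a null check ahead of the first virtual call turns that fault into an error result. `ScriptValue`, `ToNativeNode`, the `Result` codes and the rule that null and undefined convert to a null native pointer are assumptions made for the example, chosen to match the behaviour the reporter describes.

```cpp
// Added illustration, not Mozilla source; all names here are constructed.
#include <cstdio>

enum Result { kOk, kBadConvert, kInvalidPointer };  // hypothetical codes

struct Node {
    virtual ~Node() = default;
    virtual unsigned ChildCount() const = 0;  // reached through the vtable
};
struct Paragraph : Node { unsigned ChildCount() const override { return 1; } };

// Kinds of script value, following the verification testcase's arguments.
enum class Kind { Null, Undefined, Boolean, Number, String, Object, NodeObject };
struct ScriptValue { Kind kind; Node* node; };

// Assumed binding rule, chosen to match the report: null and undefined become
// a null native pointer; any other value that is not a Node is rejected here.
Result ToNativeNode(const ScriptValue& v, Node** out) {
    *out = nullptr;
    if (v.kind == Kind::Null || v.kind == Kind::Undefined) return kOk;
    if (v.kind != Kind::NodeObject) return kBadConvert;
    *out = v.node;
    return kOk;
}

struct Range {
    unsigned end = 0;
    // The guard: reject a null node before the first virtual call. Without
    // it, node->ChildCount() would read the vtable pointer from address 0.
    Result SelectNodeContents(Node* node) {
        if (!node) return kInvalidPointer;
        end = node->ChildCount();
        return kOk;
    }
};

// Script-visible entry point: convert, then call. Any result other than kOk
// stands for an exception thrown to the page's script.
Result CallSelectNodeContents(Range& r, const ScriptValue& v) {
    Node* n = nullptr;
    Result rv = ToNativeNode(v, &n);
    return rv != kOk ? rv : r.SelectNodeContents(n);
}

int main() {
    Paragraph p; Range r;
    std::printf("null=%d node=%d\n", CallSelectNodeContents(r, {Kind::Null, nullptr}),
                CallSelectNodeContents(r, {Kind::NodeObject, &p}));
}
```

In this model only null and undefined reach the native method with a null pointer, which is why those two arguments were the ones that needed the check.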