Posted to dev@xmlbeans.apache.org by "Duane J. May (JIRA)" <xm...@xml.apache.org> on 2006/04/24 16:05:06 UTC

[jira] Commented: (XMLBEANS-115) ArrayIndexOutOfBounds test case and patch for version 1.0.3

    [ http://issues.apache.org/jira/browse/XMLBEANS-115?page=comments#action_12376038 ] 

Duane J. May commented on XMLBEANS-115:
---------------------------------------

We were getting this same error during load testing of our application. After upgrading to xmlbeans 1.0.4 we still see the error, with this stack trace (note the line number changes):

Caused by: java.lang.ArrayIndexOutOfBoundsException
        at java.lang.System.arraycopy(Native Method)
        at org.apache.xmlbeans.impl.store.Saver$TextSaver.replace(Saver.java:2055)
        at org.apache.xmlbeans.impl.store.Saver$TextSaver.entitizeContent(Saver.java:1888)
        at org.apache.xmlbeans.impl.store.Saver$TextSaver.emitContainer(Saver.java:1367)
        at org.apache.xmlbeans.impl.store.Saver.processContainer(Saver.java:775)
        at org.apache.xmlbeans.impl.store.Saver.process(Saver.java:518)
        at org.apache.xmlbeans.impl.store.Saver$TextSaver.ensure(Saver.java:1658)
        at org.apache.xmlbeans.impl.store.Saver$TextSaver.read(Saver.java:2148)
        at org.apache.xmlbeans.impl.store.Saver$TextReader.read(Saver.java:2276)
        at org.apache.xerces.impl.XMLEntityScanner.load(Unknown Source)
        at org.apache.xerces.impl.XMLEntityScanner.scanContent(Unknown Source)
        at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanContent(Unknown Source)
        at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
        at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
        at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
        at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
        at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
        at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
 




> ArrayIndexOutOfBounds test case and patch for version 1.0.3
> -----------------------------------------------------------
>
>          Key: XMLBEANS-115
>          URL: http://issues.apache.org/jira/browse/XMLBEANS-115
>      Project: XMLBeans
>         Type: Bug
>   Components: XmlObject
>     Versions: Version 1.0.3
>  Environment: JDK 1.4.2, Redhat Enterprise Linux 3.0
>     Reporter: Joshua Blatt
>     Assignee: Yana Kadiyska
>      Fix For: Version 1.0.4
>  Attachments: xmlbeans_arrayindexoutofbounds_test.tar.gz
>
> We've seen intermittent ArrayIndexOutOfBounds exceptions thrown by xmlbeans version 1.0.3 in our production environment (JDK 1.4.2, Redhat Enterprise Linux 3.0).  A typical stack trace looks like this:
>  
> Caused by: java.lang.ArrayIndexOutOfBoundsException
> at java.lang.System.arraycopy(Native Method)
> at org.apache.xmlbeans.impl.store.Saver$TextSaver.replace(Saver.java:2057)
> at org.apache.xmlbeans.impl.store.Saver$TextSaver.entitizeContent(Saver.java:1890) 
> at org.apache.xmlbeans.impl.store.Saver$TextSaver.emitContainer(Saver.java:1369)
> at org.apache.xmlbeans.impl.store.Saver.processContainer(Saver.java:777)
> at org.apache.xmlbeans.impl.store.Saver.process(Saver.java:520)
> at org.apache.xmlbeans.impl.store.Saver$TextSaver.ensure(Saver.java:1660)
> at org.apache.xmlbeans.impl.store.Saver$TextSaver.read(Saver.java:2150)
> at org.apache.xmlbeans.impl.store.Saver$TextReader.read(Saver.java:2273)
> at org.apache.xmlbeans.impl.store.Cursor.save(Cursor.java:3130)
> at org.apache.xmlbeans.impl.values.XmlObjectBase.save(XmlObjectBase.java:166)
> at org.apache.xmlbeans.impl.values.XmlObjectBase.save(XmlObjectBase.java:178)
> at com.overture.service.common.xml.Utils.toString(Utils.java:143)
> ... 31 more
>  
> Looking at the org.apache.xmlbeans.impl.store.Saver$TextSaver.replace
> implementation, it's pretty clear that there's a bug in this code.  When reserved xml characters like '&', '<', etc. are replaced by their "&amp;", "&lt;", etc. equivalents, all the characters in the _buf buffer are shuffled over to make room for the extra characters.  The shuffle, however, does not wrap around to the beginning of the buffer if the extra length required would exceed _buf.length.  The result is an intermittent buffer overflow that is more likely the more reserved characters are present in the input.
> The output below is from a diagnostic System.err.println added to the TextSaver.replace method running our test case:
>  
> [java] _out = 0, _in = 8472, i =7496, _buf.length = 16384, dCch = 9, _free = 7912, replacement = <![CDATA[& 
> [java] _out = 8192, _in = 9754, i =9233, _buf.length = 16384, dCch = 9, _free = 14822, replacement = <![CDATA[> 
> [java] _out = 8192, _in = 11269, i =10514, _buf.length = 16384, dCch = 9, _free = 13307, replacement = <![CDATA[ 
> [java] _out = 8192, _in = 12838, i =12029, _buf.length = 16384, dCch = 9, _free = 11738, replacement = <![CDATA[& 
> [java] _out = 8192, _in = 14241, i =13598, _buf.length = 16384, dCch = 9, _free = 10335, replacement = <![CDATA[?
> [java] _out = 8192, _in = 15341, i =15002, _buf.length = 16384, dCch = 9, _free = 9235, replacement = <![CDATA[& 
> [java] _out = 8192, _in = 16115, i =16101, _buf.length = 16384, dCch = 4, _free = 8461, replacement = &amp; 
> [java] _out = 8192, _in = 16119, i =16109, _buf.length = 16384, dCch = 4, _free = 8457, replacement = &amp; 
> [java] _out = 8192, _in = 16123, i =16114, _buf.length = 16384, dCch = 3, _free = 8453, replacement = &lt; 
> [java] _out = 8192, _in = 16126, i =16118, _buf.length = 16384, dCch = 4, _free = 8450, replacement = &amp; 
> [java] _out = 8192, _in = 16130, i =16125, _buf.length = 16384, dCch = 3, _free = 8446, replacement = &lt; 
> [java] _out = 8192, _in = 16133, i =16130, _buf.length = 16384, dCch = 4, _free = 8443, replacement = &amp; 
> [java] _out = 8192, _in = 16137, i =16136, _buf.length = 16384, dCch = 3, _free = 8439, replacement = &lt; 
> [java] _out = 0, _in = 1238, i =505, _buf.length = 16384, dCch = 9, _free = 15146, replacement = <![CDATA[< 
> [java] _out = 0, _in = 2140, i =2003, _buf.length = 16384, dCch = 9, _free = 14244, replacement = <![CDATA[ 
> [java] _out = 0, _in = 3041, i =2904, _buf.length = 16384, dCch = 9, _free = 13343, replacement = <![CDATA[?
> [java] _out = 0, _in = 4658, i =3806, _buf.length = 16384, dCch = 9, _free = 11726, replacement = <![CDATA[& 
> [java] _out = 0, _in = 6069, i =5422, _buf.length = 16384, dCch = 9, _free = 10315, replacement = <![CDATA[ 
> [java] _out = 0, _in = 7485, i =6831, _buf.length = 16384, dCch = 9, _free = 8899, replacement = <![CDATA[& 
> [java] _out = 0, _in = 8513, i =8246, _buf.length = 16384, dCch = 9, _free = 7871, replacement = <![CDATA[& 
> [java] _out = 8192, _in = 9393, i =9275, _buf.length = 16384, dCch = 9, _free = 15183, replacement = <![CDATA[ 
> [java] _out = 8192, _in = 10309, i =10154, _buf.length = 16384, dCch = 9, _free = 14267, replacement = <![CDATA[& 
> [java] _out = 0, _in = 8732, i =7756, _buf.length = 16384, dCch = 9, _free = 7652, replacement = <![CDATA[& 
> [java] _out = 8192, _in = 10014, i =9493, _buf.length = 16384, dCch = 9, _free = 14562, replacement = <![CDATA[> 
> [java] _out = 8192, _in = 11529, i =10774, _buf.length = 16384, dCch = 9, _free = 13047, replacement = <![CDATA[ 
> [java] _out = 8192, _in = 13098, i =12289, _buf.length = 16384, dCch = 9, _free = 11478, replacement = <![CDATA[& 
> [java] _out = 8192, _in = 14501, i =13858, _buf.length = 16384, dCch = 9, _free = 10075, replacement = <![CDATA[?
> [java] _out = 8192, _in = 15601, i =15262, _buf.length = 16384, dCch = 9, _free = 8975, replacement = <![CDATA[& 
> [java] _out = 8192, _in = 16375, i =16361, _buf.length = 16384, dCch = 4, _free = 8201, replacement = &amp; 
> [java] _out = 8192, _in = 16379, i =16369, _buf.length = 16384, dCch = 4, _free = 8197, replacement = &amp; 
> [java] _out = 8192, _in = 16383, i =16374, _buf.length = 16384, dCch = 3, _free = 8193, replacement = &lt; 
> [java] java.lang.ArrayIndexOutOfBoundsException
> [java] at java.lang.System.arraycopy(Native Method)
> [java] at org.apache.xmlbeans.impl.store.Saver$TextSaver.replace(Saver.java:2058)
> [java] at org.apache.xmlbeans.impl.store.Saver$TextSaver.entitizeContent(Saver.java:1886)
> [java] at org.apache.xmlbeans.impl.store.Saver$TextSaver.emitContainer(Saver.java:1367)
> [java] at org.apache.xmlbeans.impl.store.Saver.processContainer(Saver.java:775)
> [java] at org.apache.xmlbeans.impl.store.Saver.process(Saver.java:518)
> [java] at org.apache.xmlbeans.impl.store.Saver$TextSaver.ensure(Saver.java:1658)
> [java] at org.apache.xmlbeans.impl.store.Saver$TextSaver.read(Saver.java:2151)
> [java] at org.apache.xmlbeans.impl.store.Saver$TextReader.read(Saver.java:2274)
> [java] at org.apache.xmlbeans.impl.store.Cursor.save(Cursor.java:3118)
> [java] at org.apache.xmlbeans.impl.values.XmlObjectBase.save(XmlObjectBase.java:166)
> [java] at com.overture.test.XmlBeansTest$WorkerThread.run(XmlBeansTest.java:88)
> [java] died at iteration: 32
>  
> Attached is the test case that consistently reproduces this problem.
> Inside the tarball is also a patch that has fixed the problem in our environment.  Check out the included README for details on both the test case and the fix.
>  
> I think it's also possible that this is the cause of this unresolved bug in your bugzilla: http://issues.apache.org/jira/browse/XMLBEANS-87
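
The missing wrap-around described in the quoted report, as an added example that is not part of the original message, the attached patch, or the XMLBeans source. It is a simplified model of a circular character buffer: the class and method names are hypothetical, and the buffer state is constructed from the last diagnostic line before the exception (_out = 8192, _in = 16383, i = 16374, _buf.length = 16384, replacement = &lt;).

```java
// Added example: simplified model of a circular char buffer, not the XMLBeans code.
public class RingReplaceDemo {
    final char[] buf;
    int in;    // next write position (the log's _in)
    int out;   // next read position (the log's _out)
    int free;  // unused slots (the log's _free)

    RingReplaceDemo(int size, int out, int in) {
        buf = new char[size];
        this.out = out;
        this.in = in;
        free = size - Math.floorMod(in - out, size);
    }

    // Linear shuffle: assumes the shifted tail still ends before buf.length.
    void replaceLinear(int i, String repl) {
        int dCch = repl.length() - 1;
        System.arraycopy(buf, i + 1, buf, i + 1 + dCch, in - i - 1);
        repl.getChars(0, repl.length(), buf, i);
        in += dCch;
        free -= dCch;
    }

    // Wrap-aware shuffle: every index is reduced modulo buf.length.
    void replaceWrapped(int i, String repl) {
        int n = buf.length, dCch = repl.length() - 1;
        if (dCch > free) throw new IllegalStateException("buffer must be grown first");
        int tail = Math.floorMod(in - i - 1, n);
        for (int k = tail - 1; k >= 0; k--)   // copy backwards so nothing is overwritten
            buf[(i + 1 + dCch + k) % n] = buf[(i + 1 + k) % n];
        for (int k = 0; k < repl.length(); k++)
            buf[(i + k) % n] = repl.charAt(k);
        in = (in + dCch) % n;
        free -= dCch;
    }

    public static void main(String[] args) {
        RingReplaceDemo a = new RingReplaceDemo(16384, 8192, 16383);
        try {
            a.replaceLinear(16374, "&lt;");   // tail would end past index 16383
        } catch (IndexOutOfBoundsException e) {
            System.out.println("linear shuffle: " + e.getClass().getSimpleName());
        }
        RingReplaceDemo b = new RingReplaceDemo(16384, 8192, 16383);
        b.replaceWrapped(16374, "&lt;");      // tail wraps to the start of buf
        System.out.println("wrapped shuffle: _in = " + b.in + ", _free = " + b.free);
    }
}
```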
