Menu

#1688 Infinite Loop in DomNode.insertBefore

Latest SVN
closed
nobody
None
3
2019-04-10
2015-05-22
William Walker
No

Have had HtmlUnit hang up on me executing some web pages. Below is an example url.

https://www.tablespoon.com/profile/RailNewsletterCTA?parentUrl=%252frecipes%252fcookie-stuffed-brownie-cupcakes%252f3d4d01f7-72cc-434a-ac13-f2f19c3379aa%252f%253fnicam2%253dEmail%2526nichn2%253dCore%2526niseg2%253dTBSP%2526nicreatID2%253dTBSP_05_10_2015%2526utm_source%253dEmail_newsletter%2526utm_medium%253demail%2526utm_campaign%253dTBSP_05_10_2015&disablePageView=1

After tracing into code the problem occurs when insertBefore is called and (newChild instanceof DomDocumentFragment)==true AND fragment.getChildren is not empty. In my case, the insertBefore is occuring on the same node list that it is iterating against so the iteration goes on forever.

DomNode.java

969:    public Node insertBefore(final Node newChild, final Node refChild) {
        if (newChild instanceof DomDocumentFragment) {
            final DomDocumentFragment fragment = (DomDocumentFragment) newChild;
            for (final DomNode child : fragment.getChildren()) {
                insertBefore(child, refChild);
            }
        }

Discussion

  • Ahmed Ashour

    Ahmed Ashour - 2015-05-22

    Hi,

    Can you post your complete case, as just getting the mentioned page doesn't go into infinite loop.

    Also, it seems that the newChild is a child of itself, I wonder how is that possible.

    I hope you are using latest version.

     

  • Ahmed Ashour

    Ahmed Ashour - 2015-05-22
    • Description has changed:

    Diff:

    --- old
+++ new
@@ -6,6 +6,7 @@

 DomNode.java

+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 969:    public Node insertBefore(final Node newChild, final Node refChild) {
         if (newChild instanceof DomDocumentFragment) {
             final DomDocumentFragment fragment = (DomDocumentFragment) newChild;
@@ -13,3 +14,4 @@
                 insertBefore(child, refChild);
             }
         }
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     

  • William Walker

    William Walker - 2015-05-22

    I was able to step through it in a debugger when it occurred and newChild was certainly a child of itself. I was using 2.15 at the time but it did not appear that the relevant code had been modified since. I have since updated to 2.16.

    I supposed it comes down to whether or not newChild==this is a possible situation. If this input is possible then the code fragment above could use protection against this case. If it is not possible, then this is much more of a head scratcher and I will do what I can to replicate the issue in a test program. Regrettably, the code is part of a much larger application that is not possible to post at the moment.

     

  • Ahmed Ashour

    Ahmed Ashour - 2015-05-23

    You can put a check in DomNode.basicAppend() and basicInsertBefore(), and throw RuntimeException if the node is 'this' (or parent in basicInsertBefore()), and looking into the stack trace would give an idea.

     

  • RBRi

    RBRi - 2016-10-10

    William, any progress here? We need a way to reproduce this.

     

  • RBRi

    RBRi - 2019-04-10

    Sorry no feedback since years, will close this.

     

  • RBRi

    RBRi - 2019-04-10
    • status: open --> closed
     

Log in to post a comment.