[ http://issues.apache.org/jira/browse/XMLBEANS-115?page=comments#action_12376042 ]
John Marx commented on XMLBEANS-115:
------------------------------------

If the dates are correct, I note that this issue was fixed in SVN - Yana Kadiyska. Checking in patch of Jira-115 on 3/18/05. The latest 1.0.4 builds at http://apache.downlod.in/xmlbeans/binaries/ are dated 2/23/05.

> ArrayIndexOutOfBounds test case and patch for version 1.0.3
> -----------------------------------------------------------
>
>          Key: XMLBEANS-115
>          URL: http://issues.apache.org/jira/browse/XMLBEANS-115
>      Project: XMLBeans
>         Type: Bug
>   Components: XmlObject
>     Versions: Version 1.0.3
>  Environment: JDK 1.4.2, Redhat Enterprise Linux 3.0
>     Reporter: Joshua Blatt
>     Assignee: Yana Kadiyska
>      Fix For: Version 1.0.4
>  Attachments: xmlbeans_arrayindexoutofbounds_test.tar.gz
>
> We've seen intermittent ArrayIndexOutOfBounds exceptions thrown by xmlbeans
> version 1.0.3 in our production environment (JDK 1.4.2, Redhat Enterprise
> Linux 3.0). A typical stack trace looks like this:
>
> Caused by: java.lang.ArrayIndexOutOfBoundsException
>     at java.lang.System.arraycopy(Native Method)
>     at org.apache.xmlbeans.impl.store.Saver$TextSaver.replace(Saver.java:2057)
>     at org.apache.xmlbeans.impl.store.Saver$TextSaver.entitizeContent(Saver.java:1890)
>     at org.apache.xmlbeans.impl.store.Saver$TextSaver.emitContainer(Saver.java:1369)
>     at org.apache.xmlbeans.impl.store.Saver.processContainer(Saver.java:777)
>     at org.apache.xmlbeans.impl.store.Saver.process(Saver.java:520)
>     at org.apache.xmlbeans.impl.store.Saver$TextSaver.ensure(Saver.java:1660)
>     at org.apache.xmlbeans.impl.store.Saver$TextSaver.read(Saver.java:2150)
>     at org.apache.xmlbeans.impl.store.Saver$TextReader.read(Saver.java:2273)
>     at org.apache.xmlbeans.impl.store.Cursor.save(Cursor.java:3130)
>     at org.apache.xmlbeans.impl.values.XmlObjectBase.save(XmlObjectBase.java:166)
>     at org.apache.xmlbeans.impl.values.XmlObjectBase.save(XmlObjectBase.java:178)
>     at com.overture.service.common.xml.Utils.toString(Utils.java:143)
>     ... 31 more
>
> Looking at the org.apache.xmlbeans.impl.store.Saver$TextSaver.replace
> implementation, it's pretty clear that there's a bug in this code. When
> reserved xml characters like '&', '<', etc. are replaced by their "&amp;",
> "&lt;", etc. equivalents, all the characters in the _buf buffer are shuffled
> over to make room for the extra characters. The shuffle, however, does not
> wrap around to the beginning of the buffer if the extra length required would
> exceed _buf.length. The result is an intermittent buffer overflow that is
> more likely the more reserved characters are present in the input.
> The output below is from a diagnostic System.err.println added to the
> TextSaver.replace method running our test case:
>
> [java] _out = 0, _in = 8472, i =7496, _buf.length = 16384, dCch = 9, _free = 7912, replacement = <![CDATA[&
> [java] _out = 8192, _in = 9754, i =9233, _buf.length = 16384, dCch = 9, _free = 14822, replacement = <![CDATA[>
> [java] _out = 8192, _in = 11269, i =10514, _buf.length = 16384, dCch = 9, _free = 13307, replacement = <![CDATA[
> [java] _out = 8192, _in = 12838, i =12029, _buf.length = 16384, dCch = 9, _free = 11738, replacement = <![CDATA[&
> [java] _out = 8192, _in = 14241, i =13598, _buf.length = 16384, dCch = 9, _free = 10335, replacement = <![CDATA[?
> [java] _out = 8192, _in = 15341, i =15002, _buf.length = 16384, dCch = 9, _free = 9235, replacement = <![CDATA[&
> [java] _out = 8192, _in = 16115, i =16101, _buf.length = 16384, dCch = 4, _free = 8461, replacement = &
> [java] _out = 8192, _in = 16119, i =16109, _buf.length = 16384, dCch = 4, _free = 8457, replacement = &
> [java] _out = 8192, _in = 16123, i =16114, _buf.length = 16384, dCch = 3, _free = 8453, replacement = <
> [java] _out = 8192, _in = 16126, i =16118, _buf.length = 16384, dCch = 4, _free = 8450, replacement = &
> [java] _out = 8192, _in = 16130, i =16125, _buf.length = 16384, dCch = 3, _free = 8446, replacement = <
> [java] _out = 8192, _in = 16133, i =16130, _buf.length = 16384, dCch = 4, _free = 8443, replacement = &
> [java] _out = 8192, _in = 16137, i =16136, _buf.length = 16384, dCch = 3, _free = 8439, replacement = <
> [java] _out = 0, _in = 1238, i =505, _buf.length = 16384, dCch = 9, _free = 15146, replacement = <![CDATA[<
> [java] _out = 0, _in = 2140, i =2003, _buf.length = 16384, dCch = 9, _free = 14244, replacement = <![CDATA[
> [java] _out = 0, _in = 3041, i =2904, _buf.length = 16384, dCch = 9, _free = 13343, replacement = <![CDATA[?
> [java] _out = 0, _in = 4658, i =3806, _buf.length = 16384, dCch = 9, _free = 11726, replacement = <![CDATA[&
> [java] _out = 0, _in = 6069, i =5422, _buf.length = 16384, dCch = 9, _free = 10315, replacement = <![CDATA[
> [java] _out = 0, _in = 7485, i =6831, _buf.length = 16384, dCch = 9, _free = 8899, replacement = <![CDATA[&
> [java] _out = 0, _in = 8513, i =8246, _buf.length = 16384, dCch = 9, _free = 7871, replacement = <![CDATA[&
> [java] _out = 8192, _in = 9393, i =9275, _buf.length = 16384, dCch = 9, _free = 15183, replacement = <![CDATA[
> [java] _out = 8192, _in = 10309, i =10154, _buf.length = 16384, dCch = 9, _free = 14267, replacement = <![CDATA[&
> [java] _out = 0, _in = 8732, i =7756, _buf.length = 16384, dCch = 9, _free = 7652, replacement = <![CDATA[&
> [java] _out = 8192, _in = 10014, i =9493, _buf.length = 16384, dCch = 9, _free = 14562, replacement = <![CDATA[>
> [java] _out = 8192, _in = 11529, i =10774, _buf.length = 16384, dCch = 9, _free = 13047, replacement = <![CDATA[
> [java] _out = 8192, _in = 13098, i =12289, _buf.length = 16384, dCch = 9, _free = 11478, replacement = <![CDATA[&
> [java] _out = 8192, _in = 14501, i =13858, _buf.length = 16384, dCch = 9, _free = 10075, replacement = <![CDATA[?
> [java] _out = 8192, _in = 15601, i =15262, _buf.length = 16384, dCch = 9, _free = 8975, replacement = <![CDATA[&
> [java] _out = 8192, _in = 16375, i =16361, _buf.length = 16384, dCch = 4, _free = 8201, replacement = &
> [java] _out = 8192, _in = 16379, i =16369, _buf.length = 16384, dCch = 4, _free = 8197, replacement = &
> [java] _out = 8192, _in = 16383, i =16374, _buf.length = 16384, dCch = 3, _free = 8193, replacement = <
> [java] java.lang.ArrayIndexOutOfBoundsException
> [java]     at java.lang.System.arraycopy(Native Method)
> [java]     at org.apache.xmlbeans.impl.store.Saver$TextSaver.replace(Saver.java:2058)
> [java]     at org.apache.xmlbeans.impl.store.Saver$TextSaver.entitizeContent(Saver.java:1886)
> [java]     at org.apache.xmlbeans.impl.store.Saver$TextSaver.emitContainer(Saver.java:1367)
> [java]     at org.apache.xmlbeans.impl.store.Saver.processContainer(Saver.java:775)
> [java]     at org.apache.xmlbeans.impl.store.Saver.process(Saver.java:518)
> [java]     at org.apache.xmlbeans.impl.store.Saver$TextSaver.ensure(Saver.java:1658)
> [java]     at org.apache.xmlbeans.impl.store.Saver$TextSaver.read(Saver.java:2151)
> [java]     at org.apache.xmlbeans.impl.store.Saver$TextReader.read(Saver.java:2274)
> [java]     at org.apache.xmlbeans.impl.store.Cursor.save(Cursor.java:3118)
> [java]     at org.apache.xmlbeans.impl.values.XmlObjectBase.save(XmlObjectBase.java:166)
> [java]     at com.overture.test.XmlBeansTest$WorkerThread.run(XmlBeansTest.java:88)
> [java] died at iteration: 32
>
> Attached is the test case that consistently reproduces this problem.
> Inside the tarball is also a patch that has fixed the problem in our
> environment. Check out the included README for details on both the test case
> and the fix.
>
> I think it's also possible that this is the cause of this unresolved bug in
> your bugzilla: http://issues.apache.org/jira/browse/XMLBEANS-87
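The failure mode described in the report, as an added example that is not part of the original message and is not the XMLBeans Saver source: a linear `System.arraycopy` shift on a circular buffer next to a wrap-aware shift. The class `RingReplaceDemo`, its method names and the 16-slot sample buffer are assumptions made for illustration; by the same arithmetic, the report's last logged values (`_in = 16383`, `i = 16374`, `dCch = 3`, `_buf.length = 16384`) put the end of the shifted tail at index 16386, even though `_free = 8193`.

```java
// Added illustration, not the XMLBeans Saver source. Names follow the report's
// diagnostic output; the 16-slot buffer and its contents are constructed.
public class RingReplaceDemo {

    // Unsafe shift as the report describes it: the tail after index i moves right
    // by dCch in one linear arraycopy, which fails once in + dCch > buf.length.
    static int replaceNaive(char[] buf, int in, int i, String repl) {
        int dCch = repl.length() - 1;
        System.arraycopy(buf, i + 1, buf, i + 1 + dCch, in - (i + 1));
        repl.getChars(0, repl.length(), buf, i);
        return in + dCch;
    }

    // Wrap-aware shift: every index is taken modulo buf.length, and the tail is
    // moved last character first so overlapping slots are read before overwritten.
    static int replaceWrapping(char[] buf, int in, int i, int free, String repl) {
        int n = buf.length, dCch = repl.length() - 1;
        if (dCch > free) throw new IllegalStateException("not enough free slots");
        int tailLen = Math.floorMod(in - (i + 1), n);
        for (int k = tailLen - 1; k >= 0; k--)
            buf[(i + 1 + dCch + k) % n] = buf[(i + 1 + k) % n];
        for (int k = 0; k < repl.length(); k++)
            buf[(i + k) % n] = repl.charAt(k);
        return (in + dCch) % n;
    }

    // Reads the live region [out, in), following the wrap at the end of the array.
    static String read(char[] buf, int out, int in) {
        StringBuilder sb = new StringBuilder();
        for (int p = out; p != in; p = (p + 1) % buf.length) sb.append(buf[p]);
        return sb.toString();
    }

    public static void main(String[] args) {
        char[] buf = new char[16];
        "ab<cdef".getChars(0, 7, buf, 8);        // constructed data in slots [8, 15)
        int out = 8, in = 15, i = 10, free = 9;  // '<' sits at index 10
        try {
            replaceNaive(buf.clone(), in, i, "&lt;");
        } catch (IndexOutOfBoundsException e) {
            System.out.println("linear shift ran past the array: " + e);
        }
        int newIn = replaceWrapping(buf, in, i, free, "&lt;");
        System.out.println("in=" + newIn + " content=" + read(buf, out, newIn));
    }
}
```

The free-slot check passes in both cases; the linear copy fails because the free space is split between the end and the start of the array, which is why the exception in the report appears only when `_in` is close to `_buf.length`.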