Closed Bug 1243327 Opened 8 years ago Closed 8 years ago

Assertion failure "doc->GetReadyStateEnum() == READYSTATE_INTERACTIVE" and crash

Categories

(Core :: XSLT, defect)

Version: 44 Branch
Type: defect
Priority: Not set
Severity: critical

Tracking


RESOLVED DUPLICATE of bug 1205163

People

(Reporter: nicolas.gregoire, Unassigned)


Details

(Keywords: sec-low)

Tested on latest Firefox 44 compiled with ASan+debug

Description: the crash happens if 1) an "xsl:output" element with an attribute of name "method" and value "text" is used, and 2) the transformation is done via transformToDocument() and not transformToFragment().

XSLT:

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="text"/>
</xsl:stylesheet>

Output:

Assertion failure: doc->GetReadyStateEnum() == nsIDocument::READYSTATE_INTERACTIVE (Bad readyState), at /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:696
=================================================================
==40157==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd6b0eb55cd sp 0x7fff058dbe00 bp 0x7fff058dc2f0 T0)
    #0 0x7fd6b0eb55cc in txMozillaXSLTProcessor::TransformToDoc(nsIDOMDocument**, bool) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:697
    #1 0x7fd6b0eb8793 in txMozillaXSLTProcessor::TransformToDocument(nsINode&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:1329
    #2 0x7fd6af6e9860 in mozilla::dom::XSLTProcessorBinding::transformToDocument(JSContext*, JS::Handle<JSObject*>, txMozillaXSLTProcessor*, JSJitMethodCallArgs const&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/obj-firefox/dom/bindings/./XSLTProcessorBinding.cpp:153
    #3 0x7fd6afd731ce in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/bindings/BindingUtils.cpp:2691
    #4 0x7fd6b40ed142 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jscntxtinlines.h:235
    #5 0x7fd6b40b39ac in js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/vm/Interpreter.cpp:772:16
    #6 0x7fd6b40dfadd in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/vm/Interpreter.cpp:3105
    #7 0x7fd6b40cb990 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/vm/Interpreter.cpp:725
    #8 0x7fd6b40eee42 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/vm/Interpreter.cpp:1000
    #9 0x7fd6b40ef9ab in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/vm/Interpreter.cpp:1034
    #10 0x7fd6b3d98c4c in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jsapi.cpp:4598
    #11 0x7fd6b3d98992 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jsapi.cpp:4624
    #12 0x7fd6ad9b57d4 in ProcessFile(mozilla::dom::AutoJSAPI&, char const*, _IO_FILE*, bool) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/xpconnect/src/XPCShellImpl.cpp:876
    #13 0x7fd6ad9b5a73 in Process(mozilla::dom::AutoJSAPI&, char const*, bool) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/xpconnect/src/XPCShellImpl.cpp:929
    #14 0x7fd6ad95612f in ProcessArgs(mozilla::dom::AutoJSAPI&, char**, int, XPCShellDirProvider*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/xpconnect/src/XPCShellImpl.cpp:1128
    #15 0x7fd6ad9537c2 in XRE_XPCShellMain /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/xpconnect/src/XPCShellImpl.cpp:1546
    #16 0x48a94f in main /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/xpconnect/shell/xpcshell.cpp:54
    #17 0x7fd6a708cec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #18 0x48a6cc in _start (/home/user/ff-44/xpcshell+0x48a6cc)

Live demo at http://nicob.net/firefox-aeshooT3/Bug-1/launcher.html
Group: core-security
Group: core-security → dom-core-security
Flags: sec-bounty?
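The report above pins the crash to one combination: xsl:output method="text" reached through transformToDocument(), while transformToFragment() is unaffected. The following added example (not the reporter's launcher and not Firefox code) shows a defensive wrapper that reads the stylesheet's declared output method and routes text output through the fragment path; the function names declaredOutputMethod and transformByMethod are my own, the stylesheet is constructed, and the xsl:output lookup only approximates XSLT 1.0's merging rules (it ignores xsl:import/xsl:include and import precedence).

```javascript
// Added example (hypothetical helper, not from the bug report or Firefox).
// Assumes a browser that provides DOMParser and XSLTProcessor; in Node only the
// pure functions run (the browser-only demo at the bottom is guarded).
const XSL_NS = "http://www.w3.org/1999/XSL/Transform";

// Return the method declared by xsl:output in a parsed stylesheet document
// ("xml", "html" or "text"), or null when no xsl:output/@method is present.
// Approximation: the last declaration in document order wins; included or
// imported stylesheets are not followed.
function declaredOutputMethod(stylesheetDoc) {
  let method = null;
  for (const el of stylesheetDoc.getElementsByTagNameNS(XSL_NS, "output")) {
    const m = el.getAttribute("method");
    if (m && m.trim()) method = m.trim();
  }
  return method;
}

// Transform `sourceDoc` with a processor that already imported `stylesheetDoc`.
// Text output is taken through transformToFragment() and returned as a string,
// which avoids the transformToDocument() path described in the report;
// every other method uses transformToDocument() as usual.
function transformByMethod(processor, stylesheetDoc, sourceDoc, ownerDoc) {
  const method = declaredOutputMethod(stylesheetDoc);
  if (method === "text") {
    const frag = processor.transformToFragment(sourceDoc, ownerDoc);
    return { method, text: frag.textContent };
  }
  return { method, document: processor.transformToDocument(sourceDoc) };
}

// Constructed stylesheet with the same trigger as the report (method="text").
const SAMPLE_XSL = `<xsl:stylesheet version="1.0" xmlns:xsl="${XSL_NS}">
  <xsl:output method="text"/>
  <xsl:template match="/">hello</xsl:template>
</xsl:stylesheet>`;

if (typeof XSLTProcessor !== "undefined" && typeof DOMParser !== "undefined") {
  // Browser-only demo: the text stylesheet is dispatched to the fragment path.
  const parser = new DOMParser();
  const xsl = parser.parseFromString(SAMPLE_XSL, "application/xml");
  const src = parser.parseFromString("<root/>", "application/xml");
  const proc = new XSLTProcessor();
  proc.importStylesheet(xsl);
  console.log(transformByMethod(proc, xsl, src, document));
}
```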
Peter: the null crash doesn't worry me but I don't know if this assertion indicates a security problem or not. Please weigh in.
Flags: needinfo?(peterv)
This is a dupe of bug 1205163.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(peterv)
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-
Keywords: sec-low
Group: dom-core-security