Closed
Bug 1243327
Opened 8 years ago
Closed 8 years ago
Assertion failure "doc->GetReadyStateEnum() == READYSTATE_INTERACTIVE" and crash
Categories
(Core :: XSLT, defect)
RESOLVED
DUPLICATE
of bug 1205163
People
(Reporter: nicolas.gregoire, Unassigned)
Details
(Keywords: sec-low)
No description provided.
Comment 1•8 years ago
Tested on latest Firefox 44 compiled with ASan+debug

Description: the crash happens if
1) a "xsl:output" element with an attribute of name "method" and value "text" is used
2) transformation is done via transformToDocument() and not transformToFragment().

XSLT:

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
</xsl:stylesheet>

Output:

Assertion failure: doc->GetReadyStateEnum() == nsIDocument::READYSTATE_INTERACTIVE (Bad readyState), at /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:696
=================================================================
==40157==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd6b0eb55cd sp 0x7fff058dbe00 bp 0x7fff058dc2f0 T0)
    #0 0x7fd6b0eb55cc in txMozillaXSLTProcessor::TransformToDoc(nsIDOMDocument**, bool) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:697
    #1 0x7fd6b0eb8793 in txMozillaXSLTProcessor::TransformToDocument(nsINode&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:1329
    #2 0x7fd6af6e9860 in mozilla::dom::XSLTProcessorBinding::transformToDocument(JSContext*, JS::Handle<JSObject*>, txMozillaXSLTProcessor*, JSJitMethodCallArgs const&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/obj-firefox/dom/bindings/./XSLTProcessorBinding.cpp:153
    #3 0x7fd6afd731ce in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/bindings/BindingUtils.cpp:2691
    #4 0x7fd6b40ed142 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jscntxtinlines.h:235
    #5 0x7fd6b40b39ac in js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/vm/Interpreter.cpp:772:16
    #6 0x7fd6b40dfadd in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/vm/Interpreter.cpp:3105
    #7 0x7fd6b40cb990 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/vm/Interpreter.cpp:725
    #8 0x7fd6b40eee42 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/vm/Interpreter.cpp:1000
    #9 0x7fd6b40ef9ab in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/vm/Interpreter.cpp:1034
    #10 0x7fd6b3d98c4c in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jsapi.cpp:4598
    #11 0x7fd6b3d98992 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jsapi.cpp:4624
    #12 0x7fd6ad9b57d4 in ProcessFile(mozilla::dom::AutoJSAPI&, char const*, _IO_FILE*, bool) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/xpconnect/src/XPCShellImpl.cpp:876
    #13 0x7fd6ad9b5a73 in Process(mozilla::dom::AutoJSAPI&, char const*, bool) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/xpconnect/src/XPCShellImpl.cpp:929
    #14 0x7fd6ad95612f in ProcessArgs(mozilla::dom::AutoJSAPI&, char**, int, XPCShellDirProvider*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/xpconnect/src/XPCShellImpl.cpp:1128
    #15 0x7fd6ad9537c2 in XRE_XPCShellMain /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/xpconnect/src/XPCShellImpl.cpp:1546
    #16 0x48a94f in main /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/xpconnect/shell/xpcshell.cpp:54
    #17 0x7fd6a708cec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #18 0x48a6cc in _start (/home/user/ff-44/xpcshell+0x48a6cc)

Live demo at http://nicob.net/firefox-aeshooT3/Bug-1/launcher.html
Updated•8 years ago
Group: core-security
Updated•8 years ago
Group: core-security → dom-core-security
Updated•8 years ago
Flags: sec-bounty?
Comment 2•8 years ago
Peter: the null crash doesn't worry me but I don't know if this assertion indicates a security problem or not. Please weigh in.
Flags: needinfo?(peterv)
Comment 3•8 years ago
This is a dupe of bug 1205163.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(peterv)
Resolution: --- → DUPLICATE
Updated•8 years ago
Flags: sec-bounty? → sec-bounty-
Updated•6 years ago
Group: dom-core-security