Closed Bug 162352 Opened 23 years ago Closed 23 years ago

Browser crash [@ AttributeValueTemplate::evaluate] on styling XML with XSLT that contains <item attribute="{$a}" />

Categories

(Core :: XSLT, defect)

Product:
Core
Component:
XSLT
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: inigosurguy, Assigned: peterv)

Details

(Keywords: crash)

Crash Data

Attachments

(2 files)

Crashing XSLT file
605 bytes, text/xml
Details
XML file - causes crash
117 bytes, text/xml
Details
From Bugzilla Helper: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1b) Gecko/20020805 BuildID: 2002080508 Styling the XML document <root/> crashes the browser when using the stylesheet <xsl:template match="root"> <item attribute="{$a}" /> </xsl:template> Anything along the same lines crashes too - for example <item attribute="{$translate(., ' ', '_')}()" /> or <item attribute="{$substring('abc', 'b')}" /> or <item attribute="{$notsubstring('abc', 'b')}" /> Admittedly, this isn't working XSLT, but it's code that's easy to write by mistake (I did, after all :) and shouldn't cause a crash. Reproducible: Always Steps to Reproduce: 1. Open page 2. Browser crashes
Attached file Crashing XSLT file
I don't crash on a build from today. Reporter, could you try a build from today or provide a talkback id?
Talkback IDs TB9261289M and TB9262511E. I'm downloading the latest nightly now - it'll be a while since I've got a slow modem connection. I'll update the bug when I have it.
Tried again with the latest nightly - everything works fine.
Status: UNCONFIRMED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
v
Status: RESOLVED → VERIFIED
For the record (and future querying), this was the stack: Incident #9262511 ------------------ Build ID 2002080508 Operating System Windows NT 5.0 build 2195 User Comments Clicking attachment in bug 162352 in Bugzilla Stack Trace AttributeValueTemplate::evaluate [c:/builds/seamonkey/mozilla/extensions/transformiix/source/xpath/AttributeValueTemplate.cpp, line 69] ProcessorState::processAttrValueTemplate [c:/builds/seamonkey/mozilla/extensions/transformiix/source/xslt/ProcessorState.cpp, line 689] XSLTProcessor::processAction [c:/builds/seamonkey/mozilla/extensions/transformiix/source/xslt/XSLTProcessor.cpp, line 1081] XSLTProcessor::processTemplate [c:/builds/seamonkey/mozilla/extensions/transformiix/source/xslt/XSLTProcessor.cpp, line 1832] XSLTProcessor::processMatchedTemplate [c:/builds/seamonkey/mozilla/extensions/transformiix/source/xslt/XSLTProcessor.cpp, line 1880] XSLTProcessor::processDefaultTemplate [c:/builds/seamonkey/mozilla/extensions/transformiix/source/xslt/XSLTProcessor.cpp, line 1920] XSLTProcessor::processMatchedTemplate [c:/builds/seamonkey/mozilla/extensions/transformiix/source/xslt/XSLTProcessor.cpp, line 1885] XSLTProcessor::process [c:/builds/seamonkey/mozilla/extensions/transformiix/source/xslt/XSLTProcessor.cpp, line 1025] XSLTProcessor::startTransform [c:/builds/seamonkey/mozilla/extensions/transformiix/source/xslt/XSLTProcessor.cpp, line 2077] XSLTProcessor::TransformDocument [c:/builds/seamonkey/mozilla/extensions/transformiix/source/xslt/XSLTProcessor.cpp, line 2454] nsTransformMediator::TryToTransform [c:/builds/seamonkey/mozilla/content/xsl/document/src/nsTransformMediator.cpp, line 109] nsTransformMediator::SetStyleSheetContentModel [c:/builds/seamonkey/mozilla/content/xsl/document/src/nsTransformMediator.cpp, line 144] nsXSLContentSink::DidBuildModel [c:/builds/seamonkey/mozilla/content/xsl/document/src/nsXSLContentSink.cpp, line 141] nsExpatDriver::DidBuildModel [c:/builds/seamonkey/mozilla/htmlparser/src/nsExpatDriver.cpp, line 939] nsParser::DidBuildModel [c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp, line 1263] nsParser::ResumeParse [c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp, line 1805] nsParser::OnStopRequest [c:/builds/seamonkey/mozilla/htmlparser/src/nsParser.cpp, line 2434] nsStreamListenerTee::OnStopRequest [c:/builds/seamonkey/mozilla/netwerk/base/src/nsStreamListenerTee.cpp, line 66] nsHttpChannel::OnStopRequest [c:/builds/seamonkey/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp, line 2931] nsOnStopRequestEvent::HandleEvent [c:/builds/seamonkey/mozilla/netwerk/base/src/nsRequestObserverProxy.cpp, line 213] PL_HandleEvent [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c, line 597] PL_ProcessPendingEvents [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c, line 530] _md_EventReceiverProc [c:/builds/seamonkey/mozilla/xpcom/threads/plevent.c, line 1078] nsAppShellService::Run [c:/builds/seamonkey/mozilla/xpfe/appshell/src/nsAppShellService.cpp, line 452] main1 [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1534] main [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1881] WinMain [c:/builds/seamonkey/mozilla/xpfe/bootstrap/nsAppRunner.cpp, line 1899] WinMainCRTStartup() KERNEL32.DLL + 0x17d08 (0x77e97d08)
Keywords: crash
Summary: Browser crash on styling XML with XSLT that contains <item attribute="{$a}" /> → Browser crash [@ AttributeValueTemplate::evaluate] on styling XML with XSLT that contains <item attribute="{$a}" />
The problem was that the old VariableRefExpr::evaluate code returned null in errorcases, which we have several clients of ::evaluate that can't deal with. The new code however returns a StringResult("error") so we should be safe as long as we don't run out of memory
Crash Signature: [@ AttributeValueTemplate::evaluate]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: