Bug 202765 - Crash when doing document.write[ln] in an XSLT stylesheet [@ txMozillaXMLOutput::endHTMLElement]
Status: RESOLVED FIXED
Whiteboard: read URL for workaround
Keywords: crash, testcase
Product: Core
Classification: Components
Component: XSLT
Version: Trunk
Platform: All All
Importance: -- critical with 5 votes
Target Milestone: ---
Assigned To: Nobody; OK to take it and work on it
QA Contact:
Mentors:
URL: http://www.mozilla.org/projects/xslt/...
Duplicates: 207358 211503 234107 243863 248259 248550 259730 276910 278617 281683 281771 289113 292378 297149 336709
Depends on:
Blocks: 293347
Reported: 2003-04-21 02:32 PDT by Martin Honnen
Modified: 2014-04-26 02:25 PDT
CC List: 32 users
jst: wanted‑next+
jst: blocking1.9.2-
jst: wanted1.9.2+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
alpha1+


Attachments
XSLT stylesheet causing the crash (837 bytes, text/xml)
2003-04-21 02:34 PDT, Martin Honnen
no flags
test case (load and Mozilla 1.3 and 1.4a crash) (211 bytes, text/xml)
2003-04-21 02:37 PDT, Martin Honnen
no flags
function(){throw localized not supported during transform;} (5.90 KB, patch)
2003-06-02 14:30 PDT, Axel Hecht
no flags

Description Martin Honnen 2003-04-21 02:32:07 PDT
I will upload the XML and XSLT files causing the crash.
Crash happens with Mozilla 1.3 release and Mozilla 1.4a release on Win 98.
There should be talkback data as I filled out the talkback dialogs when the
browsers crashed.
The XML is transformed and rendered without problems in IE6.
Comment 1 Martin Honnen 2003-04-21 02:34:31 PDT
Created attachment 121175
XSLT stylesheet causing the crash
Comment 2 Martin Honnen 2003-04-21 02:37:10 PDT
Created attachment 121177
test case (load and Mozilla 1.3 and 1.4a crash)
Comment 3 Martin Honnen 2003-04-21 02:49:03 PDT
Talkback ids: TB19347247Z, TB19347081H
Comment 4 Olivier Cahagne 2003-04-21 03:11:02 PDT
crash using nightly 2003042005 on Linux and a debug build (CVS 20030420):

###!!! ASSERTION: QueryInterface needed: 'query_result.get() == mRawPtr', file
../../dist/include/xpcom/nsCOMPtr.h, line 508
Break: at file ../../dist/include/xpcom/nsCOMPtr.h, line 508
pldhash: for the table at address 0xbfffeaf0, the given entrySize of 48 probably
favors chaining over double hashing.
Error loading URL
http://bugzilla.mozilla.org/attachment.cgi?id=121177&action=view : 804b0002
###!!! ASSERTION: Please remove this from the document properly: '!mDocument',
file nsGenericElement.cpp, line 745
Break: at file nsGenericElement.cpp, line 745
###!!! ASSERTION: Please remove this from the document properly: '!mDocument',
file nsGenericElement.cpp, line 745
Break: at file nsGenericElement.cpp, line 745
###!!! ASSERTION: Unbalanced startElement and endElement calls!:
'nodeName.Equals(aName, nsCaseInsensitiveStringComparator())', file
txMozillaXMLOutput.cpp, line 237
Break: at file txMozillaXMLOutput.cpp, line 237
###!!! ASSERTION: Unbalanced startElement and endElement calls!:
'nodeName.Equals(aName, nsCaseInsensitiveStringComparator())', file
txMozillaXMLOutput.cpp, line 237
Break: at file txMozillaXMLOutput.cpp, line 237
###!!! ASSERTION: endElement'ing non-element: 'element', file
txMozillaXMLOutput.cpp, line 247
Break: at file txMozillaXMLOutput.cpp, line 247
###!!! ASSERTION: Can't QI to nsIContent: 'content', file
txMozillaXMLOutput.cpp, line 534
Break: at file txMozillaXMLOutput.cpp, line 534
###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().:
'mRawPtr != 0', file ../../../../dist/include/xpcom/nsCOMPtr.h, line 691
Break: at file ../../../../dist/include/xpcom/nsCOMPtr.h, line 691

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 1796)]
0x420c11dd in txMozillaXMLOutput::endHTMLElement (this=0x827a078,
    aElement=0x0, aXHTML=0) at txMozillaXMLOutput.cpp:537
537         content->GetTag(*getter_AddRefs(atom));
(gdb) p atom
$1 = {mRawPtr = 0x0}
(gdb) bt
#0  0x420c11dd in txMozillaXMLOutput::endHTMLElement (this=0x827a078,
    aElement=0x0, aXHTML=0) at txMozillaXMLOutput.cpp:537
#1  0x420bf588 in txMozillaXMLOutput::endElement (this=0x827a078,
    aName=@0xbfffe900, aNsID=0) at txMozillaXMLOutput.cpp:248
#2  0x420b65a6 in txEndElement::execute (this=0x8a73ff0, aEs=@0xbfffea30)
    at txInstructions.cpp:487
#3  0x420d75ca in txXSLTProcessor::execute (aEs=@0xbfffea30)
    at txXSLTProcessor.cpp:108
#4  0x420bd890 in txMozillaXSLTProcessor::DoTransform (this=0x89df838)
    at txMozillaXSLTProcessor.cpp:346
#5  0x420be51e in txMozillaXSLTProcessor::setStylesheet (this=0x89df838,
    aStylesheet=0x8a2dc60) at txMozillaXSLTProcessor.cpp:591
#6  0x420b8cc4 in txCompileObserver::onDoneCompiling (this=0x8a43fd0,
    aCompiler=0x8a2db88, aResult=0) at txMozillaStylesheetCompiler.cpp:261
#7  0x420d045e in txStylesheetCompiler::maybeDoneCompiling (this=0x8a2db88)
    at txStylesheetCompiler.cpp:510
#8  0x420d0028 in txStylesheetCompiler::doneLoading (this=0x8a2db88)
    at txStylesheetCompiler.cpp:399
#9  0x420b89aa in txStylesheetSink::DidBuildModel (this=0x8a8fde8,
    aQualityLevel=0) at txMozillaStylesheetCompiler.cpp:188
#10 0x415cdf5c in nsExpatDriver::DidBuildModel (this=0x89a8690, anErrorCode=0,
    aNotifySink=1, aParser=0x8a2e7b8, aSink=0x8a8fde8)
    at nsExpatDriver.cpp:1027
[...]
Comment 5 Jonas Sicking (:sicking) No longer reading bugmail consistently 2003-04-21 08:34:33 PDT
We're most likely falling on the document.write. document.write is not supported
(and there is currently no schedule for if/when it will be), but we should of
course make sure we don't crash.
Comment 6 Greg K. 2003-04-21 20:07:18 PDT
Reproduced using FizzillaMach/2003-04-21-08-trunk, generating TB240513H. Setting
Hardware=All.
Comment 7 Greg K. 2003-05-28 09:30:04 PDT
*** Bug 207358 has been marked as a duplicate of this bug. ***
Comment 8 Axel Hecht 2003-06-02 14:28:30 PDT
taking, I have a patch.
I merely rewire document.write and writeln to functions that throw() a
string I get from our string bundle.
After the transform, I delete those functions, which re-exposes the native code.
That was kinda easy.
Comment 9 Axel Hecht 2003-06-02 14:30:23 PDT
Created attachment 124764
function(){throw localized not supported during transform;}
Comment 10 Jonas Sicking (:sicking) No longer reading bugmail consistently 2003-06-03 11:57:25 PDT
I'm not so sure I like this way of inserting scripts by having the js-engine
evaluate strings, and then deleting them by doing the same thing again. Is this
done anywhere else in mozilla?

I'm definitely fine with doing this on the branch just to patch the crasher. But
on the trunk we should IMHO fix document.write to not crash, and possibly throw
the exception there. XHTML needs something similar iirc since document.write
doesn't work while an XHTML document is being parsed.
Comment 11 Axel Hecht 2003-07-07 04:24:21 PDT
document.write is completely disabled for XHTML.
XSLT needs to do this just during transformation. Seems to be something different.

I see three ways to achieve this:
- hack in the js context, like attachment 124764 does.
- create a nsPIHTMLDocument, with just a CanDocumentWrite(PRBool aBool) method
- hack into nsIDocument, possibly changing IsCaseSensitive to something like
  SetFeature(PRUint32 aFeature, PRBool aEnabled) and HasFeature(PRUint32 aFeature)
  and merging casesensitivity and document.write into a bitfield.

jst, any opinion on this?

adjusting topic, obviously didn't block 1.4, if we get a plan together, we 
might improve 1.4.x
Comment 12 Axel Hecht 2003-07-07 04:44:53 PDT
*** Bug 211503 has been marked as a duplicate of this bug. ***
Comment 13 Jonas Sicking (:sicking) No longer reading bugmail consistently 2003-07-07 11:42:26 PDT
i think i would prefer to see CanDocumentWrite (or something like it) to
nsIHTMLDocument
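
An added sketch (not part of the bug thread and not Mozilla code) contrasting the shadow-and-delete approach from comment 8 with the document-level check proposed in comments 11 and 13. `FakeDocument`, `writeAllowed` and all function names are hypothetical stand-ins.

```javascript
// Constructed stand-in for an HTML document (hypothetical names throughout).
// write/writeln live on the prototype, the way native DOM methods do.
class FakeDocument {
  constructor() { this.output = []; this.writeAllowed = true; }
  write(s) {
    // Comments 11/13 style: the document itself refuses the call.
    if (!this.writeAllowed) throw new Error("write not supported during transform");
    this.output.push(s);
  }
  writeln(s) { this.write(s + "\n"); }
}

// Comment 8 style: shadow the prototype methods with own properties that
// throw, then delete the shadows so the native methods show through again.
function transformWithShadowedWrite(doc, transform) {
  const blocked = () => { throw new Error("write not supported during transform"); };
  doc.write = blocked;
  doc.writeln = blocked;
  try {
    return transform(doc);
  } finally {
    delete doc.write;   // removes only the own property
    delete doc.writeln;
  }
}

// Comments 11/13 style: flip a flag on the document for the duration.
function transformWithFlag(doc, transform) {
  doc.writeAllowed = false;
  try {
    return transform(doc);
  } finally {
    doc.writeAllowed = true;
  }
}

// Run a transform whose script calls write both by property lookup and via a
// reference to the prototype method taken before the transform started.
function probe(runner) {
  const doc = new FakeDocument();
  const saved = doc.write;
  let direct = "allowed", viaSaved = "allowed";
  runner(doc, (d) => {
    try { d.write("x"); } catch (e) { direct = "blocked"; }
    try { saved.call(d, "y"); } catch (e) { viaSaved = "blocked"; }
  });
  doc.write("after");
  return { direct, viaSaved, output: doc.output };
}
```

In this sketch the shadowing variant blocks only calls made by property lookup on the document, while the flag variant also blocks a previously saved method reference. Both restore `write` even when the transform throws.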
Comment 14 Axel Hecht 2003-08-05 07:03:06 PDT
Comment on attachment 124764
function(){throw localized not supported during transform;}

obviously nobody likes this
Comment 15 José Jeria 2004-02-13 02:44:10 PST
*** Bug 234107 has been marked as a duplicate of this bug. ***
Comment 16 Jonas Sicking (:sicking) No longer reading bugmail consistently 2004-04-16 09:06:46 PDT
*** Bug 240592 has been marked as a duplicate of this bug. ***
Comment 17 HARUNAGA Hirotoshi 2004-05-17 20:52:12 PDT
*** Bug 243863 has been marked as a duplicate of this bug. ***
Comment 18 XFox 2004-06-07 17:11:43 PDT
document.write('<xsl:value-of />') will cause Mozilla to hang and all other tabs
will not respond. But the DOM Inspector shows interesting results.
Comment 19 Axel Hecht 2004-06-08 00:16:28 PDT
(In reply to comment #18)
> document.write('<xsl:value-of />') will cause Mozilla to hang and all other tabs
> will not respond. But the DOM Inspector shows interesting results.

You deserve a cookie for creativity.
.adtech.de      TRUE    /       FALSE   1398440457      JEB2    02DD2501A03A7265
8D14369430041571
Comment 20 Axel Hecht 2004-06-15 23:45:38 PDT
I don't have the cycles nor the idea to do this.
Comment 21 Peter Van der Beken [:peterv] 2004-06-23 00:48:53 PDT
*** Bug 248259 has been marked as a duplicate of this bug. ***
Comment 22 Axel Hecht 2004-06-24 15:35:11 PDT
*** Bug 248550 has been marked as a duplicate of this bug. ***
Comment 23 Adam 2004-06-24 21:33:19 PDT
Seeing this on Windows XP Pro SP1..
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040624
Firefox/0.9.0+

The testcase locks up Firefox. Tabs can still be closed, but other than that,
the browser isn't functional. The window closed, but firefox was still running.
I needed to ctrl+alt+del to bring up the task manager and kill it before being
able to reopen the browser.

Any takers?
Comment 24 Per 2004-07-23 00:17:24 PDT
Adding xmlns="http://www.w3.org/TR/xhtml1/strict" to the header prevents from
crashing but it seems as if transformation halts.
Comment 25 Axel Hecht 2004-09-27 04:45:45 PDT
*** Bug 259730 has been marked as a duplicate of this bug. ***
Comment 26 Benjamin Erb 2005-01-03 13:58:30 PST
*** Bug 276910 has been marked as a duplicate of this bug. ***
Comment 27 José Jeria 2005-01-16 11:37:05 PST
*** Bug 278617 has been marked as a duplicate of this bug. ***
Comment 28 Frank Wein [:mcsmurf] 2005-02-10 02:16:00 PST
*** Bug 281771 has been marked as a duplicate of this bug. ***
Comment 29 Martijn Wargers [:mwargers] (not working for Mozilla) 2005-02-14 11:26:53 PST
*** Bug 281683 has been marked as a duplicate of this bug. ***
Comment 30 Axel Hecht 2005-04-05 07:20:56 PDT
*** Bug 289113 has been marked as a duplicate of this bug. ***
Comment 31 Uri Bernstein (Google) 2005-04-30 01:35:26 PDT
*** Bug 292378 has been marked as a duplicate of this bug. ***
Comment 32 PikeUK 2005-06-09 00:54:42 PDT
*** Bug 297149 has been marked as a duplicate of this bug. ***
Comment 33 Hideo Oshima 2005-11-19 03:37:22 PST
2005111804-trunk/Linux doesn't crash but loading
doesn't finish.
Is this another bug?
Comment 34 Jonas Sicking (:sicking) No longer reading bugmail consistently 2006-05-05 11:05:04 PDT
*** Bug 336709 has been marked as a duplicate of this bug. ***
Comment 35 Declan Naughton 2006-05-15 16:50:17 PDT
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3

Doesn't crash - loading doesn't finish, just like what Hideo said.
Comment 36 raymi_coevan 2008-12-29 06:03:36 PST
Is it still the case with Firefox 3.0.5 or is it just me ?
Comment 37 Jonas Sicking (:sicking) No longer reading bugmail consistently 2008-12-29 10:52:51 PST
If you can't reproduce I'd say we should close it as things have changed a lot since this bug was filed
Comment 38 raymi_coevan 2008-12-29 23:48:41 PST
I can reproduce whenever you want. Tell me what you expect as debug or dump file and I will provide.
Comment 39 Jesse Ruderman 2009-09-13 12:21:42 PDT
Bug 293347 has a reproducible testcase.  It doesn't crash in quite the same way, but that doesn't matter as long as we think the right solution is to disable document.write in XSLT (comment 11, comment 13).  Let's do that!
Comment 40 Johnny Stenback (:jst, jst@mozilla.com) 2009-09-22 18:09:14 PDT
Sure! But I'm not going to hold the release for this.
Comment 41 Jesse Ruderman 2009-12-23 18:07:31 PST
The patch in bug 293347 fixed this by not allowing document.write in pages created using XSLT.
