303711 - hang and then crash with XSLTProcessor processing stylesheet with infinite recursion

Status: RESOLVED DUPLICATE of bug 226425

(Core :: XSLT, defect)

Description

[Martin Honnen]

By accident I wrote an XSLT stylesheet with an infinite recursion that crashed
Firefox when run with script and XSLTProcessor::transformToFragment.

When trying to reduce that to a reproducable test case I came up with the test
case at
<http://home.arcor.de/martin.honnen/mozillaBugs/xslt/infiniteRecursionHang1.html>
where the first button loads the stylesheet
<http://home.arcor.de/martin.honnen/mozillaBugs/xslt/infiniteRecursion1Xsl.xml>
and runs it against the current HTML document.

With that stylesheet Firefox (tested with a current nightly Mozilla/5.0
(Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050806 Firefox/1.0+)
reproducable hangs and then when you click somewhere in the browser (e.g. the
location bar or another window like the JavaScript console) crashes.

Some produced talkbacks are here:
<http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=8139697>
<http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=8139425>

I file this on XSLT for now as the hang is caused by using XSLTProcessor, anyone
more competent than me to read stack traces should change the component as needed.

I also tested whether the XSLTProcessor hangs or crashes with any stylesheet
with infinite recursion but that is not the case, the second button in the test
case uses the stylesheet
<http://home.arcor.de/martin.honnen/mozillaBugs/xslt/infiniteRecursion2Xsl.xml>
and then the transformToFragment method throws an exception, no hang or crash
occurs.

Comment 1

[Peter Van der Beken [:peterv]]

So this crashes because we create a tree 20000 elements deep, we probably need
to add a depth limit to the output handlers.

Comment 2

[Peter Van der Beken [:peterv]]

*** This bug has been marked as a duplicate of 226425 ***