Closed Bug 602115 Opened 14 years ago Closed 14 years ago

Crash [@ txExecutionState::popTemplateRule]

Categories

(Core :: XSLT, defect)

Product:
Core
Component:
XSLT
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- final+
blocking1.9.2 --- .14+
status1.9.2 --- .14-fixed
blocking1.9.1 --- .17+
status1.9.1 --- .17-fixed

People

(Reporter: jruderman, Assigned: sicking)

References

Details

(4 keywords, Whiteboard: [sg:critical?])

Crash Data

Attachments

(5 files, 1 obsolete file)

testcase (crashes Firefox when loaded)
265 bytes, text/html
Details
stack trace
9.37 KB, text/plain
Details
Patch to fix
8.72 KB, patch
peterv
: review+
Details | Diff | Splinter Review
branch patch
8.70 KB, patch
dveditz
: approval1.9.2.14+
dveditz
: approval1.9.1.17+
Details | Diff | Splinter Review
1.8 version
3.26 KB, patch
Details | Diff | Splinter Review
No description provided.
Group: core-security
Attached file stack trace
Crash address 0xfffffffffffffff8 is kinda scary.
439 NS_IF_RELEASE(mTemplateRules[mTemplateRuleCount].mModeLocalName); mTemplateRuleCount is -1. The popTemplateRule call is coming from end()... but we never called pushTemplateRule, because we bailed out from init() like so: 169 NS_ENSURE_TRUE(document, NS_ERROR_FAILURE); and the caller in txMozillaXSLTProcessor::TransformToDoc didn't check the rv and pressed on.
Whiteboard: [sg:critical?]
Assignee: nobody → jonas
blocking2.0: --- → final+
Jonas, progress here?
Jonas?
I'll start looking at this today
Attached patch Patch to fixSplinter Review
Our error handling here is way busted. We even ignore errors generated from txExecutionState.init. This patch makes us honor that error, and skips the template rule cleanup when the transformation failed for any reason. Instead template rules are properly owned by an nsTArray which simplifies things a lot.
Attachment #492934 - Flags: review?(peterv)
Comment on attachment 492934 [details] [diff] [review] Patch to fix >+ var docType = document.implementation.createDocumentType(undefined, '', ''); >+ var doc = document.implementation.createDocument('', '', null); >+ var xp = new XSLTProcessor; >+ xp.importStylesheet(doc); >+ xp.transformToDocument(docType); >+} >+catch (ex) {} >+ >+try { >+ var docType = document.implementation.createDocumentType(undefined, '', ''); >+ var doc = document.implementation.createDocument('', '', null); >+ var xp = new XSLTProcessor; Don't think you need the |var|s again here. > nsresult This should be void now, it only returns NS_OK. > txExecutionState::pushTemplateRule(txStylesheet::ImportFrame* aFrame,
Attachment #492934 - Flags: review?(peterv) → review+
Checked in http://hg.mozilla.org/mozilla-central/rev/7127fb5bc918
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
This crashes 3.6.x too
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
status1.9.1: --- → wanted
status1.9.2: --- → wanted
blocking1.9.1: ? → .17+
blocking1.9.2: ? → .14+
Blocking branch releases, please work up a back-ported patch if necessary
Attachment #492934 - Flags: approval1.9.2.14?
Attachment #492934 - Flags: approval1.9.1.17?
Comment on attachment 492934 [details] [diff] [review] Patch to fix >- TemplateRule* mTemplateRules; >- PRInt32 mTemplateRulesBufferSize; >- PRInt32 mTemplateRuleCount; >+ AutoInfallibleTArray<TemplateRule, 10> mTemplateRules; Neither branch has AutoInfallibleTArray. Did this compile in your tree?
No, that was the only change I had to make (which also meant returning OOM as needed)
Attached patch branch patch (obsolete) — Splinter Review
Attachment #505007 - Flags: approval1.9.2.14?
Attachment #505007 - Flags: approval1.9.1.17?
Attachment #492934 - Flags: approval1.9.2.14?
Attachment #492934 - Flags: approval1.9.1.17?
Attached patch branch patchSplinter Review
forgot to refresh
Attachment #505007 - Attachment is obsolete: true
Attachment #505009 - Flags: approval1.9.2.14?
Attachment #505009 - Flags: approval1.9.1.17?
Attachment #505007 - Flags: approval1.9.2.14?
Attachment #505007 - Flags: approval1.9.1.17?
Comment on attachment 505009 [details] [diff] [review] branch patch Approved for 1.9.2.14 and 1.9.1.17, a=dveditz
Attachment #505009 - Flags: approval1.9.2.14?
Attachment #505009 - Flags: approval1.9.2.14+
Attachment #505009 - Flags: approval1.9.1.17?
Attachment #505009 - Flags: approval1.9.1.17+
Somehow missed part of the patch when moving it to the 1.9.1 branch. Followup landed (this is in the approved patch above): http://hg.mozilla.org/releases/mozilla-1.9.1/rev/7f3448d65808
Verified fixed for 1.9.2 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.14pre) Gecko/20110120 Namoroka/3.6.14pre. Verified crash in 1.9.2.13. Verified fixed for 1.9.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.17pre) Gecko/20110120 Shiretoko/3.5.17pre. Verified crash in 1.9.1.16.
Keywords: verified1.9.1, verified1.9.2
Group: core-security
Blocks: 637226
Crash Signature: [@ txExecutionState::popTemplateRule]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: