Crash in xsltParseGlobalVariable.

https://bugs.webkit.org/show_bug.cgi?id=75978

Reviewed by Andreas Kling.

Source/WebCore:

The code missed to reset the stylesheet pointer after we fail
to compile the XSLT stylesheet. As a result, the stylesheet gets
reused with a removed document in the next transformToFragment call.

Test: fast/xsl/xslt-transform-to-fragment-crash.html

* xml/XSLTProcessorLibxslt.cpp:
(WebCore::XSLTProcessor::transformToString):

LayoutTests:

* fast/xsl/xslt-transform-to-fragment-crash-expected.txt: Added.
* fast/xsl/xslt-transform-to-fragment-crash.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@105524 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index cb0efaa..6f7a952 100644 (file)
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2012-01-19  Abhishek Arya  <inferno@chromium.org>
+
+        Crash in xsltParseGlobalVariable.
+        https://bugs.webkit.org/show_bug.cgi?id=75978
+
+        Reviewed by Andreas Kling.
+
+        * fast/xsl/xslt-transform-to-fragment-crash-expected.txt: Added.
+        * fast/xsl/xslt-transform-to-fragment-crash.html: Added.
+
 2012-01-20  Csaba Osztrogonác  <ossy@webkit.org>
 
         [Qt][WK2] REGRESSION(r105517): It made 49 tests timeout

diff --git a/LayoutTests/fast/xsl/xslt-transform-to-fragment-crash-expected.txt b/LayoutTests/fast/xsl/xslt-transform-to-fragment-crash-expected.txt
new file mode 100644 (file)
index 0000000..0383162
--- /dev/null
+++ b/LayoutTests/fast/xsl/xslt-transform-to-fragment-crash-expected.txt
@@ -0,0 +1 @@
+Test passes if it does not crash.

diff --git a/LayoutTests/fast/xsl/xslt-transform-to-fragment-crash.html b/LayoutTests/fast/xsl/xslt-transform-to-fragment-crash.html
new file mode 100644 (file)
index 0000000..6f0dae3
--- /dev/null
+++ b/LayoutTests/fast/xsl/xslt-transform-to-fragment-crash.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+Test passes if it does not crash.
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+var style = '\
+    <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"> \
+      <xsl:variable name="test"></xsl:variable> \
+      <xsl:variable name="test"></xsl:variable> \
+    </xsl:stylesheet>';
+var xslp = new XSLTProcessor();
+var foo = new DOMParser().parseFromString(style, "text/xml");
+xslp.importStylesheet(foo);
+xslp.transformToFragment(foo, document);
+xslp.transformToFragment(foo, document);
+</script>
+</html>

diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 99ec308..e8ebc79 100755 (executable)
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,19 @@
+2012-01-19  Abhishek Arya  <inferno@chromium.org>
+
+        Crash in xsltParseGlobalVariable.
+        https://bugs.webkit.org/show_bug.cgi?id=75978
+
+        Reviewed by Andreas Kling.
+
+        The code missed to reset the stylesheet pointer after we fail
+        to compile the XSLT stylesheet. As a result, the stylesheet gets
+        reused with a removed document in the next transformToFragment call.
+
+        Test: fast/xsl/xslt-transform-to-fragment-crash.html
+
+        * xml/XSLTProcessorLibxslt.cpp:
+        (WebCore::XSLTProcessor::transformToString):
+
 2012-01-20  Nikolas Zimmermann  <nzimmermann@rim.com>
 
         REGRESSION (r98852): apple.com navigation bar is broken under full-page zoom

diff --git a/Source/WebCore/xml/XSLTProcessorLibxslt.cpp b/Source/WebCore/xml/XSLTProcessorLibxslt.cpp
index 1704373..076a852 100644 (file)
--- a/Source/WebCore/xml/XSLTProcessorLibxslt.cpp
+++ b/Source/WebCore/xml/XSLTProcessorLibxslt.cpp
@@ -307,6 +307,7 @@ bool XSLTProcessor::transformToString(Node* sourceNode, String& mimeType, String
     xsltStylesheetPtr sheet = xsltStylesheetPointer(m_stylesheet, m_stylesheetRootNode.get());
     if (!sheet) {
         setXSLTLoadCallBack(0, 0, 0);
+        m_stylesheet = 0;
         return false;
     }
     m_stylesheet->clearDocuments();