From f454c06c79fea0ab154deb705a3e3cb3f2b570a0 Mon Sep 17 00:00:00 2001
From: "inferno@chromium.org"
Date: Fri, 20 Jan 2012 18:17:47 +0000
Subject: [PATCH] Crash in xsltParseGlobalVariable.

https://bugs.webkit.org/show_bug.cgi?id=75978
Reviewed by Andreas Kling.
Source/WebCore:
The code missed to reset the stylesheet pointer after we fail
to compile the XSLT stylesheet. As a result, the stylesheet gets
reused with a removed document in the next transformToFragment call.
Test: fast/xsl/xslt-transform-to-fragment-crash.html
* xml/XSLTProcessorLibxslt.cpp:
(WebCore::XSLTProcessor::transformToString):
LayoutTests:
* fast/xsl/xslt-transform-to-fragment-crash-expected.txt: Added.
* fast/xsl/xslt-transform-to-fragment-crash.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@105524 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
 LayoutTests/ChangeLog | 10 ++++++++++
 .../xsl/xslt-transform-to-fragment-crash-expected.txt | 1 +
 .../fast/xsl/xslt-transform-to-fragment-crash.html | 19 +++++++++++++++++++
 Source/WebCore/ChangeLog | 16 ++++++++++++++++
 Source/WebCore/xml/XSLTProcessorLibxslt.cpp | 1 +
 5 files changed, 47 insertions(+)
 create mode 100644 LayoutTests/fast/xsl/xslt-transform-to-fragment-crash-expected.txt
 create mode 100644 LayoutTests/fast/xsl/xslt-transform-to-fragment-crash.html
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index cb0efaa..6f7a952 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2012-01-19 Abhishek Arya
+
+ Crash in xsltParseGlobalVariable.
+ https://bugs.webkit.org/show_bug.cgi?id=75978
+
+ Reviewed by Andreas Kling.
+
+ * fast/xsl/xslt-transform-to-fragment-crash-expected.txt: Added.
+ * fast/xsl/xslt-transform-to-fragment-crash.html: Added.
+
 2012-01-20 Csaba Osztrogonác [Qt][WK2] REGRESSION(r105517): It made 49 tests timeout
diff --git a/LayoutTests/fast/xsl/xslt-transform-to-fragment-crash-expected.txt b/LayoutTests/fast/xsl/xslt-transform-to-fragment-crash-expected.txt
new file mode 100644
index 0000000..0383162
--- /dev/null
+++ b/LayoutTests/fast/xsl/xslt-transform-to-fragment-crash-expected.txt
@@ -0,0 +1 @@
+Test passes if it does not crash.
diff --git a/LayoutTests/fast/xsl/xslt-transform-to-fragment-crash.html b/LayoutTests/fast/xsl/xslt-transform-to-fragment-crash.html
new file mode 100644
index 0000000..6f0dae3
--- /dev/null
+++ b/LayoutTests/fast/xsl/xslt-transform-to-fragment-crash.html
@@ -0,0 +1,19 @@
+
+
+Test passes if it does not crash.
+
+
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 99ec308..e8ebc79 100755
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,19 @@
+2012-01-19 Abhishek Arya
+
+ Crash in xsltParseGlobalVariable.
+ https://bugs.webkit.org/show_bug.cgi?id=75978
+
+ Reviewed by Andreas Kling.
+
+ The code missed to reset the stylesheet pointer after we fail
+ to compile the XSLT stylesheet. As a result, the stylesheet gets
+ reused with a removed document in the next transformToFragment call.
+
+ Test: fast/xsl/xslt-transform-to-fragment-crash.html
+
+ * xml/XSLTProcessorLibxslt.cpp:
+ (WebCore::XSLTProcessor::transformToString):
+
 2012-01-20 Nikolas Zimmermann REGRESSION (r98852): apple.com navigation bar is broken under full-page zoom
diff --git a/Source/WebCore/xml/XSLTProcessorLibxslt.cpp b/Source/WebCore/xml/XSLTProcessorLibxslt.cpp
index 1704373..076a852 100644
--- a/Source/WebCore/xml/XSLTProcessorLibxslt.cpp
+++ b/Source/WebCore/xml/XSLTProcessorLibxslt.cpp
@@ -307,6 +307,7 @@ bool XSLTProcessor::transformToString(Node* sourceNode, String& mimeType, String
 xsltStylesheetPtr sheet = xsltStylesheetPointer(m_stylesheet, m_stylesheetRootNode.get());
 if (!sheet) {
 setXSLTLoadCallBack(0, 0, 0);
+ m_stylesheet = 0;
 return false;
 }
 m_stylesheet->clearDocuments();
--
2.7.4
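Review bot: The added `m_stylesheet = 0;` in the `if (!sheet)` branch is the entire fix, but nothing at that line tells a later reader why a compile failure must drop the cached stylesheet instead of keeping it for a retry, which makes the reset look removable; a one-line comment would protect it, e.g. `// Drop a stylesheet that failed to compile: the document it was built from may be gone before the next transform reuses it.` It is also worth confirming that the function's later failure exits, after `m_stylesheet->clearDocuments()`, do not leave `m_stylesheet` pointing at a sheet in the same stale state, since the reuse across transformToFragment calls that this commit describes would apply to them as well. The body of transformToString starts and ends outside the hunk, so that cannot be checked here.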