Bug 1430818 - Crash in URIUtils::ResetWithSource. r=bz.

We want to create the source fragment before trying to use it in URIUtils::ResetWithSource. The testcase triggers an assertion related to unbalanced onload blocking/unblocking, fixing that by blocking onload on the new document we're setting in OnTransformDone and unblocking onload on the old document. --HG-- extra : rebase_source : 8bbdb9ce6a38dc6b76d13dfb2c3c7d67f78ecefe
dothq · Feb 5, 2018 · 20e677d · 20e677d
1 parent 9c8b6a8
commit 20e677d
Show file tree

Hide file tree

Showing 5 changed files with 72 additions and 4 deletions.
diff --git a/dom/xml/nsXMLContentSink.cpp b/dom/xml/nsXMLContentSink.cpp
@@ -324,9 +324,9 @@ nsXMLContentSink::DidBuildModel(bool aTerminated)
     mIsDocumentObserver = false;
 
     mDocument->EndLoad();
-  }
 
-  DropParserAndPerfHint();
+    DropParserAndPerfHint();
+  }
 
   return NS_OK;
 }
@@ -368,6 +368,13 @@ nsXMLContentSink::OnTransformDone(nsresult aResult,
   }
 
   nsCOMPtr<nsIDocument> originalDocument = mDocument;
+  bool blockingOnload = mIsBlockingOnload;
+  if (!mRunsToCompletion) {
+    // This BlockOnload call corresponds to the UnblockOnload call in
+    // nsContentSink::DropParserAndPerfHint.
+    aResultDocument->BlockOnload();
+    mIsBlockingOnload = true;
+  }
   // Transform succeeded, or it failed and we have an error document to display.
   mDocument = aResultDocument;
   nsCOMPtr<nsIHTMLDocument> htmlDoc = do_QueryInterface(mDocument);
@@ -394,6 +401,13 @@ nsXMLContentSink::OnTransformDone(nsresult aResult,
   ScrollToRef();
 
   originalDocument->EndLoad();
+  if (blockingOnload) {
+    // This UnblockOnload call corresponds to the BlockOnload call in
+    // nsContentSink::WillBuildModelImpl.
+    originalDocument->UnblockOnload(true);
+  }
+
+  DropParserAndPerfHint();
 
   return NS_OK;
 }

diff --git a/dom/xslt/crashtests/1430818.sjs b/dom/xslt/crashtests/1430818.sjs
@@ -0,0 +1,49 @@
+function getFileStream(filename)
+{
+  let self = Components.classes["@mozilla.org/file/local;1"]
+                       .createInstance(Components.interfaces.nsIFile);
+  self.initWithPath(getState("__LOCATION__"));
+  let file = self.parent;
+  file.append(filename);
+  let stream  = Components.classes['@mozilla.org/network/file-input-stream;1']
+                          .createInstance(Components.interfaces.nsIFileInputStream);
+  stream.init(file, -1, -1, false);
+  return stream;
+}
+
+function handleRequest(request, response)
+{
+  response.processAsync();
+  response.setStatusLine(null, 200, "OK");
+  response.setHeader("Content-Type", "text/xml", false);
+
+  switch (request.queryString) {
+    case "stylesheet":
+    {
+      let timer = Components.classes["@mozilla.org/timer;1"]
+                            .createInstance(Components.interfaces.nsITimer);
+      timer.initWithCallback(() => {
+        setState("xslt", "loaded");
+        response.finish();
+        timer.cancel();
+      }, 1000 /* milliseconds */, Components.interfaces.nsITimer.TYPE_REPEATING_SLACK);
+      break;
+    }
+    default:
+    {
+      let stream = getFileStream("1430818.xml");
+      response.bodyOutputStream.writeFrom(stream,
+                                          stream.available());
+      stream.close();
+      let timer = Components.classes["@mozilla.org/timer;1"]
+                            .createInstance(Components.interfaces.nsITimer);
+      timer.initWithCallback(() => {
+        if (getState("xslt") == "loaded") {
+          response.finish();
+          timer.cancel();
+        }
+      }, 100 /* milliseconds */, Components.interfaces.nsITimer.TYPE_REPEATING_SLACK);
+      break;
+    }
+  }
+}
diff --git a/dom/xslt/crashtests/1430818.xml b/dom/xslt/crashtests/1430818.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="?stylesheet"?>
+<root>
+</root>
diff --git a/dom/xslt/crashtests/crashtests.list b/dom/xslt/crashtests/crashtests.list
@@ -25,3 +25,4 @@ load 1336830.html
 load 1336832.html
 load 1338277.html
 load 1361892.html
+HTTP load 1430818.sjs
diff --git a/dom/xslt/xslt/txMozillaXSLTProcessor.cpp b/dom/xslt/xslt/txMozillaXSLTProcessor.cpp
@@ -377,13 +377,13 @@ nsresult
 txMozillaXSLTProcessor::SetSourceContentModel(nsIDocument* aDocument,
                                               const nsTArray<nsCOMPtr<nsIContent>>& aSource)
 {
+    mSource = aDocument->CreateDocumentFragment();
+
     if (NS_FAILED(mTransformResult)) {
         notifyError();
         return NS_OK;
     }
 
-    mSource = aDocument->CreateDocumentFragment();
-
     ErrorResult rv;
     for (nsIContent* child : aSource) {
         // XPath data model doesn't have DocumentType nodes.