Issue 833544

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Regression

XSLT apply-templates stack recursion

Reported by guyinb...@gmail.com, Apr 16 2018

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

Steps to reproduce the problem:
supply this xsl to the window:

<?xml version="1.0"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
  <!-- Matches every node; select="current()" re-applies this same template
       to the node already being processed, so the recursion never bottoms out. -->
  <xsl:template match="child::node()">
    <xsl:apply-imports/>
    <xsl:apply-templates select="current()"/>
  </xsl:template>
</xsl:stylesheet>

you can do it in the link:
https://www.w3schools.com/xml/tryxslt.asp?xmlfile=cdcatalog&xsltfile=cdcatalog

just paste the xsl into the right window and click transform for the crash

What is the expected behavior?
Probably limit the amount of possible recursion of libxslt or add a try/catch clause to handle this kind of case.

What went wrong?
The libxslt engine went on with infinite stack recursion and crashed.

Crashed report ID: 

How much crashed? Just one tab

Is it a problem with a plugin? N/A 

Did this work before? N/A 

Chrome version: 65.0.3325.181  Channel: stable
OS Version: 10.0
Flash Version:
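The reporter's suggested fix is a recursion bound. The following is an added example, not code from Chromium or libxslt: a toy XSLT 1.0 subset (hypothetical names MiniXslt, TemplateRecursionError, transform and run_guarded, and an assumed max_depth limit) that understands only the constructs in the report's stylesheet, runs that stylesheet against a constructed stand-in for the cdcatalog document, and turns the unbounded apply-templates recursion into a caught error instead of a native stack overflow.

```python
import xml.etree.ElementTree as ET

XSL = "{http://www.w3.org/1999/XSL/Transform}"


class TemplateRecursionError(RuntimeError):
    """Raised instead of letting apply-templates recurse until the stack overflows."""


class MiniXslt:
    """Toy XSLT 1.0 subset (hypothetical, not libxslt): just enough to run the
    stylesheet from the report. Patterns: node(), *, child::..., or an element
    name. Instructions: apply-templates, value-of select=".", apply-imports
    (a no-op here because nothing is imported), and literal text."""

    def __init__(self, stylesheet_xml, max_depth=200):
        root = ET.fromstring(stylesheet_xml)
        self.templates = root.findall(XSL + "template")
        self.max_depth = max_depth  # assumed limit; a real engine would pick its own
        self.depth = 0

    @staticmethod
    def _matches(pattern, node):
        pattern = pattern.replace("child::", "")
        return pattern in ("node()", "*") or pattern == node.tag

    @staticmethod
    def _select(expr, node):
        if expr is None or expr.replace("child::", "") in ("node()", "*"):
            return list(node)   # default: the children of the context node
        if expr == "current()":
            return [node]       # the same node again: this is what recurses
        return [c for c in node if c.tag == expr]

    def apply_templates(self, node, out):
        # Depth guard: each nested apply-templates call increments the counter,
        # and the call fails loudly instead of exhausting the native stack.
        self.depth += 1
        try:
            if self.depth > self.max_depth:
                raise TemplateRecursionError(
                    "apply-templates nested deeper than %d on <%s>"
                    % (self.max_depth, node.tag))
            for tmpl in self.templates:
                if self._matches(tmpl.get("match", ""), node):
                    self._run_body(tmpl, node, out)
                    return
            # Built-in rule: copy the element's text and process its children.
            if node.text and node.text.strip():
                out.append(node.text)
            for child in node:
                self.apply_templates(child, out)
        finally:
            self.depth -= 1

    def _run_body(self, tmpl, node, out):
        self._emit_literal(tmpl.text, out)
        for instr in tmpl:
            if instr.tag == XSL + "apply-templates":
                for selected in self._select(instr.get("select"), node):
                    self.apply_templates(selected, out)
            elif instr.tag == XSL + "value-of" and instr.get("select") == ".":
                out.append("".join(node.itertext()))
            elif instr.tag == XSL + "apply-imports":
                pass  # no imported stylesheets in this toy, so nothing to apply
            self._emit_literal(instr.tail, out)

    @staticmethod
    def _emit_literal(text, out):
        # Whitespace-only text in a stylesheet is stripped, as in real XSLT.
        if text and text.strip():
            out.append(text)


def transform(stylesheet_xml, source_xml, max_depth=200):
    """Apply the stylesheet to the document; returns the output text or raises
    TemplateRecursionError once the depth guard trips."""
    out = []
    MiniXslt(stylesheet_xml, max_depth).apply_templates(ET.fromstring(source_xml), out)
    return "".join(out)


# The stylesheet from the report, unchanged.
RECURSIVE_XSL = """<?xml version="1.0"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:template match="child::node()">
<xsl:apply-imports/>
<xsl:apply-templates select="current()"/>
</xsl:template>
</xsl:stylesheet>"""

# A harmless stylesheet for comparison (constructed for this example).
TITLES_XSL = """<?xml version="1.0"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:template match="title"><xsl:value-of select="."/>;</xsl:template>
</xsl:stylesheet>"""

# Constructed stand-in for the w3schools cdcatalog document.
CATALOG_XML = ("<catalog><cd><title>Empire Burlesque</title>"
               "<artist>Bob Dylan</artist></cd></catalog>")


def run_guarded(stylesheet_xml, source_xml, max_depth=200):
    """Return ('ok', output) or ('recursion', message) rather than crashing."""
    try:
        return "ok", transform(stylesheet_xml, source_xml, max_depth)
    except TemplateRecursionError as exc:
        return "recursion", str(exc)


if __name__ == "__main__":
    print(run_guarded(TITLES_XSL, CATALOG_XML))
    print(run_guarded(RECURSIVE_XSL, CATALOG_XML, max_depth=50))
```

The guard lives in apply_templates rather than around the whole transform because that is the call that nests: a bound checked there catches the self-referential select="current()" at a known depth, while a try/except around the top-level call would only fire after the interpreter's own stack had already been consumed.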
 
Cc: susan.boorgula@chromium.org
Components: Blink>XML
Labels: -Type-Bug -Pri-2 RegressedIn-63 M-68 FoundIn-67 FoundIn-66 Target-67 Target-66 Target-65 FoundIn-65 FoundIn-68 Target-68 Pri-1 Type-Bug-Regression
Status: Untriaged (was: Unconfirmed)
guyinbara@ Thanks for the issue.

Able to reproduce this issue on Windows 10 on the latest Canary 68.0.3398.0 and reported version 65.0.3325.181 as per the original comment.
Issue is not observed on Mac OS 10.13.3 and Ubuntu 14.04.

Bisect Information:
===================
Good Build: 63.0.3208.0 (Revision - 499829)
Bad Build : 63.0.3209.0 (Revision - 500160)

Crash Report ID 5453cc2f4420fa4e (Local Crash ID: 169d8cc1-d4fc-4a77-b179-fe96fcb73578)
Crash Report ID e48a449e723d8171 (Local Crash ID: aa3e0054-6044-4d8c-ad83-6bb4bed146c5)

Unable to provide Changelog URL by executing the per-revision bisect script as all Good builds are invoked. Tried increasing the range and executing the script as well, but still no luck.
Hence below is the Manual Changelog URL from Omahaproxy.
https://chromium.googlesource.com/chromium/src/+log/63.0.3208.0..63.0.3209.0?pretty=fuller&n=10000

Marking this issue as Untriaged as unable to find the right suspect from the above Changelog.
Hence adding component 'Blink>XML' and requesting the team to look into the issue and help further.

Thanks.
Labels: Triaged-ET Needs-Triage-M65

Comment 3 by ajha@chromium.org, Apr 18 2018

Cc: dcheng@chromium.org
Labels: -Target-65
Cc'ing dcheng@ as per https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/xml/OWNERS?q=blink%3Exml&sq=package:chromium&l=3 for more inputs on this.
Labels: -Pri-1 Pri-2
Status: Available (was: Untriaged)
This doesn't seem like a high priority. Stack overflow crashes don't threaten security.
