From 4ca74861f62f831f2f0a3915da653d36714c82b4 Mon Sep 17 00:00:00 2001
From: Peter Van der Beken <peterv@propagandism.org>
Date: Sun, 15 Nov 2009 11:57:49 +0100
Subject: [PATCH] Fix for bug 528300. r=sicking, a=blocking1.9.2+.

---
 content/xslt/crashtests/528300.xml            | 22 +++++++++++++++
 content/xslt/crashtests/528488.xml            | 19 +++++++++++++
 content/xslt/crashtests/crashtests.list       |  2 ++
 content/xslt/src/xpath/txCoreFunctionCall.cpp | 28 ++++++++++++++-----
 content/xslt/src/xpath/txExpr.h               |  3 +-
 content/xslt/src/xpath/txFunctionCall.cpp     | 12 +++++---
 .../src/xpath/txXPCOMExtensionFunction.cpp    |  6 +++-
 content/xslt/src/xslt/txExecutionState.cpp    |  7 +++--
 .../src/xslt/txFormatNumberFunctionCall.cpp   |  5 ++--
 content/xslt/src/xslt/txVariableMap.h         |  9 ++++++
 10 files changed, 96 insertions(+), 17 deletions(-)
 create mode 100644 content/xslt/crashtests/528300.xml
 create mode 100644 content/xslt/crashtests/528488.xml

diff --git a/content/xslt/crashtests/528300.xml b/content/xslt/crashtests/528300.xml
new file mode 100644
index 000000000000..8902bb373e80
--- /dev/null
+++ b/content/xslt/crashtests/528300.xml
@@ -0,0 +1,22 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xml" href="#bug"?>
+<!DOCTYPE doc [
+<!ATTLIST xsl:transform
+  id	ID	#REQUIRED>
+]>
+<doc>
+<xsl:transform
+  xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+  version="2.0"
+  id="bug">
+  <xsl:variable name="v0">
+    <xsl:for-each select="$v0" />
+  </xsl:variable>
+  <xsl:template name="t2" match="/">
+    <xsl:copy-of select="number($v0)" />
+  </xsl:template>
+</xsl:transform>
+
+<e1 />
+
+</doc>
diff --git a/content/xslt/crashtests/528488.xml b/content/xslt/crashtests/528488.xml
new file mode 100644
index 000000000000..904b34561230
--- /dev/null
+++ b/content/xslt/crashtests/528488.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xml" href="#bug"?>
+<!DOCTYPE doc [
+<!ATTLIST xsl:transform
+  id	ID	#REQUIRED>
+]>
+<doc>
+  <xsl:transform 
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:exslstrings="http://exslt.org/strings"
+    version="2.0"
+    id="bug">
+    <xsl:variable name="v0" select="$v0" /> 
+    <xsl:template name="t2" match="/">
+      <xsl:param name="p0" select="exslstrings:tokenize('1234','foobar')" />
+      <xsl:copy-of select="round($v0)" /> 
+    </xsl:template>
+  </xsl:transform>
+</doc>
diff --git a/content/xslt/crashtests/crashtests.list b/content/xslt/crashtests/crashtests.list
index b6c5c98307e0..4b0350c88a86 100644
--- a/content/xslt/crashtests/crashtests.list
+++ b/content/xslt/crashtests/crashtests.list
@@ -6,3 +6,5 @@ load 406106-1.html
 load 483444.xml
 load 485217.xml
 load 485286.xml
+load 528300.xml
+load 528488.xml
diff --git a/content/xslt/src/xpath/txCoreFunctionCall.cpp b/content/xslt/src/xpath/txCoreFunctionCall.cpp
index 03ce61a74069..46236cb53fc3 100644
--- a/content/xslt/src/xpath/txCoreFunctionCall.cpp
+++ b/content/xslt/src/xpath/txCoreFunctionCall.cpp
@@ -387,7 +387,9 @@ txCoreFunctionCall::evaluate(txIEvalContext* aContext, txAExprResult** aResult)
             rv = mParams[0]->evaluateToString(aContext, src);
             NS_ENSURE_SUCCESS(rv, rv);
 
-            double start = evaluateToNumber(mParams[1], aContext);
+            double start;
+            rv = evaluateToNumber(mParams[1], aContext, &start);
+            NS_ENSURE_SUCCESS(rv, rv);
 
             // check for NaN or +/-Inf
             if (Double::isNaN(start) ||
@@ -402,8 +404,10 @@ txCoreFunctionCall::evaluate(txIEvalContext* aContext, txAExprResult** aResult)
 
             double end;
             if (mParams.Length() == 3) {
-                end = start + evaluateToNumber(mParams[2],
-                                               aContext);
+                rv = evaluateToNumber(mParams[2], aContext, &end);
+                NS_ENSURE_SUCCESS(rv, rv);
+
+                end += start;
                 if (Double::isNaN(end) || end < 0) {
                     aContext->recycler()->getEmptyStringResult(aResult);
 
@@ -531,7 +535,8 @@ txCoreFunctionCall::evaluate(txIEvalContext* aContext, txAExprResult** aResult)
         {
             double res;
             if (!mParams.IsEmpty()) {
-                res = evaluateToNumber(mParams[0], aContext);
+                rv = evaluateToNumber(mParams[0], aContext, &res);
+                NS_ENSURE_SUCCESS(rv, rv);
             }
             else {
                 nsAutoString resultStr;
@@ -543,7 +548,10 @@ txCoreFunctionCall::evaluate(txIEvalContext* aContext, txAExprResult** aResult)
         }
         case ROUND:
         {
-            double dbl = evaluateToNumber(mParams[0], aContext);
+            double dbl;
+            rv = evaluateToNumber(mParams[0], aContext, &dbl);
+            NS_ENSURE_SUCCESS(rv, rv);
+
             if (!Double::isNaN(dbl) && !Double::isInfinite(dbl)) {
                 if (Double::isNeg(dbl) && dbl >= -0.5) {
                     dbl *= 0;
@@ -557,7 +565,10 @@ txCoreFunctionCall::evaluate(txIEvalContext* aContext, txAExprResult** aResult)
         }
         case FLOOR:
         {
-            double dbl = evaluateToNumber(mParams[0], aContext);
+            double dbl;
+            rv = evaluateToNumber(mParams[0], aContext, &dbl);
+            NS_ENSURE_SUCCESS(rv, rv);
+
             if (!Double::isNaN(dbl) &&
                 !Double::isInfinite(dbl) &&
                 !(dbl == 0 && Double::isNeg(dbl))) {
@@ -568,7 +579,10 @@ txCoreFunctionCall::evaluate(txIEvalContext* aContext, txAExprResult** aResult)
         }
         case CEILING:
         {
-            double dbl = evaluateToNumber(mParams[0], aContext);
+            double dbl;
+            rv = evaluateToNumber(mParams[0], aContext, &dbl);
+            NS_ENSURE_SUCCESS(rv, rv);
+
             if (!Double::isNaN(dbl) && !Double::isInfinite(dbl)) {
                 if (Double::isNeg(dbl) && dbl > -1) {
                     dbl *= 0;
diff --git a/content/xslt/src/xpath/txExpr.h b/content/xslt/src/xpath/txExpr.h
index 26d8cd4013ff..a859c660d70f 100644
--- a/content/xslt/src/xpath/txExpr.h
+++ b/content/xslt/src/xpath/txExpr.h
@@ -330,7 +330,8 @@ protected:
     /*
      * Evaluates the given Expression and converts its result to a number.
      */
-    static double evaluateToNumber(Expr* aExpr, txIEvalContext* aContext);
+    static nsresult evaluateToNumber(Expr* aExpr, txIEvalContext* aContext,
+                                     double* aResult);
 
     /*
      * Evaluates the given Expression and converts its result to a NodeSet.
diff --git a/content/xslt/src/xpath/txFunctionCall.cpp b/content/xslt/src/xpath/txFunctionCall.cpp
index 2e6df285f090..d3d8d0a08aa7 100644
--- a/content/xslt/src/xpath/txFunctionCall.cpp
+++ b/content/xslt/src/xpath/txFunctionCall.cpp
@@ -52,15 +52,19 @@
 /*
  * Evaluates the given Expression and converts its result to a number.
  */
-double FunctionCall::evaluateToNumber(Expr* aExpr, txIEvalContext* aContext)
+// static
+nsresult
+FunctionCall::evaluateToNumber(Expr* aExpr, txIEvalContext* aContext,
+                               double* aResult)
 {
     NS_ASSERTION(aExpr, "missing expression");
     nsRefPtr<txAExprResult> exprResult;
     nsresult rv = aExpr->evaluate(aContext, getter_AddRefs(exprResult));
-    if (NS_FAILED(rv))
-        return Double::NaN;
+    NS_ENSURE_SUCCESS(rv, rv);
 
-    return exprResult->numberValue();
+    *aResult = exprResult->numberValue();
+
+    return NS_OK;
 }
 
 /*
diff --git a/content/xslt/src/xpath/txXPCOMExtensionFunction.cpp b/content/xslt/src/xpath/txXPCOMExtensionFunction.cpp
index 8975aa55c44f..f7822b5b1040 100644
--- a/content/xslt/src/xpath/txXPCOMExtensionFunction.cpp
+++ b/content/xslt/src/xpath/txXPCOMExtensionFunction.cpp
@@ -479,7 +479,11 @@ txXPCOMExtensionFunctionCall::evaluate(txIEvalContext* aContext,
             }
             case eNUMBER:
             {
-                invokeParam.val.d = evaluateToNumber(expr, aContext);
+                double dbl;
+                rv = evaluateToNumber(mParams[0], aContext, &dbl);
+                NS_ENSURE_SUCCESS(rv, rv);
+
+                invokeParam.val.d = dbl;
                 break;
             }
             case eSTRING:
diff --git a/content/xslt/src/xslt/txExecutionState.cpp b/content/xslt/src/xslt/txExecutionState.cpp
index 7952a673dc0d..d8f5ec76d1df 100644
--- a/content/xslt/src/xslt/txExecutionState.cpp
+++ b/content/xslt/src/xslt/txExecutionState.cpp
@@ -99,10 +99,13 @@ txExecutionState::txExecutionState(txStylesheet* aStylesheet,
       mKeyHash(aStylesheet->getKeyMap()),
       mDisableLoads(aDisableLoads)
 {
+    MOZ_COUNT_CTOR(txExecutionState);
 }
 
 txExecutionState::~txExecutionState()
 {
+    MOZ_COUNT_DTOR(txExecutionState);
+
     delete mResultHandler;
     delete mLocalVariables;
     delete mEvalContext;
@@ -271,9 +274,9 @@ txExecutionState::getVariable(PRInt32 aNamespace, nsIAtom* aLName,
         txVariableMap* oldVars = mLocalVariables;
         mLocalVariables = nsnull;
         rv = var->mExpr->evaluate(getEvalContext(), &aResult);
-        NS_ENSURE_SUCCESS(rv, rv);
-
         mLocalVariables = oldVars;
+
+        NS_ENSURE_SUCCESS(rv, rv);
     }
     else {
         nsAutoPtr<txRtfHandler> rtfHandler(new txRtfHandler);
diff --git a/content/xslt/src/xslt/txFormatNumberFunctionCall.cpp b/content/xslt/src/xslt/txFormatNumberFunctionCall.cpp
index ac9fd8edce1f..93ca46ea64e2 100644
--- a/content/xslt/src/xslt/txFormatNumberFunctionCall.cpp
+++ b/content/xslt/src/xslt/txFormatNumberFunctionCall.cpp
@@ -84,10 +84,11 @@ txFormatNumberFunctionCall::evaluate(txIEvalContext* aContext,
     double value;
     txExpandedName formatName;
 
-    value = evaluateToNumber(mParams[0], aContext);
+    nsresult rv = evaluateToNumber(mParams[0], aContext, &value);
+    NS_ENSURE_SUCCESS(rv, rv);
 
     nsAutoString formatStr;
-    nsresult rv = mParams[1]->evaluateToString(aContext, formatStr);
+    rv = mParams[1]->evaluateToString(aContext, formatStr);
     NS_ENSURE_SUCCESS(rv, rv);
 
     if (mParams.Length() == 3) {
diff --git a/content/xslt/src/xslt/txVariableMap.h b/content/xslt/src/xslt/txVariableMap.h
index e99d7646b2bd..889b6ff01f43 100644
--- a/content/xslt/src/xslt/txVariableMap.h
+++ b/content/xslt/src/xslt/txVariableMap.h
@@ -46,6 +46,7 @@
 
 class txVariableMap {
 public:
+    txVariableMap();
     ~txVariableMap();
     
     nsresult bindVariable(const txExpandedName& aName, txAExprResult* aValue);
@@ -59,9 +60,17 @@ private:
 };
 
 
+inline
+txVariableMap::txVariableMap()
+{
+    MOZ_COUNT_CTOR(txVariableMap);
+}
+
 inline
 txVariableMap::~txVariableMap()
 {
+    MOZ_COUNT_DTOR(txVariableMap);
+
     txExpandedNameMap<txAExprResult>::iterator iter(mMap);
     while (iter.next()) {
         txAExprResult* res = iter.value();