[xsl] MSXML 4.0 SP2 crashes when copying an ownerless element

Subject: [xsl] MSXML 4.0 SP2 crashes when copying an ownerless element
From: gutman@xxxxxxxxxxxxxxxx
Date: Tue, 6 May 2003 19:14:49 +0700

Hello, friends.

First, I thank MS for an excellent product!
MSXML 4.0 SP2 is very fast and quite robust.
It was rather difficult for me to crash it,
but, unfortunately, I succeeded in this.

In a certain situation, MSXML 4.0 SP2 crashes
when trying to copy an ownerless element.

(I do understand that employing ownerless elements
is not quite correct, but anyway a crash
is not quite a correct reaction to this.)

To reproduce the problem, save the following code
as "test.xslt":

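  <xsl:transform version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:ms="urn:schemas-microsoft-com:xslt">

    <ms:script language="JScript" implements-prefix="xsl">
      var ver = '4.0';
      // Returns the "ownerless" element used as the for-each context.
      function ownerlessElement(){
        return (new ActiveXObject('Msxml2.DOMDocument.'+ver))
        // [the rest of this statement is missing from the archived message]
      }
      // Builds an XSLTemplate from a stylesheet that contains ms:script.
      function makeTemplate(){
        var xslt =
          new ActiveXObject('Msxml2.FreeThreadedDOMDocument.'+ver);
        xslt.load('test.xslt'); // Or any other with ms:script
        var template = new ActiveXObject('Msxml2.XSLTemplate.'+ver);
        // The following line causes a crash:
        template.stylesheet = xslt.documentElement;
        return true;
      }
    </ms:script>

    <xsl:template match="/">
      <xsl:for-each select="xsl:ownerlessElement()">
        <xsl:if test="xsl:makeTemplate()"/>
      </xsl:for-each>
    </xsl:template>

  </xsl:transform>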

and transform any XML via it by using MSXML 4.0 SP2.
As a result you will obtain the following error message:

  The instruction at "0x69b391ea" referenced memory
  at "0x0000000c". The memory could not be "read".

The same will occur if you replace "xslt.load('test.xslt')"
with "xslt.load('another.xslt')", where "another.xslt"
is any XSLT file with an "ms:script" block.

I do not ask for a workaround. I am just reporting a bug.

Alexander E. Gutman

 XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list
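
Added triage example, not part of the original post or of MSXML: it parses the Windows fault text quoted in the message and classifies the faulting address. The function names, verdict labels and the 64 KB near-NULL threshold are assumptions of this example; by that heuristic the read at "0x0000000c" is a NULL pointer plus field offset 0xc.

```javascript
// Added example: classify a Windows application-error message for crash triage.
// Verdict labels and helper names are this example's own, not a Windows API.

// Windows keeps the first 64 KB of user address space unmapped, so a fault
// there is almost always a NULL pointer plus a small field offset.
const NULL_GUARD_LIMIT = 0x10000;

// Matches: The instruction at "0x..." referenced memory at "0x...".
//          The memory could not be "read" | "written".
const FAULT_RE =
  /instruction at "?(0x[0-9a-f]+)"?\s+referenced memory\s+at "?(0x[0-9a-f]+)"?\.\s+The memory could not be "?(read|written)"?/i;

function parseFault(text) {
  // Collapse line wrapping first: dialogs and e-mails break the sentence.
  const m = FAULT_RE.exec(String(text).replace(/\s+/g, ' '));
  if (!m) return null;
  return {
    instruction: parseInt(m[1], 16),
    address: parseInt(m[2], 16),
    access: m[3].toLowerCase() === 'read' ? 'read' : 'write',
  };
}

function triage(text) {
  const f = parseFault(text);
  if (!f) return { verdict: 'unparsed' };
  const nearNull = f.address < NULL_GUARD_LIMIT;
  let verdict;
  // Fault address equal to the instruction address means the CPU could not
  // fetch the instruction itself (for example a call through a bad pointer).
  if (f.address === f.instruction) verdict = 'bad-instruction-pointer';
  else if (nearNull) verdict = 'null-deref-' + f.access;
  else verdict = 'wild-' + f.access;
  return { verdict, nearNull, offset: nearNull ? f.address : null, ...f };
}

// The message quoted in the post, wrapped as it appears there.
const fromPost = 'The instruction at "0x69b391ea" referenced memory\n' +
  '  at "0x0000000c". The memory could not be "read".';
// Constructed contrast case (not from the post).
const constructedWrite = 'The instruction at "0x00401000" referenced memory ' +
  'at "0x7ffd1234". The memory could not be "written".';

for (const sample of [fromPost, constructedWrite]) {
  console.log(triage(sample));
}
```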
