Bug 38376 - Body content stack may not be properly maintained in the faces of exceptions
Summary: Body content stack may not be properly maintained in the faces of exceptions
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 5
Classification: Unclassified
Component: Jasper (show other bugs)
Version: 5.5.14
Hardware: All other
: P2 normal (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-01-25 05:37 UTC by Tony Deigh
Modified: 2006-04-13 13:56 UTC (History)
0 users



Attachments
Change to Generator.java. (848 bytes, patch)
2006-01-25 05:50 UTC, Tony Deigh
Details | Diff
Change to Generator.java for 5.5.x HEAD (831 bytes, patch)
2006-04-13 20:49 UTC, Tony Deigh
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Tony Deigh 2006-01-25 05:37:05 UTC
The code that increments _jspx_push_body_count_XXX[0], which is the count of the
number of outstanding calls to _jspx_page_context.pushBody() within a try block,
is properly within the conditional that is true only if doStartTag() returns
EVAL_BODY_INCLUDE. The corresponding code that decrements the same variable,
however, is not within the corresponding conditional, although the call to
_jspx_page_context.popBody() is. The outstanding count may therefore be wrong,
and the code that pops these extra BodyContents in the finally block pops too
few. In the following Jasper-generated code snippet, note that
_jspx_push_body_count_rwc_dbTry_0[0]++ on the third line is conditional, but
_jspx_push_body_count_rwc_dbTry_0[0]-- on the last line is not.

Jasper-generated code snippet:

if (_jspx_eval_rwc_formPhase_0 != javax.servlet.jsp.tagext.Tag.EVAL_BODY_INCLUDE) {
out = _jspx_page_context.pushBody();
_jspx_push_body_count_rwc_dbTry_0[0]++;
_jspx_th_rwc_formPhase_0.setBodyContent((javax.servlet.jsp.tagext.BodyContent) out);
_jspx_th_rwc_formPhase_0.doInitBody();
}
do {
...

int evalDoAfterBody = _jspx_th_rwc_formPhase_0.doAfterBody();
if (evalDoAfterBody != javax.servlet.jsp.tagext.BodyTag.EVAL_BODY_AGAIN)
break;
} while (true);
if (_jspx_eval_rwc_formPhase_0 != javax.servlet.jsp.tagext.Tag.EVAL_BODY_INCLUDE)
out = _jspx_page_context.popBody();
_jspx_push_body_count_rwc_dbTry_0[0]--;  // THIS SHOULD BE IN THE IF BLOCK!
Comment 1 Tony Deigh 2006-01-25 05:50:59 UTC
Created attachment 17500 [details]
Change to Generator.java.
Comment 2 Yoav Shapira 2006-04-13 20:15:11 UTC
Seems like a good catch.  When I go to implement it, I see Generator.java has
changed since you reported this, and now the line numbers in your patch don't
match.  There are two possible matching sections in the file, one of which seems
to have a proper } closure, the other doesn't, but that second one has what
would become an extra closure outside the if clause.  If you get a chance,
please take a look at the current SVN HEAD version and submit an updated patch.
 Thanks!
Comment 3 Tony Deigh 2006-04-13 20:43:46 UTC
Comment on attachment 17500 [details]
Change to Generator.java.

--- Generator.java.orig 2006-04-13 16:24:25.164043200 -0400
+++ Generator.java	2006-04-13 16:26:05.808763200 -0400
@@ -2278,7 +2278,7 @@
		     out.printin("if (");
		     out.print(tagEvalVar);
		     out.println(
-			 " !=
javax.servlet.jsp.tagext.Tag.EVAL_BODY_INCLUDE)");
+			 " != javax.servlet.jsp.tagext.Tag.EVAL_BODY_INCLUDE)
{");
		     out.pushIndent();
		     out.printil("out = _jspx_page_context.popBody();");
		     if (n.implementsTryCatchFinally()) {
@@ -2289,6 +2289,7 @@
			 out.println("[0]--;");
		     }
		     out.popIndent();
+		     out.printil("}");
		 }

		 out.popIndent(); // EVAL_BODY
Comment 4 Tony Deigh 2006-04-13 20:45:41 UTC
Comment on attachment 17500 [details]
Change to Generator.java.

--- Generator.java.orig 2006-04-13 16:24:25.164043200 -0400
+++ Generator.java	2006-04-13 16:26:05.808763200 -0400
@@ -2278,7 +2278,7 @@
		     out.printin("if (");
		     out.print(tagEvalVar);
		     out.println(
-			 " !=
javax.servlet.jsp.tagext.Tag.EVAL_BODY_INCLUDE)");
+			 " != javax.servlet.jsp.tagext.Tag.EVAL_BODY_INCLUDE)
{");
		     out.pushIndent();
		     out.printil("out = _jspx_page_context.popBody();");
		     if (n.implementsTryCatchFinally()) {
@@ -2289,6 +2289,7 @@
			 out.println("[0]--;");
		     }
		     out.popIndent();
+		     out.printil("}");
		 }

		 out.popIndent(); // EVAL_BODY
Comment 5 Tony Deigh 2006-04-13 20:49:44 UTC
Created attachment 18096 [details]
Change to Generator.java for 5.5.x HEAD

Updated for SVN HEAD as of today.
Comment 6 Yoav Shapira 2006-04-13 20:56:24 UTC
OK, thank you, patch applied.