Closed Bug 236809 Opened 21 years ago Closed 21 years ago

document.removeBinding(this,anyString) causes crash when called inside XBL binding

Categories

(Core :: XBL, defect)

defect
Not set
critical

VERIFIED FIXED
mozilla1.7beta

People

(Reporter: eug957k02, Assigned: bzbarsky)

Details

Attachments

(3 files)

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 2000) Opera 6.05 [en]
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6) Gecko/20040113

In an XBL binding, in constructor, destructor, method, property get/set or handler, the following code causes a crash:

    document.removeBinding(this,anyString);

Note that anyString could be the URL used to attach the binding, or it could be an empty string, or it could be some random string; it makes no difference.

Reproducible: Always

Steps to Reproduce:
1. Load a document where an element is bound to a binding containing the code:

    <handler event="mouseover">
      document.removeBinding(this,"anyString");
    </handler>

2. Move the pointer over the bound element.

Actual Results:
A dialog appears:

---------------------------
mozilla.exe - Application Error
---------------------------
The instruction at "0x01a6e697" referenced memory at "0x00000000". The memory could not be "read".

Click on OK to terminate the program
Click on CANCEL to debug the program
---------------------------
OK   Cancel
---------------------------

and mozilla closes

Expected Results:
Either reported an error saying that removeBinding failed, or removed the requested binding.
Reporter, can you attach a simple small testcase for us?
Attached file xbl file
I can confirm this under Windows XP with build 2004-03-08-08. Unfortunately, Talkback didn't come up, so I don't have an incident ID.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Confirming crash with Moz 1.7a and Firefox 0.8 under WinXP. It crashes in nsBindingManager.cpp in line 836:
http://lxr.mozilla.org/seamonkey/source/content/xbl/src/nsBindingManager.cpp#836

    832   // Make sure that the binding has the URI that is requested to be removed
    833   nsIURI* bindingUri = binding->BindingURI();
    834
    835   PRBool equalUri;
    836   nsresult rv = aURL->Equals(bindingUri, &equalUri);
    837   NS_ENSURE_SUCCESS(rv, rv);
    838   if (!equalUri) {
    839     return NS_OK;
    840   }

Callstack:

    nsBindingManager::RemoveLayeredBinding(nsBindingManager * const 0x02fd9da8, nsIContent * 0x03001300, nsIURI * 0x00000000) line 832 + 11 bytes
    nsDocument::RemoveBinding(nsDocument * const 0x02fd9778, nsIDOMElement * 0x03001320, const nsAString & {...}) line 2416 + 44 bytes
    XPTC_InvokeByIndex(nsISupports * 0x02fd9778, unsigned int 6, unsigned int 2, nsXPTCVariant * 0x0012d700) line 102
    XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode CALL_METHOD) line 2022 + 42 bytes
    XPC_WN_CallMethod(JSContext * 0x02fb8440, JSObject * 0x02b72bb0, unsigned int 2, long * 0x0302b04c, long * 0x0012d9d0) line 1287 + 14 bytes
    js_Invoke(JSContext * 0x02fb8440, unsigned int 2, unsigned int 0) line 941 + 23 bytes
    js_Interpret(JSContext * 0x02fb8440, long * 0x0012e304) line 2962 + 15 bytes
    js_Invoke(JSContext * 0x02fb8440, unsigned int 1, unsigned int 2) line 958 + 13 bytes
    js_InternalInvoke(JSContext * 0x02fb8440, JSObject * 0x02d03e00, long 47201832, unsigned int 0, unsigned int 1, long * 0x0012e57c, long * 0x0012e578) line 1035 + 20 bytes
    JS_CallFunctionValue(JSContext * 0x02fb8440, JSObject * 0x02d03e00, long 47201832, unsigned int 1, long * 0x0012e57c, long * 0x0012e578) line 3592 + 31 bytes
    nsJSContext::CallEventHandler(JSObject * 0x02d03e00, JSObject * 0x02d03e28, unsigned int 1, long * 0x0012e57c, long * 0x0012e578) line 1267 + 33 bytes
    nsJSEventListener::HandleEvent(nsJSEventListener * const 0x03026050, nsIDOMEvent * 0x03029f00) line 174 + 52 bytes
    nsXBLPrototypeHandler::ExecuteHandler(nsIDOMEventReceiver * 0x03029f90, nsIDOMEvent * 0x03029f00) line 461
    nsXBLEventHandler::HandleEvent(nsXBLEventHandler * const 0x03008d18, nsIDOMEvent * 0x03029f00) line 88
    nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x03008e20, nsIDOMEvent * 0x03029f00, nsIDOMEventTarget * 0x03029f90, unsigned int 16, unsigned int 7) line 1434 + 20 bytes
    nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x03008d60, nsIPresContext * 0x02fdc008, nsEvent * 0x0012efcc, nsIDOMEvent * * 0x0012ef90, nsIDOMEventTarget * 0x03029f90, unsigned int 7, nsEventStatus * 0x0012f018) line 1527 + 56 bytes
    nsGenericElement::HandleDOMEvent(nsIPresContext * 0x02fdc008, nsEvent * 0x0012efcc, nsIDOMEvent * * 0x0012ef90, unsigned int 7, nsEventStatus * 0x0012f018) line 1961
    nsEventStateManager::DispatchMouseEvent(nsIPresContext * 0x02fdc008, nsGUIEvent * 0x0012f73c, unsigned int 331, nsIContent * 0x03001300, nsIFrame * & 0x0302409c, nsIContent * 0x02fd6eb0) line 2458
    nsEventStateManager::GenerateMouseEnterExit(nsIPresContext * 0x02fdc008, nsGUIEvent * 0x0012f73c) line 2576
    nsEventStateManager::PreHandleEvent(nsEventStateManager * const 0x02fec008, nsIPresContext * 0x02fdc008, nsEvent * 0x0012f73c, nsIFrame * 0x0302409c, nsEventStatus * 0x0012f538, nsIView * 0x02ffdcb8) line 436
    PresShell::HandleEventInternal(nsEvent * 0x0012f73c, nsIView * 0x02ffdcb8, unsigned int 1, nsEventStatus * 0x0012f538) line 6083 + 49 bytes
    PresShell::HandleEvent(PresShell * const 0x02fdd06c, nsIView * 0x02ffdcb8, nsGUIEvent * 0x0012f73c, nsEventStatus * 0x0012f538, int 0, int & 1) line 5981 + 25 bytes
    nsViewManager::HandleEvent(nsView * 0x02ff9ad8, nsGUIEvent * 0x0012f73c, int 0) line 2275
    nsViewManager::DispatchEvent(nsViewManager * const 0x02fdc948, nsGUIEvent * 0x0012f73c, nsEventStatus * 0x0012f630) line 2014 + 20 bytes
    HandleEvent(nsGUIEvent * 0x0012f73c) line 79
    nsWindow::DispatchEvent(nsWindow * const 0x02ffda7c, nsGUIEvent * 0x0012f73c, nsEventStatus & nsEventStatus_eIgnore) line 1064 + 10 bytes
    nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f73c) line 1085
    nsWindow::DispatchMouseEvent(unsigned int 300, unsigned int 0, nsPoint * 0x00000000) line 5207 + 21 bytes
    ChildWindow::DispatchMouseEvent(unsigned int 300, unsigned int 0, nsPoint * 0x00000000) line 5462
    nsWindow::ProcessMessage(unsigned int 512, unsigned int 0, long 6357000, long * 0x0012fbe8) line 3981 + 28 bytes
    nsWindow::WindowProc(HWND__ * 0x0006032a, unsigned int 512, unsigned int 0, long 6357000) line 1346 + 27 bytes
    USER32! 77d43a50()
    USER32! 77d43b1f()
    USER32! 77d43d79()
    USER32! 77d43ddf()
    nsAppShellService::Run(nsAppShellService * const 0x00a65050) line 484
    main1(int 1, char * * 0x002e2638, nsISupports * 0x00a04dd8) line 1291 + 32 bytes
    main(int 1, char * * 0x002e2638) line 1678 + 37 bytes
    mainCRTStartup() line 338 + 17 bytes
    KERNEL32! 77e814c7()
Comment on attachment 143358
Doesn't matter where it's called; what matters is it's not passing a URI

We just need to bail out if what we're given is not a URI.... I'm not adding a "resolve relative URIs" thing here, since I have no idea what the base should be (and the nsIDOMDocumentXBL interface doesn't say what its last arg should be).
Attachment #143358 - Flags: superreview?(jst)
Attachment #143358 - Flags: review?(jst)
Hyatt or Hixie may be able to shed light on what a relative URI means. /be
Surely the base URI is the URI of the current document? I suppose you have two options in an XBL document 1) the XBL document. 2) the document containing the node to which the binding is bound. However, since the call is document.removeBinding(obj,URI), then the base must be the URI of the document object on which this method is called (if one exists). Changing this to use a full URL still crashes.
relative URIs should probably just cause the function to bail (or raise an exception).
Comment on attachment 143358
Doesn't matter where it's called; what matters is it's not passing a URI

r+sr=jst
Attachment #143358 - Flags: superreview?(jst)
Attachment #143358 - Flags: superreview+
Attachment #143358 - Flags: review?(jst)
Attachment #143358 - Flags: review+
Patch checked in. That patch makes us throw an exception on relative URIs. pb, I did test absolute URIs with that patch, and couldn't get it to crash. If you can, please attach a testcase.
Assignee: hyatt → bzbarsky
OS: Windows 2000 → All
Hardware: PC → All
Target Milestone: --- → mozilla1.7beta
Sorry, my mistake. I changed the wrong file.
All good. ;) Fixed.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
bz: Do you know which exception? (So I can make the spec say that one rather than another one.)
At the moment, whatever necko returns, which in this case is NS_ERROR_MALFORMED_URI (which is not pretty-printed in JS error messages and is not a DOM-defined exception). If we want to throw something specific, we should decide what and I can make that change.
Verified FIXED using http://bugzilla.mozilla.org/attachment.cgi?id=143300&action=view on Windows XP with build 2004-06-06-09.
Status: RESOLVED → VERIFIED
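
Added example (not part of the bug thread and not Mozilla source): a stand-alone C++ model of the crash path discussed above, showing the unchecked call beside the bail-out described in the patch comment. Uri, ParseUri, Binding, Result and both RemoveBinding* functions are hypothetical stand-ins, and the scheme-only parser is an assumption of the model.

```cpp
// Simplified stand-alone model of the crash path; not Mozilla source.
// Every name below is a hypothetical stand-in for the real classes.
#include <memory>
#include <string>

enum Result { OK = 0, ERROR_MALFORMED_URI = 1 };

struct Uri {
    std::string spec;
    bool Equals(const Uri& other) const { return spec == other.spec; }
};

// Stand-in URI parser (assumption): with no base URI to resolve against,
// only "scheme:rest" strings parse. On failure `out` stays null.
Result ParseUri(const std::string& s, std::unique_ptr<Uri>& out) {
    std::string::size_type colon = s.find(':');
    if (colon == std::string::npos || colon == 0) return ERROR_MALFORMED_URI;
    out.reset(new Uri{s});
    return OK;
}

struct Binding {
    Uri uri;
    bool attached = true;
};

// Callee assumes a non-null URI, like the aURL->Equals() call at line 836.
Result RemoveLayeredBinding(Binding& b, const Uri* url) {
    if (!url->Equals(b.uri)) return OK;  // a null `url` faults here
    b.attached = false;
    return OK;
}

// Before: the parser result is ignored, so "anyString" or "" reaches the
// callee as a null pointer (the nsIURI * 0x00000000 frame in the callstack).
Result RemoveBindingUnchecked(Binding& b, const std::string& s) {
    std::unique_ptr<Uri> uri;
    ParseUri(s, uri);
    return RemoveLayeredBinding(b, uri.get());
}

// After: bail out with the parser's error when the argument is not a URI,
// so the caller gets a failure code instead of a crash.
Result RemoveBindingChecked(Binding& b, const std::string& s) {
    std::unique_ptr<Uri> uri;
    Result rv = ParseUri(s, uri);
    if (rv != OK) return rv;
    return RemoveLayeredBinding(b, uri.get());
}
```

RemoveBindingUnchecked is kept only as the "before" case and dereferences a null pointer for any argument that fails to parse.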