Closed
Bug 236809
Opened 21 years ago
Closed 21 years ago
document.removeBinding(this,anyString) causes crash when called inside XBL binding
Categories: Core :: XBL, defect
Status: VERIFIED FIXED
Target Milestone: mozilla1.7beta
People: Reporter: eug957k02, Assigned: bzbarsky
Attachments (3 files):
510 bytes, text/xml
734 bytes, text/html
1.02 KB, patch (jst: review+, jst: superreview+)
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 2000) Opera 6.05 [en]
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6) Gecko/20040113
In an XBL binding, in constructor, destructor, method, propertyget/set or handler, the following code causes a crash:
document.removeBinding(this,anyString);
Note that anyString could be the URL used to attach the binding, or it could be
an empty string, or it could be some random string; it makes no difference.
Reproducible: Always
Steps to Reproduce:
1. load a document where an element is bound to a binding containing the code:
<handler event="mouseover">
document.removeBinding(this,"anyString");
</handler>
2. move the pointer over the bound element
Actual Results:
A dialog appears:
---------------------------
mozilla.exe - Application Error
---------------------------
The instruction at "0x01a6e697" referenced memory at "0x00000000". The memory could not be "read".
Click on OK to terminate the program
Click on CANCEL to debug the program
---------------------------
OK Cancel
---------------------------
and mozilla closes
Expected Results:
Either report an error saying that removeBinding failed, or remove the requested binding.
Comment 1 • 21 years ago
Reporter, can you attach a simple small testcase for us?
Comment 4 • 21 years ago
I can confirm this under Windows XP with build 2004-03-08-08.
Unfortunately, Talkback didn't come up, so I don't have an incident ID.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 5 • 21 years ago
Confirming crash with Moz 1.7a and Firefox 0.8 under WinXP.
It crashes in nsBindingManager.cpp in line 836:
http://lxr.mozilla.org/seamonkey/source/content/xbl/src/nsBindingManager.cpp#836
832 // Make sure that the binding has the URI that is requested to be removed
833 nsIURI* bindingUri = binding->BindingURI();
834
835 PRBool equalUri;
836 nsresult rv = aURL->Equals(bindingUri, &equalUri);
837 NS_ENSURE_SUCCESS(rv, rv);
838 if (!equalUri) {
839 return NS_OK;
840 }
Callstack:
nsBindingManager::RemoveLayeredBinding(nsBindingManager * const 0x02fd9da8,
nsIContent * 0x03001300, nsIURI * 0x00000000) line 832 + 11 bytes
nsDocument::RemoveBinding(nsDocument * const 0x02fd9778, nsIDOMElement *
0x03001320, const nsAString & {...}) line 2416 + 44 bytes
XPTC_InvokeByIndex(nsISupports * 0x02fd9778, unsigned int 6, unsigned int 2,
nsXPTCVariant * 0x0012d700) line 102
XPCWrappedNative::CallMethod(XPCCallContext & {...}, XPCWrappedNative::CallMode
CALL_METHOD) line 2022 + 42 bytes
XPC_WN_CallMethod(JSContext * 0x02fb8440, JSObject * 0x02b72bb0, unsigned int 2,
long * 0x0302b04c, long * 0x0012d9d0) line 1287 + 14 bytes
js_Invoke(JSContext * 0x02fb8440, unsigned int 2, unsigned int 0) line 941 + 23
bytes
js_Interpret(JSContext * 0x02fb8440, long * 0x0012e304) line 2962 + 15 bytes
js_Invoke(JSContext * 0x02fb8440, unsigned int 1, unsigned int 2) line 958 + 13
bytes
js_InternalInvoke(JSContext * 0x02fb8440, JSObject * 0x02d03e00, long 47201832,
unsigned int 0, unsigned int 1, long * 0x0012e57c, long * 0x0012e578) line 1035
+ 20 bytes
JS_CallFunctionValue(JSContext * 0x02fb8440, JSObject * 0x02d03e00, long
47201832, unsigned int 1, long * 0x0012e57c, long * 0x0012e578) line 3592 + 31 bytes
nsJSContext::CallEventHandler(JSObject * 0x02d03e00, JSObject * 0x02d03e28,
unsigned int 1, long * 0x0012e57c, long * 0x0012e578) line 1267 + 33 bytes
nsJSEventListener::HandleEvent(nsJSEventListener * const 0x03026050, nsIDOMEvent
* 0x03029f00) line 174 + 52 bytes
nsXBLPrototypeHandler::ExecuteHandler(nsIDOMEventReceiver * 0x03029f90,
nsIDOMEvent * 0x03029f00) line 461
nsXBLEventHandler::HandleEvent(nsXBLEventHandler * const 0x03008d18, nsIDOMEvent
* 0x03029f00) line 88
nsEventListenerManager::HandleEventSubType(nsListenerStruct * 0x03008e20,
nsIDOMEvent * 0x03029f00, nsIDOMEventTarget * 0x03029f90, unsigned int 16,
unsigned int 7) line 1434 + 20 bytes
nsEventListenerManager::HandleEvent(nsEventListenerManager * const 0x03008d60,
nsIPresContext * 0x02fdc008, nsEvent * 0x0012efcc, nsIDOMEvent * * 0x0012ef90,
nsIDOMEventTarget * 0x03029f90, unsigned int 7, nsEventStatus * 0x0012f018) line
1527 + 56 bytes
nsGenericElement::HandleDOMEvent(nsIPresContext * 0x02fdc008, nsEvent *
0x0012efcc, nsIDOMEvent * * 0x0012ef90, unsigned int 7, nsEventStatus *
0x0012f018) line 1961
nsEventStateManager::DispatchMouseEvent(nsIPresContext * 0x02fdc008, nsGUIEvent
* 0x0012f73c, unsigned int 331, nsIContent * 0x03001300, nsIFrame * &
0x0302409c, nsIContent * 0x02fd6eb0) line 2458
nsEventStateManager::GenerateMouseEnterExit(nsIPresContext * 0x02fdc008,
nsGUIEvent * 0x0012f73c) line 2576
nsEventStateManager::PreHandleEvent(nsEventStateManager * const 0x02fec008,
nsIPresContext * 0x02fdc008, nsEvent * 0x0012f73c, nsIFrame * 0x0302409c,
nsEventStatus * 0x0012f538, nsIView * 0x02ffdcb8) line 436
PresShell::HandleEventInternal(nsEvent * 0x0012f73c, nsIView * 0x02ffdcb8,
unsigned int 1, nsEventStatus * 0x0012f538) line 6083 + 49 bytes
PresShell::HandleEvent(PresShell * const 0x02fdd06c, nsIView * 0x02ffdcb8,
nsGUIEvent * 0x0012f73c, nsEventStatus * 0x0012f538, int 0, int & 1) line 5981 +
25 bytes
nsViewManager::HandleEvent(nsView * 0x02ff9ad8, nsGUIEvent * 0x0012f73c, int 0)
line 2275
nsViewManager::DispatchEvent(nsViewManager * const 0x02fdc948, nsGUIEvent *
0x0012f73c, nsEventStatus * 0x0012f630) line 2014 + 20 bytes
HandleEvent(nsGUIEvent * 0x0012f73c) line 79
nsWindow::DispatchEvent(nsWindow * const 0x02ffda7c, nsGUIEvent * 0x0012f73c,
nsEventStatus & nsEventStatus_eIgnore) line 1064 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f73c) line 1085
nsWindow::DispatchMouseEvent(unsigned int 300, unsigned int 0, nsPoint *
0x00000000) line 5207 + 21 bytes
ChildWindow::DispatchMouseEvent(unsigned int 300, unsigned int 0, nsPoint *
0x00000000) line 5462
nsWindow::ProcessMessage(unsigned int 512, unsigned int 0, long 6357000, long *
0x0012fbe8) line 3981 + 28 bytes
nsWindow::WindowProc(HWND__ * 0x0006032a, unsigned int 512, unsigned int 0, long
6357000) line 1346 + 27 bytes
USER32! 77d43a50()
USER32! 77d43b1f()
USER32! 77d43d79()
USER32! 77d43ddf()
nsAppShellService::Run(nsAppShellService * const 0x00a65050) line 484
main1(int 1, char * * 0x002e2638, nsISupports * 0x00a04dd8) line 1291 + 32 bytes
main(int 1, char * * 0x002e2638) line 1678 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e814c7()
Comment 6 • 21 years ago (Assignee)
Comment 7 • 21 years ago (Assignee)
Comment on attachment 143358
Doesn't matter where it's called; what matters is it's not passing a URI
We just need to bail out if what we're given is not a URI....
I'm not adding a "resolve relative URIs" thing here, since I have no idea what
the base should be (and the nsIDOMDocumentXBL interface doesn't say what its
last arg should be).
Attachment #143358 - Flags: superreview?(jst)
Attachment #143358 - Flags: review?(jst)
Comment 8 • 21 years ago
Hyatt or Hixie may be able to shed light on what a relative URI means.
/be
Surely the base URI is the URI of the current document?
I suppose you have two options in an XBL document
1) the XBL document.
2) the document containing the node to which the binding is bound.
However, since the call is document.removeBinding(obj,URI), then the base
must be the URI of the document object on which this method is called (if one exists).
Changing this to use a full URL still crashes.
Comment 10 • 21 years ago
relative URIs should probably just cause the function to bail (or raise an
exception).
Comment 11 • 21 years ago
Comment on attachment 143358
Doesn't matter where it's called; what matters is it's not passing a URI
r+sr=jst
Attachment #143358 - Flags: superreview?(jst)
Attachment #143358 - Flags: superreview+
Attachment #143358 - Flags: review?(jst)
Attachment #143358 - Flags: review+
Comment 12 • 21 years ago (Assignee)
Patch checked in. That patch makes us throw an exception on relative URIs.
pb, I did test absolute URIs with that patch, and couldn't get it to crash. If
you can, please attach a testcase.
Assignee: hyatt → bzbarsky
OS: Windows 2000 → All
Hardware: PC → All
Target Milestone: --- → mozilla1.7beta
Comment 13 • 21 years ago (Reporter)
Sorry, my mistake. I changed the wrong file.
Comment 14 • 21 years ago (Assignee)
All good. ;)
Fixed.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Comment 15 • 21 years ago
bz: Do you know which exception? (So I can make the spec say that one rather
than another one.)
Comment 16 • 21 years ago (Assignee)
At the moment, whatever necko returns, which in this case is
NS_ERROR_MALFORMED_URI (which is not pretty-printed in JS error messages and is
not a DOM-defined exception). If we want to throw something specific, we should
decide what and I can make that change.
Verified FIXED using
http://bugzilla.mozilla.org/attachment.cgi?id=143300&action=view on Windows XP
with build 2004-06-06-09.
Status: RESOLVED → VERIFIED
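Added example (not part of the bug thread, and not the checked-in patch or any Mozilla code): a self-contained C++ model of the failure discussed in comments 5, 7, 12 and 16, where a script-supplied string fails URI parsing, the resulting null pointer reaches a callee that dereferences it, and the fix is to return the parser's error. The types Uri, BoundElement and Status and the function ParseUri are hypothetical stand-ins; the null check in the callee is an extra hardening step assumed for this example.

```cpp
// Added illustration: simplified stand-ins, not Mozilla code.
#include <memory>
#include <string>

enum class Status { Ok, MalformedUri, NullPointer };

struct Uri {
    std::string spec;
    bool Equals(const Uri& other) const { return spec == other.spec; }
};

// Hypothetical parser: accepts only absolute URIs ("scheme:rest").
// On failure the out-parameter is left null, which is the state the
// crashing frame saw (nsIURI * 0x00000000).
Status ParseUri(const std::string& text, std::unique_ptr<Uri>& out) {
    std::string::size_type colon = text.find(':');
    if (colon == std::string::npos || colon == 0) return Status::MalformedUri;
    out.reset(new Uri{text});
    return Status::Ok;
}

struct BoundElement {
    std::unique_ptr<Uri> bindingUri;  // URI the binding was attached with
};

// Callee. The code quoted in comment 5 dereferences its URI argument
// unconditionally; the null check here is defence in depth (an addition).
Status RemoveLayeredBinding(BoundElement& el, const Uri* url) {
    if (!url) return Status::NullPointer;
    if (!el.bindingUri || !url->Equals(*el.bindingUri)) return Status::Ok;
    el.bindingUri.reset();  // URIs match: detach the binding
    return Status::Ok;
}

// Caller, hardened: check the parser's status and propagate it, so a
// script-supplied string that is not a URI becomes an error result.
Status RemoveBinding(BoundElement& el, const std::string& urlText) {
    std::unique_ptr<Uri> uri;
    Status rv = ParseUri(urlText, uri);
    if (rv != Status::Ok) return rv;
    return RemoveLayeredBinding(el, uri.get());
}
```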