Closed
Bug 55265
Opened 25 years ago
Closed 24 years ago
Adding "attachto" attribute to XBL event causes Mozilla to crash at shutdown.
Categories
(Core :: XBL, defect, P3)
RESOLVED
FIXED
mozilla0.9
People
(Reporter: markh, Assigned: hyatt)
Details
(Keywords: crash, testcase, Whiteboard: exploit: can crash mail)
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
BuildID: 20001005
Certain XBL events only work when they are "attachto" another object - such as
the window or document. Examples are the "load" event, and all the
commandupdater events.
No example of an "attachto" attribute can be found in the source tree.
Therefore, the "steps to repro" indicate how to crash one of the XBL demos.
Unfortunately, these demos do not appear to be in the tree.
Reproducible: At least 1 out of 2 attempts on my machine (i.e., most, but not every time)
Steps:
1. Use the "test2" XBL demo (Debug->XBL Demos->#2 Rollover Madness), and add a
trivial "onload" handler. This makes the complete "rollover" binding:
  <binding id="rollover">
    <handlers>
      <handler event="mouseover" action="this.setAttribute('rollover', 'true')"/>
      <handler event="load" attachto="_window" action="dump('load event called\n');"/>
    </handlers>
  </binding>
(Note that only the event="load" line was added to the sample)
2. Open this sample in Mozilla, and confirm the 'load event called' message
appears in the console.
3. Exit Mozilla.
This is reproducible on my machine at least 1 out of 2 attempts.
Failure in "gkhtml.dll", always when referencing address "0xddddddf1", just
after the "WEBSHELL- = 3" message, after the window has been closed. Callstack:
nsXBLEventHandler::MarkForDeath() line 58 + 3 bytes
nsXBLEventHandler::MarkForDeath() line 58 + 20 bytes
nsXBLEventHandler::MarkForDeath() line 58 + 20 bytes
nsXBLBinding::ChangeDocument(nsXBLBinding * const 0x02a14938, nsIDocument *
0x027b3b38, nsIDocument * 0x00000000) line 1027
nsBindingManager::ChangeDocumentFor(nsBindingManager * const 0x02971428,
nsIContent * 0x02971be8, nsIDocument * 0x027b3b38, nsIDocument * 0x00000000)
line 331
nsGenericElement::SetDocument(nsIDocument * 0x00000000, int 1, int 1) line 1237
nsGenericHTMLElement::SetDocument(nsIDocument * 0x00000000, int 1, int 1) line
933 + 20 bytes
nsHTMLDivElement::SetDocument(nsHTMLDivElement * const 0x02971be8, nsIDocument
* 0x00000000, int 1, int 1) line 65 + 26 bytes
nsGenericElement::SetDocumentInChildrenOf(nsIContent * 0x029713b8, nsIDocument
* 0x00000000, int 1) line 1203
nsGenericElement::SetDocument(nsIDocument * 0x00000000, int 1, int 1) line 1261
+ 19 bytes
nsGenericHTMLElement::SetDocument(nsIDocument * 0x00000000, int 1, int 1) line
933 + 20 bytes
nsBodyInner::SetDocument(nsIDocument * 0x00000000, int 1, int 1) line 166
nsHTMLBodyElement::SetDocument(nsHTMLBodyElement * const 0x029713b8,
nsIDocument * 0x00000000, int 1, int 1) line 197 + 26 bytes
nsGenericElement::SetDocumentInChildrenOf(nsIContent * 0x02978b90, nsIDocument
* 0x00000000, int 1) line 1203
nsGenericElement::SetDocument(nsIDocument * 0x00000000, int 1, int 1) line 1261
+ 19 bytes
nsGenericHTMLElement::SetDocument(nsIDocument * 0x00000000, int 1, int 1) line
933 + 20 bytes
nsHTMLHtmlElement::SetDocument(nsHTMLHtmlElement * const 0x02978b90,
nsIDocument * 0x00000000, int 1, int 1) line 63 + 26 bytes
nsDocument::SetScriptGlobalObject(nsDocument * const 0x027b3b38,
nsIScriptGlobalObject * 0x00000000) line 1694
DocumentViewerImpl::~DocumentViewerImpl() line 418
DocumentViewerImpl::`scalar deleting destructor'(unsigned int 1) + 15 bytes
DocumentViewerImpl::Release(DocumentViewerImpl * const 0x027af8f8) line 355 +
154 bytes
nsCOMPtr<nsIContentViewer>::assign_assuming_AddRef(nsIContentViewer *
0x00000000) line 472
nsCOMPtr<nsIContentViewer>::assign_with_AddRef(nsISupports * 0x00000000) line
849
nsCOMPtr<nsIContentViewer>::operator=(nsIContentViewer * 0x00000000) line 584
nsDocShell::Destroy(nsDocShell * const 0x0286481c) line 1595
nsWebShell::Destroy(nsWebShell * const 0x0286481c) line 1394
nsHTMLFrameInnerFrame::~nsHTMLFrameInnerFrame() line 489
nsHTMLFrameInnerFrame::`scalar deleting destructor'(unsigned int 1) + 15 bytes
nsFrame::Destroy(nsFrame * const 0x0285d518, nsIPresContext * 0x01299888) line
425 + 34 bytes
nsFrameList::DestroyFrames(nsIPresContext * 0x01299888) line 36
nsContainerFrame::Destroy(nsContainerFrame * const 0x02775a84, nsIPresContext *
0x01299888) line 98
nsFrameList::DestroyFrames(nsIPresContext * 0x01299888) line 36
nsContainerFrame::Destroy(nsContainerFrame * const 0x026ef5c0, nsIPresContext *
0x01299888) line 98
nsBoxFrame::Destroy(nsBoxFrame * const 0x026ef5c0, nsIPresContext * 0x01299888)
line 1002 + 13 bytes
nsFrameList::DestroyFrames(nsIPresContext * 0x01299888) line 36
nsContainerFrame::Destroy(nsContainerFrame * const 0x026ef530, nsIPresContext *
0x01299888) line 98
nsBoxFrame::Destroy(nsBoxFrame * const 0x026ef530, nsIPresContext * 0x01299888)
line 1002 + 13 bytes
nsFrameList::DestroyFrames(nsIPresContext * 0x01299888) line 36
nsContainerFrame::Destroy(nsContainerFrame * const 0x026ef06c, nsIPresContext *
0x01299888) line 98
nsBoxFrame::Destroy(nsBoxFrame * const 0x026ef06c, nsIPresContext * 0x01299888)
line 1002 + 13 bytes
nsFrameList::DestroyFrames(nsIPresContext * 0x01299888) line 36
nsContainerFrame::Destroy(nsContainerFrame * const 0x026eea14, nsIPresContext *
0x01299888) line 98
nsBoxFrame::Destroy(nsBoxFrame * const 0x026eea14, nsIPresContext * 0x01299888)
line 1002 + 13 bytes
nsFrameList::DestroyFrames(nsIPresContext * 0x01299888) line 36
nsContainerFrame::Destroy(nsContainerFrame * const 0x026ee984, nsIPresContext *
0x01299888) line 98
nsBoxFrame::Destroy(nsBoxFrame * const 0x026ee984, nsIPresContext * 0x01299888)
line 1002 + 13 bytes
nsFrameList::DestroyFrames(nsIPresContext * 0x01299888) line 36
nsContainerFrame::Destroy(nsContainerFrame * const 0x026ee948, nsIPresContext *
0x01299888) line 98
ViewportFrame::Destroy(ViewportFrame * const 0x026ee948, nsIPresContext *
0x01299888) line 144
FrameManager::~FrameManager() line 405
FrameManager::`scalar deleting destructor'(unsigned int 1) + 15 bytes
FrameManager::Release(FrameManager * const 0x01329290) line 384 + 157 bytes
PresShell::~PresShell() line 1272 + 27 bytes
PresShell::`scalar deleting destructor'() + 15 bytes
PresShell::Release(PresShell * const 0x013287b8) line 1188 + 158 bytes
nsCOMPtr<nsIPresShell>::~nsCOMPtr<nsIPresShell>() line 490
DocumentViewerImpl::~DocumentViewerImpl() line 447 + 97 bytes
DocumentViewerImpl::`scalar deleting destructor'(unsigned int 1) + 15 bytes
DocumentViewerImpl::Release(DocumentViewerImpl * const 0x01298a40) line 355 +
154 bytes
nsCOMPtr<nsIContentViewer>::assign_assuming_AddRef(nsIContentViewer *
0x00000000) line 472
nsCOMPtr<nsIContentViewer>::assign_with_AddRef(nsISupports * 0x00000000) line
849
nsCOMPtr<nsIContentViewer>::operator=(nsIContentViewer * 0x00000000) line 584
nsDocShell::Destroy(nsDocShell * const 0x011b1ba4) line 1595
nsWebShell::Destroy(nsWebShell * const 0x011b1ba4) line 1394
nsXULWindow::Destroy(nsXULWindow * const 0x011b5b14) line 324
nsWebShellWindow::Destroy(nsWebShellWindow * const 0x011b5b14) line 1750
nsWebShellWindow::Close(nsWebShellWindow * const 0x011b5b70) line 339
nsWebShellWindow::HandleEvent(nsGUIEvent * 0x0012f51c) line 418
nsWindow::DispatchEvent(nsWindow * const 0x011b5ca4, nsGUIEvent * 0x0012f51c,
nsEventStatus & nsEventStatus_eIgnore) line 681 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f51c) line 702
nsWindow::DispatchStandardEvent(unsigned int 101) line 722 + 15 bytes
nsWindow::ProcessMessage(unsigned int 16, unsigned int 0, long 0, long *
0x0012f854) line 2795
nsWindow::WindowProc(HWND__ * 0x00570756, unsigned int 16, unsigned int 0, long
0) line 950 + 27 bytes
USER32! 77e13eb0()
USER32! 77e1591b()
USER32! 77e1595d()
NTDLL! 77f9fb83()
USER32! 77e169a7()
USER32! 77e13eb0()
USER32! 77e16469()
USER32! 77e1a6f8()
nsWindow::WindowProc(HWND__ * 0x00570756, unsigned int 274, unsigned int 61536,
long 3605471) line 957 + 31 bytes
USER32! 77e13eb0()
USER32! 77e1591b()
USER32! 77e1595d()
NTDLL! 77f9fb83()
USER32! 77e169a7()
USER32! 77e13eb0()
USER32! 77e16469()
USER32! 77e1a6f8()
nsWindow::WindowProc(HWND__ * 0x00570756, unsigned int 161, unsigned int 20,
long 3605471) line 957 + 31 bytes
USER32! 77e13eb0()
USER32! 77e1401a()
USER32! 77e192da()
nsAppShellService::Run(nsAppShellService * const 0x00b2f490) line 408
main1(int 2, char * * 0x00317398, nsISupports * 0x00000000) line 1004 + 32 bytes
main(int 2, char * * 0x00317398) line 1185 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e87903()
I haven't actually reproduced this problem, but I thought I'd run it by hyatt
anyway, because the example cited is so well detailed that hyatt should be able
to reproduce or diagnose very quickly. This could be indicative of a larger
problem, and I want to be sure the owner gets a crack at it before rtm.
Comment 2•24 years ago
->moz0.8, assuming this is needed for ActiveState's Komodo project.
Target Milestone: --- → mozilla0.8
Comment 3•24 years ago (Reporter)
To be honest, this one does not block us. There is still an issue that
the "this" object in such an event is the window or document object attached
to, rather than the XBL binding itself. As we may need many of these bindings
on the one form, this limitation prevents us from using these events even if they
did not crash.
In the xbl newsgroups David didn't seem to consider the "this" behaviour a bug,
so one is not filed.
So if you _do_ want an XBL bug blocking Komodo, then the "this" behaviour
qualifies rather than this. Once that limitation is removed, we would _then_
hit this bug and consider it blocking us ;-)
Comment 4•24 years ago
Testcase:
http://www.damowmow.com/mozilla/crash/7.html
You can't get much simpler than:
  <?xml version="1.0"?>
  <bindings xmlns="http://www.mozilla.org/xbl">
    <binding id="test">
      <handlers>
        <handler event="click" attachto="document">
        </handler>
      </handlers>
    </binding>
  </bindings>
As per all XBL bugs, this one can be used to crash mail and (in the Netscape
commercial builds) AIM.
Comment 6•24 years ago (Assignee)
I am going to disable the attachto capability for mozilla1.0. Patch coming shortly.
Status: NEW → ASSIGNED
Comment 7•24 years ago (Assignee)
Fixed. This feature of XBL has been disabled for Mozilla 1.0. A new bug should
be opened for implementing this feature the correct way. :)
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED