Closed Bug 397955 Opened 17 years ago Closed 17 years ago

nsProgressMeterFrame sets and notifies on attributes during frame construction

Categories

(Core :: XUL, defect)

x86
Linux
defect
Not set
normal

RESOLVED FIXED

People

(Reporter: dbaron, Assigned: smaug)

References

(Blocks 1 open bug)

Attachments

(1 file)

With the patch to bug 335053, during Firefox startup, I see:

###!!! ASSERTION: should not execute script during frame construction: 'presContext->LayoutPhaseCount(eLayoutPhase_FrameC) == 0', file content/base/src/nsContentUtils.cpp, line 3718
    nsContentUtils::AssertLayoutSafeForScript(nsIDocument*) (content/base/src/nsContentUtils.cpp:3717)
    nsDocument::BeginUpdate(unsigned int) (content/base/src/nsDocument.cpp:2684)
    mozAutoDocUpdate (/builds/trunk/obj/firefox-debugopt/content/xml/document/src/../../../../dist/include/content/nsIDocument.h:996)
    nsGenericElement::SetAttrAndNotify(int, nsIAtom*, nsIAtom*, nsAString_internal const&, nsAttrValue&, int, int, int) (content/base/src/nsGenericElement.cpp:3601)
    nsGenericElement::SetAttr(int, nsIAtom*, nsIAtom*, nsAString_internal const&, int) (content/base/src/nsGenericElement.cpp:3575)
    nsIContent::SetAttr(int, nsIAtom*, nsAString_internal const&, int) (/builds/trunk/obj/firefox-debugopt/layout/xul/base/src/tree/src/../../../../../../dist/include/content/nsIContent.h:248)
    nsProgressMeterFrame::AttributeChanged(int, nsIAtom*, int) (layout/xul/base/src/nsProgressMeterFrame.cpp:118)
    nsProgressMeterFrame::SetInitialChildList(nsIAtom*, nsIFrame*) (layout/xul/base/src/nsProgressMeterFrame.cpp:81)
    nsCSSFrameConstructor::ConstructXULFrame(nsFrameConstructorState&, nsIContent*, nsIFrame*, nsIAtom*, int, nsStyleContext*, nsFrameItems&, int, int, int*) (layout/base/nsCSSFrameConstructor.cpp:6181)
    nsCSSFrameConstructor::ConstructFrameInternal(nsFrameConstructorState&, nsIContent*, nsIFrame*, nsIAtom*, int, nsStyleContext*, nsFrameItems&, int) (layout/base/nsCSSFrameConstructor.cpp:7623)
    nsCSSFrameConstructor::ConstructFrame(nsFrameConstructorState&, nsIContent*, nsIFrame*, nsFrameItems&) (layout/base/nsCSSFrameConstructor.cpp:7484)
    nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsIFrame*, int, nsFrameItems&, int) (layout/base/nsCSSFrameConstructor.cpp:11240)

This means that callers could have mutation listeners that cause probably-exploitable crashes.
Flags: blocking1.9?
I can take this.
Assignee: nobody → Olli.Pettay
Flags: blocking1.9? → blocking1.9+
Attached patch: proposed patch
Initialize child frames/content-objects using a reflow callback.
Attachment #283582 - Flags: superreview?(roc)
Attachment #283582 - Flags: review?(roc)
Attachment #283582 - Flags: superreview?(roc) → superreview+
Attachment #283582 - Flags: review?(roc) → review+
Attachment #283582 - Flags: approval1.9?
Attachment #283582 - Flags: approval1.9?
Checked in,
should be fixed now :)
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.xul → xptoolkit.widgets
Group: core-security
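
A simplified C++ model of the problem reported here and of the reflow-callback approach named in the patch description. It is an added example, not code from the Mozilla tree or from the attached patch; every type and function name, and the `flex` attribute and its value, are constructed for illustration.

```cpp
// Simplified model, not Mozilla code; every name and value here is hypothetical.
#include <functional>
#include <map>
#include <string>
#include <vector>
struct PresContext {
    int frameConstructionDepth = 0;  // stands in for LayoutPhaseCount(eLayoutPhase_FrameC)
    int unsafeNotifications = 0;     // SetAttr calls made while frames were being built
    std::vector<std::function<void()>> reflowCallbacks;
};

struct Element {
    PresContext* pc;
    std::map<std::string, std::string> attrs;
    std::vector<std::function<void()>> mutationListeners;  // may run page script
    void SetAttr(const std::string& name, const std::string& value) {
        if (pc->frameConstructionDepth != 0) ++pc->unsafeNotifications;  // assertion condition
        attrs[name] = value;
        for (auto& listener : mutationListeners) listener();
    }
};

// Builds the frame for `content`; defer=false models the bug, defer=true the fix.
void ConstructFrame(PresContext& pc, Element& content, bool defer) {
    ++pc.frameConstructionDepth;
    auto init = [&content] { content.SetAttr("flex", "50"); };
    if (defer) pc.reflowCallbacks.push_back(init);  // initialize after construction
    else init();                                    // notify in the middle of construction
    --pc.frameConstructionDepth;
}

void FlushReflowCallbacks(PresContext& pc) {
    std::vector<std::function<void()>> pending;
    pending.swap(pc.reflowCallbacks);  // callbacks queued while flushing run on the next flush
    for (auto& cb : pending) cb();
}
// Returns the number of unsafe notifications, or -1 if initialization never ran.
int RunScenario(bool defer) {
    PresContext pc;
    Element content{&pc, {}, {}};
    int calls = 0;
    content.mutationListeners.push_back([&calls] { ++calls; });
    ConstructFrame(pc, content, defer);
    FlushReflowCallbacks(pc);
    if (calls != 1 || content.attrs["flex"] != "50") return -1;
    return pc.unsafeNotifications;
}

int main() { return RunScenario(false) == 1 && RunScenario(true) == 0 ? 0 : 1; }
```

In both variants the attribute ends up set and the listener runs once; only the deferred variant runs it after the construction phase has ended.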