Closed Bug 495444 Opened 15 years ago Closed 15 years ago

nsXULTemplateBuilder::AttributeChanged calls Rebuild when nsContentUtils::IsSafeToRunScripts returns false

Categories

(Core :: XUL, defect)

x86
Linux
defect
Not set
normal

Tracking

()

RESOLVED FIXED
Tracking Status
blocking1.9.1 --- .2+
status1.9.1 --- .2-fixed

People

(Reporter: smaug, Assigned: smaug)

Details

(Keywords: verified1.9.0.14, Whiteboard: [sg:moderate?])

Attachments

(3 files, 1 obsolete file)

Attached patch patch (obsolete)
#7  0x00002aaab0b55a3e in nsJSContext::EvaluateStringWithValue (this=0x2144780, aScript=@0x7fff28ccedd0, 
    aScopeObject=0x1f88c80, aPrincipal=0x7a09c0, aURL=0x2212548 "chrome://global/content/bindings/listbox.xml", aLineNo=217, 
    aVersion=180, aRetValue=0x7fff28ccedf0, aIsUndefined=0x7fff28ccedfc)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/dom/base/nsJSEnvironment.cpp:1450
#8  0x00002aaab0b1467e in nsXBLProtoImplField::InstallField (this=0x2a64560, aContext=<value optimized out>, 
    aBoundNode=0x1f88c80, aPrincipal=0x7a09c0, aBindingDocURI=<value optimized out>, aDidInstall=0x7fff28ccee8c)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xbl/src/nsXBLProtoImplField.cpp:135
#9  0x00002aaab0b07bad in XBLResolve (cx=0x21447e0, obj=<value optimized out>, id=<value optimized out>, 
    flags=<value optimized out>, objp=0x7fff28ccef28)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xbl/src/nsXBLBinding.cpp:211
#10 0x00002aaaaad9efad in js_LookupPropertyWithFlags (cx=0x21447e0, obj=<value optimized out>, id=32533796, flags=5, 
    objp=0x7fff28ccef90, propp=0x7fff28ccef88) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsobj.cpp:3848
#11 0x00002aaaaada706d in js_GetPropertyHelper (cx=0x21447e0, obj=0x1f88c80, id=32533796, cacheResult=1, vp=0x7fff28ccf238)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsobj.cpp:4255
#12 0x00002aaaaad761ea in js_Interpret (cx=0x21447e0) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:4441
#13 0x00002aaaaad906a3 in js_Invoke (cx=0x21447e0, argc=1, vp=0x3010a38, flags=<value optimized out>)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:1394
#14 0x00002aaab0248275 in nsXPCWrappedJSClass::CallMethod (this=0x215c3e0, wrapper=<value optimized out>, methodIndex=4, 
    info=0x1108600, nativeParams=0x7fff28ccf780)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp:1652
#15 0x00002aaaab2d326e in PrepareAndDispatch (self=0x215c4b0, methodIndex=<value optimized out>, args=<value optimized out>, 
    gpregs=0x7fff28ccf860, fpregs=0x7fff28ccf890)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:153
#16 0x00002aaaab2d260b in SharedStub ()
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/xpcom/reflect/xptinfo/src/xptiprivate.h:383
#17 0x00002aaab0c8f5eb in nsXULTemplateBuilder::Rebuild (this=0x305b980)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xul/templates/src/nsXULTemplateBuilder.cpp:400
#18 0x00002aaab0c94e05 in nsXULTemplateBuilder::AttributeChanged (this=0x3df8, aDocument=0x303d900, aContent=0x6, 
    aNameSpaceID=-1, aAttribute=0x0, aModType=0, aStateMask=0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xul/templates/src/nsXULTemplateBuilder.cpp:1112
#19 0x00002aaab09ccfd2 in nsNodeUtils::AttributeChanged (aContent=0x30afb80, aNameSpaceID=0, aAttribute=0xb8edb8, 
    aModType=2, aStateMask=0) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsNodeUtils.cpp:108
#20 0x00002aaab09bbf75 in nsGenericElement::SetAttrAndNotify (this=0x30afb80, aNamespaceID=0, aName=0xb8edb8, aPrefix=0x0, 
    aOldValue=@0x7fff28ccfd80, aParsedValue=<value optimized out>, aModification=0, aFireMutation=0, aNotify=1, 
    aValueForAfterSetAttr=0x7fff28ccfee0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.cpp:4369
#21 0x00002aaab09bc301 in nsGenericElement::SetAttr (this=0x30afb80, aNamespaceID=0, aName=0xb8edb8, aPrefix=0x0, 
    aValue=@0x7fff28ccfee0, aNotify=1)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.cpp:4300
#22 0x00002aaab09b5d95 in nsGenericElement::SetAttribute (this=0x30afb80, aName=@0x7fff28ccff00, aValue=@0x7fff28ccfee0)
Attachment #380424 - Flags: superreview?(neil)
Attachment #380424 - Flags: review?
Attachment #380424 - Flags: review? → review?(enndeakin)
nsXULTemplateBuilder.cpp(1113) : error C2664: 'ns_new_runnable_method' : cannot convert parameter 2 from 'nsresult (__stdcall nsXULTemplateBuilder::* )(void)' to 'nsresult (__thiscall nsXULTemplateBuilder::* )(void)'
        Types pointed to are unrelated; conversion requires reinterpret_cast, C-style cast or function-style cast
nsXULTemplateBuilder.cpp(1124) : error C2664: 'ns_new_runnable_method' : cannot convert parameter 2 from 'nsresult (__stdcall nsXULTemplateBuilder::* )(void)' to 'nsresult (__thiscall nsXULTemplateBuilder::* )(void)'
        Types pointed to are unrelated; conversion requires reinterpret_cast, C-style cast or function-style cast
gmake: *** [nsXULTemplateBuilder.obj] Error 2
Bah, I'll upload a new patch.
Attached patch patch
Attachment #380424 - Attachment is obsolete: true
Attachment #380433 - Flags: superreview?(neil)
Attachment #380433 - Flags: review?(enndeakin)
Attachment #380424 - Flags: superreview?(neil)
Attachment #380424 - Flags: review?(enndeakin)
Attachment #380433 - Flags: superreview?(neil) → superreview+
Comment on attachment 380433 [details] [diff] [review]
patch

Excellent, this must have been why I was getting an assertion (something to do with suppressing mutation events) opening SeaMonkey Mail.
Can you explain why this is needed? Rebuild doesn't call any scripts directly.
Yes, it does, if there is a JS-implemented nsIXULBuilderListener.
Attachment #380433 - Flags: review?(enndeakin) → review+
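The exchange above (Rebuild reaching a JS-implemented nsIXULBuilderListener from inside an attribute-change notification) can be modelled in a few lines of C++. This is an added example, not code from this bug or from Gecko: `ScriptGate`, `Builder` and `Simulate` are hypothetical stand-ins, and the deferral shown is one way to honour an IsSafeToRunScripts-style check, not the landed patch.

```cpp
#include <functional>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical model of a script-blocker; not Gecko's nsContentUtils.
struct ScriptGate {
    int blockers = 0;                            // > 0 while a DOM mutation is being notified
    std::vector<std::function<void()>> pending;  // work postponed until scripts are safe
    bool IsSafeToRunScripts() const { return blockers == 0; }
    void AddScriptRunner(std::function<void()> r) {
        if (IsSafeToRunScripts()) r(); else pending.push_back(r);
    }
    void Block() { ++blockers; }
    void Unblock() {
        if (--blockers != 0) return;
        decltype(pending) run; run.swap(pending);
        for (auto& r : run) r();                 // flush once the last blocker is gone
    }
};
// Stand-in for a template builder; its listeners may be implemented in script.
struct Builder {
    ScriptGate& gate;
    std::vector<std::function<void()>> listeners;
    std::vector<std::string> log;
    void Rebuild() {
        log.push_back(gate.IsSafeToRunScripts() ? "rebuild:safe" : "rebuild:UNSAFE");
        for (auto& l : listeners) l();           // this is where script can run
    }
    void AttributeChangedDirect()   { Rebuild(); }                                   // reported behaviour
    void AttributeChangedDeferred() { gate.AddScriptRunner([this] { Rebuild(); }); } // deferred variant
};
// One attribute change, notified while scripts are blocked (constructed scenario).
std::vector<std::string> Simulate(bool deferred) {
    ScriptGate gate;
    Builder b{gate, {}, {}};
    b.listeners.push_back([&] {
        b.log.push_back(gate.IsSafeToRunScripts() ? "listener:safe" : "listener:UNSAFE"); });
    gate.Block();
    if (deferred) b.AttributeChangedDeferred(); else b.AttributeChangedDirect();
    b.log.push_back("notification-done");
    gate.Unblock();
    return b.log;
}
int main() {
    for (bool d : {false, true})
        for (const auto& s : Simulate(d)) std::cout << (d ? "deferred " : "direct   ") << s << "\n";
}
```

In the direct variant the listener runs before the notification has finished; in the deferred variant it runs only after the last blocker is released.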
http://hg.mozilla.org/mozilla-central/rev/34238c425f2a
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Flags: blocking1.9.1?
Flags: blocking1.9.0.13?
This bug was nominated for blocking Firefox 3.5, which is due to ship in two days, but no rationale was given. I'm going to assume that Olli meant to flag it as something we want to get into a security and stability release for Firefox, and transfer the flag to 1.9.1.1; if that's wrong, please renominate explaining why this is a stop-ship issue.
Flags: blocking1.9.1? → blocking1.9.1.1?
Oh, sorry, I meant 1.9.1.1
Can content create a nsIXULBuilderListener, or is it only addons at risk here?
Flags: wanted1.9.1.x+
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.13?
Flags: blocking1.9.0.13+
Whiteboard: [sg:moderate?]
(In reply to comment #10)
> Can content create a nsIXULBuilderListener, or is it only addons at risk here?

The listeners can be created by script code, so content code could create one.
Not for 1.9.1.1. We'll block on this for 1.9.1.2 though.
Flags: blocking1.9.1.1?
Whiteboard: [sg:moderate?] → [sg:moderate?][1.9.1.2+]
blocking1.9.1: --- → .2+
Comment on attachment 380433 [details] [diff] [review]
patch

a=beltzner, please land on mozilla-1.9.1 immediately
Attachment #380433 - Flags: approval1.9.1.2+
Olli, could you help us verify this bug for 3.5.2?
Does this patch work for 1.9.0 as well?
Flags: wanted1.9.1.x+
Whiteboard: [sg:moderate?][1.9.1.2+] → [sg:moderate?]
The patch doesn't apply cleanly to 1.9.0 but I'll update it.

I think I have an idea for a testcase...
Attached file testcase
If you get 2 working alerts when loading this, everything is ok.
Without the patch you get non-working alert dialogs (at least on OSX).
...at least 2 alerts.
Attached patch for 190
Attachment #392895 - Flags: approval1.9.0.14?
Attachment #392895 - Flags: approval1.9.0.14? → approval1.9.0.14+
Comment on attachment 392895 [details] [diff] [review]
for 190

Approved for 1.9.0.14, a=dveditz for release-drivers
Checking in content/xul/templates/src/nsXULTemplateBuilder.cpp;
/cvsroot/mozilla/content/xul/templates/src/nsXULTemplateBuilder.cpp,v  <--  nsXULTemplateBuilder.cpp
new revision: 1.359; previous revision: 1.358
done
Checking in content/xul/templates/src/nsXULTemplateBuilder.h;
/cvsroot/mozilla/content/xul/templates/src/nsXULTemplateBuilder.h,v  <--  nsXULTemplateBuilder.h
new revision: 1.37; previous revision: 1.36
done
Keywords: fixed1.9.0.14
Verified fixed using the attached testcase in 1.9.0.14 (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.14pre) Gecko/2009081813 GranParadiso/3.0.14pre).
Group: core-security