Closed Bug 387033 Opened 16 years ago Closed 16 years ago

Script may run when initializing nsTextBoxFrame

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: smaug, Assigned: smaug)

References

Details

(4 keywords, Whiteboard: [sg:critical?])

Attachments

(4 files)

testcase, crashes onload.
929 bytes, application/xhtml+xml
Details
stack trace (mac trunk debug)
5.31 KB, text/plain
Details
possible patch
6.33 KB, patch
roc
: review+
roc
: superreview+
Details | Diff | Splinter Review
for 1.8, contains regression fixes
7.24 KB, patch
roc
: review+
roc
: superreview+
dveditz
: approval1.8.1.8+
asac
: approval1.8.0.next+
Details | Diff | Splinter Review 
During Init() nsTextBoxFrame gets nsIDOMXULLabelElement::accessKey, 
which is implemented as an XBL property.
The stack I get with the testcase is always corrupted.
Flags: blocking1.9?
Blocks: 334450
Severity: normal → critical
Keywords: crash, testcase
OS: Linux → All
Hardware: PC → All
Whiteboard: [sg:critical?]
This stack doesn't look corrupted to me.
Is fixing bug 372769 here sufficient, or is getting the accesskey inherently bad because we can't guarantee that we're running only our own code to get it?
The latter.  This is running in-page code...

Same thing for any other cases when frame code makes calls out to XBL-implemented interfaces.  :(
Flags: blocking1.9? → blocking1.9+
Taking. The fix will probably change accesskey handling to happen in a reflowcallback or event.
Assignee: nobody → Olli.Pettay
Attached patch possible patchSplinter Review 
Make accesskey update happen on reflow callback.
I tried not to increase the sizeof nsTextBoxFrame, so using a helper class.
The patch is a bit ugly, but simple.
Attachment #275407 - Flags: review?(roc)
Status: NEW → ASSIGNED
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Depends on: 391708
Crashes on 1.8 branch as well (tested FF1.5.0.12 and FF2.0.0.6)
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.7?
Flags: blocking1.8.0.14?
Flags: blocking1.8.1.7? → blocking1.8.1.7+
I'll post branch patch after bug 394120.
Depends on: 394120
Because of trunk changes the patch isn't exactly the same.
Marking frame dirty is done differently and reflow callback handling is a bit different.
Attachment #280581 - Flags: superreview?(roc)
Attachment #280581 - Flags: review?(roc)
Attachment #280581 - Flags: superreview?(roc)
Attachment #280581 - Flags: superreview+
Attachment #280581 - Flags: review?(roc)
Attachment #280581 - Flags: review+
Comment on attachment 280581 [details] [diff] [review]
for 1.8, contains regression fixes

Do we want this also for 1.8.0.x?
Attachment #280581 - Flags: approval1.8.1.7?
Comment on attachment 280581 [details] [diff] [review]
for 1.8, contains regression fixes

approved for 1.8.1.7, a=dveditz for release-drivers
Attachment #280581 - Flags: approval1.8.1.8? → approval1.8.1.8+
Meant 1.8.1.8, of course. when checked in please also mark the regressions bug 391708 and bug 394120 as "fixed1.8.1.8" so QA can verify them on the branch.
Keywords: fixed1.8.1.8
Patch was checked in for 1.8.1.8
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=MOZILLA_1_8_BRANCH&branchtype=match&dir=&file=nsTextBoxFrame.cpp&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=week&mindate=2007-09-25+00%3A00&maxdate=2007-09-25+01%3A00&cvsroot=%2Fcvsroot

and verified fixed 1.8.1.8 using the testcase from this bug and Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.8pre) Gecko/20070929 BonEcho/2.0.0.8pre ID:2007092904 and Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.8pre)Gecko/2007092903 BonEcho/2.0.0.8pre on Fedora F7

- adding verified keyword
Keywords: fixed1.8.1.8verified1.8.1.8
Group: security
Flags: in-testsuite?
Flags: blocking1.8.0.14? → blocking1.8.0.15?
Flags: blocking1.8.0.15? → blocking1.8.0.15+
Comment on attachment 280581 [details] [diff] [review]
for 1.8, contains regression fixes

a=asac for 1.8.0.15

(same patch shipped by distros for some time)
Attachment #280581 - Flags: approval1.8.0.15+
crash test landed
http://hg.mozilla.org/mozilla-central/rev/c3900155298a
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.