The default bug view has changed. See this FAQ.

Script may run when initializing nsTextBoxFrame

RESOLVED FIXED

Status

()

Core
Layout
--
critical
RESOLVED FIXED
10 years ago
8 years ago

People

(Reporter: smaug, Assigned: smaug)

Tracking

(4 keywords)

Trunk
crash, fixed1.8.0.15, testcase, verified1.8.1.8
Points:
---
Dependency tree / graph
Bug Flags:
blocking1.9 +
blocking1.8.1.8 +
wanted1.8.1.x +
blocking1.8.0.next +
wanted1.8.0.x +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?])

Attachments

(4 attachments)

(Assignee)

Description

10 years ago
Created attachment 271126 [details]
testcase, crashes onload.

During Init() nsTextBoxFrame gets nsIDOMXULLabelElement::accessKey, 
which is implemented as an XBL property.
The stack I get with the testcase is always corrupted.
Flags: blocking1.9?
Blocks: 334450

Updated

10 years ago
Severity: normal → critical
Keywords: crash, testcase
OS: Linux → All
Hardware: PC → All
Whiteboard: [sg:critical?]

Comment 1

10 years ago
Created attachment 271182 [details]
stack trace (mac trunk debug)

This stack doesn't look corrupted to me.
Is fixing bug 372769 here sufficient, or is getting the accesskey inherently bad because we can't guarantee that we're running only our own code to get it?
The latter.  This is running in-page code...

Same thing for any other cases when frame code makes calls out to XBL-implemented interfaces.  :(
Flags: blocking1.9? → blocking1.9+
(Assignee)

Comment 4

10 years ago
Taking. The fix will probably change accesskey handling to happen in a reflowcallback or event.
Assignee: nobody → Olli.Pettay
(Assignee)

Comment 5

10 years ago
Created attachment 275407 [details] [diff] [review]
possible patch

Make accesskey update happen on reflow callback.
I tried not to increase the sizeof nsTextBoxFrame, so using a helper class.
The patch is a bit ugly, but simple.
Attachment #275407 - Flags: review?(roc)
(Assignee)

Updated

10 years ago
Status: NEW → ASSIGNED
Attachment #275407 - Flags: superreview+
Attachment #275407 - Flags: review?(roc)
Attachment #275407 - Flags: review+
(Assignee)

Updated

10 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
(Assignee)

Updated

10 years ago
Depends on: 391708
Crashes on 1.8 branch as well (tested FF1.5.0.12 and FF2.0.0.6)
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.7?
Flags: blocking1.8.0.14?
Flags: blocking1.8.1.7? → blocking1.8.1.7+
(Assignee)

Comment 7

10 years ago
I'll post branch patch after bug 394120.
Depends on: 394120
(Assignee)

Comment 8

10 years ago
Created attachment 280581 [details] [diff] [review]
for 1.8, contains regression fixes

Because of trunk changes the patch isn't exactly the same.
Marking frame dirty is done differently and reflow callback handling is a bit different.
Attachment #280581 - Flags: superreview?(roc)
Attachment #280581 - Flags: review?(roc)
Attachment #280581 - Flags: superreview?(roc)
Attachment #280581 - Flags: superreview+
Attachment #280581 - Flags: review?(roc)
Attachment #280581 - Flags: review+
(Assignee)

Comment 9

10 years ago
Comment on attachment 280581 [details] [diff] [review]
for 1.8, contains regression fixes

Do we want this also for 1.8.0.x?
Attachment #280581 - Flags: approval1.8.1.7?
Comment on attachment 280581 [details] [diff] [review]
for 1.8, contains regression fixes

approved for 1.8.1.7, a=dveditz for release-drivers
Attachment #280581 - Flags: approval1.8.1.8? → approval1.8.1.8+
Meant 1.8.1.8, of course. when checked in please also mark the regressions bug 391708 and bug 394120 as "fixed1.8.1.8" so QA can verify them on the branch.
(Assignee)

Updated

10 years ago
Keywords: fixed1.8.1.8
Patch was checked in for 1.8.1.8
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=MOZILLA_1_8_BRANCH&branchtype=match&dir=&file=nsTextBoxFrame.cpp&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=week&mindate=2007-09-25+00%3A00&maxdate=2007-09-25+01%3A00&cvsroot=%2Fcvsroot

and verified fixed 1.8.1.8 using the testcase from this bug and Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.8pre) Gecko/20070929 BonEcho/2.0.0.8pre ID:2007092904 and Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.8pre)Gecko/2007092903 BonEcho/2.0.0.8pre on Fedora F7

- adding verified keyword
Keywords: fixed1.8.1.8 → verified1.8.1.8
Group: security
Flags: in-testsuite?
Flags: blocking1.8.0.14? → blocking1.8.0.15?
Flags: blocking1.8.0.15? → blocking1.8.0.15+

Comment 13

9 years ago
Comment on attachment 280581 [details] [diff] [review]
for 1.8, contains regression fixes

a=asac for 1.8.0.15

(same patch shipped by distros for some time)
Attachment #280581 - Flags: approval1.8.0.15+
fix committed to 1.8.0
Keywords: fixed1.8.0.15

Comment 15

8 years ago
crash test landed
http://hg.mozilla.org/mozilla-central/rev/c3900155298a
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.