Closed Bug 387033 Opened 17 years ago Closed 17 years ago

Script may run when initializing nsTextBoxFrame


(Core :: Layout, defect)






(Reporter: smaug, Assigned: smaug)



(4 keywords, Whiteboard: [sg:critical?])


(4 files)

During Init() nsTextBoxFrame gets nsIDOMXULLabelElement::accessKey, 
which is implemented as an XBL property.
The stack I get with the testcase is always corrupted.
Flags: blocking1.9?
Severity: normal → critical
Keywords: crash, testcase
OS: Linux → All
Hardware: PC → All
Whiteboard: [sg:critical?]
This stack doesn't look corrupted to me.
Is fixing bug 372769 here sufficient, or is getting the accesskey inherently bad because we can't guarantee that we're running only our own code to get it?
The latter.  This is running in-page code...

Same thing for any other cases when frame code makes calls out to XBL-implemented interfaces.  :(
Flags: blocking1.9? → blocking1.9+
Taking. The fix will probably change accesskey handling to happen in a reflowcallback or event.
Assignee: nobody → Olli.Pettay
Attached patch: possible patch
Make accesskey update happen on reflow callback.
I tried not to increase the sizeof nsTextBoxFrame, so using a helper class.
The patch is a bit ugly, but simple.
Attachment #275407 - Flags: review?(roc)
Closed: 17 years ago
Resolution: --- → FIXED
Depends on: 391708
Crashes on 1.8 branch as well (tested FF1.5.0.12 and FF2.0.0.6)
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.7?
Flags: blocking1.8.0.14?
Flags: blocking1.8.1.7? → blocking1.8.1.7+
I'll post branch patch after bug 394120.
Depends on: 394120
Because of trunk changes the patch isn't exactly the same.
Marking frame dirty is done differently and reflow callback handling is a bit different.
Attachment #280581 - Flags: superreview?(roc)
Attachment #280581 - Flags: review?(roc)
Attachment #280581 - Flags: superreview?(roc)
Attachment #280581 - Flags: superreview+
Attachment #280581 - Flags: review?(roc)
Attachment #280581 - Flags: review+
Comment on attachment 280581
for 1.8, contains regression fixes

Do we want this also for 1.8.0.x?
Attachment #280581 - Flags: approval1.8.1.7?
Comment on attachment 280581
for 1.8, contains regression fixes

approved for, a=dveditz for release-drivers
Attachment #280581 - Flags: approval1.8.1.8? → approval1.8.1.8+
Meant, of course. When checked in, please also mark the regressions bug 391708 and bug 394120 as "fixed1.8.1.8" so QA can verify them on the branch.
Keywords: fixed1.8.1.8
Patch was checked in for

and verified fixed using the testcase from this bug and Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv: Gecko/20070929 BonEcho/ ID:2007092904 and Mozilla/5.0 (X11; U; Linux i686; en-US; rv: BonEcho/ on Fedora F7

- adding verified keyword
Group: security
Flags: in-testsuite?
Flags: blocking1.8.0.14? → blocking1.8.0.15?
Flags: blocking1.8.0.15? → blocking1.8.0.15+
Comment on attachment 280581
for 1.8, contains regression fixes

a=asac for

(same patch shipped by distros for some time)
Attachment #280581 - Flags: approval1.8.0.15+
crash test landed
Flags: in-testsuite? → in-testsuite+
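
The fix direction discussed in this bug (take the accesskey lookup out of frame initialization and run it from a reflow callback) as an added, self-contained C++ model. It is not the attached patch or Gecko code: `Shell`, `Frame`, `Element` and every member name are hypothetical, and the getter is a constructed stand-in for an XBL-implemented property.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <vector>
// Hypothetical model, not Gecko code. accessKeyGetter stands in for an
// XBL-implemented property: calling it runs page-controlled code.
struct Element { std::function<std::string()> accessKeyGetter; };
struct Frame;
struct Shell {
    std::vector<std::weak_ptr<Frame>> reflowCallbacks;  // run at a safe point
    bool inFrameConstruction = false;
    int unsafeScriptRuns = 0;  // getter calls made during frame construction
    void FlushReflowCallbacks();
};
struct Frame : std::enable_shared_from_this<Frame> {
    Shell& shell; Element& element; std::string accessKey;
    Frame(Shell& s, Element& e) : shell(s), element(e) {}
    void InitUnsafe() { UpdateAccessKey(); }  // calls out to script in Init
    void InitDeferred() { shell.reflowCallbacks.push_back(shared_from_this()); }
    void UpdateAccessKey() {
        if (shell.inFrameConstruction) ++shell.unsafeScriptRuns;
        accessKey = element.accessKeyGetter();
    }
};
void Shell::FlushReflowCallbacks() {
    std::vector<std::weak_ptr<Frame>> pending;
    pending.swap(reflowCallbacks);     // callbacks may queue new entries
    for (auto& weak : pending)
        if (auto frame = weak.lock())  // skip frames destroyed while queued
            frame->UpdateAccessKey();  // strong ref held across the call
}
// Returns how many times script ran while frames were being constructed.
int ScriptRunsDuringInit(bool deferred, std::string* keyOut) {
    Shell shell;
    Element label{[] { return std::string("k"); }};  // constructed sample
    auto frame = std::make_shared<Frame>(shell, label);
    shell.inFrameConstruction = true;
    if (deferred) frame->InitDeferred(); else frame->InitUnsafe();
    shell.inFrameConstruction = false;
    shell.FlushReflowCallbacks();  // the safe point, after construction
    *keyOut = frame->accessKey;
    return shell.unsafeScriptRuns;
}

int main() {
    std::string k;
    int u = ScriptRunsDuringInit(false, &k), d = ScriptRunsDuringInit(true, &k);
    std::printf("script runs during init: unsafe=%d deferred=%d\n", u, d);
}
```

Both paths end with the same access key; only the deferred one reaches it without running the getter while frames are being constructed.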