nsProgressMeterFrame sets and notifies on attributes during frame construction

Status: RESOLVED FIXED
Reporter: dbaron
Assignee: smaug
Blocks: 1 bug
Version: Trunk
Platform: x86 Linux
Flags: blocking1.9+
Attachments: 1

With the patch to bug 335053, during Firefox startup, I see:

G###!!! ASSERTION: should not execute script during frame construction: 'presContext->LayoutPhaseCount(eLayoutPhase_FrameC) == 0', file content/base/src/nsContentUtils.cpp, line 3718
    nsContentUtils::AssertLayoutSafeForScript(nsIDocument*) (content/base/src/nsContentUtils.cpp:3717)
    nsDocument::BeginUpdate(unsigned int) (content/base/src/nsDocument.cpp:2684)
    mozAutoDocUpdate (/builds/trunk/obj/firefox-debugopt/content/xml/document/src/../../../../dist/include/content/nsIDocument.h:996)
    nsGenericElement::SetAttrAndNotify(int, nsIAtom*, nsIAtom*, nsAString_internal const&, nsAttrValue&, int, int, int) (content/base/src/nsGenericElement.cpp:3601)
    nsGenericElement::SetAttr(int, nsIAtom*, nsIAtom*, nsAString_internal const&, int) (content/base/src/nsGenericElement.cpp:3575)
    nsIContent::SetAttr(int, nsIAtom*, nsAString_internal const&, int) (/builds/trunk/obj/firefox-debugopt/layout/xul/base/src/tree/src/../../../../../../dist/include/content/nsIContent.h:248)
    nsProgressMeterFrame::AttributeChanged(int, nsIAtom*, int) (layout/xul/base/src/nsProgressMeterFrame.cpp:118)
    nsProgressMeterFrame::SetInitialChildList(nsIAtom*, nsIFrame*) (layout/xul/base/src/nsProgressMeterFrame.cpp:81)
    nsCSSFrameConstructor::ConstructXULFrame(nsFrameConstructorState&, nsIContent*, nsIFrame*, nsIAtom*, int, nsStyleContext*, nsFrameItems&, int, int, int*) (layout/base/nsCSSFrameConstructor.cpp:6181)
    nsCSSFrameConstructor::ConstructFrameInternal(nsFrameConstructorState&, nsIContent*, nsIFrame*, nsIAtom*, int, nsStyleContext*, nsFrameItems&, int) (layout/base/nsCSSFrameConstructor.cpp:7623)
    nsCSSFrameConstructor::ConstructFrame(nsFrameConstructorState&, nsIContent*, nsIFrame*, nsFrameItems&) (layout/base/nsCSSFrameConstructor.cpp:7484)
    nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsIFrame*, int, nsFrameItems&, int) (layout/base/nsCSSFrameConstructor.cpp:11240)

This means that callers could have mutation listeners that cause probably-exploitable crashes.
Flags: blocking1.9?
I can take this.
Assignee: nobody → Olli.Pettay
Flags: blocking1.9? → blocking1.9+
Created attachment 283582
proposed patch

Initialize child frames/content-objects using a reflow callback.
Attachment #283582 - Flags: superreview?(roc) → superreview+
Attachment #283582 - Flags: review?(roc) → review+
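Added example, not Mozilla code and not the attached patch: a small C++ model of the hazard in dbaron's stack trace (an attribute set and notified while the frame-construction phase counter is non-zero, so a mutation listener can run script and mutate the tree under the constructor) and of the fix smaug describes (initialising through a reflow callback that runs once layout is finished). Document, Element, layoutPhaseCount, scriptDuringLayout, reflowCallbacks and the listener are hypothetical stand-ins for the Gecko objects named in the trace; the scenario is constructed.

```cpp
#include <cstdio>
#include <functional>
#include <string>
#include <vector>

struct Element;

// Stand-in for a DOM mutation listener; in the real engine this may run arbitrary script.
using MutationListener = std::function<void(Element&)>;

// Hypothetical document: tracks the layout phase the way the bug's assertion does.
struct Document {
    int layoutPhaseCount = 0;      // > 0 while frame construction is running (eLayoutPhase_FrameC)
    int scriptDuringLayout = 0;    // notifications delivered to listeners while layoutPhaseCount != 0
    std::vector<std::function<void()>> reflowCallbacks;   // deferred work, run once layout is done
};

// Hypothetical element: SetAttr stores the value and notifies listeners synchronously,
// like nsGenericElement::SetAttrAndNotify in the stack trace.
struct Element {
    Document* doc = nullptr;
    std::string value;
    bool inTree = true;            // cleared when a listener removes the element from the DOM
    std::vector<MutationListener> listeners;

    void SetAttr(const std::string& v) {
        value = v;
        if (doc->layoutPhaseCount != 0)
            ++doc->scriptDuringLayout;   // the bug's assertion, recorded here instead of aborting
        for (auto& listener : listeners)
            listener(*this);             // a listener may mutate the tree underneath the caller
    }
};

struct Outcome {
    int scriptDuringLayout;        // how often script-capable code ran inside frame construction
    bool frameForRemovedContent;   // construction finished a frame for content already removed
    bool listenerRan;              // the listener fires in both variants, just at different times
};

// Constructed scenario: one progressmeter-like element whose only mutation listener
// removes it from the tree. deferInit=false mirrors the original SetInitialChildList,
// deferInit=true mirrors the patch's reflow-callback initialisation.
static Outcome Run(bool deferInit) {
    Document doc;
    Element meter;
    meter.doc = &doc;
    bool listenerRan = false;
    meter.listeners.push_back([&](Element& e) { listenerRan = true; e.inTree = false; });

    ++doc.layoutPhaseCount;            // frame construction begins
    Element* content = &meter;         // the frame being built holds a raw pointer to its content
    if (!deferInit) {
        content->SetAttr("0");         // eager: notifies listeners mid-construction
    } else {
        doc.reflowCallbacks.push_back([content] { content->SetAttr("0"); });
    }
    // Construction continues using `content`; on the eager path the listener has already
    // pulled it out of the tree, which in the real engine is a dangling frame/content link.
    bool frameForRemoved = !content->inTree;
    --doc.layoutPhaseCount;            // frame construction ends; script is safe again

    for (auto& cb : doc.reflowCallbacks)
        cb();                          // deferred initialisation runs here, listeners included
    doc.reflowCallbacks.clear();

    return {doc.scriptDuringLayout, frameForRemoved, listenerRan};
}

Outcome ConstructEagerly() { return Run(false); }
Outcome ConstructWithReflowCallback() { return Run(true); }

int main() {
    Outcome eager = ConstructEagerly();
    Outcome deferred = ConstructWithReflowCallback();
    std::printf("eager:    script during layout=%d, frame for removed content=%d\n",
                eager.scriptDuringLayout, eager.frameForRemovedContent);
    std::printf("deferred: script during layout=%d, frame for removed content=%d\n",
                deferred.scriptDuringLayout, deferred.frameForRemovedContent);
    return 0;
}
```

The point of the model is that deferral does not suppress the listener; it only moves it to a phase where the tree may legitimately change, so the constructor never observes a mutation between taking its raw pointer and finishing the frame.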
Checked in, should be fixed now :)
Status: NEW → RESOLVED
Resolution: --- → FIXED

Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.xul → xptoolkit.widgets
Group: core-security