Closed
Bug 397955
Opened 17 years ago
Closed 17 years ago
nsProgressMeterFrame sets and notifies on attributes during frame construction
Categories
(Core :: XUL, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: dbaron, Assigned: smaug)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
3.73 KB,
patch
|
roc
:
review+
roc
:
superreview+
|
Details | Diff | Splinter Review |
With the patch to bug 335053, during Firefox startup, I see: G###!!! ASSERTION: should not execute script during frame construction: 'presContext->LayoutPhaseCount(eLayoutPhase_FrameC) == 0', file content/base/src/nsContentUtils.cpp, line 3718 nsContentUtils::AssertLayoutSafeForScript(nsIDocument*) (content/base/src/nsContentUtils.cpp:3717) nsDocument::BeginUpdate(unsigned int) (content/base/src/nsDocument.cpp:2684) mozAutoDocUpdate (/builds/trunk/obj/firefox-debugopt/content/xml/document/src/../../../../dist/include/content/nsIDocument.h:996) nsGenericElement::SetAttrAndNotify(int, nsIAtom*, nsIAtom*, nsAString_internal const&, nsAttrValue&, int, int, int) (content/base/src/nsGenericElement.cpp:3601) nsGenericElement::SetAttr(int, nsIAtom*, nsIAtom*, nsAString_internal const&, int) (content/base/src/nsGenericElement.cpp:3575) nsIContent::SetAttr(int, nsIAtom*, nsAString_internal const&, int) (/builds/trunk/obj/firefox-debugopt/layout/xul/base/src/tree/src/../../../../../../dist/include/content/nsIContent.h:248) nsProgressMeterFrame::AttributeChanged(int, nsIAtom*, int) (layout/xul/base/src/nsProgressMeterFrame.cpp:118) nsProgressMeterFrame::SetInitialChildList(nsIAtom*, nsIFrame*) (layout/xul/base/src/nsProgressMeterFrame.cpp:81) nsCSSFrameConstructor::ConstructXULFrame(nsFrameConstructorState&, nsIContent*, nsIFrame*, nsIAtom*, int, nsStyleContext*, nsFrameItems&, int, int, int*) (layout/base/nsCSSFrameConstructor.cpp:6181) nsCSSFrameConstructor::ConstructFrameInternal(nsFrameConstructorState&, nsIContent*, nsIFrame*, nsIAtom*, int, nsStyleContext*, nsFrameItems&, int) (layout/base/nsCSSFrameConstructor.cpp:7623) nsCSSFrameConstructor::ConstructFrame(nsFrameConstructorState&, nsIContent*, nsIFrame*, nsFrameItems&) (layout/base/nsCSSFrameConstructor.cpp:7484) nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsIFrame*, int, nsFrameItems&, int) (layout/base/nsCSSFrameConstructor.cpp:11240) This means that callers could have mutation listeners that cause probably-exploitable crashes.
Flags: blocking1.9?
Flags: blocking1.9? → blocking1.9+
Assignee | ||
Comment 2•17 years ago
|
||
Initialize child frames/content-objects using a reflow callback.
Attachment #283582 -
Flags: superreview?(roc)
Attachment #283582 -
Flags: review?(roc)
Attachment #283582 -
Flags: superreview?(roc)
Attachment #283582 -
Flags: superreview+
Attachment #283582 -
Flags: review?(roc)
Attachment #283582 -
Flags: review+
Assignee | ||
Updated•17 years ago
|
Attachment #283582 -
Flags: approval1.9?
Assignee | ||
Updated•17 years ago
|
Attachment #283582 -
Flags: approval1.9?
Assignee | ||
Comment 3•17 years ago
|
||
Checked in, should be fixed now :)
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Component: XP Toolkit/Widgets: XUL → XUL
QA Contact: xptoolkit.xul → xptoolkit.widgets
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•