Closed Bug 398088 Opened 18 years ago Closed 18 years ago

Crash [@ nsXBLPrototypeBinding::AttributeChanged] with DOMAttrModified, <xul:progressmeter mode>

Categories

(Core :: XBL, defect)

Product:
Core
Component:
XBL
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: jruderman, Assigned: smaug)

References

Details

(4 keywords, Whiteboard: [sg:critical])

Crash Data

Attachments

(3 files, 1 obsolete file)

testcase (crashes Firefox when loaded)
409 bytes, application/vnd.mozilla.xul+xml
Details
proposed patch, keep binding alive
2.14 KB, patch
sicking
: review+
sicking
: superreview+
Details | Diff | Splinter Review
for 1.8
1.92 KB, patch
dveditz
: approval1.8.1.12+
asac
: approval1.8.0.next+
Details | Diff | Splinter Review
Loading the testcase makes Firefox crash [@ nsXBLPrototypeBinding::AttributeChanged] calling a random address (often 0, but not always).
Flags: blocking1.9?
Whiteboard: [sg:critical]
I think this is a long-standing problem. xbl:inherits does unsafe attr change stuff that fires mutation events and runs arbitrary script during an AttributeChanged notification. I'm surprised we don't have an existing bug on this....
Assignee: nobody → jonas
Flags: blocking1.9? → blocking1.9+
My bad, I added nsRefPtrs to ::SetAttrs, but forgot ::UnsetAttr.
Assignee: jonas → Olli.Pettay
Status: NEW → ASSIGNED
Attachment #283694 - Flags: superreview?(jonas)
Attachment #283694 - Flags: review?(jonas)
Attachment #283694 - Flags: superreview?(jonas)
Attachment #283694 - Flags: superreview+
Attachment #283694 - Flags: review?(jonas)
Attachment #283694 - Flags: review+
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Flags: blocking1.8.1.9?
Flags: in-testsuite?
Do we need a separate branch patch?
Flags: blocking1.8.1.12? → blocking1.8.1.12+
Attached patch for 1.8 (obsolete) — Splinter Review
This is nsXULElement part of the patch. nsGenericElement::UnsetAttr seems to be safe in 1.8.
Comment on attachment 293902 [details] [diff] [review] for 1.8 er, wait there is still something in nsXULElement
Attachment #293902 - Attachment is obsolete: true
Attached patch for 1.8Splinter Review
This makes 1.8 consistent with trunk.
Attachment #293903 - Flags: approval1.8.1.12?
Comment on attachment 293903 [details] [diff] [review] for 1.8 approved for 1.8.1.12, a=dveditz for release-drivers
Attachment #293903 - Flags: approval1.8.1.12? → approval1.8.1.12+
Keywords: fixed1.8.1.12
Flags: wanted1.8.1.x+
verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9b3pre) Gecko/2008011009 Firefox/3.0b3pre ID:2008011009 and the testcase. No crash on testcase - > Verified
Status: RESOLVED → VERIFIED
I get no crash in branch with this test case using Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.11) Gecko/2007112718 Firefox/2.0.0.11.
verified with Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.12) Gecko/20080128 Firefox/2.0.0.12
Keywords: fixed1.8.1.12verified1.8.1.12
Group: security
distro patches block 1.8.0.15
Flags: blocking1.8.0.15+
Comment on attachment 293903 [details] [diff] [review] for 1.8 a=asac for 1.8.0.15 (unmodified distro patch)
Attachment #293903 - Flags: approval1.8.0.15+
MOZILLA_1_8_0_BRANCH: Checking in content/xul/content/src/nsXULElement.cpp; /cvsroot/mozilla/content/xul/content/src/nsXULElement.cpp,v <-- nsXULElement.cpp new revision: 1.578.2.1.2.13; previous revision: 1.578.2.1.2.12 done
Keywords: fixed1.8.0.15
crash test landed http://hg.mozilla.org/mozilla-central/rev/76a886443196
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsXBLPrototypeBinding::AttributeChanged]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: