Closed
Bug 400705
Opened 17 years ago
Closed 17 years ago
[FIX]Crash [@ js_StopResolving] with groupbox, removing binding and field that removes window
Categories
(Core :: XBL, defect, P1)
Core
XBL
Tracking
()
VERIFIED
FIXED
mozilla1.9beta1
People
(Reporter: martijn.martijn, Assigned: bzbarsky)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [sg:critical?] regression from 372769)
Crash Data
Attachments
(4 files)
|
587 bytes,
application/vnd.mozilla.xul+xml
|
Details | |
|
298 bytes,
text/html
|
Details | |
|
1.19 KB,
text/html
|
Details | |
|
7.06 KB,
patch
|
sicking
:
review+
sicking
:
superreview+
beltzner
:
approvalM9+
beltzner
:
approval1.9+
|
Details | Diff | Splinter Review |
See testcase, which crashes current trunk and branch builds after 100ms, so I'm marking it security sensitive for now. http://crash-stats.mozilla.com/report/index/f0ebc0f0-80c0-11dc-9225-001a4bd46e84 0 js_StopResolving mozilla/js/src/jscntxt.c:585 1 js_LookupPropertyWithFlags mozilla/js/src/jsobj.c:3422 2 js_LookupProperty mozilla/js/src/jsobj.c:3268 3 js_DeleteProperty mozilla/js/src/jsobj.c:3941 4 JS_DeleteUCProperty2 mozilla/js/src/jsapi.c:3561 5 nsXBLProtoImpl::UndefineFields(JSContext*, JSObject*) mozilla/content/xbl/src/nsXBLProtoImpl.cpp:266 6 nsXBLBinding::ChangeDocument(nsIDocument*, nsIDocument*) mozilla/content/xbl/src/nsXBLBinding.cpp:1065 7 nsXBLService::FlushStyleBindings(nsIContent*) mozilla/content/xbl/src/nsXBLService.cpp:618 8 nsXBLService::LoadBindings(nsIContent*, nsIURI*, nsIPrincipal*, int, nsXBLBinding**, int*) mozilla/content/xbl/src/nsXBLService.cpp:522 9 nsCSSFrameConstructor::ConstructFrameInternal(nsFrameConstructorState&, nsIContent*, nsIFrame*, nsIAtom*, int, nsStyleContext*, nsFrameItems&, int) mozilla/layout/base/nsCSSFrameConstructor.cpp:7639 10 nsCSSFrameConstructor::ConstructFrame(nsFrameConstructorState&, nsIContent*, nsIFrame*, nsFrameItems&) mozilla/layout/base/nsCSSFrameConstructor.cpp:7594 etc...
|
Reporter | |
Comment 1•17 years ago
|
||
|
|
Reporter | |
Comment 2•17 years ago
|
||
Apparently, it doesn't crash online. It crashes however, when you close the tab, and then do "undo close tab". Probably, using data urls, would make it crash online, directly.
|
|
Reporter | |
Comment 3•17 years ago
|
||
|
Assignee | |
Comment 4•17 years ago
|
||
For what it's worth, branch and trunk have to be crashing for somewhat different reasons: the code in the stack in comment 0 doesn't exist on branch.
Blocks: 400780
|
|
Assignee | |
Comment 5•17 years ago
|
||
OK, so on branch, we're crashing because the initial binding attachment blows away the content. That's bug 372769. On trunk, binding _attachment_ is ok, but binding _detachment_ can run script because deleting a property resolves it. I'll put up a fix for that.
|
|
Assignee | |
Comment 6•17 years ago
|
||
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Attachment #285837 -
Flags: superreview?(jonas)
Attachment #285837 -
Flags: review?(jonas)
|
|
Assignee | |
Comment 7•17 years ago
|
||
That fixes bug 400780 too. Or rather the testcase in that bug.
Flags: blocking1.9?
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Summary: Crash [@ js_StopResolving] with groupbox, removing binding and field that removes window → [FIX]Crash [@ js_StopResolving] with groupbox, removing binding and field that removes window
Target Milestone: --- → mozilla1.9 M10
|
|
Assignee | |
Updated•17 years ago
|
Attachment #285837 -
Flags: approval1.9?
Comment on attachment 285837 [details] [diff] [review] Like so Alternatively, could you instead check if the property is set before undefining it? Or would that be a perf problem?
Attachment #285837 -
Flags: superreview?(jonas)
Attachment #285837 -
Flags: superreview+
Attachment #285837 -
Flags: review?(jonas)
Attachment #285837 -
Flags: review+
|
|
Assignee | |
Comment 9•17 years ago
|
||
Checking whether the property is set means trying to resolve it, which means executing the field in the case of fields. There is no public JS API for checking whether a property is set in just the scope of the object in question (which is ideally exactly what we would do).
|
||
Comment 10•17 years ago
|
||
(In reply to comment #9) > Checking whether the property is set means trying to resolve it, which means > executing the field in the case of fields. > > There is no public JS API for checking whether a property is set in just the > scope of the object in question (which is ideally exactly what we would do). So you want JS_HasOwnProperty, etc. Please file a JS engine bug and a followup XBL bug blocked by it. /be
|
|
Assignee | |
Comment 11•17 years ago
|
||
Filed bug 400793 and bug 400794.
|
|
Assignee | |
Comment 12•17 years ago
|
||
Comment on attachment 285837 [details] [diff] [review] Like so Fixes crash regression from the "actually detach bindings" change. Also makes us not execute fields when we tear down the binding, which can only be a good thing. Risk is very low, I think.
Attachment #285837 -
Flags: approvalM9?
|
||
Comment 13•17 years ago
|
||
Comment on attachment 285837 [details] [diff] [review] Like so a=endgame drivers for M9 landing
Attachment #285837 -
Flags: approvalM9?
Attachment #285837 -
Flags: approvalM9+
Attachment #285837 -
Flags: approval1.9?
Attachment #285837 -
Flags: approval1.9+
|
|
||
Updated•17 years ago
|
Flags: blocking1.9? → blocking1.9+
|
|
Assignee | |
Comment 14•17 years ago
|
||
Checked in.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Target Milestone: mozilla1.9 M10 → mozilla1.9 M9
|
||
Comment 15•17 years ago
|
||
verified fixed 1.9.0 linux/macppc/winxp on attachment 285745 [details] and attachment 285746 [details].
Status: RESOLVED → VERIFIED
|
||
Comment 16•17 years ago
|
||
http://mxr.mozilla.org/mozilla/source/content/xbl/test/test_bug400705.xhtml
Flags: in-testsuite+
|
||
Updated•17 years ago
|
Whiteboard: [sg:critical?]
|
|
||
Comment 17•17 years ago
|
||
Given comment 5, do we only need bug 372769 on the 1.8 branch or will we need this fix as well?
Flags: wanted1.8.1.x?
Flags: blocking1.8.1.12?
|
|
Assignee | |
Comment 18•17 years ago
|
||
It depends on how we fix bug 372769... If we take sicking's fix (which does all the implementation-attachment stuff in EndUpdate) we shouldn't need this change.
|
|
||
Comment 19•17 years ago
|
||
(In reply to comment #18) > It depends on how we fix bug 372769... Given still-open regressions we're unlikely to take the fix in bug 372769 on the branch any time soon. Can we take this one instead?
|
|
Assignee | |
Comment 20•17 years ago
|
||
I think I failed to communicate there... The patch in this bug fixes a regression from bug 372769. That was the trunk crash. The branch crash is just a duplicate of bug 372769. So we only need this patch on branch if we take bug 372769 on branch (which I agree we shouldn't do).
|
|
||
Updated•17 years ago
|
Flags: blocking1.8.1.12?
Keywords: regression
Whiteboard: [sg:critical?] → [sg:critical?] regression from 372769
|
||
Updated•13 years ago
|
Crash Signature: [@ js_StopResolving]
|
||
Updated•9 years ago
|
Group: core-security → core-security-release
|
|
||
Updated•9 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•