Closed Bug 404869 Opened 17 years ago Closed 17 years ago

[FIX]Crash [@ nsXBLBinding::ResolveAllFields]

Categories

(Core :: XBL, defect, P3)

x86
macOS
defect

Tracking

VERIFIED FIXED

People

(Reporter: jruderman, Assigned: bzbarsky)

Details

(Keywords: crash, testcase, Whiteboard: [sg:critical?] post 1.8-branch)

Attachments

(2 files)

Loading the testcase causes a crash with one of the following signatures:
* Null deref, [@ nsXBLBinding::ResolveAllFields]
* Random memory deref, [@ nsXBLPrototypeBinding::ResolveAllFields]
* Random memory deref, [@ nsXBLProtoImpl::ResolveAllFields]
Flags: blocking1.9?
Whiteboard: [sg:critical?]
All that's needed is a field whose evaluation will flush the pending style change.  Should be possible to write a testcase which doesn't have any XUL in it at all (e.g. have a field do this.ownerDocument.body.offsetHeight or whatnot).

Fix coming up.
Assignee: nobody → bzbarsky
Blocks: 372769
Summary: Crash [@ nsXBLBinding::ResolveAllFields] → [FIX]Crash [@ nsXBLBinding::ResolveAllFields]
Attached patch: Like so
Just keep the binding alive while we execute script.  The behavior will still be weird in this testcase (e.g. we'll install some fields after uninstalling the binding), but I think that's fine for this corner case.
Attachment #289742 - Flags: superreview?(jonas)
Attachment #289742 - Flags: review?(jonas)
Flags: blocking1.9? → blocking1.9+
Priority: -- → P3
Attachment #289742 - Flags: superreview?(jonas)
Attachment #289742 - Flags: superreview+
Attachment #289742 - Flags: review?(jonas)
Attachment #289742 - Flags: review+
Attachment #289742 - Flags: approval1.9+
Checked in.  Need to land the crash test.

Opening bug up, since this is trunk-only and now fixed.
Group: security
Status: NEW → RESOLVED
Closed: 17 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Flags: wanted1.8.1.x-
Whiteboard: [sg:critical?] → [sg:critical?] post 1.8-branch
Crashtest checked in.
Flags: in-testsuite? → in-testsuite+
no crash on testcase using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9b3pre) Gecko/2007123104 Minefield/3.0b3pre -verified fixed
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsXBLBinding::ResolveAllFields]
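
The fix described in this thread (keep the binding alive while field script runs), sketched as an added C++ example; this is not the attached Gecko patch. `Binding`, `Element`, `InstallFields` and `RunDemo` are hypothetical stand-ins, and `std::shared_ptr` stands in for Gecko's reference counting.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <vector>

// Hypothetical stand-ins for the objects in this bug; not Gecko code.
struct Binding {
    std::vector<std::function<void()>> fields;  // field initializers (script)
    int installed = 0;
    static int live;                             // count of live Binding objects
    Binding() { ++live; }
    ~Binding() { --live; }
};
int Binding::live = 0;

struct Element {
    std::shared_ptr<Binding> binding;             // the only long-lived owner
    void UninstallBinding() { binding.reset(); }  // what a style flush can cause
};

// Hardened form: hold a strong reference for as long as field script can run.
// Without keepAlive, a field that drops the last reference frees the loop's data.
int InstallFields(Element& el) {
    std::shared_ptr<Binding> keepAlive = el.binding;
    if (!keepAlive) return 0;
    for (std::size_t i = 0; i < keepAlive->fields.size(); ++i) {
        keepAlive->fields[i]();  // may re-enter and call el.UninstallBinding()
        ++keepAlive->installed;
    }
    return keepAlive->installed;
}

struct Result { int installed; bool aliveDuringScript; int liveAfter; };

Result RunDemo() {
    Element el;
    el.binding = std::make_shared<Binding>();
    bool alive = false;
    // Constructed field: flushes, which uninstalls the binding mid-install.
    el.binding->fields.push_back([&] { el.UninstallBinding(); alive = Binding::live == 1; });
    el.binding->fields.push_back([] {});  // a later field, still installed
    int n = InstallFields(el);
    return {n, alive, Binding::live};
}

int main() {
    Result r = RunDemo();
    std::printf("installed=%d alive=%d liveAfter=%d\n", r.installed, r.aliveDuringScript, r.liveAfter);
}
```

Both fields are installed even though the first one uninstalls the binding, which is the "weird but fine" behavior the patch comment accepts; the binding is destroyed only after `InstallFields` returns.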