Closed Bug 468176 Opened 16 years ago Closed 16 years ago

Crash [@ nsAttrValue::ToString] with binding, menulist, observes, etc

Categories

(Core :: XUL, defect, P2)

Product:
Core
Component:
XUL
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9.2a1

People

(Reporter: martijn.martijn, Assigned: smaug)

References

Details

(4 keywords, Whiteboard: [sg:critical?])

Crash Data

Attachments

(2 files, 2 obsolete files)

testcase
827 bytes, application/zip
Details
+comments
10.08 KB, patch
beltzner
: approval1.9.1+
Details | Diff | Splinter Review
Attached file testcase 
See zipped up testcase, which crashes current trunk build after 100ms.
You need to open the file named '_crash1_383.xul'.

This doesn't crash Firefox 3, I can look for a regression range, if wanted.

http://crash-stats.mozilla.com/report/index/701e4932-d25c-463b-b4e2-ff2da2081205?p=1
0  	xul.dll  	nsAttrValue::ToString  	 content/base/src/nsAttrValue.cpp:325
1 	xul.dll 	nsXULElement::UnsetAttr 	content/xul/content/src/nsXULElement.cpp:1284
Flags: blocking1.9.1?
Cautiously marking this bug as [sg:critical?] and security-sensitive, because of the similarity to the security-sensitive bug 458531 (as martijn pointed out on that bug)
Group: core-security
Whiteboard: [sg:critical?]
The testcase crashes Linux as well.  Platform --> All/All.
OS: Windows XP → All
Hardware: PC → All
You caught this bug pretty quickly after the regression happened, Martijn. :)  I get this regression range:

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20081203 Minefield/3.2a1pre
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20081204 Minefield/3.2a1pre
Using binary-search on "hg revert --all -r <changeset_id>" with various changesets in the regression range, I've determined that this was caused by one of the three checkins for bug 430214.

http://hg.mozilla.org/mozilla-central/pushloghtml?startdate=2008-12-03+03%3A12&enddate=2008-12-03+03%3A14
Blocks: 430214
Assignee: nobody → Olli.Pettay
Attached patch recursion limit (obsolete) — Splinter Review 
...but I'll try something else before asking reviews
Attachment #353060 - Flags: review?(enndeakin)
Comment on attachment 353060 [details] [diff] [review]
recursion limit

I think we need to take something like this, because attribute is set after update, and adding
a binding happens just before that. And adding a binding may do whatever, like removing the attribute.
note, document.write has somewhat similar recursion limit (also with max value 20)
Attachment #353060 - Flags: review?(enndeakin)
Comment on attachment 353060 [details] [diff] [review]
recursion limit

Or, I'll try still something else..
Attachment #353060 - Attachment is obsolete: true
Attached patch proposed patch (obsolete) — Splinter Review 
Don't change the attribute when not really needed, but dispatch the
broadcast event whenever attribute has changed on broadcaster.

This fixes also bug 458531.
Attachment #353555 - Flags: review?(enndeakin)
Comment on attachment 353555 [details] [diff] [review]
proposed patch

>+                    nsCOMPtr<nsIContent> l = do_QueryInterface(listenerEl);
>+                    if (listenerEl && l) {

Only a check against 'l' is needed as 'listenerEl' would have to be set if 'l' was.
Attachment #353555 - Flags: superreview?(neil)
Attachment #353555 - Flags: review?(enndeakin)
Attachment #353555 - Flags: review+
Comment on attachment 353555 [details] [diff] [review]
proposed patch

>+                      // We need to update listener only if we're
>+                      // (1) removing an existing attribute,
>+                      // (2) adding a new attribute or
>+                      // (3) changing the value of an attribute.
>+                      PRBool needsAttrChange =
>+                          (!attrSet && hasAttr) ||
>+                          (attrSet && (!hasAttr || !value.Equals(currentValue)));
attrSet != hasAttr || !value.Equals(currentValue) perhaps?
Attachment #353555 - Flags: superreview?(neil) → superreview+
Attached patch +commentsSplinter Review 

        Attachment #353555 -
        Attachment is obsolete: true
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED

    
    

    
  
Fri Dec 19 14:49:28 2008 +0200 (at Fri Dec 19 14:49:28 2008 +0200)
changeset 22938	187d0de784f2
http://hg.mozilla.org/mozilla-central/rev/187d0de784f2

        Attachment #353696 -
        Flags: approval1.9.1?

    
    

    
  
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20081220 Minefield/3.2a1pre
Status: RESOLVED → VERIFIED

        Attachment #353696 -
        Flags: approval1.9.1? → approval1.9.1+
Keywords: fixed1.9.1

    
  
Flags: in-testsuite+
Flags: blocking1.9.1?
Flags: blocking1.9.1+
Priority: -- → P2

    
    

    
  
Verified fixed on 1.9.1 with builds on OS X and Windows:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4pre) Gecko/20090309 Shiretoko/3.1b4pre ID:20090309020654
Keywords: fixed1.9.1verified1.9.1
Target Milestone: --- → mozilla1.9.2a1
Crash Signature: [@ nsAttrValue::ToString]
Group: core-security

    
    

    
  
Moving to Core:XUL per https://bugzilla.mozilla.org/show_bug.cgi?id=1455336
Component: XP Toolkit/Widgets: XUL → XUL

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: