Closed
Bug 476245
Opened 15 years ago
Closed 15 years ago
Crash [@ nsObjectFrame::Init] with XBL, GC, -moz-column, QuickTime
Categories
(Core :: XBL, defect, P2)
Core
XBL
Tracking
()
VERIFIED
FIXED
mozilla1.9.2a1
People
(Reporter: jruderman, Assigned: bzbarsky)
References
Details
(Keywords: crash, testcase, verified1.9.1, Whiteboard: [sg:critical?])
Crash Data
Attachments
(4 files, 1 obsolete file)
1.05 KB,
application/xhtml+xml
|
Details | |
7.18 KB,
text/plain
|
Details | |
13.59 KB,
patch
|
smaug
:
review+
|
Details | Diff | Splinter Review |
6.82 KB,
patch
|
Details | Diff | Splinter Review |
Temporarily install https://www.squarefree.com/extensions/quitter.xpi to make the testcase's "pleaseGC" function work.
Would be great if you could attach a stack
Reporter | ||
Comment 2•15 years ago
|
||
Assignee | ||
Comment 3•15 years ago
|
||
So the GetCurrentDoc() of the node passed to nsObjectFrame::Init is null in this case. It has a non-null GetOwnerDoc(). It looks to me like we're taking the anon content, sticking it into the main DOM, then unbinding it when the gc() tears down the binding. Or something. Then we end up with nodes that are in the document but have been unbound. That's really bad.
Flags: blocking1.9.1?
Comment 4•15 years ago
|
||
Sicking and Shaver made big frowny faces during triage --> blocking and setting security-sensitive.
Group: core-security
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P2
Sounds like a DOM bug.
Component: Layout → DOM
QA Contact: layout → general
Although maybe it's a layout anonymous content bug, so I'll take it back.
Component: DOM → Layout
QA Contact: general → layout
Assignee | ||
Comment 7•15 years ago
|
||
I suspect it's really an XBL bug at heart... The fact that you can move the anon content out of the binding like that is just completely broken; we should be throwing when someone tries that. Imo.
I installed Quitter, but I don't crash on the testcase. I just get WARNING: *** XBL doc with no root element! Something went horribly wrong! ***: file /Users/roc/mozilla-trunk/content/xbl/src/nsXBLService.cpp, line 475 JavaScript error: https://bug476245.bugzilla.mozilla.org/attachment.cgi?id=359876&t=0bb8sQlfXO, line 20: document.getAnonymousNodes(v) is null WARNING: *** XBL doc with no root element! Something went horribly wrong! ***: file /Users/roc/mozilla-trunk/content/xbl/src/nsXBLService.cpp, line 475 Breaking at that line, I see that bindingDocument and mBoundDocument are two different documents (the former nsXMLDocument, the latter nsHTMLDocument), which makes no sense. This reminds me of bug 445232, where I can't get XBL to work in testcases that Jesse does...
Component: Layout → XBL
QA Contact: layout → xbl
Assignee | ||
Comment 9•15 years ago
|
||
Odd... The crash worked just fine for me...
Updated•15 years ago
|
Whiteboard: [sg:critical?]
Comment 10•15 years ago
|
||
Can't reproduce this (installed Quitter). Should some pref be enabled?
Comment 11•15 years ago
|
||
Need an owner here. Takers?
Reporter | ||
Comment 12•15 years ago
|
||
Still crashes for me. I had to save the file from Bugzilla because of Bugzilla's new token/redirect thing for authenticating access to attachments. Be sure to save it with an .xhtml extension.
Comment 13•15 years ago
|
||
bz, can you take this one (as you have no other blockers that I know :)? If not, let me know and I'll find someone else.
Assignee: nobody → bzbarsky
Target Milestone: --- → mozilla1.9.1
Assignee | ||
Comment 14•15 years ago
|
||
OK, so the situation is a bit more complicated than I thought, actually. Normally we do NOT allow removal of anon content from the DOM via DOM APIs, because we check its index in its parent and then bail. But in this case, the removal of the bound node from the document triggers an UninstallAnonymousContent from nsXBLBinding::ChangeDocument. Then ~nsXBLBinding does another UninstallAnonymousContent on mContent. In between, the script grabbed the now-unbound anon content and stuck it into the main page DOM.
Comment 15•15 years ago
|
||
Would it help if we had a flag to tell that UninstallAnonymousContent is already called, or perhaps UninstallAnonymousContent could clear mContent?
Assignee | ||
Comment 16•15 years ago
|
||
I considered that, but I'd rather enforce our invariants about anon content roots. To that end, I think I'm going to change things so that NODE_IS_ANONYMOUS is set for all anon content subtree roots, not just native ones, and check for this flag in nsGenericElement::doReplaceOrInsertBefore. Still compiling with the changes and need to test, but I think that should do the trick.
Comment 17•15 years ago
|
||
Setting NODE_IS_ANONYMOUS will make it impossible for non-chrome code to touch that node once bug 475864 is fixed.
Assignee | ||
Comment 18•15 years ago
|
||
Why, exactly? I'm keeping the distinction between IsRootOfAnonymousSubtree(), IsRootOfNativeAnonymousSubtree(), IsNativeAnonymous(), etc...
Comment 19•15 years ago
|
||
Sorry, my bad, too many flags. NODE_IS_IN_ANONYMOUS_SUBTREE is the flag that will have that effect.
Assignee | ||
Comment 20•15 years ago
|
||
This makes the testcase throw on the appendChild(anon) call. I'll try to write a mochitest for this once we settle whether this is the behavior we want.
Attachment #363250 -
Flags: superreview?
Attachment #363250 -
Flags: review?(Olli.Pettay)
Assignee | ||
Updated•15 years ago
|
Attachment #363250 -
Flags: superreview? → superreview?(jst)
Comment 21•15 years ago
|
||
Comment on attachment 363250 [details] [diff] [review] Like so, perhaps If this is taken to branch, also Bug 476097 (or the nsIContent change) is needed. The patch changes svg:use behavior. Perhaps you could have SetFlags(NODE_IS_ANONYMOUS) in BindToTree so that the flag is set whenever parent == bindingparent? Or put SetFlags to CSSFC to keep the current svg:use behavior. Either way, r=me
Attachment #363250 -
Flags: review?(Olli.Pettay) → review+
Assignee | ||
Comment 22•15 years ago
|
||
Ah, <use> would actually trigger the assert I added in IsRootOfAnonymousSubtree(), indeed. I'll add a SetFlags(NODE_IS_ANONYMOUS) to the CSSFC code. Good catch there. I knoew I asked the right folks for review. ;)
Updated•15 years ago
|
Attachment #363250 -
Flags: superreview?(jst) → superreview+
Updated•15 years ago
|
Whiteboard: [sg:critical?] → [sg:critical?] needs landing
Assignee | ||
Comment 23•15 years ago
|
||
Pushed <http://hg.mozilla.org/mozilla-central/rev/a328b5ae57e0>. I guess I should hold the test until after we open up this bug?
Status: NEW → RESOLVED
Closed: 15 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Assignee | ||
Comment 24•15 years ago
|
||
Pushed http://hg.mozilla.org/releases/mozilla-1.9.1/rev/08453f810585
Keywords: fixed1.9.1
This got backed out of m-c for breaking test_videocontrols.html and 1.9.1 for leaks. (bz said he'd update the bug, but I'm commenting quickly so it doesn't get lost.)
Assignee | ||
Comment 26•15 years ago
|
||
The 1.9.1 issue was actually not leaks; it was us failing an assert on the leak test (which runs with fatal asserts) because bug 476097 never landed on branch. So I'll just add the nsIContent change from that to the branch patch for this bug. Looking into the videocontrols issue.
Assignee | ||
Comment 27•15 years ago
|
||
OK, so this is failing because video.currentTime comes out to 2.066 while the expectedTime is 1.9165 (because videoDuration is 3.833). The test asserts that the currentTime and expectedTime differ by no more than 0.1. In a build without this patch, the duration and expected time are identical, but video.currentTime is 1.999, which is within the 0.1 tolerance. It's not clear to me why this patch would affect the video.currentTime in this testcase. I guess I'll dig into that, but any ideas would be much appreciated... Oh, with the patch it looks like the progress bar for the video doesn't show anything either.
Assignee | ||
Comment 28•15 years ago
|
||
OK, so the problem is that if XBL is used to bind anonymous content to a native anonymous node all that anonymous content is marked with NODE_IS_IN_ANONYMOUS_SUBTREE. Then since we mark the root XBL-bound nodes with NODE_IS_ANONYMOUS they look like native anonymous content roots. This probably changes the way event retargeting works, or something, thus confusing something in the video controls. Options seem to be: 1) Sort out exactly what the video controls issue is and fix it. 2) Don't mark XBL-bound anon kids of a native anon node with NODE_IS_IN_ANONYMOUS_SUBTREE. This would fail the asserts we now have in nsIContent::IsInNativeAnonymousSubtree, so might not be that desirable, since it would cause user sheets to apply to this XBL-bound content. Then again, maybe we want them to? It might also fix bug 470852. 3) Don't mark XBL-bound anon kids of a native anon node with NODE_IS_ANONYMOUS. That is, don't apply this bug's fix to those nodes; just assume that content can't get at them and that the code that can won't do bad things. This is probably the safest fix. It'll require also changing IsRootOfAnonymousSubtree to deal with this special case. Smaug, thoughts? In particular, will option 2 be OK in terms of what happens to event targets and originalTargets? I've tested that both option 2 and option 3 fix the videocontrols test.
Comment 29•15 years ago
|
||
The seeking threshold in the test is there because the seek sometimes isn't deterministic. Even seeking to 0.0 sometimes ended up at a non-zero position. Dunno why, filed bug 477434. It sure seems surprising that this patch would affect that, makes me wonder if there's some random uninitialized data getting into the mix (such that this patch pushes something around and causes a different result).
Assignee | ||
Comment 30•15 years ago
|
||
Given comment 28, I suspect it's just a matter of what nodes are event targets. I suppose there's also an option 4: 4) Change the IsRootOfAnonymousSubtree() check to check whether the parent is native anonymous too. This would mean that native anon roots whose parent is native anon wouldn't test to be roots. I don't think we should do it.
Comment 31•15 years ago
|
||
(In reply to comment #28) > This probably > changes the way event retargeting works, or something, thus confusing > something in the video controls. Retargeting happens when event propagates from native anon root to its parent. Same thing happens when propagation goes from XBL-anon to binding parent. But at least mouse event handling changes if something becomes native anon, because we don't want to propagate mouseover and mouseout events when they occur within the same native anon subtree. > Options seem to be: > > 1) Sort out exactly what the video controls issue is and fix it. > 2) Don't mark XBL-bound anon kids of a native anon node with > NODE_IS_IN_ANONYMOUS_SUBTREE. This would fail the asserts we now have in > nsIContent::IsInNativeAnonymousSubtree, so might not be that desirable, > since it would cause user sheets to apply to this XBL-bound content. Right. I really don't like this option. Some nodes in native anon wouldn't be native anon after all... > Then > again, maybe we want them to? Why would we want that? >It might also fix bug 470852. > 3) Don't mark XBL-bound anon kids of a native anon node with > NODE_IS_ANONYMOUS. That is, don't apply this bug's fix to those nodes; > just assume that content can't get at them and that the code that can won't > do bad things. This is probably the safest fix. It'll require also > changing IsRootOfAnonymousSubtree to deal with this special case. This is ugly, but possible. > > Smaug, thoughts? In particular, will option 2 be OK in terms of what happens > to event targets and originalTargets? In terms of event handling 2 and 3 should be ok. > 4) Change the IsRootOfAnonymousSubtree() check to check whether the parent is > native anonymous too. This would mean that native anon roots whose parent > is > native anon wouldn't test to be roots. I don't think we should do it. I believe this would break mouse event handling on form elements, like <input type="file"> and perhaps also <select size>1 >
Assignee | ||
Comment 32•15 years ago
|
||
I guess there is also: 5) Add a third flag to indicate what I want to indicate here, since two flags are not enough to draw all the distinctions we want to draw. I'm going to go with solution 3, as the safest one of the bunch (barring 5, which eats up an extra flag bit).
Comment 33•15 years ago
|
||
Well, there are still plenty of bits left.
Assignee | ||
Comment 34•15 years ago
|
||
This includes the an iid rev for nsINode, since I'm changing the values of a bunch of flags.
Attachment #364127 -
Flags: review?(Olli.Pettay)
Assignee | ||
Comment 35•15 years ago
|
||
Attachment #363250 -
Attachment is obsolete: true
Updated•15 years ago
|
Attachment #364127 -
Flags: review?(Olli.Pettay) → review+
Assignee | ||
Comment 36•15 years ago
|
||
Pushed http://hg.mozilla.org/mozilla-central/rev/1963ead6e19b
Status: REOPENED → RESOLVED
Closed: 15 years ago → 15 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical?] needs landing → [sg:critical?]
Assignee | ||
Comment 37•15 years ago
|
||
Pushed http://hg.mozilla.org/releases/mozilla-1.9.1/rev/53ef73297533
Keywords: fixed1.9.1
Comment 38•15 years ago
|
||
Verified fixed with: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090310 Minefield/3.2a1pre ID:20090310044308 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090309 Shiretoko/3.1b4pre (.NET CLR 3.5.30729) ID:20090309034003
Status: RESOLVED → VERIFIED
OS: Mac OS X → All
Hardware: x86 → All
Target Milestone: mozilla1.9.1 → mozilla1.9.2a1
Updated•15 years ago
|
Keywords: fixed1.9.1 → verified1.9.1
Updated•13 years ago
|
Crash Signature: [@ nsObjectFrame::Init]
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•