nsXULTemplateBuilder::AttributeChanged calls Rebuild when nsContentUtils::IsSafeToRunScripts returns false




10 years ago
9 years ago


(Reporter: smaug, Assigned: smaug)



Bug Flags:
blocking1.9.0.14 +
wanted1.9.0.x +

Firefox Tracking Flags

(blocking1.9.1 .2+, status1.9.1 .2-fixed)


(Whiteboard: [sg:moderate?])


(3 attachments, 1 obsolete attachment)

Created attachment 380424 [details] [diff] [review]

#7  0x00002aaab0b55a3e in nsJSContext::EvaluateStringWithValue (this=0x2144780, aScript=@0x7fff28ccedd0, 
    aScopeObject=0x1f88c80, aPrincipal=0x7a09c0, aURL=0x2212548 "chrome://global/content/bindings/listbox.xml", aLineNo=217, 
    aVersion=180, aRetValue=0x7fff28ccedf0, aIsUndefined=0x7fff28ccedfc)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/dom/base/nsJSEnvironment.cpp:1450
#8  0x00002aaab0b1467e in nsXBLProtoImplField::InstallField (this=0x2a64560, aContext=<value optimized out>, 
    aBoundNode=0x1f88c80, aPrincipal=0x7a09c0, aBindingDocURI=<value optimized out>, aDidInstall=0x7fff28ccee8c)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xbl/src/nsXBLProtoImplField.cpp:135
#9  0x00002aaab0b07bad in XBLResolve (cx=0x21447e0, obj=<value optimized out>, id=<value optimized out>, 
    flags=<value optimized out>, objp=0x7fff28ccef28)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xbl/src/nsXBLBinding.cpp:211
#10 0x00002aaaaad9efad in js_LookupPropertyWithFlags (cx=0x21447e0, obj=<value optimized out>, id=32533796, flags=5, 
    objp=0x7fff28ccef90, propp=0x7fff28ccef88) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsobj.cpp:3848
#11 0x00002aaaaada706d in js_GetPropertyHelper (cx=0x21447e0, obj=0x1f88c80, id=32533796, cacheResult=1, vp=0x7fff28ccf238)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsobj.cpp:4255
#12 0x00002aaaaad761ea in js_Interpret (cx=0x21447e0) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:4441
#13 0x00002aaaaad906a3 in js_Invoke (cx=0x21447e0, argc=1, vp=0x3010a38, flags=<value optimized out>)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:1394
#14 0x00002aaab0248275 in nsXPCWrappedJSClass::CallMethod (this=0x215c3e0, wrapper=<value optimized out>, methodIndex=4, 
    info=0x1108600, nativeParams=0x7fff28ccf780)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp:1652
#15 0x00002aaaab2d326e in PrepareAndDispatch (self=0x215c4b0, methodIndex=<value optimized out>, args=<value optimized out>, 
    gpregs=0x7fff28ccf860, fpregs=0x7fff28ccf890)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:153
#16 0x00002aaaab2d260b in SharedStub ()
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/xpcom/reflect/xptinfo/src/xptiprivate.h:383
#17 0x00002aaab0c8f5eb in nsXULTemplateBuilder::Rebuild (this=0x305b980)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xul/templates/src/nsXULTemplateBuilder.cpp:400
#18 0x00002aaab0c94e05 in nsXULTemplateBuilder::AttributeChanged (this=0x3df8, aDocument=0x303d900, aContent=0x6, 
    aNameSpaceID=-1, aAttribute=0x0, aModType=0, aStateMask=0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xul/templates/src/nsXULTemplateBuilder.cpp:1112
#19 0x00002aaab09ccfd2 in nsNodeUtils::AttributeChanged (aContent=0x30afb80, aNameSpaceID=0, aAttribute=0xb8edb8, 
    aModType=2, aStateMask=0) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsNodeUtils.cpp:108
#20 0x00002aaab09bbf75 in nsGenericElement::SetAttrAndNotify (this=0x30afb80, aNamespaceID=0, aName=0xb8edb8, aPrefix=0x0, 
    aOldValue=@0x7fff28ccfd80, aParsedValue=<value optimized out>, aModification=0, aFireMutation=0, aNotify=1, 
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.cpp:4369
#21 0x00002aaab09bc301 in nsGenericElement::SetAttr (this=0x30afb80, aNamespaceID=0, aName=0xb8edb8, aPrefix=0x0, 
    aValue=@0x7fff28ccfee0, aNotify=1)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.cpp:4300
#22 0x00002aaab09b5d95 in nsGenericElement::SetAttribute (this=0x30afb80, aName=@0x7fff28ccff00, aValue=@0x7fff28ccfee0)
Attachment #380424 - Flags: superreview?(neil)
Attachment #380424 - Flags: review?
Attachment #380424 - Flags: review? → review?(enndeakin)
nsXULTemplateBuilder.cpp(1113) : error C2664: 'ns_new_runnable_method' : cannot convert parameter 2 from 'nsresult (__stdcall nsXULTemplateBuilder::* )(void)' to 'nsresult (__thiscall nsXULTemplateBuilder::* )(void)'
        Types pointed to are unrelated; conversion requires reinterpret_cast, C-style cast or function-style cast
nsXULTemplateBuilder.cpp(1124) : error C2664: 'ns_new_runnable_method' : cannot convert parameter 2 from 'nsresult (__stdcall nsXULTemplateBuilder::* )(void)' to 'nsresult (__thiscall nsXULTemplateBuilder::* )(void)'
        Types pointed to are unrelated; conversion requires reinterpret_cast, C-style cast or function-style cast
gmake: *** [nsXULTemplateBuilder.obj] Error 2
Bah, I'll upload a new patch.
Created attachment 380433 [details] [diff] [review]
Attachment #380424 - Attachment is obsolete: true
Attachment #380433 - Flags: superreview?(neil)
Attachment #380433 - Flags: review?(enndeakin)
Attachment #380424 - Flags: superreview?(neil)
Attachment #380424 - Flags: review?(enndeakin)


10 years ago
Attachment #380433 - Flags: superreview?(neil) → superreview+
Comment on attachment 380433 [details] [diff] [review]

Excellent, this must have been why I was getting an assertion (something to do with suppressing mutation events) opening SeaMonkey Mail.

Comment 5

10 years ago
Can you explain why this is needed? Rebuild doesn't call any scripts directly.
Yes, it does if there is a JS-implemented nsIXULBuilderListener.
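The exchange above is the core of the bug: AttributeChanged is a mutation notification delivered while scripts are not safe to run, yet Rebuild may call into a JS-implemented nsIXULBuilderListener, and the compiler errors quoted earlier on the page show the patch routes Rebuild through a runnable instead of calling it directly. The following is an added illustration written for this page in plain standard C++; it is not Gecko code and not the patch itself. The script-blocker counter, event queue, listener and builder are constructed stand-ins for nsContentUtils::IsSafeToRunScripts, the main-thread event loop, nsIXULBuilderListener and nsXULTemplateBuilder, and the names used for them are assumptions.

```cpp
// Added illustration (not Gecko code): why a mutation observer must not run
// script synchronously, and how deferring the work to the event loop fixes it.
#include <cstdio>
#include <deque>
#include <functional>
#include <utility>
#include <vector>

// Constructed stand-in for the script-blocker count behind
// nsContentUtils::IsSafeToRunScripts(): scripts are safe only when it is zero.
static int gScriptBlockers = 0;
static bool IsSafeToRunScripts() { return gScriptBlockers == 0; }

// Constructed stand-in for the main-thread event queue that a runnable is
// dispatched to; DrainEvents() plays the role of the event loop spinning.
static std::deque<std::function<void()>> gEventQueue;
static void DispatchToCurrentThread(std::function<void()> runnable) {
    gEventQueue.push_back(std::move(runnable));
}
static void DrainEvents() {
    while (!gEventQueue.empty()) {
        std::function<void()> r = std::move(gEventQueue.front());
        gEventQueue.pop_front();
        r();
    }
}

// In the role of a JS-implemented nsIXULBuilderListener: invoking it runs
// script, so it records whether it was invoked while that was unsafe.
struct BuilderListener {
    int calls = 0;
    int unsafeCalls = 0;
    void DidRebuild() {
        ++calls;
        if (!IsSafeToRunScripts()) ++unsafeCalls;
    }
};

// In the role of nsXULTemplateBuilder. `deferRebuild` selects between the
// original behaviour (false) and the patched behaviour (true).
struct TemplateBuilder {
    std::vector<BuilderListener*> listeners;
    bool deferRebuild;
    explicit TemplateBuilder(bool fixed) : deferRebuild(fixed) {}

    void Rebuild() {
        for (BuilderListener* l : listeners) l->DidRebuild();  // may run script
    }

    // Mutation notification, called synchronously from SetAttr while a script
    // blocker is active. Patched form: post the rebuild instead of running it.
    void AttributeChanged() {
        if (deferRebuild && !IsSafeToRunScripts()) {
            DispatchToCurrentThread([this] { Rebuild(); });
            return;
        }
        Rebuild();
    }
};

struct Outcome {
    int rebuilds;               // listener invocations in total
    int unsafeCalls;            // ...of which happened while scripts were unsafe
    int rebuildsDuringMutation; // ...of which happened before SetAttr returned
};

// Simulate element.setAttribute(...) on a template root and report what the
// listener observed, for the original or the patched builder.
Outcome RunScenario(bool fixed) {
    gEventQueue.clear();
    gScriptBlockers = 0;
    BuilderListener listener;
    TemplateBuilder builder(fixed);
    builder.listeners.push_back(&listener);

    ++gScriptBlockers;               // SetAttrAndNotify holds a script blocker
    builder.AttributeChanged();      // observer notified mid-mutation
    int duringMutation = listener.calls;
    --gScriptBlockers;               // blocker released; scripts safe again

    DrainEvents();                   // event loop runs the deferred Rebuild
    return {listener.calls, listener.unsafeCalls, duringMutation};
}

int main() {
    Outcome before = RunScenario(false), after = RunScenario(true);
    std::printf("original: %d rebuild(s), %d ran script while unsafe\n",
                before.rebuilds, before.unsafeCalls);
    std::printf("patched:  %d rebuild(s), %d ran script while unsafe\n",
                after.rebuilds, after.unsafeCalls);
    return 0;
}
```

With the original behaviour the listener runs inside the mutation, while the script blocker is still held; with the deferral it still runs exactly once, but only after SetAttr has returned and the blocker is gone. The MSVC errors quoted earlier are a Gecko-specific wrinkle of the same pattern: an NS_IMETHOD member is __stdcall on Windows, so its member pointer cannot be handed to ns_new_runnable_method where a __thiscall pointer is expected. Wrapping the call in a std::function, as done here, sidesteps that, which is one reason this example does not mirror the patch line for line.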


10 years ago
Attachment #380433 - Flags: review?(enndeakin) → review+
Last Resolved: 10 years ago
Resolution: --- → FIXED
Flags: blocking1.9.1?
Flags: blocking1.9.0.13?
This bug was nominated for blocking Firefox 3.5, which is due to ship in two days, but no rationale was given. I'm going to assume that Olli meant to flag it as something we want to get into a security and stability release for Firefox, and transfer the flag to; if that's wrong, please renominate explaining why this is a stop-ship issue.
Flags: blocking1.9.1? → blocking1.9.1.1?
Oh, sorry, I meant
Can content create a nsIXULBuilderListener, or is it only addons at risk here?
Flags: wanted1.9.1.x+
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.13?
Flags: blocking1.9.0.13+
Whiteboard: [sg:moderate?]

Comment 11

10 years ago
(In reply to comment #10)
> Can content create a nsIXULBuilderListener, or is it only addons at risk here?

The listeners can be created by script code, so content code could create one.
Not for We'll block on this for though.
Flags: blocking1.9.1.1?
Whiteboard: [sg:moderate?] → [sg:moderate?][]
blocking1.9.1: --- → .2+
status1.9.1: --- → wanted
Comment on attachment 380433 [details] [diff] [review]

a=beltzner, please land on mozilla-1.9.1 immediately
Attachment #380433 - Flags: approval1.9.1.2+
status1.9.1: wanted → .2-fixed
Olli, could you help us verify this bug for 3.5.2?
Does this patch work for 1.9.0 as well?
Flags: wanted1.9.1.x+
Whiteboard: [sg:moderate?][] → [sg:moderate?]
The patch doesn't apply cleanly to 1.9.0 but I'll update it.

I think I have an idea for a testcase...
Created attachment 392893 [details]

If you get 2 working alerts when loading this, everything is ok.
Without the patch you get non-working alert dialogs (at least on OSX).
...at least 2 alerts.
Created attachment 392895 [details] [diff] [review]
for 190
Attachment #392895 - Flags: approval1.9.0.14?
Attachment #392895 - Flags: approval1.9.0.14? → approval1.9.0.14+
Comment on attachment 392895 [details] [diff] [review]
for 190

Approved for, a=dveditz for release-drivers
Checking in content/xul/templates/src/nsXULTemplateBuilder.cpp;
/cvsroot/mozilla/content/xul/templates/src/nsXULTemplateBuilder.cpp,v  <--  nsXULTemplateBuilder.cpp
new revision: 1.359; previous revision: 1.358
Checking in content/xul/templates/src/nsXULTemplateBuilder.h;
/cvsroot/mozilla/content/xul/templates/src/nsXULTemplateBuilder.h,v  <--  nsXULTemplateBuilder.h
new revision: 1.37; previous revision: 1.36
Keywords: fixed1.9.0.14
Verified fixed using the attached testcase in (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv: Gecko/2009081813 GranParadiso/3.0.14pre).
Keywords: fixed1.9.0.14 → verified1.9.0.14
Group: core-security