nsXULTemplateBuilder::AttributeChanged calls Rebuild when nsContentUtils::IsSafeToRunScripts returns false

RESOLVED FIXED

Status

Core
XUL
8 years ago
8 years ago

People

(Reporter: smaug, Assigned: smaug)

Tracking

({verified1.9.0.14})

Trunk
x86
Linux
verified1.9.0.14
Bug Flags:
blocking1.9.0.14 +
wanted1.9.0.x +

Firefox Tracking Flags

(blocking1.9.1 .2+, status1.9.1 .2-fixed)

Details

(Whiteboard: [sg:moderate?])

Attachments

(3 attachments, 1 obsolete attachment)

2.33 KB, patch
Neil Deakin (not available until Aug 9)
: review+
neil@parkwaycc.co.uk
: superreview+
921 bytes, application/vnd.mozilla.xul+xml
3.24 KB, patch
(Assignee)

Description

8 years ago
Created attachment 380424 [details] [diff] [review]
patch

#7  0x00002aaab0b55a3e in nsJSContext::EvaluateStringWithValue (this=0x2144780, aScript=@0x7fff28ccedd0, 
    aScopeObject=0x1f88c80, aPrincipal=0x7a09c0, aURL=0x2212548 "chrome://global/content/bindings/listbox.xml", aLineNo=217, 
    aVersion=180, aRetValue=0x7fff28ccedf0, aIsUndefined=0x7fff28ccedfc)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/dom/base/nsJSEnvironment.cpp:1450
#8  0x00002aaab0b1467e in nsXBLProtoImplField::InstallField (this=0x2a64560, aContext=<value optimized out>, 
    aBoundNode=0x1f88c80, aPrincipal=0x7a09c0, aBindingDocURI=<value optimized out>, aDidInstall=0x7fff28ccee8c)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xbl/src/nsXBLProtoImplField.cpp:135
#9  0x00002aaab0b07bad in XBLResolve (cx=0x21447e0, obj=<value optimized out>, id=<value optimized out>, 
    flags=<value optimized out>, objp=0x7fff28ccef28)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xbl/src/nsXBLBinding.cpp:211
#10 0x00002aaaaad9efad in js_LookupPropertyWithFlags (cx=0x21447e0, obj=<value optimized out>, id=32533796, flags=5, 
    objp=0x7fff28ccef90, propp=0x7fff28ccef88) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsobj.cpp:3848
#11 0x00002aaaaada706d in js_GetPropertyHelper (cx=0x21447e0, obj=0x1f88c80, id=32533796, cacheResult=1, vp=0x7fff28ccf238)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsobj.cpp:4255
#12 0x00002aaaaad761ea in js_Interpret (cx=0x21447e0) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:4441
#13 0x00002aaaaad906a3 in js_Invoke (cx=0x21447e0, argc=1, vp=0x3010a38, flags=<value optimized out>)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/jsinterp.cpp:1394
#14 0x00002aaab0248275 in nsXPCWrappedJSClass::CallMethod (this=0x215c3e0, wrapper=<value optimized out>, methodIndex=4, 
    info=0x1108600, nativeParams=0x7fff28ccf780)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp:1652
#15 0x00002aaaab2d326e in PrepareAndDispatch (self=0x215c4b0, methodIndex=<value optimized out>, args=<value optimized out>, 
    gpregs=0x7fff28ccf860, fpregs=0x7fff28ccf890)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:153
#16 0x00002aaaab2d260b in SharedStub ()
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/xpcom/reflect/xptinfo/src/xptiprivate.h:383
#17 0x00002aaab0c8f5eb in nsXULTemplateBuilder::Rebuild (this=0x305b980)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xul/templates/src/nsXULTemplateBuilder.cpp:400
#18 0x00002aaab0c94e05 in nsXULTemplateBuilder::AttributeChanged (this=0x3df8, aDocument=0x303d900, aContent=0x6, 
    aNameSpaceID=-1, aAttribute=0x0, aModType=0, aStateMask=0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/xul/templates/src/nsXULTemplateBuilder.cpp:1112
#19 0x00002aaab09ccfd2 in nsNodeUtils::AttributeChanged (aContent=0x30afb80, aNameSpaceID=0, aAttribute=0xb8edb8, 
    aModType=2, aStateMask=0) at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsNodeUtils.cpp:108
#20 0x00002aaab09bbf75 in nsGenericElement::SetAttrAndNotify (this=0x30afb80, aNamespaceID=0, aName=0xb8edb8, aPrefix=0x0, 
    aOldValue=@0x7fff28ccfd80, aParsedValue=<value optimized out>, aModification=0, aFireMutation=0, aNotify=1, 
    aValueForAfterSetAttr=0x7fff28ccfee0)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.cpp:4369
#21 0x00002aaab09bc301 in nsGenericElement::SetAttr (this=0x30afb80, aNamespaceID=0, aName=0xb8edb8, aPrefix=0x0, 
    aValue=@0x7fff28ccfee0, aNotify=1)
    at /home/smaug/mozilla/mozilla_cvs/hg/mozilla/content/base/src/nsGenericElement.cpp:4300
#22 0x00002aaab09b5d95 in nsGenericElement::SetAttribute (this=0x30afb80, aName=@0x7fff28ccff00, aValue=@0x7fff28ccfee0)
Attachment #380424 - Flags: superreview?(neil)
Attachment #380424 - Flags: review?
(Assignee)

Updated

8 years ago
Attachment #380424 - Flags: review? → review?(enndeakin)

Comment 1

8 years ago
nsXULTemplateBuilder.cpp(1113) : error C2664: 'ns_new_runnable_method' : cannot convert parameter 2 from 'nsresult (__stdcall nsXULTemplateBuilder::* )(void)' to 'nsresult (__thiscall nsXULTemplateBuilder::* )(void)'
        Types pointed to are unrelated; conversion requires reinterpret_cast, C-style cast or function-style cast
nsXULTemplateBuilder.cpp(1124) : error C2664: 'ns_new_runnable_method' : cannot convert parameter 2 from 'nsresult (__stdcall nsXULTemplateBuilder::* )(void)' to 'nsresult (__thiscall nsXULTemplateBuilder::* )(void)'
        Types pointed to are unrelated; conversion requires reinterpret_cast, C-style cast or function-style cast
gmake: *** [nsXULTemplateBuilder.obj] Error 2
(Assignee)

Comment 2

8 years ago
Bah, I'll upload a new patch.
(Assignee)

Comment 3

8 years ago
Created attachment 380433 [details] [diff] [review]
patch
Attachment #380424 - Attachment is obsolete: true
Attachment #380433 - Flags: superreview?(neil)
Attachment #380433 - Flags: review?(enndeakin)
Attachment #380424 - Flags: superreview?(neil)
Attachment #380424 - Flags: review?(enndeakin)

Updated

8 years ago
Attachment #380433 - Flags: superreview?(neil) → superreview+

Comment 4

8 years ago
Comment on attachment 380433 [details] [diff] [review]
patch

Excellent, this must have been why I was getting an assertion (something to do with suppressing mutation events) opening SeaMonkey Mail.

Can you explain why this is needed? Rebuild doesn't call any scripts directly.
(Assignee)

Comment 6

8 years ago
yes it does if there is a JS-implemented nsIXULBuilderListener
Attachment #380433 - Flags: review?(enndeakin) → review+
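
The pattern discussed in the exchange above, as a simplified C++ model added here (it is not Gecko source and not the attached patch): a notification delivered while a script blocker is active either calls Rebuild synchronously, so the listener runs at an unsafe time, or queues the rebuild until the blocker is released. ScriptBlocker, AddScriptRunner, Builder and ListenerRun are stand-in names assumed for this model.

```cpp
// Simplified model, not Gecko source: every name except IsSafeToRunScripts
// is a stand-in chosen for this example.
#include <functional>
#include <utility>
#include <vector>

static int gBlockers = 0;                            // >0 while a DOM mutation is in progress
static std::vector<std::function<void()>> gPending;  // work deferred until it is safe

bool IsSafeToRunScripts() { return gBlockers == 0; }

void AddScriptRunner(std::function<void()> fn) {
  if (IsSafeToRunScripts()) fn();
  else gPending.push_back(std::move(fn));
}

struct ScriptBlocker {                               // RAII guard held during a mutation
  ScriptBlocker() { ++gBlockers; }
  ~ScriptBlocker() {
    if (--gBlockers != 0) return;
    auto ready = std::move(gPending);                // drain after the last guard is released
    gPending.clear();
    for (auto& fn : ready) fn();
  }
};

struct Builder {
  std::function<void()> listener;                    // models a script-implemented listener
  bool deferRebuild;                                 // false: old behaviour, true: deferred
  void Rebuild() { if (listener) listener(); }       // calls out to the listener
  void AttributeChanged() {                          // observer notification, sent mid-mutation
    if (deferRebuild) AddScriptRunner([this] { Rebuild(); });
    else Rebuild();
  }
};

// Returns {listener call count, whether any call happened while blocked}.
std::pair<int, bool> ListenerRun(bool deferRebuild) {
  int calls = 0;
  bool ranWhileBlocked = false;
  Builder b{[&] { ++calls; if (!IsSafeToRunScripts()) ranWhileBlocked = true; }, deferRebuild};
  {
    ScriptBlocker guard;                             // attribute set in progress
    b.AttributeChanged();
  }
  return {calls, ranWhileBlocked};
}

int main() { return ListenerRun(true).second ? 1 : 0; }
```

In both modes the listener is called exactly once; only the synchronous mode reaches it while the blocker is still held.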
(Assignee)

Comment 7

8 years ago
http://hg.mozilla.org/mozilla-central/rev/34238c425f2a
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
(Assignee)

Updated

8 years ago
Flags: blocking1.9.1?
Flags: blocking1.9.0.13?
This bug was nominated for blocking Firefox 3.5, which is due to ship in two days, but no rationale was given. I'm going to assume that Olli meant to flag it as something we want to get into a security and stability release for Firefox, and transfer the flag to 1.9.1.1; if that's wrong, please renominate explaining why this is a stop-ship issue.
Flags: blocking1.9.1? → blocking1.9.1.1?
(Assignee)

Comment 9

8 years ago
Oh, sorry, I meant 1.9.1.1

Can content create a nsIXULBuilderListener, or is it only addons at risk here?
Flags: wanted1.9.1.x+
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.13?
Flags: blocking1.9.0.13+
Whiteboard: [sg:moderate?]
(In reply to comment #10)
> Can content create a nsIXULBuilderListener, or is it only addons at risk here?

The listeners can be created by script code, so content code could create one.

Not for 1.9.1.1. We'll block on this for 1.9.1.2 though.
Flags: blocking1.9.1.1?
Whiteboard: [sg:moderate?] → [sg:moderate?][1.9.1.2+]
blocking1.9.1: --- → .2+
status1.9.1: --- → wanted
Comment on attachment 380433 [details] [diff] [review]
patch

a=beltzner, please land on mozilla-1.9.1 immediately
Attachment #380433 - Flags: approval1.9.1.2+
(Assignee)

Comment 14

8 years ago
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/d4114e4d3670
(Assignee)

Updated

8 years ago
status1.9.1: wanted → .2-fixed
Olli, could you help us verify this bug for 3.5.2?

Does this patch work for 1.9.0 as well?
Flags: wanted1.9.1.x+
Whiteboard: [sg:moderate?][1.9.1.2+] → [sg:moderate?]
(Assignee)

Comment 17

8 years ago
The patch doesn't apply cleanly to 1.9.0 but I'll update it.

I think I have an idea for a testcase...
(Assignee)

Comment 18

8 years ago
Created attachment 392893 [details]
testcase

If you get 2 working alerts when loading this, everything is ok.
Without the patch you get non-working alert dialogs (at least on OSX).
(Assignee)

Comment 19

8 years ago
...at least 2 alerts.
(Assignee)

Comment 20

8 years ago
Created attachment 392895 [details] [diff] [review]
for 190
Attachment #392895 - Flags: approval1.9.0.14?
Attachment #392895 - Flags: approval1.9.0.14? → approval1.9.0.14+
Comment on attachment 392895 [details] [diff] [review]
for 190

Approved for 1.9.0.14, a=dveditz for release-drivers
(Assignee)

Comment 22

8 years ago
Checking in content/xul/templates/src/nsXULTemplateBuilder.cpp;
/cvsroot/mozilla/content/xul/templates/src/nsXULTemplateBuilder.cpp,v  <--  nsXULTemplateBuilder.cpp
new revision: 1.359; previous revision: 1.358
done
Checking in content/xul/templates/src/nsXULTemplateBuilder.h;
/cvsroot/mozilla/content/xul/templates/src/nsXULTemplateBuilder.h,v  <--  nsXULTemplateBuilder.h
new revision: 1.37; previous revision: 1.36
done
Keywords: fixed1.9.0.14
Verified fixed using the attached testcase in 1.9.0.14 (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.14pre) Gecko/2009081813 GranParadiso/3.0.14pre).
Keywords: fixed1.9.0.14 → verified1.9.0.14
Group: core-security