Closed Bug 55265 Opened 24 years ago Closed 24 years ago

Adding "attachto" attribute to XBL event causes Mozilla to crash at shutdown.

Categories

(Core :: XBL, defect, P3)

x86
Windows NT
defect

Tracking

RESOLVED FIXED
mozilla0.9

People

(Reporter: markh, Assigned: hyatt)

References

Details

(Keywords: crash, testcase, Whiteboard: exploit: can crash mail)

From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
BuildID:    20001005

Certain XBL events only work when they are "attachto" another object, such as 
the window or document.  Examples are the "load" event, and all the 
commandupdater events.

No example of an "attachto" attribute can be found in the source tree.  
Therefore, the "steps to repro" indicate how to crash one of the XBL demos.  
Unfortunately, these demos do not appear to be in the tree.

Reproducible: At least 1 out of 2 attempts on my machine (ie, most, but not 
every time)

Steps:
1. Use the "test2" XBL demo (Debug->XBL Demos->#2 Rollover Madness), and add a 
trivial "onload" handler.  This makes the complete "rollover" binding

  <binding id="rollover">
    <handlers>
      <handler event="mouseover" action="this.setAttribute('rollover', 'true')"/>
      <handler event="load" attachto="_window" action="dump('load event called\n');"/>
    </handlers>
  </binding>

(Note that only the event="load" line was added to the sample)

2. Open this sample in Mozilla, and confirm the 'load event called' message 
appears in the console.
3. Exit Mozilla.

This is reproducible on my machine at least 1 out of 2 attempts

Failure in "gkhtml.dll", always when referencing address "0xddddddf1", just 
after "WEBSHELL- = 3" message, after window has been closed.  Callstack:

nsXBLEventHandler::MarkForDeath() line 58 + 3 bytes
nsXBLEventHandler::MarkForDeath() line 58 + 20 bytes
nsXBLEventHandler::MarkForDeath() line 58 + 20 bytes
nsXBLBinding::ChangeDocument(nsXBLBinding * const 0x02a14938, nsIDocument * 0x027b3b38, nsIDocument * 0x00000000) line 1027
nsBindingManager::ChangeDocumentFor(nsBindingManager * const 0x02971428, nsIContent * 0x02971be8, nsIDocument * 0x027b3b38, nsIDocument * 0x00000000) line 331
nsGenericElement::SetDocument(nsIDocument * 0x00000000, int 1, int 1) line 1237
nsGenericHTMLElement::SetDocument(nsIDocument * 0x00000000, int 1, int 1) line 933 + 20 bytes
nsHTMLDivElement::SetDocument(nsHTMLDivElement * const 0x02971be8, nsIDocument * 0x00000000, int 1, int 1) line 65 + 26 bytes
nsGenericElement::SetDocumentInChildrenOf(nsIContent * 0x029713b8, nsIDocument * 0x00000000, int 1) line 1203
nsGenericElement::SetDocument(nsIDocument * 0x00000000, int 1, int 1) line 1261 + 19 bytes
nsGenericHTMLElement::SetDocument(nsIDocument * 0x00000000, int 1, int 1) line 933 + 20 bytes
nsBodyInner::SetDocument(nsIDocument * 0x00000000, int 1, int 1) line 166
nsHTMLBodyElement::SetDocument(nsHTMLBodyElement * const 0x029713b8, nsIDocument * 0x00000000, int 1, int 1) line 197 + 26 bytes
nsGenericElement::SetDocumentInChildrenOf(nsIContent * 0x02978b90, nsIDocument * 0x00000000, int 1) line 1203
nsGenericElement::SetDocument(nsIDocument * 0x00000000, int 1, int 1) line 1261 + 19 bytes
nsGenericHTMLElement::SetDocument(nsIDocument * 0x00000000, int 1, int 1) line 933 + 20 bytes
nsHTMLHtmlElement::SetDocument(nsHTMLHtmlElement * const 0x02978b90, nsIDocument * 0x00000000, int 1, int 1) line 63 + 26 bytes
nsDocument::SetScriptGlobalObject(nsDocument * const 0x027b3b38, nsIScriptGlobalObject * 0x00000000) line 1694
DocumentViewerImpl::~DocumentViewerImpl() line 418
DocumentViewerImpl::`scalar deleting destructor'(unsigned int 1) + 15 bytes
DocumentViewerImpl::Release(DocumentViewerImpl * const 0x027af8f8) line 355 + 154 bytes
nsCOMPtr<nsIContentViewer>::assign_assuming_AddRef(nsIContentViewer * 0x00000000) line 472
nsCOMPtr<nsIContentViewer>::assign_with_AddRef(nsISupports * 0x00000000) line 849
nsCOMPtr<nsIContentViewer>::operator=(nsIContentViewer * 0x00000000) line 584
nsDocShell::Destroy(nsDocShell * const 0x0286481c) line 1595
nsWebShell::Destroy(nsWebShell * const 0x0286481c) line 1394
nsHTMLFrameInnerFrame::~nsHTMLFrameInnerFrame() line 489
nsHTMLFrameInnerFrame::`scalar deleting destructor'(unsigned int 1) + 15 bytes
nsFrame::Destroy(nsFrame * const 0x0285d518, nsIPresContext * 0x01299888) line 425 + 34 bytes
nsFrameList::DestroyFrames(nsIPresContext * 0x01299888) line 36
nsContainerFrame::Destroy(nsContainerFrame * const 0x02775a84, nsIPresContext * 0x01299888) line 98
nsFrameList::DestroyFrames(nsIPresContext * 0x01299888) line 36
nsContainerFrame::Destroy(nsContainerFrame * const 0x026ef5c0, nsIPresContext * 0x01299888) line 98
nsBoxFrame::Destroy(nsBoxFrame * const 0x026ef5c0, nsIPresContext * 0x01299888) line 1002 + 13 bytes
nsFrameList::DestroyFrames(nsIPresContext * 0x01299888) line 36
nsContainerFrame::Destroy(nsContainerFrame * const 0x026ef530, nsIPresContext * 0x01299888) line 98
nsBoxFrame::Destroy(nsBoxFrame * const 0x026ef530, nsIPresContext * 0x01299888) line 1002 + 13 bytes
nsFrameList::DestroyFrames(nsIPresContext * 0x01299888) line 36
nsContainerFrame::Destroy(nsContainerFrame * const 0x026ef06c, nsIPresContext * 0x01299888) line 98
nsBoxFrame::Destroy(nsBoxFrame * const 0x026ef06c, nsIPresContext * 0x01299888) line 1002 + 13 bytes
nsFrameList::DestroyFrames(nsIPresContext * 0x01299888) line 36
nsContainerFrame::Destroy(nsContainerFrame * const 0x026eea14, nsIPresContext * 0x01299888) line 98
nsBoxFrame::Destroy(nsBoxFrame * const 0x026eea14, nsIPresContext * 0x01299888) line 1002 + 13 bytes
nsFrameList::DestroyFrames(nsIPresContext * 0x01299888) line 36
nsContainerFrame::Destroy(nsContainerFrame * const 0x026ee984, nsIPresContext * 0x01299888) line 98
nsBoxFrame::Destroy(nsBoxFrame * const 0x026ee984, nsIPresContext * 0x01299888) line 1002 + 13 bytes
nsFrameList::DestroyFrames(nsIPresContext * 0x01299888) line 36
nsContainerFrame::Destroy(nsContainerFrame * const 0x026ee948, nsIPresContext * 0x01299888) line 98
ViewportFrame::Destroy(ViewportFrame * const 0x026ee948, nsIPresContext * 0x01299888) line 144
FrameManager::~FrameManager() line 405
FrameManager::`scalar deleting destructor'(unsigned int 1) + 15 bytes
FrameManager::Release(FrameManager * const 0x01329290) line 384 + 157 bytes
PresShell::~PresShell() line 1272 + 27 bytes
PresShell::`scalar deleting destructor'() + 15 bytes
PresShell::Release(PresShell * const 0x013287b8) line 1188 + 158 bytes
nsCOMPtr<nsIPresShell>::~nsCOMPtr<nsIPresShell>() line 490
DocumentViewerImpl::~DocumentViewerImpl() line 447 + 97 bytes
DocumentViewerImpl::`scalar deleting destructor'(unsigned int 1) + 15 bytes
DocumentViewerImpl::Release(DocumentViewerImpl * const 0x01298a40) line 355 + 154 bytes
nsCOMPtr<nsIContentViewer>::assign_assuming_AddRef(nsIContentViewer * 0x00000000) line 472
nsCOMPtr<nsIContentViewer>::assign_with_AddRef(nsISupports * 0x00000000) line 849
nsCOMPtr<nsIContentViewer>::operator=(nsIContentViewer * 0x00000000) line 584
nsDocShell::Destroy(nsDocShell * const 0x011b1ba4) line 1595
nsWebShell::Destroy(nsWebShell * const 0x011b1ba4) line 1394
nsXULWindow::Destroy(nsXULWindow * const 0x011b5b14) line 324
nsWebShellWindow::Destroy(nsWebShellWindow * const 0x011b5b14) line 1750
nsWebShellWindow::Close(nsWebShellWindow * const 0x011b5b70) line 339
nsWebShellWindow::HandleEvent(nsGUIEvent * 0x0012f51c) line 418
nsWindow::DispatchEvent(nsWindow * const 0x011b5ca4, nsGUIEvent * 0x0012f51c, nsEventStatus & nsEventStatus_eIgnore) line 681 + 10 bytes
nsWindow::DispatchWindowEvent(nsGUIEvent * 0x0012f51c) line 702
nsWindow::DispatchStandardEvent(unsigned int 101) line 722 + 15 bytes
nsWindow::ProcessMessage(unsigned int 16, unsigned int 0, long 0, long * 0x0012f854) line 2795
nsWindow::WindowProc(HWND__ * 0x00570756, unsigned int 16, unsigned int 0, long 0) line 950 + 27 bytes
USER32! 77e13eb0()
USER32! 77e1591b()
USER32! 77e1595d()
NTDLL! 77f9fb83()
USER32! 77e169a7()
USER32! 77e13eb0()
USER32! 77e16469()
USER32! 77e1a6f8()
nsWindow::WindowProc(HWND__ * 0x00570756, unsigned int 274, unsigned int 61536, long 3605471) line 957 + 31 bytes
USER32! 77e13eb0()
USER32! 77e1591b()
USER32! 77e1595d()
NTDLL! 77f9fb83()
USER32! 77e169a7()
USER32! 77e13eb0()
USER32! 77e16469()
USER32! 77e1a6f8()
nsWindow::WindowProc(HWND__ * 0x00570756, unsigned int 161, unsigned int 20, long 3605471) line 957 + 31 bytes
USER32! 77e13eb0()
USER32! 77e1401a()
USER32! 77e192da()
nsAppShellService::Run(nsAppShellService * const 0x00b2f490) line 408
main1(int 2, char * * 0x00317398, nsISupports * 0x00000000) line 1004 + 32 bytes
main(int 2, char * * 0x00317398) line 1185 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e87903()
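The fault address in the report, 0xddddddf1, is a small offset from 0xdddddddd, the fill value the MSVC debug heap writes into freed blocks, so the trace reads like a handler being touched through a pointer that its "attachto" target kept after the binding that owned the handler was already torn down. The following C++ is an added illustration of that lifetime hazard and two ways to close it; it is not Mozilla code and does not reproduce the XBL internals. Every name in it (Handler, LoadHandler, Target, LeakyBinding, SafeBinding, WeakTarget) is hypothetical.

```cpp
// Added illustration, not Mozilla code. A handler is registered with a target
// (stand-in for the window/document) that outlives the binding owning the handler.
#include <algorithm>
#include <cstddef>
#include <memory>
#include <vector>

struct Handler {
    virtual ~Handler() = default;
    virtual void markForDeath() = 0;   // teardown notification, as in the trace
};

class LoadHandler : public Handler {
public:
    bool dead = false;
    void markForDeath() override { dead = true; }
};

// Long-lived target that stores raw handler pointers.
class Target {
public:
    void attach(Handler* h) { handlers_.push_back(h); }
    void detach(Handler* h) {
        handlers_.erase(std::remove(handlers_.begin(), handlers_.end(), h),
                        handlers_.end());
    }
    std::size_t attachedCount() const { return handlers_.size(); }
    // Dereferences every registered handler; only safe if none is dangling.
    void teardown() {
        for (Handler* h : handlers_) h->markForDeath();
        handlers_.clear();
    }
private:
    std::vector<Handler*> handlers_;
};

// Buggy owner: attaches its handler but never detaches it, so destroying the
// binding leaves the target holding a pointer into freed memory.
class LeakyBinding {
public:
    explicit LeakyBinding(Target& t)
        : target_(t), handler_(std::make_unique<LoadHandler>()) {
        target_.attach(handler_.get());
    }
private:
    Target& target_;
    std::unique_ptr<LoadHandler> handler_;
};

// Fix 1: the owner unregisters in its destructor, so no dangling pointer survives.
class SafeBinding {
public:
    explicit SafeBinding(Target& t)
        : target_(t), handler_(std::make_unique<LoadHandler>()) {
        target_.attach(handler_.get());
    }
    ~SafeBinding() { target_.detach(handler_.get()); }
private:
    Target& target_;
    std::unique_ptr<LoadHandler> handler_;
};

// Fix 2: the target keeps weak references and skips handlers whose owner is
// gone, which also covers owners that cannot be trusted to detach first.
class WeakTarget {
public:
    void attach(std::shared_ptr<Handler> h) { handlers_.push_back(h); }
    // Returns how many handlers were still alive and got notified.
    std::size_t teardown() {
        std::size_t notified = 0;
        for (auto& w : handlers_)
            if (auto h = w.lock()) { h->markForDeath(); ++notified; }
        handlers_.clear();
        return notified;
    }
private:
    std::vector<std::weak_ptr<Handler>> handlers_;
};

// Pointers the target still holds once a LeakyBinding is gone (1 = dangling).
std::size_t danglingAfterLeakyBinding() {
    Target t;
    { LeakyBinding b(t); }
    return t.attachedCount();   // t.teardown() here would be a use-after-free
}

std::size_t danglingAfterSafeBinding() {
    Target t;
    { SafeBinding b(t); }
    t.teardown();               // nothing left to dereference
    return t.attachedCount();
}

std::size_t notifiedAfterOwnerGone() {
    WeakTarget t;
    { auto h = std::make_shared<LoadHandler>(); t.attach(h); }  // owner drops it
    return t.teardown();        // expired entry is skipped, 0 notified
}

std::size_t notifiedWhileOwnerAlive() {
    WeakTarget t;
    auto h = std::make_shared<LoadHandler>();
    t.attach(h);
    std::size_t n = t.teardown();
    return h->dead ? n : 0;     // live handler reached safely: 1
}
```

The counting functions stop short of dereferencing the stale pointer in the buggy case, since that is undefined behaviour; under a debug allocator it is the kind of access that produces the 0xdddddddd-style address seen above.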
I haven't actually reproduced this problem, but I thought I'd run it by hyatt
anyway, because the example cited is so well detailed that hyatt should be able
to reproduce or diagnose very quickly.  This could be indicative of a larger
problem, and I want to be sure the owner gets a crack at it before rtm.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
->moz0.8, assuming this is needed for ActiveState's Komodo project.
Target Milestone: --- → mozilla0.8
To be honest, this one does not block us.  There is still an issue that 
the "this" object in such an event is the window or document object attached 
to, rather than the XBL binding itself.  As we may need many of these bindings 
on the one form, this limitation prevents us using these events even if they 
did not crash.

In the xbl newsgroups David didn't seem to consider the "this" behaviour a bug, 
so one is not filed.

So if you _do_ want an XBL bug blocking Komodo, then the "this" behaviour 
qualifies rather than this.  Once that limitation is removed, we would _then_ 
hit this bug and consider it blocking us ;-)
Testcase:
   http://www.damowmow.com/mozilla/crash/7.html

You can't get much simpler than:
   <?xml version="1.0"?>
   <bindings xmlns="http://www.mozilla.org/xbl">
     <binding id="test">
       <handlers>
         <handler event="click" attachto="document">
         </handler>
       </handlers>
     </binding>
   </bindings>

As per all XBL bugs, this one can be used to crash mail and (in the Netscape 
commercial builds) AIM.
Keywords: testcase
Whiteboard: exploit: can crash mail
->moz0.9
Target Milestone: mozilla0.8 → mozilla0.9
I am going to disable the attachto capability for mozilla1.0.  Patch coming shortly.
Status: NEW → ASSIGNED
Fixed.  This feature of XBL has been disabled for Mozilla 1.0.  A new bug should
be opened for implementing this feature the correct way. :)
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
in-testsuite-: "attachto" no longer exists.
Flags: in-testsuite-