Closed Bug 557398 Opened 12 years ago Closed 12 years ago

"ASSERTION: This is unsafe! Fix the caller!" with <xul:wizard>, XBL, iframe

Categories

(Core :: XBL, defect)

x86
macOS
defect
Not set
normal

RESOLVED FIXED

People

(Reporter: jruderman, Assigned: smaug)

Details

(Keywords: assertion, testcase, Whiteboard: [sg:critical?] branch landing needs roll-up patch)

Attachments

(3 files)

Attached file testcase
###!!! ASSERTION: This is unsafe! Fix the caller!: 'Error', file /Users/jruderman/mozilla-central/content/events/src/nsEventDispatcher.cpp, line 490

I'm initially treating this as sg:critical because bug 531176 was sg:critical.
Smaug, can you have a look and decide whether this should remain sg:critical etc?
Assignee: nobody → Olli.Pettay
Oh, this looks very much like sg:critical
The bad thing is
#15 0x00952251 in nsXBLProtoImplAnonymousMethod::Execute (this=0x1e0ee000, aBoundElement=0x1e0df2b0) at /Users/jruderman/mozilla-central/content/xbl/src/nsXBLProtoImplMethod.cpp:329
#16 0x009446cd in nsXBLPrototypeBinding::BindingAttached (this=0x1e0ec170, aBoundElement=0x1e0df2b0) at /Users/jruderman/mozilla-central/content/xbl/src/nsXBLPrototypeBinding.cpp:488
#17 0x0093eb23 in nsXBLBinding::ExecuteAttachedHandler (this=0x1e0ec820) at /Users/jruderman/mozilla-central/content/xbl/src/nsXBLBinding.cpp:976
#18 0x00963f85 in nsBindingManager::ProcessAttachedQueue (this=0x1e09a1e0, aSkipSize=0) at /Users/jruderman/mozilla-central/content/xbl/src/nsBindingManager.cpp:1014
#19 0x0041ee4f in PresShell::InitialReflow (this=0x1e0e28d0, aWidth=600, aHeight=600) at /Users/jruderman/mozilla-central/layout/base/nsPresShell.cpp:2518
#20 0x003e1bb6 in DocumentViewerImpl::InitPresentationStuff (this=0x1e0999b0, aDoInitialReflow=1) at /Users/jruderman/mozilla-central/layout/base/nsDocumentViewer.cpp:750
#21 0x003e2dea in DocumentViewerImpl::Show (this=0x1e0999b0) at /Users/jruderman/mozilla-central/layout/base/nsDocumentViewer.cpp:1979
#22 0x00dfee6a in nsDocShell::SetVisibility (this=0x1dfdc520, aVisibility=1) at /Users/jruderman/mozilla-central/docshell/base/nsDocShell.cpp:4605
#23 0x0070dbb5 in nsFrameLoader::Show (this=0x1dfdbe90, marginWidth=-1, marginHeight=-1, scrollbarPrefX=1, scrollbarPrefY=1, frame=0x4be9720) at /Users/jruderman/mozilla-central/content/base/src/nsFrameLoader.cpp:562
#24 0x0047a549 in nsSubDocumentFrame::ShowViewer (this=0x4be96f0) at /Users/jruderman/mozilla-central/layout/generic/nsFrameFrame.cpp:323
#25 0x0047a7e3 in nsSubDocumentFrame::Init (this=0x4be96f0, aContent=0x1dfdb470, aParent=0x4be9660, aPrevInFlow=0x0) at /Users/jruderman/mozilla-central/layout/generic/nsFrameFrame.cpp:288
#26 0x00398535 in nsCSSFrameConstructor::InitAndRestoreFrame (this=0x1e0cb680, aState=@0xbfffc864, aContent=0x1dfdb470, aParentFrame=0x4be9660, aPrevInFlow=0x0, aNewFrame=0x4be96f0, aAllowCounters=1) at /Users/jruderman/mozilla-central/layout/base/nsCSSFrameConstructor.cpp:4513
#27 0x003a2685 in nsCSSFrameConstructor::ConstructFrameFromItemInternal (this=0x1e0cb680, aItem=@0x1e0e1920, aState=@0xbfffc864, aParentFrame=0x4be9660, aFrameItems=@0xbfffc5dc) at /Users/jruderman/mozilla-central/layout/base/nsCSSFrameConstructor.cpp:3740

We are doing the InitialReflow while constructing frames.

Should we postpone nsFrameLoader::Show to happen when it is safe to run scripts?
Or postpone something else? I'll investigate this during this weekend.
I'm hoping to have this fixed by the end of next week.
Postponing ShowViewer sounds pretty good to me....
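An added sketch of the ordering discussed above (not code from this bug's patch or from Gecko): a script blocker is held during frame construction, and showing the sub-document either runs immediately, which is the asserted case, or is queued until the blocker is released. `ScriptBlocker`, `SubDocFrame` and `ConstructFrames` are hypothetical stand-ins, and the weak reference models the liveness check a deferred callback needs because the frame can be destroyed before the callback runs.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <utility>
#include <vector>

struct ScriptBlocker {  // hypothetical stand-in, not a Gecko class
    static int depth;
    static std::vector<std::function<void()>> pending;
    ScriptBlocker() { ++depth; }
    ~ScriptBlocker() {
        if (--depth > 0) return;
        auto work = std::move(pending);  // outermost blocker gone: drain queue
        pending.clear();
        for (auto& fn : work) fn();
    }
    static bool IsSafeToRunScript() { return depth == 0; }
    static void AddScriptRunner(std::function<void()> fn) {
        if (IsSafeToRunScript()) fn(); else pending.push_back(std::move(fn));
    }
};
int ScriptBlocker::depth = 0;
std::vector<std::function<void()>> ScriptBlocker::pending;

struct SubDocFrame {
    std::vector<std::string>* log;
    // Showing the viewer runs binding constructors, i.e. script.
    void ShowViewer() {
        log->push_back(ScriptBlocker::IsSafeToRunScript() ? "script:safe" : "script:UNSAFE");
    }
};

// Constructed scenario: deferShow=false is the ordering the assertion caught.
std::vector<std::string> ConstructFrames(bool deferShow, bool destroyFrameEarly) {
    std::vector<std::string> log;
    auto frame = std::make_shared<SubDocFrame>(SubDocFrame{&log});
    {
        ScriptBlocker blocker;  // frame construction must not run script
        std::weak_ptr<SubDocFrame> weak = frame;
        if (!deferShow) frame->ShowViewer();
        else ScriptBlocker::AddScriptRunner([weak, &log] {
            if (auto f = weak.lock()) f->ShowViewer();
            else log.push_back("frame gone, skipped");
        });
        if (destroyFrameEarly) frame.reset();
        log.push_back("frames constructed");
    }  // blocker released here; deferred runners fire now
    return log;
}
```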
I would assume that fixing this takes a day (I just may not have all the time before
next week).
Writing the code should take just minutes, but testing hours.
My earlier comments were based on the stack trace.

Now that I'm trying to get the assertion, I'm
having problems reproducing this - at least on Linux.
I'll retry on OSX.
Ok, I can reproduce on OSX.
Group: mozilla-confidential
Attached patch a patch
I uploaded this to try server.
Group: mozilla-confidential
Comment on attachment 438369
a patch

Based on tryserver and some (i)frame heavy sites this should work.
Attachment #438369 - Flags: superreview?(roc)
Attachment #438369 - Flags: review?(bzbarsky)
Comment on attachment 438369
a patch

Ugh, nsWeakFrame!
Attachment #438369 - Flags: superreview?(roc) → superreview+
Attachment #438369 - Flags: review?(bzbarsky) → review?(dbaron)
Attachment #438369 - Flags: review?(dbaron) → review?(jst)
Attachment #438369 - Flags: review?(jst) → review+
Please check this in ASAP
http://hg.mozilla.org/mozilla-central/rev/ac0109fc6043

Waiting a bit before asking approval for branches.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Depends on: 561981
Branch patches will need to fix the regression bug 561981
Whiteboard: [sg:critical?] → [sg:critical?] branch landing needs roll-up patch
(In reply to comment #14)
> Waiting a bit before asking approval for branches.

Both 1.9.2 and 1.9.1?
The fix for the regression this bug caused (bug 561981) landed on mozilla-central.
Depends on: 605481
Depends on: 616394
Group: core-security