Closed
Bug 919585
Opened 11 years ago
Closed 10 years ago
ASSERTION: Want to fire DOMNodeRemoved event, but it's not safe: 'aChild->IsNodeOfType(nsINode::eCONTENT) && static_cast<nsIContent*>(aChild)-> IsInNativeAnonymousSubtree() || IsSafeToRunScript() || sDOMNodeRemovedSuppressCount'
Categories
(Core :: XBL, defect)
Core
XBL
Tracking
()
RESOLVED
DUPLICATE
of bug 736695
People
(Reporter: smaug, Assigned: wchen)
Details
(Keywords: assertion, sec-high)
+++ This bug was initially created as a clone of Bug #712521 +++ The stack trace in bug 712521 is actually rather worrisome. We're running JS while doing UnbindFromTree. That should not be allowed. I thought we execute XBL ctor and dtor using a script runner, but maybe not.
Comment 1•11 years ago
|
||
I think we fire ctor from a script runner, but maybe not dtor. We should try to fix this...
Comment 3•11 years ago
|
||
I'll probably get to this after the summit.
Is this the old "we're doing teardown of bindings the wrong way" bug? IIRC we need to separate "remove things from the DOM" from "run XBL ctor" and do the former synchronously and the latter from a scriptrunner. Or some such, it's been too long :( The really tricky part is that doing this while keeping backwards compatibility with regards to what DOM the ctor sees is going to be RealHard
Comment 5•11 years ago
|
||
(In reply to Blake Kaplan (:mrbkap) from comment #3) > I'll probably get to this after the summit. Have you had a chance to look at this, Blake? Maybe William could investigate this? This bug has sat dead for almost two months.
Comment 7•10 years ago
|
||
I think wchen will be able to get to this before me. William, tell me if I'm wrong!
Assignee: nobody → wchen
Flags: needinfo?(mrbkap)
Assignee | ||
Comment 8•10 years ago
|
||
I haven't been able to reproduce the stack that removes a child node in UnbindFromTree. I'm getting the same result as Blake in Bug 712521 c4, I've tried in both nightly and a build I have from half a year ago.
Flags: needinfo?(wchen)
Comment 10•10 years ago
|
||
I haven't been involved in this bug at all, so I'm not sure why you ask me... But yeah, running this still reproduces the assertion: ./mach mochitest-browser browser/base/content/test/general/browser_aboutHome.js
Flags: needinfo?(matspal)
Comment 11•10 years ago
|
||
Well, you filed bug 712521 back in Dec. 2011, which is the original source. Thanks for checking.
Assignee | ||
Comment 12•10 years ago
|
||
(In reply to Mats Palmgren (:mats) from comment #10) > I haven't been involved in this bug at all, so I'm not sure why you ask me... > But yeah, running this still reproduces the assertion: > ./mach mochitest-browser > browser/base/content/test/general/browser_aboutHome.js That test hits the same assertion but with a different stack. This bug is concerning removing a child while in UnbindFromTree, the assertion from browser_aboutHome.js is due to the parser.
Comment 13•10 years ago
|
||
It seems we don't have a test case for this, but comment 0 and comment 1 sound like there's still something actionable here: make sure that XBL ctor and dtor are executed using a script runner (probably the ctor is but maybe not the dtor?). Can you look into that, William? Thanks.
Assignee | ||
Comment 14•10 years ago
|
||
Upon further investigation it looks like this was fixed in Bug 736695. The stack in bug 712521 shows that the destructor was being executed by a call to nsBindingManager::RemovedFromDocument in nsGenericElement::UnbindFromTree. The call was moved into a script runner here: https://hg.mozilla.org/mozilla-central/rev/ca716959ca2b
Comment 15•10 years ago
|
||
Great! Thanks for the analysis.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Updated•10 years ago
|
Group: core-security
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•8 years ago
|
Group: dom-core-security, core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•