Closed Bug 404869 Opened 17 years ago Closed 17 years ago

[FIX]Crash [@ nsXBLBinding::ResolveAllFields]

Categories

(Core :: XBL, defect, P3)

x86
macOS
defect

VERIFIED FIXED

People

(Reporter: jruderman, Assigned: bzbarsky)

References

Details

(Keywords: crash, testcase, Whiteboard: [sg:critical?] post 1.8-branch)

Attachments

(2 files)

Loading the testcase causes a crash with one of the following signatures:
* Null deref, [@ nsXBLBinding::ResolveAllFields]
* Random memory deref, [@ nsXBLPrototypeBinding::ResolveAllFields]
* Random memory deref, [@ nsXBLProtoImpl::ResolveAllFields]
Flags: blocking1.9?
Whiteboard: [sg:critical?]
All that's needed is a field whose evaluation will flush the pending style change. Should be possible to write a testcase which doesn't have any XUL in it at all (e.g. have a field do this.ownerDocument.body.offsetHeight or whatnot). Fix coming up.
Assignee: nobody → bzbarsky
Blocks: 372769
Summary: Crash [@ nsXBLBinding::ResolveAllFields] → [FIX]Crash [@ nsXBLBinding::ResolveAllFields]
Attached patch: Like so (deleted)
Just keep the binding alive while we execute script. The behavior will still be weird in this testcase (e.g. we'll install some fields after uninstalling the binding), but I think that's fine for this corner case.
Attachment #289742 - Flags: superreview?(jonas)
Attachment #289742 - Flags: review?(jonas)
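The keep-alive fix described in the comment above, as an added example that is not part of the bug report or Gecko's code: a simplified C++ model in which `Binding`, `Element`, `UninstallBinding` and `RunScenario` are hypothetical names and `std::shared_ptr` stands in for Gecko's reference counting. It returns -1 at the point where unfixed code would go on to use a freed binding, instead of actually touching freed memory.

```cpp
#include <cstddef>
#include <cstdio>
#include <functional>
#include <memory>
#include <vector>

// Simplified model, not Gecko code: all names below are hypothetical.
struct Binding {
    std::vector<std::function<void()>> fields;  // field initializers ("script")
    int installed = 0;
};
struct Element {
    std::shared_ptr<Binding> binding;             // the only owning reference
    void UninstallBinding() { binding.reset(); }  // what a style flush may trigger
};

// Returns the number of fields installed, or -1 at the point where the
// binding was destroyed mid-loop (unfixed code would next touch freed memory).
int ResolveAllFields(Element& el, bool keepAlive) {
    std::weak_ptr<Binding> probe = el.binding;  // observes lifetime, owns nothing
    std::shared_ptr<Binding> grip;              // the fix: a local strong reference
    if (keepAlive) grip = el.binding;
    Binding* self = el.binding.get();
    if (!self) return 0;
    const std::size_t count = self->fields.size();
    for (std::size_t i = 0; i < count; ++i) {
        std::function<void()> init = self->fields[i];  // copy: callee outlives binding
        init();                                        // arbitrary script runs here
        if (probe.expired()) return -1;                // `self` is dangling: stop
        ++self->installed;
    }
    return self->installed;
}

// Constructed scenario: the first field's evaluation uninstalls the binding.
int RunScenario(bool keepAlive) {
    Element el;
    el.binding = std::make_shared<Binding>();
    Element* owner = &el;
    el.binding->fields.push_back([owner] { owner->UninstallBinding(); });
    el.binding->fields.push_back([] {});
    return ResolveAllFields(el, keepAlive);
}

int main() {
    std::printf("without keep-alive: %d\n", RunScenario(false));
    std::printf("with keep-alive:    %d\n", RunScenario(true));
    return 0;
}
```

With the strong reference held, the second field is still installed after the binding has been uninstalled, which is the odd but memory-safe behaviour the comment accepts for this corner case.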
Flags: blocking1.9? → blocking1.9+
Priority: -- → P3
Attachment #289742 - Flags: superreview?(jonas)
Attachment #289742 - Flags: superreview+
Attachment #289742 - Flags: review?(jonas)
Attachment #289742 - Flags: review+
Attachment #289742 - Flags: approval1.9+
Checked in. Need to land the crash test. Opening bug up, since this is trunk-only and now fixed.
Group: security
Status: NEW → RESOLVED
Closed: 17 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Flags: wanted1.8.1.x-
Whiteboard: [sg:critical?] → [sg:critical?] post 1.8-branch
Crashtest checked in.
Flags: in-testsuite? → in-testsuite+
No crash on testcase using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9b3pre) Gecko/2007123104 Minefield/3.0b3pre. Verified fixed.
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsXBLBinding::ResolveAllFields]