Bugzilla@Mozilla – Bug 583957
"ASSERTION: killing mutation events" in nsMenuFrame::UpdateMenuType
Last modified: 2011-02-09 09:08:13 PST
Created attachment 462305 [details] testcase

###!!! ASSERTION: Want to fire mutation events, but it's not safe: '(aNode->IsNodeOfType(nsINode::eCONTENT) && static_cast<nsIContent*>(aNode)-> IsInNativeAnonymousSubtree()) || sScriptBlockerCount == sRemovableScriptBlockerCount', file content/base/src/nsContentUtils.cpp, line 3619

###!!! ASSERTION: killing mutation events: 'nsContentUtils::IsSafeToRunScript()', file content/base/src/nsContentUtils.cpp, line 6142

###!!! ASSERTION: This is unsafe! Fix the caller!: 'Error', file content/events/src/nsEventDispatcher.cpp, line 514

Security-sensitive because previous bugs with these assertions (bug 557398, bug 564461) were deemed to be likely-exploitable.
Created attachment 462306 [details] assertion stack traces
Um, nsMenuFrame::AttributeChanged is quite wrong. I blame hyatt.
Created attachment 462387 [details] [review] patch

I think we need this. I'll test this some more.
if (mType != eMenuType_Normal) check shouldn't be needed since UpdateMenuSpecialState does that too.
(In reply to comment #3)
> if (mType != eMenuType_Normal) check shouldn't be needed since
> UpdateMenuSpecialState does that too.

I don't see UpdateMenuSpecialState checking mType.
It has
if (mType != eMenuType_Radio) return
and
if (mType != eMenuType_Radio || ...) return
In case of eMenuType_Normal, mChecked is probably changed, but mChecked isn't really used with eMenuType_Normal.
But if really wanted I could add the pretty useless mType != eMenuType_Normal back.
Neil needs to respond.
http://hg.mozilla.org/mozilla-central/rev/e4e653196488
Is this bug a regression, or did we just not have those assertions on the branches? In a 1.9.2 debug build I get

###!!! ASSERTION: killing mutation events: 'nsContentUtils::IsSafeToRunScript()', file /Users/daniel/dev/ff192/content/base/src/nsContentUtils.cpp, line 5245
###!!! ASSERTION: killing mutation events: 'nsContentUtils::IsSafeToRunScript()', file /Users/daniel/dev/ff192/content/base/src/nsContentUtils.cpp, line 5245

but not the scary first and third assertion from comment 0. On the other hand, if you're blaming hyatt (comment 2) I guess this is an old problem.
We don't have all the same assertions on 1.9.2. We should land this to branches too. Sorry that I didn't ask for approval yet.
I need to test whether the patch applies to branches.
Comment on attachment 462387 [details] [review] patch

Approved for 1.9.2.11 and 1.9.1.14, a=dveditz for release-drivers
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/6a2ae85c5dbc
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/528a466700d8
Crashtest: http://hg.mozilla.org/mozilla-central/rev/ea9ed8b0fe1b