Bug 640652 - When unsetting an attribute on a XUL element, don't let the script blocker be removed when the document nested update count is 0, since that can trigger XBL bindings, which may run scripts to do things which would lead to crashes; r=sicking a=sayrer
author Ehsan Akhgari <ehsan@mozilla.com>
Fri, 11 Mar 2011 01:04:44 -0500
changeset 63386 e00e8ee0aeb7d156e65521ee0dd4bf4627c1e337
parent 63385 823105711a3bd08104651bf5971f5f6357c40e47
child 63387 3570861040e98ed5331fdac7a8aa8d8b489eb84d
push id 19182
push user eakhgari@mozilla.com
push date Fri, 11 Mar 2011 06:07:01 +0000
reviewers sicking, sayrer
bugs 640652
milestone 2.0b13pre
content/xul/content/src/nsXULElement.cpp
--- a/content/xul/content/src/nsXULElement.cpp
+++ b/content/xul/content/src/nsXULElement.cpp
@@ -1336,17 +1336,18 @@ nsXULElement::UnsetAttr(PRInt32 aNameSpa
         FindPrototypeAttribute(aNameSpaceID, aName);
     if (protoattr) {
         // We've got an attribute on the prototype, so we need to
         // fully fault and remove the local copy.
         rv = MakeHeavyweight();
         NS_ENSURE_SUCCESS(rv, rv);
     }
 
-    nsAutoRemovableScriptBlocker scriptBlocker;
+    nsIDocument* doc = GetCurrentDoc();
+    mozAutoDocUpdate updateBatch(doc, UPDATE_CONTENT_MODEL, aNotify);
 
     PRBool isId = PR_FALSE;
     if (aName == nsGkAtoms::id && aNameSpaceID == kNameSpaceID_None) {
       // Have to do this before clearing flag. See RemoveFromIdTable
       RemoveFromIdTable();
       isId = PR_TRUE;
     }
 
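Review bot: the new `mozAutoDocUpdate updateBatch(doc, UPDATE_CONTENT_MODEL, aNotify);` line has no comment saying why it must sit above `RemoveFromIdTable()`, so a later cleanup could move it back down next to the notifications and reopen the crash. The commit message explains that the update batch now stands in for `nsAutoRemovableScriptBlocker` so that XBL bindings cannot run script partway through the removal; please put that reasoning in a short comment on the declaration. Also confirm that `GetCurrentDoc()` returning null for an element outside a document still leaves scripts blocked for the rest of the function, since the dedicated script blocker is removed here and the batch is now the only guard visible in this hunk.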
@@ -1356,19 +1357,16 @@ nsXULElement::UnsetAttr(PRInt32 aNameSpa
                                  "have a normal one");
 
         return NS_OK;
     }
 
     nsAutoString oldValue;
     GetAttr(aNameSpaceID, aName, oldValue);
 
-    nsIDocument* doc = GetCurrentDoc();
-    mozAutoDocUpdate updateBatch(doc, UPDATE_CONTENT_MODEL, aNotify);
-
     // When notifying, make sure to keep track of states whose value
     // depends solely on the value of an attribute.
     nsEventStates stateMask;
     if (aNotify) {
         stateMask = IntrinsicState();
  
         nsNodeUtils::AttributeWillChange(this, aNameSpaceID, aName,
                                          nsIDOMMutationEvent::REMOVAL);
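Review bot: with the declaration removed from below `GetAttr(aNameSpaceID, aName, oldValue);`, the `return NS_OK;` shown in the context above now executes inside the update batch opened in the first hunk, which was not the case before. That means the batch begins and ends (with `aNotify`) on a path where the attribute is not actually removed. Please check that observers tolerate an empty `UPDATE_CONTENT_MODEL` batch on that path, or note in a comment that the wider scope is intentional. The patch touches only nsXULElement.cpp, so a crash test covering the case from the bug would help keep this ordering from regressing.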