Closed
Bug 831287
Opened 12 years ago
Closed 12 years ago
Heap-use-after-free in mozilla::WalkAncestorsResetAutoDirection
Categories
(Core :: Layout, defect)
Tracking
()
RESOLVED
FIXED
mozilla21
| Tracking | Status | |
|---|---|---|
| firefox20 | - | fixed |
| firefox21 | --- | fixed |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
People
(Reporter: inferno, Assigned: smontagu)
References
Details
(5 keywords, Whiteboard: [asan][adv-main20-])
Attachments
(3 files)
|
422 bytes,
text/html
|
Details | |
|
1.23 KB,
patch
|
Details | Diff | Splinter Review | |
|
990 bytes,
patch
|
ehsan.akhgari
:
review+
bajaj
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
Reproduces on trunk, has fixes for other dir=auto bugs.
>==2583== ERROR: AddressSanitizer: heap-use-after-free on address 0x7f66817afcac at pc 0x7f66a5ded003 bp 0x7fff8c2f48b0 sp 0x7fff8c2f48a8
>READ of size 4 at 0x7f66817afcac thread T0
> #0 0x7f66a5ded002 in nsINode::GetBoolFlag(nsINode::BooleanFlag) const src/content/base/public/nsINode.h:1348
> #1 0x7f66a7ca7e8e in nsINode::HasTextNodeDirectionalityMap() const src/../../../dist/include/nsINode.h:1431
> #2 0x7f66a7ca69c7 in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap(nsINode*, mozilla::dom::Element*) src/content/base/src/DirectionalityUtils.cpp:506
> #3 0x7f66a7ca639a in mozilla::WalkAncestorsResetAutoDirection(mozilla::dom::Element*, bool) src/content/base/src/DirectionalityUtils.cpp:611
> #4 0x7f66a7cadcb3 in mozilla::SetDirOnBind(mozilla::dom::Element*, nsIContent*) src/content/base/src/DirectionalityUtils.cpp:902
> #5 0x7f66a82befe0 in mozilla::dom::Element::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) src/content/base/src/Element.cpp:1170
> #6 0x7f66a92582d9 in nsGenericHTMLElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) src/content/html/content/src/nsGenericHTMLElement.cpp:603
> #7 0x7f66a839af3a in nsINode::doInsertChildAt(nsIContent*, unsigned int, bool, nsAttrAndChildArray&) src/content/base/src/nsINode.cpp:1325
> #8 0x7f66a878f247 in mozilla::dom::FragmentOrElement::InsertChildAt(nsIContent*, unsigned int, bool) src/content/base/src/FragmentOrElement.cpp:884
> #9 0x7f66a83a3885 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) src/content/base/src/nsINode.cpp:1929
> #10 0x7f66a82eb1fd in nsINode::InsertBefore(nsINode&, nsINode*, mozilla::ErrorResult&) src/../../dist/include/nsINode.h:1538
> #11 0x7f66a82e7692 in nsINode::AppendChild(nsINode&, mozilla::ErrorResult&) src/../../dist/include/nsINode.h:1542
> #12 0x7f66b2f1eb83 in mozilla::dom::NodeBinding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/NodeBinding.cpp:568
> #13 0x7f66b2ecad76 in mozilla::dom::NodeBinding::genericMethod(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/NodeBinding.cpp:1390
> #14 0x7f66bba6fa8a in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:378
> #15 0x7f66bba6fa8a in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:391
> #16 0x7f66bba2039e in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2385
> #17 0x7f66bb980e5b in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) src/js/src/jsinterp.cpp:348
> #18 0x7f66bba703de in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:406
> #19 0x7f66bb3013af in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:112
> #20 0x7f66bba75859 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:439
> #21 0x7f66bb1f5be2 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) src/js/src/jsapi.cpp:5831
> #22 0x7f66ae133cc5 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:1432
> #23 0x7f66ae0d4950 in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJS.cpp:581
> #24 0x7f66b40622df in PrepareAndDispatch src/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122
> #25 0x7f66b405efc6 in SharedStub
> #26 0x7f66a8eb3a95 in nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsIDOMEventTarget*, nsCxPusher*) src/content/events/src/nsEventListenerManager.cpp:922
> #27 0x7f66a8eb52a7 in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, nsEventStatus*, nsCxPusher*) src/content/events/src/nsEventListenerManager.cpp:989
> #28 0x7f66a90a627a in nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, nsEventStatus*, nsCxPusher*) src/content/events/src/nsEventListenerManager.h:278
> #29 0x7f66a909542c in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, bool, nsCxPusher*) src/content/events/src/nsEventDispatcher.cpp:181
> #30 0x7f66a9093693 in nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, nsDispatchingCallback*, bool, nsCxPusher*) src/content/events/src/nsEventDispatcher.cpp:310
> #31 0x7f66a909b3c7 in nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<nsIDOMEventTarget>*) src/content/events/src/nsEventDispatcher.cpp:678
> #32 0x7f66a909dc19 in nsEventDispatcher::DispatchDOMEvent(nsISupports*, nsEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) src/content/events/src/nsEventDispatcher.cpp:738
> #33 0x7f66a83963d5 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) src/content/base/src/nsINode.cpp:1101
> #34 0x7f66a7e7fe10 in nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsAString_internal const&, bool, bool, bool, bool*) src/content/base/src/nsContentUtils.cpp:3511
> #35 0x7f66a7e7f0e4 in nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsAString_internal const&, bool, bool, bool*) src/content/base/src/nsContentUtils.cpp:3481
> #36 0x7f66a809f7cf in nsDocument::DispatchContentLoadedEvents() src/content/base/src/nsDocument.cpp:4321
> #37 0x7f66a81a1f92 in nsRunnableMethodImpl<void (nsDocument::*)(), true>::Run() src/../../../dist/include/nsThreadUtils.h:367
> #38 0x7f66b3f2d68f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
> #39 0x7f66b3ba2015 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
> #40 0x7f66b11ad57c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
> #41 0x7f66b4224742 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:215
> #42 0x7f66b4224579 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:208
> #43 0x7f66b422444e in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:182
> #44 0x7f66b0567387 in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
> #45 0x7f66af072ad5 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:288
> #46 0x7f66a42da984 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3823
> #47 0x7f66a42e056a in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3890
> #48 0x7f66a42e3340 in XRE_main src/toolkit/xre/nsAppRunner.cpp:4093
> #49 0x41d963 in do_main(int, char**, nsIFile*) src/browser/app/nsBrowserApp.cpp:195
> #50 0x41ac69 in main src/browser/app/nsBrowserApp.cpp:388
> #51 0x7f66c74af76c in
>0x7f66817afcac is located 44 bytes inside of 120-byte region [0x7f66817afc80,0x7f66817afcf8)
>freed by thread T0 here:
> #0 0x40f992 in __interceptor_free
> #1 0x7f66c412f409 in moz_free src/memory/mozalloc/mozalloc.cpp:48
> #2 0x7f66a85ffab0 in operator delete(void*) src/../../../dist/include/mozilla/mozalloc.h:224
> #3 0x7f66a85ffab0 in nsTextNode::~nsTextNode() src/content/base/src/nsTextNode.cpp:117
> #4 0x7f66a84c5bf7 in nsNodeUtils::LastRelease(nsINode*) src/content/base/src/nsNodeUtils.cpp:258
> #5 0x7f66a833f9d0 in nsGenericDOMDataNode::Release() src/content/base/src/nsGenericDOMDataNode.cpp:117
> #6 0x7f66a85fffaa in nsTextNode::Release() src/content/base/src/nsTextNode.cpp:121
> #7 0x7f66a42a446f in nsCOMPtr_base::~nsCOMPtr_base() src/objdir-ff-asan-sym/media/webrtc/signaling/signaling_ecc/../../../../dist/include/nsCOMPtr.h:410
> #8 0x7f66a60a1fdc in nsCOMPtr<nsIContent>::~nsCOMPtr() src/../../dist/include/nsCOMPtr.h:449
> #9 0x7f66a60a1ca9 in nsCOMPtr<nsIContent>::~nsCOMPtr() src/../../dist/include/nsCOMPtr.h:449
> #10 0x7f66a878f65d in mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) src/content/base/src/FragmentOrElement.cpp:896
> #11 0x7f66a7e96ffe in nsContentUtils::SetNodeTextContent(nsIContent*, nsAString_internal const&, bool) src/content/base/src/nsContentUtils.cpp:4374
> #12 0x7f66a878fa82 in mozilla::dom::FragmentOrElement::SetTextContentInternal(nsAString_internal const&, mozilla::ErrorResult&) src/content/base/src/FragmentOrElement.cpp:908
> #13 0x7f66a7c9ff9a in nsINode::SetTextContent(nsAString_internal const&, mozilla::ErrorResult&) src/../../dist/include/nsINode.h:1087
> #14 0x7f66b2e9d3bf in mozilla::dom::NodeBinding::set_textContent(JSContext*, JS::Handle<JSObject*>, nsINode*, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/NodeBinding.cpp:417
> #15 0x7f66b2e98e18 in mozilla::dom::NodeBinding::genericSetter(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/NodeBinding.cpp:1458
> #16 0x7f66bba6fa8a in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:378
> #17 0x7f66bba6fa8a in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:391
> #18 0x7f66bb3013af in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:112
> #19 0x7f66bba75859 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:439
> #20 0x7f66bba7bcd5 in js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:512
> #21 0x7f66bbd1e288 in js::Shape::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, bool, JS::MutableHandle<JS::Value>) src/js/src/jsscopeinlines.h:314
> #22 0x7f66bbd59204 in js::baseops::SetPropertyHelper(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, unsigned int, JS::MutableHandle<JS::Value>, int) src/js/src/jsobj.cpp:3841
> #23 0x7f66bbab0338 in js::SetPropertyOperation(JSContext*, unsigned char*, JS::Handle<JS::Value>, JS::Handle<JS::Value>) src/js/src/jsinterpinlines.h:365
> #24 0x7f66bba1024d in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2278
> #25 0x7f66bb980e5b in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) src/js/src/jsinterp.cpp:348
> #26 0x7f66bba703de in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:406
> #27 0x7f66bb3013af in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:112
> #28 0x7f66bba75859 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:439
> #29 0x7f66bb1f5be2 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) src/js/src/jsapi.cpp:5831
> #30 0x7f66ae133cc5 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:1432
> #31 0x7f66ae0d4950 in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJS.cpp:581
>previously allocated by thread T0 here:
> #0 0x40fa72 in malloc
> #1 0x7f66c412f554 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54
> #2 0x7f66a85ff2d0 in operator new(unsigned long) src/../../../dist/include/mozilla/mozalloc.h:200
> #3 0x7f66a85ff2d0 in NS_NewTextNode(nsIContent**, nsNodeInfoManager*) src/content/base/src/nsTextNode.cpp:106
> #4 0x7f66abf28cae in nsHtml5TreeOperation::AppendText(unsigned short const*, unsigned int, nsIContent*, nsHtml5TreeOpExecutor*) src/parser/html/nsHtml5TreeOperation.cpp:164
> #5 0x7f66abf33f37 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) src/parser/html/nsHtml5TreeOperation.cpp:457
> #6 0x7f66abf52096 in nsHtml5TreeOpExecutor::RunFlushLoop() src/parser/html/nsHtml5TreeOpExecutor.cpp:559
> #7 0x7f66abf900ad in nsHtml5ExecutorFlusher::Run() src/parser/html/nsHtml5StreamParser.cpp:127
> #8 0x7f66b3f2d68f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
> #9 0x7f66b3ba2015 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
> #10 0x7f66b3f2b5a3 in nsThread::Shutdown() src/xpcom/threads/nsThread.cpp:474
> #11 0x7f66b3f54472 in nsRunnableMethodImpl<tag_nsresult (nsIThread::*)(), true>::Run() src/../../dist/include/nsThreadUtils.h:367
> #12 0x7f66b3f2d68f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
> #13 0x7f66b3ba2015 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
> #14 0x7f66b11ad57c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
> #15 0x7f66b4224742 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:215
> #16 0x7f66b4224579 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:208
> #17 0x7f66b422444e in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:182
> #18 0x7f66b0567387 in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
> #19 0x7f66af072ad5 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:288
> #20 0x7f66a42da984 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3823
> #21 0x7f66a42e056a in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3890
> #22 0x7f66a42e3340 in XRE_main src/toolkit/xre/nsAppRunner.cpp:4093
> #23 0x41d963 in do_main(int, char**, nsIFile*) src/browser/app/nsBrowserApp.cpp:195
> #24 0x41ac69 in main src/browser/app/nsBrowserApp.cpp:388
>Shadow bytes around the buggy address:
> 0x1fecd02f5f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x1fecd02f5f50: 00 00 00 00 fb fb fb fb fb fb fb fb fb fb fb fb
> 0x1fecd02f5f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x1fecd02f5f70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x1fecd02f5f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>=>0x1fecd02f5f90: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
> 0x1fecd02f5fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x1fecd02f5fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x1fecd02f5fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x1fecd02f5fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x1fecd02f5fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Heap righ redzone: fb
> Freed Heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack partial redzone: f4
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> ASan internal: fe
>Stats: 251M malloced (272M for red zones) by 406231 calls
>Stats: 47M realloced by 24222 calls
>Stats: 216M freed by 273892 calls
>Stats: 83M really freed by 193907 calls
>Stats: 472M (472M-0M) mmaped; 118 maps, 0 unmaps
> mmaps by size class: 8:294894; 9:32764; 10:8190; 11:14329; 12:2048; 13:1536; 14:1280; 15:384; 16:1216; 17:1312; 18:48; 19:40; 20:24;
> mallocs by size class: 8:339578; 9:32263; 10:8845; 11:16335; 12:2515; 13:1701; 14:1604; 15:407; 16:1489; 17:1362; 18:69; 19:40; 20:23;
> frees by size class: 8:225362; 9:22259; 10:5111; 11:14068; 12:1481; 13:1241; 14:1432; 15:281; 16:1198; 17:1344; 18:57; 19:38; 20:20;
> rfrees by size class: 8:171380; 9:7877; 10:2170; 11:9472; 12:612; 13:520; 14:456; 15:165; 16:1007; 17:217; 18:26; 19:4; 20:1;
>Stats: malloc large: 1494 small slow: 2384
>Stats: StackDepot: 0 ids; 0M mapped
>==2583== ABORTING
>
>
>
|
||
Updated•12 years ago
|
Keywords: csec-uaf,
sec-critical
Whiteboard: [asan]
|
||
Updated•12 years ago
|
Blocks: 819623
|
|
||
Comment 1•12 years ago
|
||
Assigning to Simon Montagu because he fixed the blocking bug. Feel free to reassign as appropriate.
Assignee: nobody → smontagu
|
||
Comment 2•12 years ago
|
||
Kyle: by marking this blocking bug 819623 were you trying to say this is a regression from that fix? Or just that it's similar to it like the other DirAuto regressions?
status-firefox21:
--- → affected
tracking-firefox21:
--- → +
Flags: sec-bounty?
Flags: needinfo?(khuey)
I believe it is a regression, but I don't remember for sure.
Flags: needinfo?(khuey)
|
Assignee | |
Comment 4•12 years ago
|
||
|
|
Assignee | |
Comment 5•12 years ago
|
||
Need to clear the dir-auto flags when setting dir to an invalid value.
Attachment #706870 -
Flags: review?(ehsan)
|
||
Updated•12 years ago
|
Attachment #706870 -
Flags: review?(ehsan) → review+
|
|
Assignee | |
Comment 6•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/9c863c8b3327
|
||
Comment 7•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/9c863c8b3327
Status: NEW → RESOLVED
Closed: 12 years ago
status-firefox21:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
|
|
||
Updated•12 years ago
|
Keywords: regression
|
||
Updated•12 years ago
|
status-b2g18:
--- → unaffected
status-firefox-esr17:
--- → unaffected
|
|
||
Comment 8•11 years ago
|
||
We need this in Firefox 20 as well, right? It'll be easier to get approval to land while that's still on Aurora.
|
|
Assignee | |
Comment 10•11 years ago
|
||
Comment on attachment 706870 [details] [diff] [review] Patch [Approval Request Comment] Bug caused by (feature/regressing bug #): Bug 548206 (or one of its followups) User impact if declined: critical security vulnerability Testing completed (on m-c, etc.): Baked on m-c since 2013-01-28 Risk to taking this patch (and alternatives if risky): Minimal String or UUID changes made by this patch: None
Attachment #706870 -
Flags: approval-mozilla-aurora?
|
|
||
Comment 11•11 years ago
|
||
Comment on attachment 706870 [details] [diff] [review] Patch low risk fix for a sec-critical regression.Approving on aurora.
Attachment #706870 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
Assignee | |
Comment 12•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/e368c539e1a8
|
||
Updated•11 years ago
|
Whiteboard: [asan] → [asan][adv-main20+]
|
|
||
Updated•11 years ago
|
Whiteboard: [asan][adv-main20+] → [asan][adv-main20-]
|
|
||
Updated•11 years ago
|
Group: core-security
|
|
Assignee | |
Comment 13•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/42299a0abcde
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•