Closed Bug 1198594 Opened 5 years ago Closed 5 years ago

crash in libsystem_kernel.dylib@0x16286

Categories

(Core :: Widget, defect)

Product:
Core
Component:
Widget
Platform:
Unspecified
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla43
Tracking Flags:
Tracking Status
firefox41 --- unaffected
firefox42 --- fixed
firefox43 --- fixed

People

(Reporter: masayuki, Assigned: masayuki)

References

Details

(Keywords: crash, inputmethod, regression)

Crash Data

Attachments

(1 file)

The copy constructor of IMENotification should initialize mMessage before calling Assign()
649 bytes, patch
smaug
: review+
Sylvestre
: approval-mozilla-aurora+
Details | Diff | Splinter Review 
This bug was filed from the Socorro interface and is 
report bp-2566c28d-147d-445d-9d77-919fb2150825.
=============================================================

Crashed at deleting something in mozilla::ContentCacheInParent::FlushPendingNotifications(nsIWidget*). The possibility is that IMENotification::mMessage is NOTIFY_IME_OF_SELECTION_CHANGE unexpectedly.

This must be caused by bug 1189396, but it's indirectly.
I don't know the reason why this is reproduced only on Mac OS X and the frequency is too high.
Attachment #8652701 - Flags: review?(bugs)
This bug can be reproduced on 42 or later. The actual cause of this regression is bug 1184449.
Blocks: 1184449
status-firefox41: --- → unaffected
status-firefox42: --- → affected
Attachment #8652701 - Flags: review?(bugs) → review+
url:        https://hg.mozilla.org/integration/mozilla-inbound/rev/b01fa62c7a5216dc2bb47113492efa8f094929cd
changeset:  b01fa62c7a5216dc2bb47113492efa8f094929cd
user:       Masayuki Nakano <masayuki@d-toybox.com>
date:       Wed Aug 26 20:01:05 2015 +0900
description:
Bug 1198594 The copy constructor of IMENotification should initialize mMessage before calling Assign() r=smaug
https://hg.mozilla.org/mozilla-central/rev/b01fa62c7a52
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox43: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
Comment on attachment 8652701 [details] [diff] [review]
The copy constructor of IMENotification should initialize mMessage before calling Assign()

Approval Request Comment
[Feature/regressing bug #]: bug 1184449, but the frequency was increased by bug 1189396 on OS X 10.10.x
[User impact if declined]: This is rare crash bug on 42. If it's completely random, this may be reproduced 2~3/UINT32_MAX per an operation with IME. However, the crash reason is double free. So, we should fix this for security.
[Describe test coverage new/current, TreeHerder]: Landed on m-c.
[Risks and why]: Nothing because this adds a member initializer to the copy constructor. It should be, but I forgot to add at bug 1184449.
[String/UUID change made/needed]: Nothing.
Attachment #8652701 - Flags: approval-mozilla-aurora?
Comment on attachment 8652701 [details] [diff] [review]
The copy constructor of IMENotification should initialize mMessage before calling Assign()

Fix a crash, taking it.
Attachment #8652701 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.