Closed Bug 1198594 Opened 10 years ago Closed 10 years ago

crash in libsystem_kernel.dylib@0x16286

Categories

(Core :: Widget, defect)

Product:
Core
Component:
Widget
Platform:
Unspecified
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla43
Tracking Flags:
Tracking Status
firefox41 --- unaffected
firefox42 --- fixed
firefox43 --- fixed

People

(Reporter: masayuki, Assigned: masayuki)

References

Details

(Keywords: crash, inputmethod, regression)

Crash Data

Attachments

(1 file)

The copy constructor of IMENotification should initialize mMessage before calling Assign()
649 bytes, patch
smaug
: review+
Sylvestre
: approval-mozilla-aurora+
Details | Diff | Splinter Review
This bug was filed from the Socorro interface and is report bp-2566c28d-147d-445d-9d77-919fb2150825. ============================================================= Crashed at deleting something in mozilla::ContentCacheInParent::FlushPendingNotifications(nsIWidget*). The possibility is that IMENotification::mMessage is NOTIFY_IME_OF_SELECTION_CHANGE unexpectedly. This must be caused by bug 1189396, but it's indirectly.
I don't know the reason why this is reproduced only on Mac OS X and the frequency is too high.
Attachment #8652701 - Flags: review?(bugs)
This bug can be reproduced on 42 or later. The actual cause of this regression is bug 1184449.
Blocks: 1184449
status-firefox41: --- → unaffected
status-firefox42: --- → affected
Attachment #8652701 - Flags: review?(bugs) → review+
url: https://hg.mozilla.org/integration/mozilla-inbound/rev/b01fa62c7a5216dc2bb47113492efa8f094929cd changeset: b01fa62c7a5216dc2bb47113492efa8f094929cd user: Masayuki Nakano <masayuki@d-toybox.com> date: Wed Aug 26 20:01:05 2015 +0900 description: Bug 1198594 The copy constructor of IMENotification should initialize mMessage before calling Assign() r=smaug
https://hg.mozilla.org/mozilla-central/rev/b01fa62c7a52
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
status-firefox43: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
Comment on attachment 8652701 [details] [diff] [review] The copy constructor of IMENotification should initialize mMessage before calling Assign() Approval Request Comment [Feature/regressing bug #]: bug 1184449, but the frequency was increased by bug 1189396 on OS X 10.10.x [User impact if declined]: This is rare crash bug on 42. If it's completely random, this may be reproduced 2~3/UINT32_MAX per an operation with IME. However, the crash reason is double free. So, we should fix this for security. [Describe test coverage new/current, TreeHerder]: Landed on m-c. [Risks and why]: Nothing because this adds a member initializer to the copy constructor. It should be, but I forgot to add at bug 1184449. [String/UUID change made/needed]: Nothing.
Attachment #8652701 - Flags: approval-mozilla-aurora?
Comment on attachment 8652701 [details] [diff] [review] The copy constructor of IMENotification should initialize mMessage before calling Assign() Fix a crash, taking it.
Attachment #8652701 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: