This bug was filed from the Socorro interface and is report bp-2566c28d-147d-445d-9d77-919fb2150825.
=============================================================

Crashed at deleting something in mozilla::ContentCacheInParent::FlushPendingNotifications(nsIWidget*). The possibility is that IMENotification::mMessage is NOTIFY_IME_OF_SELECTION_CHANGE unexpectedly. This must be caused by bug 1189396, but indirectly.
I don't know the reason why this is reproduced only on Mac OS X and the frequency is too high.
Attachment #8652701 - Flags: review?(bugs)
This bug can be reproduced on 42 or later. The actual cause of this regression is bug 1184449.
url: https://hg.mozilla.org/integration/mozilla-inbound/rev/b01fa62c7a5216dc2bb47113492efa8f094929cd
changeset: b01fa62c7a5216dc2bb47113492efa8f094929cd
user: Masayuki Nakano <firstname.lastname@example.org>
date: Wed Aug 26 20:01:05 2015 +0900
description: Bug 1198594 The copy constructor of IMENotification should initialize mMessage before calling Assign() r=smaug

Comment on attachment 8652701
The copy constructor of IMENotification should initialize mMessage before calling Assign()

Approval Request Comment
[Feature/regressing bug #]: bug 1184449, but the frequency was increased by bug 1189396 on OS X 10.10.x
[User impact if declined]: This is a rare crash bug on 42. If it's completely random, this may be reproduced 2~3/UINT32_MAX per operation with IME. However, the crash reason is a double free. So, we should fix this for security.
[Describe test coverage new/current, TreeHerder]: Landed on m-c.
[Risks and why]: Nothing because this adds a member initializer to the copy constructor. It should have been there, but I forgot to add it in bug 1184449.
[String/UUID change made/needed]: Nothing.
Attachment #8652701 - Flags: approval-mozilla-aurora?
Comment on attachment 8652701
The copy constructor of IMENotification should initialize mMessage before calling Assign()

Fix a crash, taking it.
Attachment #8652701 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
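
The pattern discussed in this bug, as an added example that is not part of the bug or of Mozilla's source: a tagged union whose `Assign()` clears the old state by reading the tag, so a copy constructor must initialize the tag first. The class, enum and function names are hypothetical, and the assumption that `Assign()` frees based on the tag is inferred from the description above.

```cpp
#include <string>

// Simplified model with hypothetical names; not Mozilla's IMENotification.
enum class Msg { Nothing, SelectionChange, FocusChange };

class Notification {
public:
  Notification() : mMessage(Msg::Nothing) { mData.mString = nullptr; }
  explicit Notification(const std::string& aText) : mMessage(Msg::SelectionChange) {
    mData.mString = new std::string(aText);
  }
  // Fixed form: the tag is initialized before Assign() reads it. Without the
  // member initializer, Clear() would see an indeterminate mMessage and, if it
  // happened to equal SelectionChange, delete an indeterminate pointer.
  Notification(const Notification& aOther) : mMessage(Msg::Nothing) { Assign(aOther); }
  Notification& operator=(const Notification& aOther) {
    if (this != &aOther) Assign(aOther);
    return *this;
  }
  ~Notification() { Clear(); }
  Msg Message() const { return mMessage; }
  const std::string* Text() const {
    return mMessage == Msg::SelectionChange ? mData.mString : nullptr;
  }

private:
  void Clear() {  // frees only when the tag says a string is owned
    if (mMessage == Msg::SelectionChange) delete mData.mString;
    mMessage = Msg::Nothing;
  }
  void Assign(const Notification& aOther) {
    Clear();  // reads mMessage, so it must already be initialized
    if (aOther.mMessage == Msg::SelectionChange) {
      mData.mString = new std::string(*aOther.mData.mString);
    } else {
      mData = aOther.mData;
    }
    mMessage = aOther.mMessage;
  }
  Msg mMessage;
  union { std::string* mString; bool mFocused; } mData;
};

// Returns true when a copy owns its own string and an empty copy stays empty.
bool CopyIsIndependent() {
  Notification a("caret"), empty;
  Notification b(a), c(empty);
  return b.Text() != a.Text() && *b.Text() == "caret" && c.Message() == Msg::Nothing;
}
```

Building a class like this with AddressSanitizer or MemorySanitizer and exercising the copy constructor in a test is one way to catch a missing tag initializer before it ships.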