crash in libsystem_kernel.dylib@0x16286

RESOLVED FIXED in Firefox 42

Status

()

Product:
Core
Component:
Widget
Type:
defect
Importance:
--
critical
Status:
RESOLVED FIXED
Opened:
4 years ago
Updated:
4 years ago

People

(Reporter: masayuki, Assigned: masayuki)

Tracking

({crash, inputmethod, regression})

Version:
Trunk
Target:
mozilla43
Platform:
Unspecified
macOS
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox41 unaffected, firefox42 fixed, firefox43 fixed)

Details

(crash signature)

Attachments

(1 attachment)

The copy constructor of IMENotification should initialize mMessage before calling Assign()
649 bytes, patch
smaug
: review+
sylvestre
: approval-mozilla-aurora+
Details | Diff | Splinter Review 
This bug was filed from the Socorro interface and is 
report bp-2566c28d-147d-445d-9d77-919fb2150825.
=============================================================

Crashed at deleting something in mozilla::ContentCacheInParent::FlushPendingNotifications(nsIWidget*). The possibility is that IMENotification::mMessage is NOTIFY_IME_OF_SELECTION_CHANGE unexpectedly.

This must be caused by bug 1189396, but it's indirectly.
I don't know the reason why this is reproduced only on Mac OS X and the frequency is too high.
Attachment #8652701 - Flags: review?(bugs)
This bug can be reproduced on 42 or later. The actual cause of this regression is bug 1184449.
Blocks: 1184449
status-firefox41: --- → unaffected
status-firefox42: --- → affected
Attachment #8652701 - Flags: review?(bugs) → review+
url:        https://hg.mozilla.org/integration/mozilla-inbound/rev/b01fa62c7a5216dc2bb47113492efa8f094929cd
changeset:  b01fa62c7a5216dc2bb47113492efa8f094929cd
user:       Masayuki Nakano <masayuki@d-toybox.com>
date:       Wed Aug 26 20:01:05 2015 +0900
description:
Bug 1198594 The copy constructor of IMENotification should initialize mMessage before calling Assign() r=smaug
https://hg.mozilla.org/mozilla-central/rev/b01fa62c7a52
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox43: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
Comment on attachment 8652701 [details] [diff] [review]
The copy constructor of IMENotification should initialize mMessage before calling Assign()

Approval Request Comment
[Feature/regressing bug #]: bug 1184449, but the frequency was increased by bug 1189396 on OS X 10.10.x
[User impact if declined]: This is rare crash bug on 42. If it's completely random, this may be reproduced 2~3/UINT32_MAX per an operation with IME. However, the crash reason is double free. So, we should fix this for security.
[Describe test coverage new/current, TreeHerder]: Landed on m-c.
[Risks and why]: Nothing because this adds a member initializer to the copy constructor. It should be, but I forgot to add at bug 1184449.
[String/UUID change made/needed]: Nothing.
Attachment #8652701 - Flags: approval-mozilla-aurora?
Comment on attachment 8652701 [details] [diff] [review]
The copy constructor of IMENotification should initialize mMessage before calling Assign()

Fix a crash, taking it.
Attachment #8652701 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.