crash in libsystem_kernel.dylib@0x16286

RESOLVED FIXED in Firefox 42

Status

()

Product:
Core
Component:
Widget
Type:
defect
Importance:
--
critical
Status:
RESOLVED FIXED
Reported:
4 years ago
Modified:
4 years ago

People

(Reporter: masayuki, Assigned: masayuki)

Tracking

({crash, inputmethod, regression})

Version:
Trunk
Target:
mozilla43
Platform:
Unspecified
macOS
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox41 unaffected, firefox42 fixed, firefox43 fixed)

Details

(crash signature)

Attachments

(1 attachment)

The copy constructor of IMENotification should initialize mMessage before calling Assign()
649 bytes, patch
smaug
: review+
sylvestre
: approval-mozilla-aurora+
Details | Diff | Splinter Review
Assignee

Description

4 years ago 
This bug was filed from the Socorro interface and is 
report bp-2566c28d-147d-445d-9d77-919fb2150825.
=============================================================

Crashed at deleting something in mozilla::ContentCacheInParent::FlushPendingNotifications(nsIWidget*). The possibility is that IMENotification::mMessage is NOTIFY_IME_OF_SELECTION_CHANGE unexpectedly.

This must be caused by bug 1189396, but it's indirectly.
Assignee

Comment 1

4 years ago 
I don't know the reason why this is reproduced only on Mac OS X and the frequency is too high.
Attachment #8652701 - Flags: review?(bugs)
Assignee

Comment 2

4 years ago 
This bug can be reproduced on 42 or later. The actual cause of this regression is bug 1184449.
Blocks: 1184449
status-firefox41: --- → unaffected
status-firefox42: --- → affected
Attachment #8652701 - Flags: review?(bugs) → review+
 Assignee

Comment 3

4 years ago 
url:        https://hg.mozilla.org/integration/mozilla-inbound/rev/b01fa62c7a5216dc2bb47113492efa8f094929cd
changeset:  b01fa62c7a5216dc2bb47113492efa8f094929cd
user:       Masayuki Nakano <masayuki@d-toybox.com>
date:       Wed Aug 26 20:01:05 2015 +0900
description:
Bug 1198594 The copy constructor of IMENotification should initialize mMessage before calling Assign() r=smaug

Comment 4

4 years ago 
https://hg.mozilla.org/mozilla-central/rev/b01fa62c7a52
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
status-firefox43: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
 Assignee

Comment 5

4 years ago 
Comment on attachment 8652701 [details] [diff] [review]
The copy constructor of IMENotification should initialize mMessage before calling Assign()

Approval Request Comment
[Feature/regressing bug #]: bug 1184449, but the frequency was increased by bug 1189396 on OS X 10.10.x
[User impact if declined]: This is rare crash bug on 42. If it's completely random, this may be reproduced 2~3/UINT32_MAX per an operation with IME. However, the crash reason is double free. So, we should fix this for security.
[Describe test coverage new/current, TreeHerder]: Landed on m-c.
[Risks and why]: Nothing because this adds a member initializer to the copy constructor. It should be, but I forgot to add at bug 1184449.
[String/UUID change made/needed]: Nothing.
Attachment #8652701 - Flags: approval-mozilla-aurora?

Comment 6

4 years ago 
Comment on attachment 8652701 [details] [diff] [review]
The copy constructor of IMENotification should initialize mMessage before calling Assign()

Fix a crash, taking it.
Attachment #8652701 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.