Closed Bug 1232273 Opened 4 years ago Closed 4 years ago

use-after-free in nsRefreshDriver::Tick with CSS animations

Categories

(Core :: Layout, defect)

44 Branch
defect
Not set

Tracking

()

RESOLVED FIXED
Tracking Status
firefox45 --- verified
firefox46 --- verified
firefox-esr38 --- unaffected
firefox-esr45 --- verified

People

(Reporter: nils, Unassigned)

References

Details

(5 keywords, Whiteboard: [post-critsmash-triage]fix in 1232829)

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0
Build ID: 20151203163240

Steps to reproduce:

Loading the attached testcase in the latest asan build of Firefox (BuildID=20151020145443) results in a crash. The testcase will take ~15 seconds to trigger and is more reliable with the trigger being opened in multiple (>8) tabs. E.g.

$ ./firefox/firefox crash.html crash.html crash.html crash.html crash.html crash.html crash.html crash.html 



Actual results:

ASAN output:

=================================================================
==31250==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000069eb8 at pc 0x7fb43bb8da54 bp 0x7ffe3cd30db0 sp 0x7ffe3cd30da8
READ of size 8 at 0x60d000069eb8 thread T0 (Web Content)
    #0 0x7fb43bb8da53 in AddRefTraitsAddRefHelper /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/layout/base/../../dist/include/mozilla/RefPtr.h:357:0
    #1 0x7fb43bb8da53 in AddRef /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/layout/base/../../dist/include/mozilla/RefPtr.h:369:0
    #2 0x7fb43bb8da53 in GetNext /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/layout/base/../../dist/include/mozilla/RefPtr.h:89:0
    #3 0x7fb43bb8da53 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsRefreshDriver.cpp:1528:0
    #4 0x7fb43bba1b26 in TickDriver /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsRefreshDriver.cpp:196:0
    #5 0x7fb43bba1b26 in mozilla::InactiveRefreshDriverTimer::TickOne() /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsRefreshDriver.cpp:588:0
    #6 0x7fb435c0c58f in nsTimerImpl::Fire() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsTimerImpl.cpp:530:0
    #7 0x7fb435be82cc in nsTimerEvent::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/TimerThread.cpp:267:0
    #8 0x7fb435bf416f in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:972:0
    #9 0x7fb435c6d54a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297:0
    #10 0x7fb436518af8 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:127:0
    #11 0x7fb4364870ec in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234:0
    #12 0x7fb4364870ec in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227:0
    #13 0x7fb4364870ec in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201:0
    #14 0x7fb43b557ec7 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:156:0
    #15 0x7fb43d3bf1a2 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:785:0
    #16 0x7fb4364870ec in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234:0
    #17 0x7fb4364870ec in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227:0
    #18 0x7fb4364870ec in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201:0
    #19 0x7fb43d3be88c in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:621:0
    #20 0x48d740 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:237:0
    #21 0x7fb43357ab44 in __libc_start_main /build/glibc-I9DIZl/glibc-2.19/csu/libc-start.c:287:0
    #22 0x48ca9c in _start ??:0:0

0x60d000069eb8 is located 104 bytes inside of 136-byte region [0x60d000069e50,0x60d000069ed8)
freed by thread T0 (Web Content) here:
    #0 0x474eb1 in __interceptor_free _asan_rtl_:0
    #1 0x7fb435ae0248 in SnowWhiteKiller::~SnowWhiteKiller() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:2655:0
    #2 0x7fb435adfe6e in nsCycleCollector::FreeSnowWhite(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:2823:0
    #3 0x7fb436f59ae9 in AsyncFreeSnowWhite::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/xpconnect/src/XPCJSRuntime.cpp:144:0
    #4 0x7fb435bf416f in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:972:0
    #5 0x7fb435c6d54a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297:0
    #6 0x7fb436518b19 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:95:0
    #7 0x7fb4364870ec in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234:0
    #8 0x7fb4364870ec in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227:0
    #9 0x7fb4364870ec in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201:0
    #10 0x7fb43b557ec7 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:156:0
    #11 0x7fb43d3bf1a2 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:785:0
    #12 0x7fb4364870ec in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234:0
    #13 0x7fb4364870ec in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227:0
    #14 0x7fb4364870ec in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201:0
    #15 0x7fb43d3be88c in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:621:0
    #16 0x48d740 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:237:0
    #17 0x7fb43357ab44 in __libc_start_main /build/glibc-I9DIZl/glibc-2.19/csu/libc-start.c:287:0

previously allocated by thread T0 (Web Content) here:
    #0 0x4750b1 in __interceptor_malloc _asan_rtl_:0
    #1 0x48dd5d in moz_xmalloc /builds/slave/m-cen-l64-asan-000000000000000/build/src/memory/mozalloc/mozalloc.cpp:83:0
    #2 0x7fb4380354b5 in operator new /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/base/../../dist/include/mozilla/mozalloc.h:186:0
    #3 0x7fb4380354b5 in nsDocument::Timeline() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsDocument.cpp:3246:0
    #4 0x7fb43b95a5ee in nsAnimationManager::CheckAnimationRule(nsStyleContext*, mozilla::dom::Element*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsAnimationManager.cpp:416:0
    #5 0x7fb43bb37435 in nsStyleSet::GetContext(nsStyleContext*, nsRuleNode*, nsRuleNode*, nsIAtom*, nsCSSPseudoElements::Type, mozilla::dom::Element*, unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleSet.cpp:987:0
    #6 0x7fb43bb3bc8b in nsStyleSet::ResolveStyleFor(mozilla::dom::Element*, nsStyleContext*, TreeMatchContext&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleSet.cpp:1389:0
    #7 0x7fb43bca9317 in nsCSSFrameConstructor::ResolveStyleContext(nsStyleContext*, nsIContent*, nsFrameConstructorState*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:4756:0
    #8 0x7fb43bca6073 in ResolveStyleContext /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:4725:0
    #9 0x7fb43bca6073 in ResolveStyleContext /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:4741:0
    #10 0x7fb43bca6073 in nsCSSFrameConstructor::AddFrameConstructionItems(nsFrameConstructorState&, nsIContent*, bool, nsCSSFrameConstructor::InsertionPoint const&, nsCSSFrameConstructor::FrameConstructionItemList&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:5369:0
    #11 0x7fb43bcb99da in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsIContent*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:7155:0
    #12 0x7fb43bcb48be in nsCSSFrameConstructor::CreateNeededFrames(nsIContent*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:6830:0
    #13 0x7fb43bcbaf89 in nsCSSFrameConstructor::CreateNeededFrames() /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:6852:0
    #14 0x7fb43bc1ec4e in mozilla::RestyleManager::ProcessPendingRestyles() /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:1726:0
    #15 0x7fb43be501ed in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsPresShell.cpp:4096:0
    #16 0x7fb43806ffac in nsDocument::FlushPendingNotifications(mozFlushType) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsDocument.cpp:8253:0
    #17 0x7fb43be48bc3 in PresShell::ScrollContentIntoView(nsIContent*, nsIPresShell::ScrollAxis, nsIPresShell::ScrollAxis, unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsPresShell.cpp:3430:0
    #18 0x7fb43be471e2 in PresShell::GoToAnchor(nsAString_internal const&, bool, unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsPresShell.cpp:3058:0
    #19 0x7fb43ca27d3e in nsDocShell::ScrollToAnchor(nsACString_internal&, nsACString_internal&, unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/docshell/base/nsDocShell.cpp:10993:0
    #20 0x7fb43c9cf1e0 in nsDocShell::InternalLoad(nsIURI*, nsIURI*, bool, nsIURI*, unsigned int, nsISupports*, unsigned int, char16_t const*, char const*, nsAString_internal const&, nsIInputStream*, nsIInputStream*, unsigned int, nsISHEntry*, bool, nsAString_internal const&, nsIDocShell*, nsIURI*, nsIDocShell**, nsIRequest**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/docshell/base/nsDocShell.cpp:10045:0
    #21 0x7fb43c9c71bc in nsDocShell::LoadURI(nsIURI*, nsIDocShellLoadInfo*, unsigned int, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/docshell/base/nsDocShell.cpp:1552:0
    #22 0x7fb438169cfb in nsLocation::SetURI(nsIURI*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsLocation.cpp:272:0
    #23 0x7fb43816b15f in nsLocation::SetHash(nsAString_internal const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsLocation.cpp:356:0
    #24 0x7fb4386cd30e in SetHash /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsLocation.h:156:0
    #25 0x7fb4386cd30e in mozilla::dom::LocationBinding::set_hash(JSContext*, JS::Handle<JSObject*>, nsLocation*, JSJitSetterCallArgs) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./LocationBinding.cpp:831:0
    #26 0x7fb439c60eae in mozilla::dom::GenericBindingSetter(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/bindings/BindingUtils.cpp:2657:0
    #27 0x7fb43f29c4db in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235:0
    #28 0x7fb43f29c4db in js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:772:0
    #29 0x7fb43f2e722d in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:839:0
    #30 0x7fb43f2e8111 in js::InvokeSetter(JSContext*, JS::Value const&, JS::Value, JS::Handle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:957:0
    #31 0x7fb43f383638 in SetExistingProperty /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/NativeObject.cpp:2274:0
    #32 0x7fb43f383638 in js::NativeSetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::QualifiedBool, JS::ObjectOpResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/NativeObject.cpp:2308:0
    #33 0x7fb43f175ad2 in SetProperty /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/NativeObject.h:1450:0
    #34 0x7fb43f175ad2 in js::DirectProxyHandler::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) const /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/proxy/DirectProxyHandler.cpp:241:0
    #35 0x7fb43f15dc0c in js::CrossCompartmentWrapper::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) const /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:177:0
    #36 0x7fb43f17b26b in js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/proxy/Proxy.cpp:345:0

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
  0x0c1a80005380: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
  0x0c1a80005390: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c1a800053a0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
  0x0c1a800053b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1a800053c0: fd fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
=>0x0c1a800053d0: fd fd fd fd fd fd fd[fd]fd fd fd fa fa fa fa fa
  0x0c1a800053e0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a800053f0: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa 00 00
  0x0c1a80005400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c1a80005410: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1a80005420: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==31250==ABORTING





Expected results:

no crash
Attachment #8697977 - Attachment description: crash.html (minimized testcase) → minimized testcase: requires Jesse's dom fuzzing addon. open multiple tabs.
Jesse's gc script is being used here.

It can be downloaded from:
https://www.squarefree.com/extensions/domFuzzLite3.xpi
Group: firefox-core-security → core-security
Keywords: crash, sec-high, testcase
Product: Firefox → Core
Component: Untriaged → Layout
Group: core-security → layout-core-security
Taking a stab at vporof and https://hg.mozilla.org/mozilla-central/rev/f95c614295a0 because that change involves nsRefreshDriver::Tick, RefPtr, and timelines, but it could be a different change. nailing down the regression window would help (note: testcase requires ASAN builds and Jesse's fuzzing add-on).
Flags: needinfo?(vporof)
Hmm, this is Timeline... reminds be of some recent crash fix.
Reminds me of Bug 1232829, which is in fact a regression from Bug 1195180 which is in FF44.
Flags: needinfo?(bbirtles)
The fact that the test uses document.write() and manipulates history sounds very much like bug 1232829.

Also, looking at comment 0, it seems like we trying to reach the document timeline from the refresh driver after it has been destroyed. That's consistent with the symptoms of bug 1232829 where we would destroy the timeline without disassociating it from the refresh driver.

I've requested aurora and beta approval for the patch for bug 1232829 for now in the hope that fixes this (and since it will take me quite a while to get an asan build up and running here).
Flags: needinfo?(vporof)
Flags: needinfo?(bbirtles)
Bug 1232829 has been uplifted to Fx44+. Can you please see if this bug still reproduces on a current revision?
Flags: needinfo?(nils)
The testcases doesn't reproduce on the latest build from https://ftp.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-linux64-asan/1452078145/ anymore for me.
Flags: needinfo?(nils)
Good to hear that bug 1232829 fixed this! Duping this over in that case.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1232829
Blocks: 1195180
Flags: sec-bounty?
Keywords: regression
Resolution: DUPLICATE → FIXED
Whiteboard: fix in 1232829
Depends on: 1232829
Group: layout-core-security → core-security-release
Flags: sec-bounty? → sec-bounty+
Whiteboard: fix in 1232829 → [post-critsmash-triage]fix in 1232829
Reproduced the original issue using fx44.0a1 buildID: 20151020031317
* https://archive.mozilla.org/pub/firefox/nightly/2015/10/2015-10-20-03-13-17-mozilla-central/

Installed Jesse's gc script as mentioned in comment # 1 and ran through the poc that's attached in comment #0. Once the poc was opened several times, received the following asan crash:

* https://pastebin.mozilla.org/8868453 (reproduced asan crash)

Went through verification using the following builds:
* https://archive.mozilla.org/pub/firefox/nightly/2016/04/2016-04-21-03-03-02-mozilla-central/
* https://archive.mozilla.org/pub/firefox/nightly/2016/04/2016-04-21-00-40-15-mozilla-aurora/
* https://tools.taskcluster.net/index/artifacts/#gecko.v2.mozilla-beta.latest.firefox/gecko.v2.mozilla-beta.latest.firefox.linux64-debug
* https://tools.taskcluster.net/index/artifacts/#gecko.v2.mozilla-release.latest.firefox/gecko.v2.mozilla-release.latest.firefox.linux64-asan

I went through the above builds without any issues. I didn't check ESR as I don't think there's asan builds created for ESR. If there are builds, let me know and I'll go through verification on the ESR build.
Thanks Ryan!

I went through verification using the build Ryan provided in comment #10 and didn't run into the asan crash.

Test Case:

* install the domFuzzLite3.xpi add-on
* once installed, open the poc in several tabs via "./firefox crash.html crash.html etc.."
** opened about 10 poc several times without receiving the original asan crash
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.