Closed Bug 1401726 Opened 7 years ago Closed 7 years ago

Crash near null [@GetBoolFlag]

Categories

(Core :: DOM: Core & HTML, defect, P1)

defect

Tracking


RESOLVED FIXED
mozilla58
Tracking Status
firefox-esr52 --- unaffected
firefox55 --- unaffected
firefox56 --- wontfix
firefox57 --- fixed
firefox58 --- fixed

People

(Reporter: jkratzer, Assigned: jdai)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(3 files)

Attached file trigger.html
Testcase found while fuzzing mozilla-central rev a20de99fa3c1.

==16005==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x7f440bd8efaa bp 0x7ffef99e5810 sp 0x7ffef99e57e0 T0)
==16005==The signal is caused by a READ memory access.
==16005==Hint: address points to the zero page.
    #0 0x7f440bd8efa9 in GetBoolFlag /builds/worker/workspace/build/src/dom/base/nsINode.h:1615:12
    #1 0x7f440bd8efa9 in IsElement /builds/worker/workspace/build/src/dom/base/nsINode.h:457
    #2 0x7f440bd8efa9 in nsLabelsNodeList::PopulateSelf(unsigned int) /builds/worker/workspace/build/src/dom/base/nsContentList.cpp:1273
    #3 0x7f440bd892b3 in BringSelfUpToDate /builds/worker/workspace/build/src/dom/base/nsContentList.cpp:1049:5
    #4 0x7f440bd892b3 in Length /builds/worker/workspace/build/src/dom/base/nsContentList.cpp:526
    #5 0x7f440bd892b3 in nsContentList::GetLength(unsigned int*) /builds/worker/workspace/build/src/dom/base/nsContentList.cpp:667
    #6 0x7f440c65a854 in Length /builds/worker/workspace/build/src/dom/base/nsINodeList.h:47:5
    #7 0x7f440c65a854 in mozilla::dom::NodeListBinding::get_length(JSContext*, JS::Handle<JSObject*>, nsINodeList*, JSJitGetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/NodeListBinding.cpp:68
    #8 0x7f440d95a5f6 in mozilla::dom::GenericBindingGetter(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2924:13
    #9 0x7f4413fcda24 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #10 0x7f4413fcda24 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495
    #11 0x7f4413fcf45f in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540:12
    #12 0x7f4413fcf45f in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:559
    #13 0x7f4413fcf45f in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:674
    #14 0x7f4414f7ba65 in CallGetter /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2123:16
    #15 0x7f4414f7ba65 in GetExistingProperty<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2171
    #16 0x7f4414f7ba65 in NativeGetPropertyInline<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2385
    #17 0x7f4414f7ba65 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2421
    #18 0x7f4414a1de7c in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1540:12
    #19 0x7f4414a1de7c in JS_ForwardGetPropertyTo(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2652
    #20 0x7f440d95280f in mozilla::dom::GetPropertyOnPrototype(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, bool*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2097:10
    #21 0x7f440c5de7e6 in mozilla::dom::NodeListBinding::DOMProxyHandler::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) const /builds/worker/workspace/build/src/obj-firefox/dom/bindings/NodeListBinding.cpp:445:8
    #22 0x7f4414cb1ff0 in getInternal /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:338:21
    #23 0x7f4414cb1ff0 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:348
    #24 0x7f4413fd7e3b in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1539:16
    #25 0x7f4413fd7e3b in GetProperty /builds/worker/workspace/build/src/js/src/jsobj.h:834
    #26 0x7f4413fd7e3b in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:4426
    #27 0x7f4413fba6dc in GetPropertyOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:218:12
    #28 0x7f4413fba6dc in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2803
    #29 0x7f4413f9eb4b in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
    #30 0x7f4413fd0337 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:724:15
    #31 0x7f4413fd0ba2 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:756:12
    #32 0x7f4414a34c79 in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4667:12
    #33 0x7f440bf5d729 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:265:8
    #34 0x7f440f6458d8 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2244:25
    #35 0x7f440f640d0c in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1884:10
    #36 0x7f440f624575 in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1585:10
    #37 0x7f440f620ad8 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:149:18
    #38 0x7f440ae75b1f in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:225:18
    #39 0x7f440ae75b1f in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:701
    #40 0x7f440ae6f46a in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:502:7
    #41 0x7f440ae7959b in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:130:20
    #42 0x7f44092ec91d in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1039:14
    #43 0x7f44092f2658 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:521:10
    #44 0x7f440a0969b1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #45 0x7f4409ff887b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #46 0x7f4409ff887b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #47 0x7f4409ff887b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #48 0x7f440f7a465f in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #49 0x7f4413900271 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:288:30
    #50 0x7f4413ae0dbb in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4701:22
    #51 0x7f4413ae29b8 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4865:8
    #52 0x7f4413ae3deb in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4960:21
    #53 0x4ebea3 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236:22
    #54 0x4ebea3 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:309
    #55 0x7f44270b682f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #56 0x41d9f8 in _start (/home/forb1dden/builds/mc-asan/firefox+0x41d9f8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/base/nsINode.h:1615:12 in GetBoolFlag
==16005==ABORTING
Flags: in-testsuite?
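A small crash-triage helper, added here as an example; it is not part of this bug, its patches, or Mozilla's fuzzing tooling. It parses the header and the first frames of the AddressSanitizer report above (embedded as a constructed excerpt), classifies the fault as near-null versus wild-address, and picks the outermost frame that shares the faulting pc, which is how this report ends up filed against nsLabelsNodeList::PopulateSelf rather than the inlined GetBoolFlag. The 0x1000 near-null threshold is an assumption (one 4 KiB page).

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed excerpt of the AddressSanitizer report attached to this bug: the header
# and the first four frames are all that triage needs, the rest of the trace is omitted.
SAMPLE_REPORT = """\
==16005==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x7f440bd8efaa bp 0x7ffef99e5810 sp 0x7ffef99e57e0 T0)
==16005==The signal is caused by a READ memory access.
==16005==Hint: address points to the zero page.
    #0 0x7f440bd8efa9 in GetBoolFlag /builds/worker/workspace/build/src/dom/base/nsINode.h:1615:12
    #1 0x7f440bd8efa9 in IsElement /builds/worker/workspace/build/src/dom/base/nsINode.h:457
    #2 0x7f440bd8efa9 in nsLabelsNodeList::PopulateSelf(unsigned int) /builds/worker/workspace/build/src/dom/base/nsContentList.cpp:1273
    #3 0x7f440bd892b3 in BringSelfUpToDate /builds/worker/workspace/build/src/dom/base/nsContentList.cpp:1049:5
"""

# Assumption: a fault address inside the first 4 KiB page is a null pointer plus a small
# field offset (here 0x1c, the flags word GetBoolFlag reads), not a wild pointer.
NEAR_NULL_LIMIT = 0x1000
FRAME_RE = re.compile(r"^\s*#(\d+) (0x[0-9a-fA-F]+) in (.+) (\S+)$", re.M)


@dataclass
class Triage:
    fault_addr: int
    access: str             # "READ", "WRITE" or "UNKNOWN"
    near_null: bool
    top_frame: str          # innermost frame, often an inlined accessor
    faulting_function: str  # outermost frame that shares the innermost pc
    location: str           # file:line of that function


def parse_frames(report: str) -> List[Tuple[str, str, str]]:
    """(pc, function, file:line) for every '#N 0x... in func path' line."""
    return [(pc, func, loc) for _, pc, func, loc in FRAME_RE.findall(report)]


def triage_segv(report: str) -> Triage:
    m = re.search(r"SEGV on unknown address 0x([0-9a-fA-F]+)", report)
    if not m:
        raise ValueError("not an AddressSanitizer SEGV report")
    addr = int(m.group(1), 16)
    acc = re.search(r"caused by a (READ|WRITE) memory access", report)
    frames = parse_frames(report)
    if not frames:
        raise ValueError("report has no stack frames")
    # ASan prints inlined callees as separate frames sharing one pc; the last frame
    # with the same pc as #0 is the function whose own code faulted.
    outer = max(i for i, f in enumerate(frames) if f[0] == frames[0][0])
    return Triage(addr, acc.group(1) if acc else "UNKNOWN", addr < NEAR_NULL_LIMIT,
                  frames[0][1], frames[outer][1], frames[outer][2])


def bucket(t: Triage) -> str:
    """Near-null reads are usually a missing null check (a plain crash, fixed with one
    check); anything else needs an exploitability review before it is rated."""
    if t.near_null:
        return "near-null-read" if t.access == "READ" else "near-null-write"
    return "wild-address"
```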
This is new code
Flags: needinfo?(jdai)
Assignee: nobody → jdai
Priority: -- → P1
When I wrote a crash test for this bug, I saw several assertions[1] coming from nsINode::SubtreeRoot[2]. It only happens in debug builds; I will put an assertion expectation in crashtests.list and file another bug to fix this[3].

Try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=77a067f5498c19daa2f2dac4666b731d39fd707a&filter-tier=1&group_state=expanded

[1] Assertion message is "These should always be in sync!: 'slowNode == node'"
[2] https://searchfox.org/mozilla-central/rev/2ef8bd8a46a02c68ddbb1d5f25fa254dd7be1fbd/dom/base/nsINode.cpp#308
[3] Call stack:

[Child 2553, Main Thread] ###!!! ASSERTION: These should always be in sync!: 'slowNode == node', file /home/john/workspace/john/workspace/firefox/dom/base/nsINode.cpp, line 308
#01: nsINode::SubtreeRoot() const (/home/john/workspace/john/workspace/firefox/dom/base/nsINode.cpp:308 (discriminator 1))
#02: nsGenericHTMLElement::UnbindFromTree(bool, bool) (/home/john/workspace/john/workspace/firefox/dom/html/nsGenericHTMLElement.cpp:534)
#03: nsGenericHTMLFormElement::UnbindFromTree(bool, bool) (/home/john/workspace/john/workspace/firefox/dom/html/nsGenericHTMLElement.cpp:1942)
#04: mozilla::dom::HTMLButtonElement::UnbindFromTree(bool, bool) (/home/john/workspace/john/workspace/firefox/dom/html/HTMLButtonElement.cpp:350)
#05: mozilla::dom::Element::UnbindFromTree(bool, bool) (/home/john/workspace/john/workspace/firefox/dom/base/Element.cpp:1988 (discriminator 2))
#06: nsGenericHTMLElement::UnbindFromTree(bool, bool) (/home/john/workspace/john/workspace/firefox/dom/html/nsGenericHTMLElement.cpp:538)
#07: mozilla::dom::HTMLSharedElement::UnbindFromTree(bool, bool) (/home/john/workspace/john/workspace/firefox/dom/html/HTMLSharedElement.cpp:292)
#08: nsINode::doRemoveChildAt(unsigned int, bool, nsIContent*, nsAttrAndChildArray&) (/home/john/workspace/john/workspace/firefox/dom/base/nsINode.cpp:1923)
#09: mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) (/home/john/workspace/john/workspace/firefox/dom/base/FragmentOrElement.cpp:1365)
#10: nsINode::RemoveChild(nsINode&, mozilla::ErrorResult&) (/home/john/workspace/john/workspace/firefox/dom/base/nsINode.cpp:605)
#11: nsRange::SurroundContents(nsINode&, mozilla::ErrorResult&) (/home/john/workspace/john/workspace/firefox/dom/base/nsRange.cpp:3014)
#12: mozilla::dom::RangeBinding::surroundContents(JSContext*, JS::Handle<JSObject*>, nsRange*, JSJitMethodCallArgs const&) (/home/john/workspace/john/workspace/firefox/obj-x86_64-pc-linux-gnu/dom/bindings/RangeBinding.cpp:1103)
#13: mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) (/home/john/workspace/john/workspace/firefox/dom/bindings/BindingUtils.cpp:3055)
#14: js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (/home/john/workspace/john/workspace/firefox/js/src/jscntxtinlines.h:293)
#15: js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (/home/john/workspace/john/workspace/firefox/js/src/vm/Interpreter.cpp:495)
#16: InternalCall(JSContext*, js::AnyInvokeArgs const&) (/home/john/workspace/john/workspace/firefox/js/src/vm/Interpreter.cpp:541)
#17: js::CallFromStack(JSContext*, JS::CallArgs const&) (/home/john/workspace/john/workspace/firefox/js/src/vm/Interpreter.cpp:547)
#18: Interpret(JSContext*, js::RunState&) (/home/john/workspace/john/workspace/firefox/js/src/vm/Interpreter.cpp:3084)
#19: js::RunScript(JSContext*, js::RunState&) (/home/john/workspace/john/workspace/firefox/js/src/vm/Interpreter.cpp:435)
#20: js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) (/home/john/workspace/john/workspace/firefox/js/src/vm/Interpreter.cpp:724)
#21: js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (/home/john/workspace/john/workspace/firefox/js/src/vm/Interpreter.cpp:757)
#22: ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) (/home/john/workspace/john/workspace/firefox/js/src/jsapi.cpp:4648)
#23: ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) (/home/john/workspace/john/workspace/firefox/js/src/jsapi.cpp:4667)
#24: JS_ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) (/home/john/workspace/john/workspace/firefox/js/src/jsapi.cpp:4689)
#25: nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) (/home/john/workspace/john/workspace/firefox/dom/base/nsJSUtils.cpp:265)
#26: mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) (/home/john/workspace/john/workspace/firefox/dom/script/ScriptLoader.cpp:2244)
#27: mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) (/home/john/workspace/john/workspace/firefox/dom/script/ScriptLoader.cpp:1884)
#28: mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) (/home/john/workspace/john/workspace/firefox/dom/script/ScriptLoader.cpp:1585)
#29: mozilla::dom::ScriptElement::MaybeProcessScript() (/home/john/workspace/john/workspace/firefox/dom/script/ScriptElement.cpp:149)
#30: nsIScriptElement::AttemptToExecute() (/home/john/workspace/john/workspace/firefox/obj-x86_64-pc-linux-gnu/dist/include/nsIScriptElement.h:225)
#31: nsHtml5TreeOpExecutor::RunScript(nsIContent*) (/home/john/workspace/john/workspace/firefox/parser/html/nsHtml5TreeOpExecutor.cpp:701)
#32: nsHtml5TreeOpExecutor::RunFlushLoop() (/home/john/workspace/john/workspace/firefox/parser/html/nsHtml5TreeOpExecutor.cpp:505)
#33: nsHtml5ExecutorFlusher::Run() (/home/john/workspace/john/workspace/firefox/parser/html/nsHtml5StreamParser.cpp:132)
#34: mozilla::SchedulerGroup::Runnable::Run() (/home/john/workspace/john/workspace/firefox/xpcom/threads/SchedulerGroup.cpp:396)
#35: nsThread::ProcessNextEvent(bool, bool*) (/home/john/workspace/john/workspace/firefox/xpcom/threads/nsThread.cpp:1035)
#36: NS_ProcessNextEvent(nsIThread*, bool) (/home/john/workspace/john/workspace/firefox/xpcom/threads/nsThreadUtils.cpp:521)
#37: mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (/home/john/workspace/john/workspace/firefox/ipc/glue/MessagePump.cpp:125)
#38: mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) (/home/john/workspace/john/workspace/firefox/ipc/glue/MessagePump.cpp:302)
#39: MessageLoop::RunInternal() (/home/john/workspace/john/workspace/firefox/ipc/chromium/src/base/message_loop.cc:327)
#40: MessageLoop::RunHandler() (/home/john/workspace/john/workspace/firefox/ipc/chromium/src/base/message_loop.cc:320)
#41: MessageLoop::Run() (/home/john/workspace/john/workspace/firefox/ipc/chromium/src/base/message_loop.cc:298)
#42: nsBaseAppShell::Run() (/home/john/workspace/john/workspace/firefox/widget/nsBaseAppShell.cpp:160)
#43: XRE_RunAppShell() (/home/john/workspace/john/workspace/firefox/toolkit/xre/nsEmbedFunctions.cpp:880)
#44: mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) (/home/john/workspace/john/workspace/firefox/ipc/glue/MessagePump.cpp:269)
#45: MessageLoop::RunInternal() (/home/john/workspace/john/workspace/firefox/ipc/chromium/src/base/message_loop.cc:327)
#46: MessageLoop::RunHandler() (/home/john/workspace/john/workspace/firefox/ipc/chromium/src/base/message_loop.cc:320)
#47: MessageLoop::Run() (/home/john/workspace/john/workspace/firefox/ipc/chromium/src/base/message_loop.cc:298)
#48: XRE_InitChildProcess(int, char**, XREChildData const*) (/home/john/workspace/john/workspace/firefox/toolkit/xre/nsEmbedFunctions.cpp:709)
#49: mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) (/home/john/workspace/john/workspace/firefox/toolkit/xre/Bootstrap.cpp:66)
#50: content_process_main(mozilla::Bootstrap*, int, char**) (/home/john/workspace/john/workspace/firefox/browser/app/../../ipc/contentproc/plugin-container.cpp:63)
#51: main (/home/john/workspace/john/workspace/firefox/browser/app/nsBrowserApp.cpp:285)
#52: __libc_start_main (/build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:325)
#53: _start (/home/john/workspace/john/workspace/firefox/obj-x86_64-pc-linux-gnu/dist/bin/firefox)
#54: ??? (???:???)
Flags: needinfo?(jdai)
Attachment #8910661 - Flags: review?(bugs)
"These should always be in sync!: 'slowNode == node'" is bad.
Comment on attachment 8910661 [details] [diff] [review]
Bug 1401726 - Fix crash in nsLabelsNodeList::PopulateSelf.

But I think that assertion is sort of transitional or how to say, since SubtreeRoot is called during UnbindFromTree. But definitely something to fix, asap.
Attachment #8910661 - Flags: review?(bugs) → review+
(In reply to Olli Pettay [:smaug] from comment #4)
> Comment on attachment 8910661 [details] [diff] [review]
> Bug 1401726 - Fix crash in nsLabelsNodeList::PopulateSelf.
>
> But I think that assertion is sort of transitional or how to say, since
> SubtreeRoot is called during UnbindFromTree. But definitely something to
> fix, asap.

Thanks for your review. I'll fix them ASAP. Filed bug 1401915 for tracking.
Keywords: checkin-needed
Flags: in-testsuite? → in-testsuite+
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/8e8def4061c5
Fix crash in nsLabelsNodeList::PopulateSelf. r=smaug
Keywords: checkin-needed
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
Please request Beta approval on this when you get a chance.
Approval Request Comment
[Feature/Bug causing the regression]: Bug 1401726
[User impact if declined]: Crashes on trying to use .labels.
[Is this code covered by automated tests?]: Yes.
[Has the fix been verified in Nightly?]: Yes.
[Needs manual test from QE? If yes, steps to reproduce]: No.
[List of other uplifts needed for the feature/fix]: None.
[Is the change risky?]: No.
[Why is the change risky/not risky?]: It's only a one-line null check change.
[String changes made/needed]: None.
Flags: needinfo?(jdai)
Attachment #8911688 - Flags: review+
Attachment #8911688 - Flags: approval-mozilla-beta?
Comment on attachment 8911688 [details] [diff] [review]
(Beta) Bug 1401726 - Fix crash in nsLabelsNodeList::PopulateSelf.

Fixes a crash, taking it. Should be in 57b3.
Attachment #8911688 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Component: DOM → DOM: Core & HTML