Closed
Bug 1418177
Opened 6 years ago
Closed 6 years ago
AddressSanitizer: use-after-poison /builds/worker/workspace/build/src/layout/painting/nsDisplayList.h:2626:12 in IsReused
Categories
(Core :: Web Painting, defect)
Core
Web Painting
Tracking
()
RESOLVED
FIXED
mozilla59
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox57 | --- | unaffected |
firefox58 | - | disabled |
firefox59 | - | fixed |
People
(Reporter: jkratzer, Assigned: mtseng)
References
(Blocks 2 open bugs)
Details
(Keywords: crash, regression, testcase)
Attachments
(3 files, 2 obsolete files)
1.31 KB,
text/html
|
Details | |
2.13 KB,
patch
|
mattwoodrow
:
review+
|
Details | Diff | Splinter Review |
8.43 KB,
patch
|
mtseng
:
review+
|
Details | Diff | Splinter Review |
Found while fuzzing mozilla-central rev a3f183201f7f. Testcase is currently reducing. Will update once complete. ==4004==ERROR: AddressSanitizer: use-after-poison on address 0x6250006f28fa at pc 0x7fce703a5a4d bp 0x7ffe302e4310 sp 0x7ffe302e4308 READ of size 1 at 0x6250006f28fa thread T0 (file:// Content) #0 0x7fce703a5a4c in IsReused /builds/worker/workspace/build/src/layout/painting/nsDisplayList.h:2626:12 #1 0x7fce703a5a4c in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, nsDisplayList*, nsDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:410 #2 0x7fce703a8e61 in RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:853:5 #3 0x7fce6fbebfe7 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3827:35 #4 0x7fce6fae1c34 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6507:5 #5 0x7fce6f29f076 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:480:19 #6 0x7fce6f29df1b in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/workspace/build/src/view/nsViewManager.cpp:412:33 #7 0x7fce6f2a1755 in nsViewManager::ProcessPendingUpdates() /builds/worker/workspace/build/src/view/nsViewManager.cpp:1102:5 #8 0x7fce6fa3cf05 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2027:11 #9 0x7fce6fa4839b in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:336:13 #10 0x7fce6fa4839b in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:306 #11 0x7fce6fa48096 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:328:5 #12 0x7fce6fa4a5eb in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:769:5 #13 0x7fce6fa4a5eb in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:682 #14 0x7fce6fa4a1f6 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:583:9 #15 0x7fce702a3e62 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:68:16 #16 0x7fce69d91c31 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:155:20 #17 0x7fce69c5e1b8 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1815:28 #18 0x7fce698b5239 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2119:25 #19 0x7fce698b224f in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2049:17 #20 0x7fce698b3984 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1895:5 #21 0x7fce698b3fd8 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1928:15 #22 0x7fce68aca016 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14 #23 0x7fce68ae4b18 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10 #24 0x7fce6f14bfc7 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:3110:31)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:323:25 #25 0x7fce6f14bfc7 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:3110 #26 0x7fce6f14d4bc in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2895:11 #27 0x7fce6cca835b in mozilla::dom::XMLHttpRequestBinding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:1249:9 #28 0x7fce6d46b6a0 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3040:13 #29 0x2500da52e425 (<unknown module>) 0x6250006f28fa is located 4090 bytes inside of 8192-byte region [0x6250006f1900,0x6250006f3900) allocated by thread T0 (file:// Content) here: #0 0x4bbc7c in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3 #1 0x7fce68a7d97f in AllocateChunk /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:209:15 #2 0x7fce68a7d97f in InternalAllocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:244 #3 0x7fce68a7d97f in Allocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:74 #4 0x7fce68a7d97f in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:79 #5 0x7fce6fccd382 in operator new /builds/worker/workspace/build/src/layout/painting/nsDisplayList.h:3417:3 #6 0x7fce6fccd382 in nsFrame::DisplayBorderBackgroundOutline(nsDisplayListBuilder*, nsDisplayListSet const&, bool) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:2364 #7 0x7fce6fd103f8 in nsBlockFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6704:3 #8 0x7fce6fcb90ce in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:3707:14 #9 0x7fce6fd14135 in DisplayLine(nsDisplayListBuilder*, nsRect const&, nsLineList_iterator&, int, int&, nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6667:13 #10 0x7fce6fd11131 in nsBlockFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6749:9 #11 0x7fce6fcb90ce in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:3707:14 #12 0x7fce6fd346db in nsCanvasFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:605:5 #13 0x7fce6fcb90ce in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:3707:14 #14 0x7fce6fe288a3 in mozilla::ScrollFrameHelper::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:3563:15 #15 0x7fce6fcb90ce in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:3707:14 #16 0x7fce6fcb48eb in mozilla::ViewportFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:66:5 #17 0x7fce6fd892c5 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:2964:5 #18 0x7fce6fbebcf7 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3847:17 #19 0x7fce6fae1c34 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6507:5 #20 0x7fce6f29f076 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:480:19 #21 0x7fce6f29df1b in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/workspace/build/src/view/nsViewManager.cpp:412:33 #22 0x7fce6f2a1755 in nsViewManager::ProcessPendingUpdates() /builds/worker/workspace/build/src/view/nsViewManager.cpp:1102:5 #23 0x7fce6fa3cf05 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2027:11 #24 0x7fce6fa43899 in nsRefreshDriver::FinishedWaitingForTransaction() /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2135:5 #25 0x7fce6aeb3420 in mozilla::layers::ClientLayerManager::DidComposite(unsigned long, mozilla::TimeStamp const&, mozilla::TimeStamp const&) /builds/worker/workspace/build/src/gfx/layers/client/ClientLayerManager.cpp:520:32 #26 0x7fce6eba8d0a in mozilla::dom::TabChild::DidComposite(unsigned long, mozilla::TimeStamp const&, mozilla::TimeStamp const&) /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:3231:7 #27 0x7fce6af9644b in mozilla::layers::CompositorBridgeChild::RecvDidComposite(unsigned long const&, unsigned long const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&) /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeChild.cpp:546:14 #28 0x7fce6a008662 in mozilla::layers::PCompositorBridgeChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PCompositorBridgeChild.cpp:1441:20 #29 0x7fce698b5239 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2119:25 #30 0x7fce698b224f in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2049:17 #31 0x7fce698b3984 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1895:5 #32 0x7fce698b3fd8 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1928:15 #33 0x7fce68aa47d1 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:396:25 SUMMARY: AddressSanitizer: use-after-poison /builds/worker/workspace/build/src/layout/painting/nsDisplayList.h:2626:12 in IsReused Shadow bytes around the buggy address: 0x0c4a800d64c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a800d64d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a800d64e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a800d64f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a800d6500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c4a800d6510: 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7] 0x0c4a800d6520: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x0c4a800d6530: f7 f7 f7 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a800d6540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a800d6550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a800d6560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==4004==ABORTING
Flags: in-testsuite?
Reporter | ||
Comment 1•6 years ago
|
||
Reporter | ||
Comment 2•6 years ago
|
||
Bisects to: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=47752e9824da5125cb99c9d8160795b59adcc407&tochange=fc194660762d1b92e1679d860a8bf41116d0f54f
Updated•6 years ago
|
Group: core-security → layout-core-security
Updated•6 years ago
|
Component: Layout: View Rendering → Layout: Web Painting
Comment 3•6 years ago
|
||
(In reply to Jason Kratzer [:jkratzer] from comment #2) > Bisects to: > > https://hg.mozilla.org/integration/autoland/ > pushloghtml?fromchange=47752e9824da5125cb99c9d8160795b59adcc407&tochange=fc19 > 4660762d1b92e1679d860a8bf41116d0f54f The inbound merge in this range clearly has the interesting commits from Matt. Setting 58 to affected since this looks relevant to the SHIELD studies we wanted to run for retained DL.
Has Regression Range: --- → yes
status-firefox57:
--- → unaffected
status-firefox58:
--- → affected
status-firefox59:
--- → affected
status-firefox-esr52:
--- → unaffected
tracking-firefox58:
--- → ?
tracking-firefox59:
--- → ?
Flags: needinfo?(matt.woodrow)
Comment 4•6 years ago
|
||
Extract from the display list: https://pastebin.mozilla.org/9073802 Lines 11-28 are 3 copies of basically the same display items. This looks to be the same as bug 1419917, except with nsDisplayBlendMode and nsDisplayBlendContainer. Want to take this one as well Morris? Thanks! Thanks for filing this Jason! Feel free to cc me on anything that sounds display list related :)
Blocks: 1352499
Flags: needinfo?(matt.woodrow) → needinfo?(mtseng)
Assignee | ||
Updated•6 years ago
|
Assignee: nobody → mtseng
Flags: needinfo?(mtseng)
Assignee | ||
Comment 5•6 years ago
|
||
MozReview-Commit-ID: G4dwfweH8D3
Attachment #8933239 -
Flags: review?(matt.woodrow)
Comment 6•6 years ago
|
||
Comment on attachment 8933239 [details] [diff] [review] Add nsDisplayTableBlendMode and nsDisplayTableBlendContainer. Review of attachment 8933239 [details] [diff] [review]: ----------------------------------------------------------------- Looks good! Want to land this testcase as a crashtest while we're at it? ::: layout/painting/nsDisplayList.h @@ +5045,5 @@ > + virtual nsIFrame* FrameForInvalidation() const override { return mAncestorFrame; } > + > + virtual uint32_t GetPerFrameKey() const override { > + return (static_cast<uint8_t>(mTableType) << TYPE_BITS) | > + nsDisplayItem::GetPerFrameKey(); We need to take mIndex into account here too, same as we do for nsDisplayTableFixedPosition;:GetPerFrameKey. Copy that and you should be good to go.
Attachment #8933239 -
Flags: review?(matt.woodrow) → review+
Assignee | ||
Comment 8•6 years ago
|
||
MozReview-Commit-ID: G4dwfweH8D3
Attachment #8934075 -
Flags: review+
Assignee | ||
Updated•6 years ago
|
Attachment #8933239 -
Attachment is obsolete: true
Assignee | ||
Comment 9•6 years ago
|
||
MozReview-Commit-ID: EADOkkqo6Dj
Attachment #8934076 -
Flags: review?(matt.woodrow)
Assignee | ||
Comment 10•6 years ago
|
||
try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=24eb000c5e5d541dadf141540125bb99b709e1fc
Assignee | ||
Comment 11•6 years ago
|
||
Fix build fail. MozReview-Commit-ID: G4dwfweH8D3
Attachment #8934091 -
Flags: review+
Assignee | ||
Updated•6 years ago
|
Attachment #8934075 -
Attachment is obsolete: true
Assignee | ||
Comment 12•6 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=58259da83bee6946493e06a7901e9631fc7d297e
Updated•6 years ago
|
Attachment #8934076 -
Flags: review?(matt.woodrow) → review+
Comment 13•6 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/5b59b633493c https://hg.mozilla.org/mozilla-central/rev/ae6557856c92
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Comment 14•6 years ago
|
||
this doesn't seem to have a rating or sec-approval?
Flags: needinfo?(mtseng)
Flags: needinfo?(dveditz)
Updated•6 years ago
|
Group: layout-core-security → core-security-release
Comment 15•6 years ago
|
||
Please request Beta approval on this when you get a chance.
Flags: in-testsuite? → in-testsuite+
Updated•6 years ago
|
Group: core-security-release → layout-core-security
Flags: needinfo?(dveditz)
Keywords: regression,
sec-moderate
Comment 16•6 years ago
|
||
Morris: please follow the security bug approval process BEFORE landing https://wiki.mozilla.org/Security/Bug_Approval_Process. Since we don't know the rating or impact please ask for approval retroactively and fill out the questions that show up. Matt: What object is being dereferenced here? It's reported as a use-after-poison... are nsDisplayItem objects allocated out of single-use poisoned pools like various nsIFrame objects that we can consider mitigated by framepoisoning? Or is it a pool of mixed objects that we should treat as a regular use-after-free?
Group: layout-core-security → core-security-release
Flags: needinfo?(matt.woodrow)
Keywords: regression,
sec-moderate
Updated•6 years ago
|
Keywords: regression
Comment 17•6 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #16) > Matt: What object is being dereferenced here? It's reported as a > use-after-poison... are nsDisplayItem objects allocated out of single-use > poisoned pools like various nsIFrame objects that we can consider mitigated > by framepoisoning? Or is it a pool of mixed objects that we should treat as > a regular use-after-free? It's an nsDisplayItem being dereferenced. It's a mixed object pool (all display item subclasses and nsDisplayClipChain) bucketed by sizeof() rounded up to the nearest power of 2. This code is only enabled for Nightly, and 50% of Beta (via a shield study), we haven't shipped it to a release yet.
Flags: needinfo?(matt.woodrow)
Comment 18•6 years ago
|
||
I'll mark this as disabled in 58 as layout.display-list.retain is going to be off in 58 release, AIUI.
Updated•6 years ago
|
Group: core-security-release
Updated•5 years ago
|
Flags: needinfo?(mephisto41)
Updated•4 years ago
|
Blocks: asan-maintenance
You need to log in
before you can comment on or make changes to this bug.
Description
•