Closed
Bug 1486521
Opened 6 years ago
Closed 6 years ago
use-after-poison in [@ mozilla::PresShell::ScrollFrameRectIntoView]
Categories
(Core :: Layout, defect, P3)
Core
Layout
Tracking
()
VERIFIED
FIXED
mozilla66
People
(Reporter: tsmith, Assigned: TYLin)
References
(Blocks 2 open bugs)
Details
(4 keywords, Whiteboard: [post-critsmash-triage][adv-main66-])
Attachments
(5 files)
==17726==ERROR: AddressSanitizer: use-after-poison on address 0x625000e31b90 at pc 0x7f22018f4560 bp 0x7ffd4f7567d0 sp 0x7ffd4f7567c8
READ of size 8 at 0x625000e31b90 thread T0
#0 0x7f22018f455f in mozilla::PresShell::ScrollFrameRectIntoView(nsIFrame*, nsRect const&, nsIPresShell::ScrollAxis, nsIPresShell::ScrollAxis, unsigned int) src/layout/base/PresShell.cpp:3687:33
#1 0x7f2201fc7ffc in ScrollToFrame src/layout/forms/nsListControlFrame.cpp:1971:7
#2 0x7f2201fc7ffc in nsListControlFrame::ScrollToIndex(int) src/layout/forms/nsListControlFrame.cpp:1959
#3 0x7f2201fcb612 in OnOptionSelected src/layout/forms/nsListControlFrame.cpp:1029:5
#4 0x7f2201fcb612 in non-virtual thunk to nsListControlFrame::OnOptionSelected(int, bool) src/layout/forms/nsListControlFrame.cpp
#5 0x7f21ff208acf in mozilla::dom::HTMLSelectElement::OnOptionSelected(nsISelectControlFrame*, int, bool, bool, bool) src/dom/html/HTMLSelectElement.cpp:745:19
#6 0x7f21ff207c5e in mozilla::dom::HTMLSelectElement::SetOptionsSelectedByIndex(int, int, unsigned int) src/dom/html/HTMLSelectElement.cpp:881:11
#7 0x7f21ff20d509 in mozilla::dom::HTMLSelectElement::SetSelectedIndexInternal(int, bool) src/dom/html/HTMLSelectElement.cpp:700:3
#8 0x7f21ff1c8f6d in SetSelectedIndex src/obj-firefox/dist/include/mozilla/dom/HTMLSelectElement.h:228:11
#9 0x7f21ff1c8f6d in mozilla::dom::HTMLOptionsCollection::SetSelectedIndex(int, mozilla::ErrorResult&) src/dom/html/HTMLOptionsCollection.cpp:197
#10 0x7f21fe212112 in mozilla::dom::HTMLOptionsCollection_Binding::set_selectedIndex(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLOptionsCollection*, JSJitSetterCallArgs) src/obj-firefox/dom/bindings/HTMLOptionsCollectionBinding.cpp:264:9
#11 0x7f21fe55ba77 in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3240:8
#12 0x7f220584fa4b in CallJSNative src/js/src/vm/Interpreter.cpp:449:15
#13 0x7f220584fa4b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:537
#14 0x7f2205854d29 in InternalCall src/js/src/vm/Interpreter.cpp:588:12
#15 0x7f2205854d29 in Call src/js/src/vm/Interpreter.cpp:607
#16 0x7f2205854d29 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) src/js/src/vm/Interpreter.cpp:741
#17 0x7f2206782101 in SetExistingProperty(JSContext*, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) src/js/src/vm/NativeObject.cpp:2744:10
#18 0x7f2206779e31 in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) src/js/src/vm/NativeObject.cpp:2783:20
#19 0x7f22063853a3 in SetProperty src/js/src/vm/NativeObject.h:1722:12
#20 0x7f22063853a3 in js::SetPropertyIgnoringNamedGetter(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyDescriptor>, JS::ObjectOpResult&) src/js/src/proxy/BaseProxyHandler.cpp:182
#21 0x7f21fe58b393 in mozilla::dom::DOMProxyHandler::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) const src/dom/bindings/DOMJSProxyHandler.cpp:266:10
#22 0x7f22063a6fee in setInternal src/js/src/proxy/Proxy.cpp:406:21
#23 0x7f22063a6fee in js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) src/js/src/proxy/Proxy.cpp:416
#24 0x7f2205831047 in SetProperty src/js/src/vm/NativeObject.h:1721:16
#25 0x7f2205831047 in SetPropertyOperation src/js/src/vm/Interpreter.cpp:271
#26 0x7f2205831047 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3037
#27 0x7f220581ef1e in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:429:12
#28 0x7f220585055e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:561:15
#29 0x7f22058522f2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:607:10
#30 0x7f22062e851d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2921:12
#31 0x7f21fdb5e13a in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:264:37
#32 0x7f21fee21b4e in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
#33 0x7f21fee1f017 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:214:12
#34 0x7f21fedd2cb7 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1111:52
#35 0x7f21fedd4db7 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1342:20
#36 0x7f21fedb8879 in HandleEvent src/obj-firefox/dist/include/mozilla/EventListenerManager.h:390:5
#37 0x7f21fedb8879 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:420
#38 0x7f21fedb6b33 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:637:16
#39 0x7f21fedbd31e in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1112:9
#40 0x7f2201a1682f in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1169:7
#41 0x7f220478831c in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:7055:21
#42 0x7f2204782faa in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:6848:7
#43 0x7f220478cc27 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
#44 0x7f21f9d258b5 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1313:3
#45 0x7f21f9d244dc in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:856:14
#46 0x7f21f9d1ffe1 in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:745:9
#47 0x7f21f9d22ac8 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp:631:5
#48 0x7f21f9d24004 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp
#49 0x7f21f77fcfc7 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:629:28
#50 0x7f21faf43a30 in imgRequestProxy::RemoveFromLoadGroup() src/image/imgRequestProxy.cpp:441:15
#51 0x7f21faf4cade in imgRequestProxy::OnLoadComplete(bool) src/image/imgRequestProxy.cpp:1110:7
#52 0x7f21faf3a33c in operator() src/image/ProgressTracker.cpp:358:13
#53 0x7f21faf3a33c in void mozilla::image::ImageObserverNotifier<mozilla::image::ObserverTable const*>::operator()<void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&)::{lambda(mozilla::image::IProgressObserver*)#7}>(void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&)::{lambda(mozilla::image::IProgressObserver*)#7}) src/image/ProgressTracker.cpp:283
#54 0x7f21faf37c16 in void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) src/image/ProgressTracker.cpp:357:5
#55 0x7f21fae84a44 in operator() src/image/ProgressTracker.cpp:378:5
#56 0x7f21fae84a44 in Read<(lambda at /builds/worker/workspace/build/src/image/ProgressTracker.cpp:377:19)> src/image/CopyOnWrite.h:179
#57 0x7f21fae84a44 in mozilla::image::ProgressTracker::SyncNotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) src/image/ProgressTracker.cpp:377
#58 0x7f21faedbee6 in mozilla::image::VectorImage::OnSVGDocumentLoaded() src/image/VectorImage.cpp:1469:23
#59 0x7f21faf1c3e4 in mozilla::image::SVGLoadEventListener::HandleEvent(mozilla::dom::Event*) src/image/VectorImage.cpp:229:15
#60 0x7f21fedd2cb7 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1111:52
#61 0x7f21fedd4db7 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1342:20
#62 0x7f21fedb8879 in HandleEvent src/obj-firefox/dist/include/mozilla/EventListenerManager.h:390:5
#63 0x7f21fedb8879 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:420
#64 0x7f21fedb6b33 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:637:16
#65 0x7f21fedbd31e in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1112:9
#66 0x7f21fedc06c6 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) src/dom/events/EventDispatcher.cpp
#67 0x7f21fb6f18b4 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:1110:5
#68 0x7f21fede8369 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) src/dom/events/EventTarget.cpp:205:13
#69 0x7f21fed36898 in mozilla::AsyncEventDispatcher::Run() src/dom/events/AsyncEventDispatcher.cpp:72:12
#70 0x7f21f7594850 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1167:14
#71 0x7f21f759d565 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
#72 0x7f21f877c87e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
#73 0x7f21f867e4cc in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
#74 0x7f21f867e4cc in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
#75 0x7f21f867e4cc in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
#76 0x7f220119e316 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
#77 0x7f22052629ab in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:290:30
#78 0x7f220551c9d6 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:4780:22
#79 0x7f220551fa9d in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4925:8
#80 0x7f220552124e in XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5017:21
#81 0x4f591c in do_main src/browser/app/nsBrowserApp.cpp:233:22
#82 0x4f591c in main src/browser/app/nsBrowserApp.cpp:311
#83 0x7f221ad0182f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#84 0x424edc in _start (/home/ubuntu/firefox/firefox+0x424edc)
0x625000e31b90 is located 4752 bytes inside of 8192-byte region [0x625000e30900,0x625000e32900)
allocated by thread T0 here:
#0 0x4c5623 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
#1 0x7f21f7528163 in AllocateChunk src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:193:15
#2 0x7f21f7528163 in InternalAllocate src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:228
#3 0x7f21f7528163 in Allocate src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:75
#4 0x7f21f7528163 in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:80
#5 0x7f2201f0dfda in AllocateByFrameID src/layout/base/nsPresArena.h:39:12
#6 0x7f2201f0dfda in AllocateFrame src/layout/base/nsIPresShell.h:206
#7 0x7f2201f0dfda in operator new src/layout/generic/nsTextFrame.cpp:4619
#8 0x7f2201f0dfda in NS_NewTextFrame(nsIPresShell*, mozilla::ComputedStyle*) src/layout/generic/nsTextFrame.cpp:4616
#9 0x7f22019b51ec in nsCSSFrameConstructor::ConstructTextFrame(nsCSSFrameConstructor::FrameConstructionData const*, nsFrameConstructorState&, nsIContent*, nsContainerFrame*, mozilla::ComputedStyle*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:3418:24
#10 0x7f22019c6916 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:5936:5
#11 0x7f220199e37a in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:9964:5
#12 0x7f22019d8c94 in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:7153:3
#13 0x7f2201946247 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) src/layout/base/RestyleManager.cpp:1442:27
#14 0x7f22019570f3 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) src/layout/base/RestyleManager.cpp:3057:9
#15 0x7f22018f980c in ProcessPendingRestyles src/layout/base/RestyleManager.cpp:3134:3
#16 0x7f22018f980c in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4297
#17 0x7f220186c4d4 in FlushPendingNotifications src/layout/base/nsIPresShell.h:577:5
#18 0x7f220186c4d4 in nsRefreshDriver::Tick(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:1900
#19 0x7f220187e932 in TickDriver src/layout/base/nsRefreshDriver.cpp:324:13
#20 0x7f220187e932 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:299
#21 0x7f220187e451 in mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:316:5
#22 0x7f2201881a41 in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:755:5
#23 0x7f2201881a41 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:671
#24 0x7f220187b929 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() src/layout/base/nsRefreshDriver.cpp:512:20
#25 0x7f21f7594850 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1167:14
#26 0x7f21f759d565 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
#27 0x7f21f877c87e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
#28 0x7f21f867e4cc in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
#29 0x7f21f867e4cc in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
#30 0x7f21f867e4cc in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
#31 0x7f220119e316 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
Flags: in-testsuite?
|
Reporter | |
Comment 1•6 years ago
|
||
|
||
Updated•6 years ago
|
Priority: -- → P1
|
||
Updated•6 years ago
|
Keywords: csectype-framepoisoning,
sec-low
|
||
Comment 2•6 years ago
|
||
AccessibleCaretManager::FlushLayout() does a FlushLayout
which destroys the frame we're currently scrolling in:
#39 in nsListControlFrame::ScrollToFrame
|
|
||
Comment 3•6 years ago
|
||
We crash on "sf->LastScrollDestination()" because ScrollToShowRect
on the line before destroyed "sf" (in #37 in earlier stack).
|
|
||
Comment 4•6 years ago
|
||
I think "layout.accessiblecaret.enabled = true" is required to trigger
this crash. That's a hidden pref that is normally false, except on
Android (I think).
In any case, frame-poisoning should make this non-exploitable.
I think we have other bugs open on AccessibleCaretManager::FlushLayout()
being a problem.
|
|
||
Comment 5•6 years ago
|
||
Also, the risk of this crash occurring as a result of normal
browsing activity by the user is likely very low. So I don't
think it's urgent to fix it for that reason.
|
||
Comment 6•6 years ago
|
||
I'm so glad that I asked the fuzzing team to fuzz AccessibleCaret :)
|
Assignee | |
Updated•6 years ago
|
|
|
Reporter | |
Comment 8•6 years ago
|
||
Is it worth landing the crash test since bug 1445794 does not have one?
Flags: needinfo?(aethanyc)
|
|
Assignee | |
Comment 9•6 years ago
|
||
Yes, it's worth landing.
Even with bug 1445794, the test case still crashes with different stack because AccessibleCaretManager::DispatchCaretStateChangedEvent() calls Selection::Stringify() which flushes frames [1]...
Status: RESOLVED → REOPENED
Flags: needinfo?(aethanyc)
Resolution: DUPLICATE → ---
|
|
Assignee | |
Comment 10•6 years ago
|
||
The added crashtest still crashes on Android verify runs (TV) for
unknown reasons, so skip it.
|
|
Assignee | |
Updated•6 years ago
|
Assignee: nobody → aethanyc
Status: REOPENED → ASSIGNED
|
||
Comment 11•6 years ago
|
||
Group: layout-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 6 years ago → 6 years ago
status-firefox64:
--- → wontfix
status-firefox65:
--- → wontfix
status-firefox66:
--- → fixed
status-firefox-esr60:
--- → wontfix
Flags: in-testsuite? → in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
|
||
Updated•6 years ago
|
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
|
||
Comment 12•6 years ago
|
||
Verified on Nightly 67(20190129103321) and Beta 66.0b3(20190128143734), that the crash is not reproducible using the attached testcase.
|
||
Updated•6 years ago
|
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main66-]
|
|
||
Comment 13•6 years ago
|
||
(In reply to Ting-Yu Lin [:TYLin] (UTC-7) from comment #10)
The added crashtest still crashes on Android verify runs (TV) for
unknown reasons, so skip it.
Did anyone file a follow-up bug for this? If not, please do so
so we don't forget about it. (mark it security-sensitive just
in case, until we know what the issue is on that platform)
Flags: needinfo?(aethanyc)
|
|
Assignee | |
Comment 14•6 years ago
|
||
Mats, thank you for the reminder. Filed bug 1535187.
Flags: needinfo?(aethanyc)
|
|
||
Updated•5 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•