1975961 - AddressSanitizer: heap-buffer-overflow [@ Type] with READ of size 1

Status: VERIFIED FIXED

(Core :: DOM: Core & HTML, defect)

Description

[Jason Kratzer [:jkratzer]]

Testcase found while fuzzing mozilla-central rev 58b3d4ba196f (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build 58b3d4ba196f --asan --fuzzing  -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

AddressSanitizer: heap-buffer-overflow [@ Type] with READ of size 1

    =================================================================
    ==941097==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x512000001976 at pc 0x7d0b0b06bcaf bp 0x7ffec65537d0 sp 0x7ffec65537c8
    READ of size 1 at 0x512000001976 thread T0 (Isolated Web Co)
        #0 0x7d0b0b06bcae in Type /layout/base/nsPresContext.h:211:43
        #1 0x7d0b0b06bcae in nsIFrame::IsFocusable(mozilla::IsFocusableFlags) /layout/generic/nsIFrame.cpp:11510:22
        #2 0x7d0b03f6b8fd in nsFocusManager::GetNextTabbableContent(mozilla::PresShell*, nsIContent*, nsIContent*, nsIContent*, bool, int, bool, bool, bool, bool, bool, nsIContent**) /dom/base/nsFocusManager.cpp:4370:39
        #3 0x7d0b03f4f043 in nsFocusManager::DetermineElementToMoveFocus(nsPIDOMWindowOuter*, nsIContent*, int, bool, bool, nsIContent**) /dom/base/nsFocusManager.cpp:3611:21
        #4 0x7d0b03f4ca34 in nsFocusManager::MoveFocus(mozIDOMWindowProxy*, mozilla::dom::Element*, unsigned int, unsigned int, mozilla::dom::Element**) /dom/base/nsFocusManager.cpp:546:17
        #5 0x7d0b06cec2e8 in mozilla::dom::HTMLLegendElement::Focus(mozilla::dom::FocusOptions const&, mozilla::dom::CallerType, mozilla::ErrorResult&) /dom/html/HTMLLegendElement.cpp:90:16
        #6 0x7d0b05865b4b in mozilla::dom::HTMLElement_Binding::focus(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./HTMLElementBinding.cpp:11081:24
        #7 0x7d0b05988d9f in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3306:13
        #8 0x7d0b0c70f857 in CallJSNative /js/src/vm/Interpreter.cpp:501:13
        #9 0x7d0b0c70f857 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:597:12
        #10 0x7d0b0c72e2c8 in InternalCall /js/src/vm/Interpreter.cpp:664:10
        #11 0x7d0b0c72e2c8 in CallFromStack /js/src/vm/Interpreter.cpp:669:10
        #12 0x7d0b0c72e2c8 in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3287:16
        #13 0x7d0b0c70e639 in MaybeEnterInterpreterTrampoline /js/src/vm/Interpreter.cpp:395:10
        #14 0x7d0b0c70e639 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:471:13
        #15 0x7d0b0c70f9cd in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:629:13
        #16 0x7d0b0c7116d1 in InternalCall /js/src/vm/Interpreter.cpp:664:10
        #17 0x7d0b0c7116d1 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:696:8
        #18 0x7d0b0c853cfa in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:119:10
        #19 0x7d0b05711392 in mozilla::dom::Function::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./FunctionBinding.cpp:50:8
        #20 0x7d0b03e815a0 in void mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject>>(nsCOMPtr<nsIGlobalObject> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObjectBase::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FunctionBinding.h:71:12
        #21 0x7d0b03e8127c in mozilla::dom::CallbackTimeoutHandler::Call(char const*) /dom/base/TimeoutHandler.cpp:158:29
        #22 0x7d0b038bc997 in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*) /dom/base/nsGlobalWindowInner.cpp:6345:38
        #23 0x7d0b03e7c218 in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool) /dom/base/TimeoutManager.cpp:945:39
        #24 0x7d0b03e7afe3 in mozilla::dom::TimeoutExecutor::MaybeExecute() /dom/base/TimeoutExecutor.cpp:179:11
        #25 0x7d0b03e7e0fa in Notify /dom/base/TimeoutExecutor.cpp:246:5
        #26 0x7d0b03e7e0fa in non-virtual thunk to mozilla::dom::TimeoutExecutor::Notify(nsITimer*) /dom/base/TimeoutExecutor.cpp
        #27 0x7d0affc9f5b4 in operator() /xpcom/threads/nsTimerImpl.cpp:687:44
        #28 0x7d0affc9f5b4 in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:687:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:688:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:691:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:692:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:309:16
        #29 0x7d0affc9f5b4 in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:686:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:687:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:688:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:691:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:692:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:318:14
        #30 0x7d0affc9f5b4 in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:686:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:687:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:688:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:691:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:692:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:910:12
        #31 0x7d0affc9f5b4 in match<(lambda at /xpcom/threads/nsTimerImpl.cpp:686:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:687:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:688:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:691:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:692:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:865:12
        #32 0x7d0affc9f5b4 in nsTimerImpl::Fire(unsigned long) /xpcom/threads/nsTimerImpl.cpp:685:22
        #33 0x7d0affc9df5d in nsTimerEvent::Run() /xpcom/threads/TimerThread.cpp:565:11
        #34 0x7d0affcd4364 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /xpcom/threads/ThrottledEventQueue.cpp:254:22
        #35 0x7d0affccdbdf in mozilla::ThrottledEventQueue::Inner::Executor::Run() /xpcom/threads/ThrottledEventQueue.cpp:81:15
        #36 0x7d0affc82bea in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:703:16
        #37 0x7d0affc70658 in mozilla::TaskController::RunTask(mozilla::Task*) /xpcom/threads/TaskController.cpp:196:19
        #38 0x7d0affc7773d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:1310:20
        #39 0x7d0affc75278 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:1133:15
        #40 0x7d0affc75896 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:639:36
        #41 0x7d0affc939c4 in operator() /xpcom/threads/TaskController.cpp:336:37
        #42 0x7d0affc939c4 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /xpcom/threads/nsThreadUtils.h:548:5
        #43 0x7d0affcb284b in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1159:16
        #44 0x7d0affcbd1c8 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #45 0x7d0b01358643 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
        #46 0x7d0b0123c4a4 in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
        #47 0x7d0b0123c4a4 in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #48 0x7d0b0123c4a4 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #49 0x7d0b0a4f7da6 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #50 0x7d0b0a6cb47b in nsAppShell::Run() /widget/gtk/nsAppShell.cpp:471:33
        #51 0x7d0b0c45161d in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:647:20
        #52 0x7d0b0123c4a4 in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
        #53 0x7d0b0123c4a4 in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #54 0x7d0b0123c4a4 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #55 0x7d0b0c44fbee in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:585:34
        #56 0x5ba92fc6fee1 in main /browser/app/nsBrowserApp.cpp:397:22
        #57 0x7d0b23ac01c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #58 0x7d0b23ac028a in __libc_start_main csu/../csu/libc-start.c:360:3
        #59 0x5ba92fb8fc88 in _start (/home/jkratzer/builds/m-c-20250706213835-fuzzing-asan-opt/firefox+0xc7c88) (BuildId: 1af34dcfe85c73e7d5761927a5271e634958d6bc)
    
    0x512000001976 is located 46 bytes after 264-byte region [0x512000001840,0x512000001948)
    allocated by thread T0 (Isolated Web Co) here:
        #0 0x5ba92fc2d699 in calloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:75:3
        #1 0x7d0b2359aff5 in ExpandMonitorCache /nsprpub/pr/src/threads/prcmon.c:105:40
        #2 0x7d0b23567713 in _PR_InitStuff /nsprpub/pr/src/misc/prinit.c:184:3
        #3 0x7d0b23567713 in _PR_ImplicitInitialization /nsprpub/pr/src/misc/prinit.c:201:3
        #4 0x7d0b2356ec36 in PR_GetEnv /nsprpub/pr/src/misc/prenv.c:73:5
        #5 0x7d0b0a6c90fb in __cxx_global_var_init /widget/gtk/WaylandBuffer.cpp:43:5
        #6 0x7d0b0a6c90fb in _GLOBAL__sub_I_Unified_cpp_widget_gtk1.cpp /builds/worker/workspace/obj-build/widget/gtk/Unified_cpp_widget_gtk1.cpp
        #7 0x7d0b2408971e in call_init elf/dl-init.c:74:3
        #8 0x7d0b24089823 in call_init elf/dl-init.c:120:14
        #9 0x7d0b24089823 in _dl_init elf/dl-init.c:121:5
        #10 0x7d0b240855b1 in _dl_catch_exception elf/dl-catch.c:211:7
        #11 0x7d0b24090d7b in dl_open_worker elf/dl-open.c:829:5
        #12 0x7d0b24090d7b in dl_open_worker elf/dl-open.c:792:1
        #13 0x7d0b2408551b in _dl_catch_exception elf/dl-catch.c:237:8
        #14 0x7d0b24091163 in _dl_open elf/dl-open.c:905:17
        #15 0x7d0b23b2e1a3 in dlopen_doit dlfcn/dlopen.c:56:15
        #16 0x7d0b2408551b in _dl_catch_exception elf/dl-catch.c:237:8
        #17 0x7d0b24085668 in _dl_catch_error elf/dl-catch.c:256:19
        #18 0x7d0b23b2dc82 in _dlerror_run dlfcn/dlerror.c:138:17
        #19 0x7d0b23b2e25e in dlopen_implementation dlfcn/dlopen.c:71:10
        #20 0x7d0b23b2e25e in dlopen dlfcn/dlopen.c:81:12
        #21 0x5ba92fbf34b2 in dlopen /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:6352:15
        #22 0x5ba92fc73ee8 in GetLibHandle /xpcom/glue/standalone/nsXPCOMGlue.cpp:93:29
        #23 0x5ba92fc73ee8 in ReadDependentCB /xpcom/glue/standalone/nsXPCOMGlue.cpp:148:3
        #24 0x5ba92fc73ee8 in XPCOMGlueLoad /xpcom/glue/standalone/nsXPCOMGlue.cpp:312:9
        #25 0x5ba92fc73ee8 in mozilla::GetBootstrap(char const*, mozilla::LibLoadingStrategy) /xpcom/glue/standalone/nsXPCOMGlue.cpp:394:3
        #26 0x5ba92fc70a58 in InitXPCOMGlue(mozilla::LibLoadingStrategy) /browser/app/nsBrowserApp.cpp:247:7
        #27 0x5ba92fc6fe82 in main /browser/app/nsBrowserApp.cpp:378:19
        #28 0x7d0b23ac01c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #29 0x7d0b23ac028a in __libc_start_main csu/../csu/libc-start.c:360:3
        #30 0x5ba92fb8fc88 in _start (/home/jkratzer/builds/m-c-20250706213835-fuzzing-asan-opt/firefox+0xc7c88) (BuildId: 1af34dcfe85c73e7d5761927a5271e634958d6bc)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /layout/base/nsPresContext.h:211:43 in Type
    Shadow bytes around the buggy address:
      0x512000001680: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x512000001700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x512000001780: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
      0x512000001800: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x512000001880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x512000001900: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa[fa]fa
      0x512000001980: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x512000001a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x512000001a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
      0x512000001b00: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x512000001b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==941097==ABORTING

Comment 1

[Jason Kratzer [:jkratzer]]

Attachment: Detailed Crash Information

Comment 2

[Jason Kratzer [:jkratzer]]

Attachment: Testcase

Comment 3

[Andrew McCreight [:mccr8]]

It looks like the crash is on this line in nsFocusManager::GetNextTabbableContent:

int32_t tabIndex = frame->IsFocusable().mTabIndex;

I'm not sure how this could result in a buffer overflow, unless something in there is junk. The allocation stack doesn't make much sense, either.

It looks like this is in code around focus manager support for popover, so it is rather layout-y. Emilio, what do you think the next steps here might be?

Comment 4

[Andrew McCreight [:mccr8]]

I'll assume this is sec-high until proven otherwise.

Comment 5

[Emilio Cobos Álvarez [:emilio]]

A pernosco session would be ideal?

Comment 6

[Emilio Cobos Álvarez [:emilio]]

Attachment: (secure)

Comment 7

[Emilio Cobos Álvarez [:emilio]]

Attachment: (secure)

Comment 8

[Emilio Cobos Álvarez [:emilio]]

Ok I debugged it, nasty. It's a missing null-check, but I think it's the kind of missing null-check that gets optimized to a type confusion.

GetPrimaryFrame() returns mPrimaryFrame when non-null, which is a union with mSubtreeRootPointer. In this case GetPrimaryFrame should return null, but the compiler optimizes the checks away and returns mSubtreeRootPointer, which then gets interpreted as a frame rather than an element.

Comment 9

[Andrew McCreight [:mccr8]]

Thanks. Hopefully we don't have any of the places like this. There are over 500 places that call this method, so auditing and/or changing the API like I did in bug 1952465 will be a big pain.

Comment 10

[Emilio Cobos Álvarez [:emilio]]

So I looked around and clang does have some nullability annotations. I was hoping they would catch something like this, but they don't seem to: https://godbolt.org/z/bje9x5E4d

Comment 11

[Emilio Cobos Álvarez [:emilio]]

Comment on attachment 9498997 [details]
(secure)

Security Approval Request

• How easily could an exploit be constructed based on the patch?: Not clear, it takes some thinking and knowing about GetPrimaryFrame reading from a union to see it might be exploitable.
• Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
• Which branches (beta, release, and/or ESR) are affected by this flaw, and do the release status flags reflect this affected/unaffected state correctly?: All
• If not all supported branches, which bug introduced the flaw?: None
• Do you have backports for the affected branches?: Yes
• If not, how different, hard to create, and risky will they be?: Should apply cleanly
• How likely is this patch to cause regressions; how much testing does it need?: not likely
• Is the patch ready to land after security approval is given?: Yes
• Is Android affected?: Yes

Comment 12

[Emilio Cobos Álvarez [:emilio]]

I'll land https://phabricator.services.mozilla.com/D256321 only on nightly once sec-approval is granted, if that's fine? Or in a separate bug.

Comment 13

[Jason Kratzer [:jkratzer]]

Verified bug as reproducible on mozilla-central 20250707161850-32587445152c.
The bug appears to have been introduced in the following build range:

Start: 324a320c87e98f4d668da7a8fb0efcfee0bd53dd (20250617161930)
End: 011876a25442004c2eb4a278859b549211765857 (20250617182935)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=324a320c87e98f4d668da7a8fb0efcfee0bd53dd&tochange=011876a25442004c2eb4a278859b549211765857

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

Comment 14

[Andrew McCreight [:mccr8]]

Bug 1936411 looks the most relevant in that range, but from Emilio's patch it feels like maybe this is just a preexisting issue that is now easier to trigger?

Comment 15

[Bugmon [:jkratzer for issues]]

A pernosco session for this bug can be found here.

Comment 16

[Tom Ritter [:tjr] (OOTO until April)]

Comment on attachment 9498997 [details]
(secure)

Approved to land and request uplift

Comment 17

[Tom Ritter [:tjr] (OOTO until April)]

(In reply to Emilio Cobos Álvarez (:emilio) from comment #12)

I'll land https://phabricator.services.mozilla.com/D256321 only on nightly once sec-approval is granted, if that's fine? Or in a separate bug.

That's fine

Comment 18

[Emilio Cobos Álvarez [:emilio]]

Comment on attachment 9498997 [details]
(secure)

Beta/Release Uplift Approval Request

• User impact if declined/Reason for urgency: Comment 0
• Is this code covered by automated tests?: No
• Has the fix been verified in Nightly?: Yes
• Needs manual test from QE?: No
• If yes, steps to reproduce:
• List of other uplifts needed: none
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): Null-check.
• String changes made/needed: none
• Is Android affected?: Yes

Comment 19

[Pulsebot]

Pushed by ealvarez@mozilla.com:
https://github.com/mozilla-firefox/firefox/commit/b1434f56b487
https://hg.mozilla.org/integration/autoland/rev/3fa79c09efb0
Add a missing null-check. r=smaug

Comment 20

[Phabricator Automation]

Comment on attachment 9499000 [details]
(secure)

Revision D256323 was moved to bug 1976191. Setting attachment 9499000 [details] to obsolete.

Comment 21

[BugBot [:suhaib / :marco/ :calixte]]

Based on comment #13, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:emilio, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit BugBot documentation.

Comment 22

[Donal Meehan [:dmeehan]]

Comment on attachment 9498997 [details]
(secure)

Rejecting release uplift request. We don't have any more releases scheduled for Fx140. This affects ESR so is not suitable for a dot release.

Comment 23

[Emilio Cobos Álvarez [:emilio]]

While this test-case relies on bug 1936411, I think you could trigger this before that all the way back to bug 1856539.

I don't think ESR115 is affected.

Comment 24

[Andrew McCreight [:mccr8]]

[Tracking Requested - why for this release]:

Comment 25

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/3fa79c09efb0

Comment 26

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20250708162502-79eaf77350d0.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 27

[Pulsebot]

https://github.com/mozilla-firefox/firefox/commit/349cc687b2a7
https://hg.mozilla.org/releases/mozilla-beta/rev/431917892878

Comment 28

[Pulsebot]

https://hg.mozilla.org/releases/mozilla-esr128/rev/28ddc8ad00da

Comment 29

[Pulsebot]

https://hg.mozilla.org/releases/mozilla-esr140/rev/0141bf47e497

Comment 30

[Pascal Chevrel:pascalc]

Emilio, could you provide a separate patch for esr 115? b1434f56b487 doesn't cherry-pick cleanly to the branch. Thanks!

Comment 31

[Emilio Cobos Álvarez [:emilio]]

See comment 23, esr115 is not affected, the code isn't there.