Bug 306663 (stirdom)

Bugs found by "Stir DOM" module of DOMFuzz

NEW
Assigned to

Status

()

defect
14 years ago
a year ago

People

(Reporter: jruderman, Assigned: jruderman)

Tracking

(Depends on 18 bugs, Blocks 1 bug, {meta, sec-other})

Trunk
Points:
---
384504, 436204, 584208, 591480, 709536, 725928, 767233, 788929, 872878, 878538, 883712, 1191948, 1223724, 1230378, 1230424, 1233254, 1286419, 1411689, 205735, 265367, 291531, 291902, 294022, 306782, 306787, 306789, 306798, 306902, 306911, 306915, 307277, 307280, 307298, 307314, 307322, 307394, 307444, 307470, 307565, 307826, 307839, 307854, 307989, 307992, 308120, 308278, 308585, 308752, 308917, 309120, 309122, 309732, 310267, 310426, 310436, 310520, 310556, 310638, 311478, 314307, 315549, 317544, 317545, 317546, 317547, 317549, 321299, 322625, 323022, 323585, 323604, 324318, 324918, 325427, 325984, 328944, 328946, 329335, 329407, 329884, 329891, 330010, 330925, 330998, 335896, 336065, 336074, 337066, 337412, 337419, 338251, 338301, 338312, 338649, 340083, 340733, 342120, 342145, 342923, 342942, 342954, 343935, 344881, 344898, 346512, 347348, 347355, 347495, 348708, 348709, 349355, 350128, 351627, 351628, 354133, 354510, 356325, 359371, 361226, 361389, 363448, 365923, 366203, 366493, 366537, 366564, 367111, 367149, 368860, 369126, 369438, 370876, 371125, 372550, 374882, 375058, 376666, 377470, 377783, 379217, 379872, 380482, 380550, 381057, 381502, 382212, 382507, 383979, 384391, 384392, 384637, 385118, 385132, 385289, 386386, 386575, 386807, 386939, 387227, 388172, 389014, 389151, 389326, 389636, 390976, 392132, 393475, 393649, 393656, 393661, 393671, 393746, 393749, 393758, 393822, 394111, 395340, 396744, 397112, 397551, 397844, 397856, 398021, 399365, 399412, 399687, 399694, 399858, 400078, 400349, 401393, 401395, 402172, 402400, 402408, 403134, 403369, 404213, 404215, 404470, 404721, 405639, 406902, 408292, 408904, 411835, 412243, 412543, 413079, 413085, 413174, 414719, 416107, 416734, 419527, 420031, 421393, 423107, 423264, 425981, 426040, 427325, 428113, 429454, 429881, 430991, 432058, 432752, 433450, 434894, 442860, 443528, 443538, 443655, 444484, 445288, 448064, 448993, 449129, 453406, 453736, 454361, 455614, 457514, 458493, 460209, 460323, 460910, 460924, 461289, 462968, 463741, 464589, 466585, 466763, 468578, 468773, 470063, 470167, 472237, 473042, 474041, 474377, 476579, 477878, 477928, 478527, 479938, 481089, 481139, 481806, 482398, 487539, 487724, 489480, 489501, 494225, 494332, 495546, 496011, 496062, 496420, 497734, 499841, 499857, 500847, 501878, 503699, 505399, 508154, 508908, 508919, 513153, 522516, 523468, 531550, 535632, 536720, 537624, 538062, 538210, 538233, 538267, 539167, 540760, 545574, 550355, 550362, 551620, 557348, 559491, 560447, 564063, 564368, 564968, 571105, 571981, 572003, 572607, 575446, 580129, 580140, 580151, 587336, 589316, 590395, 591141, 591409, 592129, 595783, 596796, 596876, 597240, 597317, 604843, 605340, 605345, 606101, 606430, 606642, 611927, 612736, 615002, 615944, 616748, 617089, 621598, 627647, 635442, 635636, 637214, 643853, 650489, 654928, 655451, 656130, 665334, 667025, 667321, 669225, 674223, 690979, 690990, 690994, 691096, 693142, 695573, 696175, 707098, 710149, 713413, 713499, 716503, 718236, 718290, 723382, 723657, 725918, 729431, 736389, 736924, 738555, 740199, 742190, 745699, 757751, 760957, 766471, 779707, 780764, 788831, 791430, 791601, 797945, 803562, 809762, 822086, 841163, 843086, 847119, 847130, 849593, 852129, 852138, 852150, 852293, 856402, 862303, 866659, 867487, 873222, 880892, 883708, 884202, 886215, 886230, 890775, 893515, 895082, 897384, 898913, 898926, 898951, 914029, 914501, 931453, 931464, 936988, 950000, 950324, 978644, 1007298, 1009036, 1015562, 1072137, 1072792, 1133615, 1133964, 1153695, 1153716, 1156257, 1156588, 1169423, 1190646, 1217984, 1223522, 1223561, 1228707, 1228876, 1230110, 1233191, 1234701, 1250793, 1274579, 1278457, 1281715, 1282691, 1282894, 1286013
Dependency tree / graph
Bug Flags:
blocking1.8b5 -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:nse] meta)

Attachments

(3 attachments, 8 obsolete attachments)

(Assignee)

Description

14 years ago
Steps to reproduce:
1. Go to a small web page, such as http://www.google.com/.
2. Use the bookmarklet in this bug's URL field.
3. Wait a while.

Result: more often than not, Firefox crashes with a minute or two.

Here are the crashes I've seen so far with the bookmarklet:

nsStyleContext::GetStyleData()
TB8922845W, TB8923024X, TB8923158K, TB8923275Q, TB8923389M, TB8923438Z

GetNifOrSpecialSibling()
TB8923432H

nsCSSFrameConstructor::GetFloatContainingBlock()
TB8922738K, TB8923005W, TB8923133W*

The starred crash report is particularly scary because it occurred at a "random
address" with SIGILL.  According to the libc manual, "SIGILL typically indicates
that the executable file is corrupted, or that you are trying to execute data."  

I'm filing this as a security-sensitive bug because I have already found a
potential security hole with it.  I will keep the bookmarklet secret for now as
well, because someone with the bookmarklet might be able to rediscover the
scarier crashes.

I can make a more deterministic version of the bookmarklet if that would make it
easier to make a testcase for each crash it finds.
(Assignee)

Updated

14 years ago
Group: security
Fun.  This needs attention, pronto.  Who will own it?

/be
Flags: blocking1.8b5+
Flags: blocking1.8b4?
These additional assertions prevent one problem from showing up 20 frames down
the stack when we do a bogus reflow with a bogus 0 availableHeight -- they at
least cause the problem to show up as an assertion pretty close to where it
happens.  I think the underlying problem here is bug 203923.  But I don't know
whether it's related to any of the crashes, which I haven't hit yet.
(Assignee)

Comment 3

14 years ago
The GetNifOrSpecialSibling crash might also be exploitable: TB8950615Y.
(Assignee)

Updated

14 years ago
Depends on: 306782
(Assignee)

Updated

14 years ago
Depends on: 306789
(Assignee)

Updated

14 years ago
Depends on: 306798
(Assignee)

Updated

14 years ago
Depends on: 306787
(Assignee)

Comment 4

14 years ago
All of the crashes I've found so far happen on the Gecko 1.8 branch but not on
trunk.  I suspect they all have the same underlying cause, which was fixed on
the trunk after the branch point.
(Assignee)

Comment 5

14 years ago
I've seen Opera(Win), IE(Win), and Safari(Mac) crash with this bookmarklet.  I
haven't seen Firefox trunk crash yet.
Jesse, could you possibly try trunk builds to see when the crash disappeared on
trunk?
(Assignee)

Comment 7

14 years ago
The crashes for the testcases on all four bugs (bug 306782, bug 306787, bug
306789, bug 306798) disappeared between Aug 16 and Aug 17 trunk nightlies.

2005-08-16-07-trunk - crash (all four testcases)
2005-08-17-09-trunk - no crash (all four testcases)

Bug 265367 was checked in between those builds.  Could it have fixed these crashes?
FWIW I eventually got a crash running that bookmarklet on this very page (the
bug report itself, I mean).
> Bug 265367 was checked in between those builds.  Could it have fixed these
> crashes?

Possibly, yes.  It would certainly help on any page that has an animated image
in a very direct way; for other pages I'm not sure how it could prevent crashes,
but I wouldn't be too surprised.

Also bug 289377 landed in the same range.  And so did bug 303484.
So I found a general case where the patch for bug 265367 would prevent a crash.

Say we have nodes A, B, and C and that the frame for node A is a leaf (eg A is
an <img>).  Consider the following sequence of operations, starting with a state
when A is in the document and hence has a frame (called A').

1)  Insert B as a child of A.  This creates a frame B' for B, sets the parent of
    B' to be A', sets B' as the primary frame for B.  Then we try to append B'
    to the frame list of A'.  This throws, but the error return is ignored.  So
    B' is not in the child list of A' (since A' has no child list).
2)  Move A to a different place in the DOM.  This destroys A' and all its
    descendants.  Since B' is not a child of A', B' is NOT destroyed.
3)  Insert C as a child of B.  This tries to create a frame C' for C, with B' as
    its parent (since B' is what we got when we did a primary frame lookup on
    B).  We start looking up things like the containing blocks we should use,
    which means we walk the parent chain of B'.  But the mParent pointer of B'
    points to the now-deleted A' frame, or in other words to some random memory.
    We might not crash there right away, since the random memory comes from an
    arena and hence is probably still allocated to our process; if we've
    allocated over it again, it won't even be marked with 0xdddddddd.

The alternative to the patch for bug 265367 is to actually check rv for all
cases when we're inserting or appending frames and clean up if it fails (at the
very least clean up the primary frame map).  This is not completely trivial to
do right in full generality (i.e. with destruction of the not-appended frames),
I suspect, and the patch for bug 265367 is pretty safe given that there have
been no regressions reported yet, so maybe we should just take bug 265367 on the
branch and also add the rv checks on trunk just in case?

Comment 11

14 years ago
Jesse, what did 1.0.x do with this test case? Is this crash a regression over
1.0? Fixing this crash may mean taking a pretty large change to gecko, Bug
265367 which scares me after a looking at it briefly. I'd like to see if this
crash is new or not and how many crash reports we are seeing in talkback before
making a decision on this and 265367.

> what did 1.0.x do with this test case?

Crashed.

It also crashed on the testcases in bug 291022 and bug 291513, of course.  ;)

And I think the reason Jesse is worried is not just because it's a crash but a
crash likely to be exploitable.

For what it's worth, the change for bug 265367 is a good bit safer than a lot of
the other stuff we've been landing on branch for a while now...  At least in my
opinion.  The other approach (of checking rv on the inserts/appends) would
actually be less safe, imo (and would certainly be less tested; I was running
with the patch in bug 265367 for three months and didn't see any issues).
going to take 256367 asap.
Flags: blocking1.8b4?
(Assignee)

Comment 14

14 years ago
I made a small change to the bookmarklet so it would work on XML pages:
- var myRoot = document.body;
+ var myRoot = document.body || document.documentElement;
(Assignee)

Updated

14 years ago
Depends on: 306902
(Assignee)

Updated

14 years ago
Depends on: 306911
(Assignee)

Updated

14 years ago
Depends on: 306915
Checked in bug 265367 on the 1.8 branch.
(Assignee)

Comment 16

14 years ago
Aaron, tomorrow's branch build won't crash much when you use this bookmarklet on
HTML pages, so you can start testing accessiblity code and/or screen readers
with this bookmarklet.  See the testcase in e.g. bug 306915 for the version that
includes its own random number generator for reproducibility.
(Assignee)

Comment 17

14 years ago
See also bug 306939, the metabug for another crash-finding bookmarklet.
(Assignee)

Comment 18

14 years ago
I should do another round of testing on HTML now that I can avoid the crashes
caused by bug 265367.

Bug 306902 shows up often (with many different seeds) on mixed HTML-and-MathML.
 I'll do another round of testing on mixed HTML-and-MathML pages once it is fixed.

Bug 306911 or bug 306915 happens almost immediately when I run the bookmarklet
on a XUL page.  I'll do another round of testing on XUL pages once they are fixed.
(Assignee)

Comment 19

14 years ago
How much do we care about assertion failures turned up by this kind of testing?
 Memory leaks?
> How much do we care about assertion failures turned up by this kind of testing?

I care a good bit.

> Memory leaks?

Same, esp. if we can get a non-randomized testcase... ;)
(In reply to comment #20)
> > How much do we care about assertion failures turned up by this kind of testing?
> 
> I care a good bit.

I proposed that we make assertions fatal for 1.9, see
http://weblogs.mozillazine.org/roadmap/archives/2005_01.html.  dbaron suggested
doing this first by setting the XPCOM_DEBUG_BREAK envariable for some tinderbox
machines, to build up cross-platform testing coverage.  That's a good idea, and
I think we will do this starting tomorrow, or as soon as we can.

/be
(Assignee)

Updated

14 years ago
Depends on: 307277
(Assignee)

Updated

14 years ago
Depends on: 307280
(Assignee)

Comment 22

14 years ago
I'm seeing crashes at DoDeletingFrameSubtree (bug 307277) and/or
nsBlockFrame::Destroy (bug 307280) on multiple sites:
http://www.csszengarden.com/, http://www.43things.com/, http://www.w3.org/Style/.

Once those bugs are fixed, I'll retest those sites.
(Assignee)

Comment 23

14 years ago
Putting new version of the bookmarklet in the URL field.  You can now control
the random number seed and several speed-related parameters.
(Assignee)

Updated

14 years ago
Depends on: 307298
(Assignee)

Comment 24

14 years ago
I will retest http://www.xulplanet.com/tutorials/xulqa/treeimage.xul and other
tree examples after bug 307298 is fixed.
(Assignee)

Updated

14 years ago
Alias: stirdom
(Assignee)

Updated

14 years ago
Depends on: 307314
(Assignee)

Comment 25

14 years ago
I will retest http://www.carto.net/papers/svg/samples/text.svg after bug 307314
is fixed.
(Assignee)

Updated

14 years ago
Depends on: 307322
(Assignee)

Comment 26

14 years ago
I will retest http://www.carto.net/papers/svg/samples/symbol.svg after bug
307322 is fixed.
(Assignee)

Comment 27

14 years ago
I retested http://www.carto.net/papers/svg/samples/text.svg on trunk (now that
bug 307314 is fixed) and didn't hit any more crashes :)
(Assignee)

Updated

14 years ago
Depends on: 307444
(Assignee)

Comment 28

14 years ago
I will retest everything under
http://www.w3.org/Graphics/SVG/Test/20030813/htmlframe/full-index.html once bug
307444 is fixed.
(Assignee)

Comment 29

14 years ago
... and http://www.svgbasics.com/.
(Assignee)

Updated

14 years ago
Depends on: 307470
(Assignee)

Comment 30

14 years ago
I will retest http://www.svgbasics.com/examples/marker_ex1.svg after bug 307470
is fixed.
(Assignee)

Updated

14 years ago
Depends on: 307565
(Assignee)

Comment 31

14 years ago
I will retest http://www.w3.org/TR/SVG/images/filters/filters01.svg on Windows
after bug 307565 is fixed with seeds 0 and 1, at least.
(Assignee)

Comment 32

14 years ago
(Assignee)

Comment 33

14 years ago
Attachment #195379 - Attachment is obsolete: true
(Assignee)

Updated

14 years ago
Blocks: 307826
(Assignee)

Updated

14 years ago
Depends on: 307839
(Assignee)

Updated

14 years ago
No longer blocks: 307826
Depends on: 307826
(Assignee)

Updated

14 years ago
Depends on: 307854
(Assignee)

Updated

14 years ago
Depends on: 307989
(Assignee)

Updated

14 years ago
Depends on: 307992
(Assignee)

Updated

14 years ago
Depends on: 308120
(Assignee)

Updated

14 years ago
Depends on: 308278
(Assignee)

Comment 34

14 years ago
* Added discovery of nodes in frames, iframes, and <embed>s containing SVG.
* Added discovery of XBL anonymous children.
* Made it use chained setTimeout instead of setInterval to improve
responsiveness when slow.
* Increased the default speed.
* Commented out the "javascript:" at the top of the non-bookmarklet version
because it caused a parse error in Safari.
Attachment #195381 - Attachment is obsolete: true
(Assignee)

Comment 35

14 years ago
List includes URLs I found crashes on and URLs that use rarely-used Gecko
features.

Updated

14 years ago
Attachment #194596 - Flags: review?(bernd.mielke) → review+
(Assignee)

Updated

14 years ago
Depends on: 308585
(Assignee)

Updated

14 years ago
Depends on: 308752
FYI, I'm not authorized to access the majority of the bugs you're referring,
in case you want any help on those...
(Assignee)

Updated

14 years ago
Depends on: 308917
(Assignee)

Updated

14 years ago
Depends on: 309120
(Assignee)

Updated

14 years ago
Depends on: 309122
(Assignee)

Updated

14 years ago
Depends on: 309732
(Assignee)

Updated

14 years ago
Depends on: 291531, 291902
(Assignee)

Comment 37

14 years ago
There are five remaining StirDOM crashes that look exploitable to me:
  * Tables:     bug 308752
  * DOM+UI:     bug 307992, bug 307989
  * MathML:     bug 309120, bug 307826

There are several types of content for which Stir DOM runs into the same crash
often enough that it's hard to tell whether there are other crashes:
  * XBL:        bug 308120
  * XUL grids:  bug 306911
  * XUL trees:  bug 291531, bug 309732
  * SVG:        bug 307444

Based on what bz said in a security-group@ email, it sounds like we can't fix
the XUL crashes for Firefox 1.5 without making Firefox 1.5 slip.  I'm ok with
postponing the release of Stir DOM until the next version of Firefox and hoping
nobody else thinks of doing the same kind of fuzz testing on web browsers.  It
would be nice if the already-known, exploitable-looking crashes were fixed for
Firefox 1.5, though.

Gecko has a hidden pref for disabling SVG for use during security firedrills. 
It might be worthwhile to add similar prefs for disabling:
  * XUL in non-chrome
  * MathML
  * XBL in non-chrome (including <marquee> and <xul:button>)
(Assignee)

Updated

14 years ago
Depends on: 310267
(Assignee)

Updated

14 years ago
Depends on: 310426
(Assignee)

Updated

14 years ago
Depends on: 310436
(Assignee)

Updated

14 years ago
Depends on: 310520
We'll evaluate each crash fix as they come in. No longer blocking on tracking bugs.
Flags: blocking1.8b5+ → blocking1.8b5-
(Assignee)

Updated

14 years ago
Depends on: 310556
(Assignee)

Updated

14 years ago
Depends on: 310638
(Assignee)

Comment 39

14 years ago
Posted file Stir DOM recorder (obsolete) —
This is one of the tools I use to reduce Stir DOM testcases.  Its output is
intended to be pasted back in, replacing the first two lines of the script.
(Assignee)

Updated

14 years ago
Depends on: 311478
Whiteboard: [sg:investigate]
(Assignee)

Updated

14 years ago
Blocks: fuzz

Updated

14 years ago
Depends on: 317544

Updated

14 years ago
Depends on: 317545

Updated

14 years ago
Depends on: 317546

Updated

14 years ago
Depends on: 317547

Updated

14 years ago
Depends on: 317549

Updated

14 years ago
Flags: blocking1.8.0.1?

Comment 40

14 years ago
crashes or timeouts found in this run appear as 

stirdom: url?fuzz=parms...

The test loads the page (with the querystring), then runs the stirdom
bookmarklet with the specified parameters. You can copy/paste the parameters
from the query string directly into the stirdom input prompt.

The end of each line identifies the machine, the date the test run began and
the build which was tested. For example, 

prunessh/2005-12-17-02-34-33-firefox-1.5-build-dbg-1.8_2005121411.log

was run on prune (a windows machine), on Dec 17, using a 1.8 debug build built
on 2005-12-14-11. 

You can reproduce each test case by loading the url including the query string,
then running stirdom with the appropriate parameter.
Depends on: 321299
(Assignee)

Comment 41

14 years ago
Posted file Stir DOM recorder (obsolete) —
Changes made to both Stir DOM and Random Styles recorders:
1. Make it record information about chunks/intervals so that
  (a) it can record the equivalent of a nonzero "number of changes to do immediately" in the bookmarklet.
  (b) while reducing, the chunk boundaries don't move.
2. Make it work with both XML and HTML without requiring separate versions.
3. Improve the instructions.
Attachment #198555 - Attachment is obsolete: true
Flags: blocking1.8.0.1? → blocking1.8.0.1+
Whiteboard: [sg:investigate] → [sg:nse] meta
Flags: blocking1.8.0.1+

Updated

14 years ago
Depends on: 323022
(Assignee)

Updated

13 years ago
Depends on: 205735
(Assignee)

Updated

13 years ago
Depends on: 323585
(Assignee)

Updated

13 years ago
Depends on: 315549
(Assignee)

Updated

13 years ago
Depends on: 323604
(Assignee)

Updated

13 years ago
Depends on: 323978
(Assignee)

Updated

13 years ago
Depends on: 324318
(Assignee)

Updated

13 years ago
Depends on: 294022
(Assignee)

Comment 42

13 years ago
Stupid bug:

  if(n.getSVGDocument){try{addNodes(n.getSVGDocument());}catch(ex){}}

should check that n.getSVGDocument() is non-null before recursing.  I'm not fixing it (yet) because I'm lazy, and because it would change the behavior of the script on any page that uses Flash and I want to avoid changing its behavior too much.
(Assignee)

Updated

13 years ago
Depends on: 254144
(Assignee)

Updated

13 years ago
Depends on: 324918
(Assignee)

Updated

13 years ago
No longer depends on: 254144
(Assignee)

Updated

13 years ago
Depends on: 325427
(Assignee)

Updated

13 years ago
Depends on: 325984
(Assignee)

Updated

13 years ago
Depends on: 328944
(Assignee)

Updated

13 years ago
Depends on: 328946
(Assignee)

Updated

13 years ago
Depends on: 329335
(Assignee)

Updated

13 years ago
Depends on: 314307
(Assignee)

Updated

13 years ago
Depends on: 329407
(Assignee)

Updated

13 years ago
Depends on: 329884
(Assignee)

Updated

13 years ago
Depends on: 329891
(Assignee)

Updated

13 years ago
Depends on: 330010
(Assignee)

Updated

13 years ago
Depends on: 330925
(Assignee)

Updated

13 years ago
Depends on: 330998
(Assignee)

Updated

13 years ago
Keywords: crash
(Assignee)

Updated

13 years ago
Depends on: 335896
(Assignee)

Updated

13 years ago
Depends on: 336065
(Assignee)

Updated

13 years ago
Depends on: 336074
(Assignee)

Updated

13 years ago
Depends on: 337066
(Assignee)

Updated

13 years ago
Depends on: 337412
(Assignee)

Updated

13 years ago
Depends on: 337419
(Assignee)

Updated

13 years ago
Depends on: 338251
(Assignee)

Updated

13 years ago
Depends on: 338301
(Assignee)

Updated

13 years ago
Depends on: 338312
(Assignee)

Updated

13 years ago
Depends on: 338649
(Assignee)

Comment 43

13 years ago
Stir DOM and some other fuzzers will need changes once bug 47903, "WRONG_DOCUMENT_ERR not being thrown", is fixed.  I'm not fixing Stir DOM now because I'm hoping to use adoptNode (bug 330677) rather than importNode.
(Assignee)

Comment 44

13 years ago
Posted file Stir DOM 1.8 (requires fuzz.js) (obsolete) —
* Converted it to use fuzz.js (see bug 339948).
* Turned off recursing into XBL for now.
* No longer uses separate versions for bookmarklet-source and recording :)
* Various small changes.
Attachment #196006 - Attachment is obsolete: true
Attachment #207402 - Attachment is obsolete: true
(Assignee)

Updated

13 years ago
Depends on: 340083
(Assignee)

Updated

13 years ago
Depends on: 340733
(Assignee)

Updated

13 years ago
Depends on: 342120
(Assignee)

Updated

13 years ago
Depends on: 342145
(Assignee)

Comment 45

13 years ago
Posted file Stir DOM 2.0 (obsolete) —
Updated for fuzz.js 2.0.
Attachment #224049 - Attachment is obsolete: true
(Assignee)

Updated

13 years ago
Depends on: 342923
Depends on: 342942
(Assignee)

Updated

13 years ago
Depends on: 342954
(Assignee)

Updated

13 years ago
Depends on: 343935
(Assignee)

Updated

13 years ago
Depends on: 344881
(Assignee)

Updated

13 years ago
Depends on: 344898
(Assignee)

Updated

13 years ago
Depends on: 346512
(Assignee)

Updated

13 years ago
Depends on: 347348
(Assignee)

Updated

13 years ago
Depends on: 347355
(Assignee)

Updated

13 years ago
Depends on: 347495
(Assignee)

Updated

13 years ago
Depends on: 348708
(Assignee)

Updated

13 years ago
Depends on: 348709
Depends on: 349355
(Assignee)

Updated

13 years ago
Depends on: 350128
(Assignee)

Updated

13 years ago
Depends on: 351627
(Assignee)

Updated

13 years ago
Depends on: 351628
Depends on: 322625
Depends on: 354133
Depends on: 354510
Depends on: 356325
(Assignee)

Comment 46

13 years ago
Posted file Stir DOM 3.0 (obsolete) —
Attachment #226744 - Attachment is obsolete: true
(Assignee)

Updated

13 years ago
Depends on: 359371
(Assignee)

Updated

13 years ago
Depends on: 361226
Depends on: 361389
Shouldn't have security bugs assigned to nobody. Jesse can own his test bugs
Assignee: nobody → jruderman
Depends on: 363448
Depends on: 365923
(Assignee)

Updated

13 years ago
Depends on: 366203
Depends on: 366493
(Assignee)

Updated

12 years ago
Depends on: 366537
(Assignee)

Updated

12 years ago
Depends on: 366564
(Assignee)

Updated

12 years ago
Depends on: 367111
Depends on: 367149
(Assignee)

Updated

12 years ago
Summary: Crashes found by Jesse's "Stir DOM" bookmarklet → Bugs found by Jesse's "Stir DOM" bookmarklet
(Assignee)

Updated

12 years ago
Depends on: 368860
(Assignee)

Updated

12 years ago
Depends on: 369126
(Assignee)

Updated

12 years ago
Depends on: 369438
(Assignee)

Updated

12 years ago
Depends on: 370876
Depends on: 371125
Depends on: 371124
(Assignee)

Updated

12 years ago
No longer depends on: 371124
(Assignee)

Comment 48

12 years ago
Comment on attachment 242967 [details]
Stir DOM 3.0

New version in bug 339948.
Attachment #242967 - Attachment is obsolete: true
(Assignee)

Updated

12 years ago
Severity: critical → normal
Version: 1.8 Branch → Trunk
(Assignee)

Updated

12 years ago
Depends on: 372550
(Assignee)

Updated

12 years ago
Depends on: 374882
(Assignee)

Updated

12 years ago
Depends on: 375058
(Assignee)

Updated

12 years ago
Depends on: 376666
Depends on: 377470
Depends on: 377783
(Assignee)

Updated

12 years ago
Depends on: 379217
Depends on: 379872
Depends on: 380482
Depends on: 380550
Depends on: 381057
Depends on: 381502
(Assignee)

Updated

12 years ago
Depends on: 382212
(Assignee)

Updated

12 years ago
Depends on: 382507
(Assignee)

Updated

12 years ago
Depends on: 383979
(Assignee)

Updated

12 years ago
Depends on: 384391
(Assignee)

Updated

12 years ago
Depends on: 384392
(Assignee)

Updated

12 years ago
Depends on: 384504
(Assignee)

Updated

12 years ago
Depends on: 384637
(Assignee)

Updated

12 years ago
Depends on: 385118
(Assignee)

Updated

12 years ago
Depends on: 385132
(Assignee)

Updated

12 years ago
Depends on: 385289
(Assignee)

Updated

12 years ago
Depends on: 386386
(Assignee)

Updated

12 years ago
Depends on: 386575
(Assignee)

Updated

12 years ago
Depends on: 386807
(Assignee)

Updated

12 years ago
Depends on: 386939
(Assignee)

Updated

12 years ago
Depends on: 387227
(Assignee)

Updated

12 years ago
Depends on: 388172
(Assignee)

Updated

12 years ago
Depends on: 389014
(Assignee)

Updated

12 years ago
Depends on: 389151
(Assignee)

Updated

12 years ago
Depends on: 389326
(Assignee)

Updated

12 years ago
Depends on: 389636
(Assignee)

Updated

12 years ago
Depends on: 390976
(Assignee)

Updated

12 years ago
Depends on: 392132
(Assignee)

Updated

12 years ago
Depends on: 393475
(Assignee)

Updated

12 years ago
Depends on: 393649
(Assignee)

Updated

12 years ago
Depends on: 393656
(Assignee)

Updated

12 years ago
Depends on: 393661
(Assignee)

Updated

12 years ago
Depends on: 393671
(Assignee)

Updated

12 years ago
Depends on: 393746
(Assignee)

Updated

12 years ago
Depends on: 393749
(Assignee)

Updated

12 years ago
Depends on: 393758
(Assignee)

Updated

12 years ago
Depends on: 393822
(Assignee)

Updated

12 years ago
Depends on: 394111
(Assignee)

Updated

12 years ago
Depends on: 395340
Depends on: 396744
Depends on: 397112
(Assignee)

Updated

12 years ago
Depends on: 397551
(Assignee)

Updated

12 years ago
Depends on: 397844
(Assignee)

Updated

12 years ago
Depends on: 397856
Depends on: 398021
(Assignee)

Updated

12 years ago
Depends on: 399365
(Assignee)

Updated

12 years ago
Depends on: 399412
(Assignee)

Updated

12 years ago
Depends on: 399687
(Assignee)

Updated

12 years ago
Depends on: 399694
Depends on: 399858
(Assignee)

Updated

12 years ago
Depends on: 400078
(Assignee)

Updated

12 years ago
Depends on: 400349
(Assignee)

Updated

12 years ago
No longer depends on: 323978
(Assignee)

Updated

12 years ago
Depends on: 401393
Depends on: 401395
(Assignee)

Updated

12 years ago
Depends on: 402172
(Assignee)

Updated

12 years ago
Depends on: 402400
(Assignee)

Updated

12 years ago
Depends on: 402408
(Assignee)

Updated

12 years ago
Depends on: 403134
(Assignee)

Updated

12 years ago
Depends on: 403369
(Assignee)

Updated

12 years ago
Depends on: 404213
(Assignee)

Updated

12 years ago
Depends on: 404215
(Assignee)

Updated

12 years ago
Depends on: 404470
(Assignee)

Updated

12 years ago
Depends on: 404721
(Assignee)

Updated

12 years ago
Depends on: 405639
(Assignee)

Updated

12 years ago
Depends on: 406902
(Assignee)

Updated

12 years ago
Depends on: 408292
(Assignee)

Updated

12 years ago
Depends on: 408904
(Assignee)

Updated

11 years ago
Depends on: 411835
(Assignee)

Updated

11 years ago
Depends on: 412243
(Assignee)

Updated

11 years ago
Depends on: 412543
(Assignee)

Updated

11 years ago
Depends on: 413079
(Assignee)

Updated

11 years ago
Depends on: 413085
(Assignee)

Updated

11 years ago
Depends on: 413174
(Assignee)

Updated

11 years ago
Depends on: 414719
(Assignee)

Updated

11 years ago
Depends on: 416107
(Assignee)

Updated

11 years ago
Depends on: 416734
(Assignee)

Updated

11 years ago
Depends on: 419527
(Assignee)

Updated

11 years ago
Depends on: 420031
(Assignee)

Updated

11 years ago
Depends on: 421393
(Assignee)

Updated

11 years ago
Depends on: 423107
(Assignee)

Updated

11 years ago
Depends on: 423264
(Assignee)

Updated

11 years ago
Depends on: 425981
(Assignee)

Updated

11 years ago
Depends on: 426040
(Assignee)

Updated

11 years ago
Depends on: 427325
(Assignee)

Updated

11 years ago
Depends on: 428113
(Assignee)

Updated

11 years ago
Depends on: 429454
(Assignee)

Updated

11 years ago
Depends on: 429881
(Assignee)

Updated

11 years ago
Depends on: 430991
(Assignee)

Updated

11 years ago
Depends on: 432058
(Assignee)

Updated

11 years ago
Depends on: 432752
(Assignee)

Updated

11 years ago
Depends on: 433450
Depends on: 434894
(Assignee)

Updated

11 years ago
Depends on: 436204
(Assignee)

Updated

11 years ago
Depends on: 442860
(Assignee)

Updated

11 years ago
Depends on: 443528
(Assignee)

Updated

11 years ago
Depends on: 443538
(Assignee)

Updated

11 years ago
Depends on: 443655
(Assignee)

Updated

11 years ago
Depends on: 444484
(Assignee)

Updated

11 years ago
Depends on: 445288
Depends on: 448064
(Assignee)

Updated

11 years ago
Depends on: 448993
(Assignee)

Updated

11 years ago
Depends on: 449129
(Assignee)

Updated

11 years ago
Depends on: 453406
(Assignee)

Updated

11 years ago
Depends on: 453736
(Assignee)

Updated

11 years ago
Depends on: 454361
(Assignee)

Updated

11 years ago
Depends on: 455614
(Assignee)

Updated

11 years ago
Depends on: 457514
(Assignee)

Updated

11 years ago
Depends on: 458493
(Assignee)

Updated

11 years ago
Depends on: 460209
(Assignee)

Updated

11 years ago
Depends on: 460323
(Assignee)

Updated

11 years ago
Depends on: 460910
(Assignee)

Updated

11 years ago
Depends on: 460924
(Assignee)

Updated

11 years ago
Depends on: 461289
(Assignee)

Updated

11 years ago
Depends on: 462968
(Assignee)

Updated

11 years ago
Depends on: 463741
(Assignee)

Updated

11 years ago
Depends on: 464589
(Assignee)

Updated

11 years ago
Depends on: 466585
(Assignee)

Updated

11 years ago
Depends on: 466763
(Assignee)

Updated

11 years ago
Depends on: 468578
(Assignee)

Updated

11 years ago
Depends on: 468773
(Assignee)

Updated

11 years ago
Depends on: 470063
(Assignee)

Updated

11 years ago
Depends on: 470167
(Assignee)

Updated

10 years ago
Depends on: 472237
(Assignee)

Updated

10 years ago
Depends on: 473042
(Assignee)

Updated

10 years ago
Depends on: 474041
(Assignee)

Updated

10 years ago
Depends on: 474377
(Assignee)

Updated

10 years ago
Depends on: 476579
(Assignee)

Updated

10 years ago
Depends on: 477878
(Assignee)

Updated

10 years ago
Depends on: 477928
(Assignee)

Updated

10 years ago
Depends on: 478527
(Assignee)

Updated

10 years ago
Depends on: 479938
(Assignee)

Updated

10 years ago
Depends on: 481089
(Assignee)

Updated

10 years ago
Depends on: 481139
(Assignee)

Updated

10 years ago
Depends on: 481806
(Assignee)

Updated

10 years ago
Depends on: 482398
(Assignee)

Updated

10 years ago
Depends on: 487539
(Assignee)

Updated

10 years ago
Depends on: 487724
(Assignee)

Updated

10 years ago
Depends on: 489480
(Assignee)

Updated

10 years ago
Depends on: 489501
(Assignee)

Updated

10 years ago
Depends on: 494225
(Assignee)

Updated

10 years ago
Depends on: 494332
(Assignee)

Updated

10 years ago
Depends on: 495546
(Assignee)

Updated

10 years ago
Depends on: 496011
(Assignee)

Updated

10 years ago
Depends on: 496062
(Assignee)

Updated

10 years ago
Depends on: 496420
(Assignee)

Updated

10 years ago
Depends on: 497734
(Assignee)

Updated

10 years ago
Depends on: 499841
(Assignee)

Updated

10 years ago
Depends on: 499857
(Assignee)

Updated

10 years ago
Depends on: 500847
(Assignee)

Updated

10 years ago
Depends on: 501878
(Assignee)

Updated

10 years ago
Depends on: 503699
(Assignee)

Updated

10 years ago
Depends on: 505399
(Assignee)

Updated

10 years ago
Depends on: 508154
(Assignee)

Updated

10 years ago
Depends on: 508919
(Assignee)

Updated

10 years ago
Depends on: 508908
(Assignee)

Updated

10 years ago
Depends on: 513153
(Assignee)

Updated

10 years ago
Depends on: 522516
(Assignee)

Updated

10 years ago
Depends on: 523468
(Assignee)

Updated

10 years ago
Depends on: 531550
(Assignee)

Updated

10 years ago
Depends on: 535632
(Assignee)

Updated

9 years ago
Depends on: 536720
(Assignee)

Updated

9 years ago
Depends on: 537624
(Assignee)

Updated

9 years ago
Depends on: 538062
(Assignee)

Updated

9 years ago
Depends on: 538210
(Assignee)

Updated

9 years ago
Depends on: 538233
(Assignee)

Updated

9 years ago
Depends on: 538267
(Assignee)

Updated

9 years ago
Depends on: 539167
(Assignee)

Updated

9 years ago
Depends on: 540760
(Assignee)

Updated

9 years ago
Depends on: 545574
(Assignee)

Updated

9 years ago
Depends on: 550355
(Assignee)

Updated

9 years ago
Depends on: 550362
(Assignee)

Updated

9 years ago
Depends on: 551620
(Assignee)

Updated

9 years ago
Depends on: 557348
(Assignee)

Updated

9 years ago
Depends on: 559491
(Assignee)

Updated

9 years ago
Depends on: 560447
(Assignee)

Updated

9 years ago
Depends on: 564063
(Assignee)

Updated

9 years ago
Depends on: 564368
(Assignee)

Updated

9 years ago
Depends on: 564968
(Assignee)

Updated

9 years ago
Depends on: 571105
(Assignee)

Updated

9 years ago
Depends on: 571981
(Assignee)

Updated

9 years ago
Depends on: 572003
(Assignee)

Updated

9 years ago
Depends on: 572607
(Assignee)

Updated

9 years ago
Depends on: 575446
(Assignee)

Updated

9 years ago
Depends on: 580129
(Assignee)

Updated

9 years ago
Depends on: 580140
(Assignee)

Updated

9 years ago
Depends on: 580151
(Assignee)

Updated

9 years ago
Depends on: 584208
(Assignee)

Updated

9 years ago
Depends on: 587336
(Assignee)

Updated

9 years ago
Depends on: 589316
(Assignee)

Updated

9 years ago
Depends on: 590395
(Assignee)

Updated

9 years ago
Depends on: 591141
Depends on: 591409
(Assignee)

Updated

9 years ago
Depends on: 591480
(Assignee)

Updated

9 years ago
Depends on: 592129
(Assignee)

Updated

9 years ago
Depends on: 595783
(Assignee)

Updated

9 years ago
Depends on: 596796
(Assignee)

Updated

9 years ago
Depends on: 596876
(Assignee)

Updated

9 years ago
Depends on: 597240
(Assignee)

Updated

9 years ago
Depends on: 597317
(Assignee)

Updated

9 years ago
Depends on: 604843
(Assignee)

Updated

9 years ago
Depends on: 605340
(Assignee)

Updated

9 years ago
Depends on: 605345
(Assignee)

Updated

9 years ago
Depends on: 606101
(Assignee)

Updated

9 years ago
Depends on: 606430
(Assignee)

Updated

9 years ago
Depends on: 606642
(Assignee)

Updated

9 years ago
Depends on: 611927
(Assignee)

Updated

9 years ago
Depends on: 612736
(Assignee)

Updated

9 years ago
Depends on: 615002
(Assignee)

Updated

9 years ago
Depends on: 615944
(Assignee)

Updated

9 years ago
Depends on: 616748
(Assignee)

Updated

9 years ago
Depends on: 617089
(Assignee)

Updated

8 years ago
Depends on: 621598
(Assignee)

Updated

8 years ago
Depends on: 627647
(Assignee)

Updated

8 years ago
Depends on: 635442
(Assignee)

Updated

8 years ago
Depends on: 635636
(Assignee)

Updated

8 years ago
Depends on: 637214
(Assignee)

Updated

8 years ago
Depends on: 643853
(Assignee)

Updated

8 years ago
Depends on: 650489
(Assignee)

Updated

8 years ago
Depends on: 654928
(Assignee)

Updated

8 years ago
Depends on: 655451
(Assignee)

Updated

8 years ago
Depends on: 656130
(Assignee)

Updated

8 years ago
Depends on: 665334
(Assignee)

Updated

8 years ago
Depends on: 667025
(Assignee)

Updated

8 years ago
Depends on: 667321
(Assignee)

Updated

8 years ago
Depends on: 669225
(Assignee)

Updated

8 years ago
Depends on: 674223
(Assignee)

Updated

8 years ago
Depends on: 690979
(Assignee)

Updated

8 years ago
Depends on: 690990
(Assignee)

Updated

8 years ago
Depends on: 690994
(Assignee)

Updated

8 years ago
Depends on: 691096
(Assignee)

Updated

8 years ago
Depends on: 693142
(Assignee)

Updated

8 years ago
Depends on: 695573
(Assignee)

Updated

8 years ago
Depends on: 696175
(Assignee)

Updated

8 years ago
Depends on: