Bug 306663 (stirdom)

Bugs found by "Stir DOM" module of DOMFuzz

NEW
Assigned to

Status

()

defect
14 years ago
Last year

People

(Reporter: jruderman, Assigned: jruderman)

Tracking

(Depends on 18 bugs, Blocks 1 bug, {meta, sec-other})

Trunk
Points:
---
384504, 436204, 584208, 591480, 709536, 725928, 767233, 788929, 872878, 878538, 883712, 1191948, 1223724, 1230378, 1230424, 1233254, 1286419, 1411689, 205735, 265367, 291531, 291902, 294022, 306782, 306787, 306789, 306798, 306902, 306911, 306915, 307277, 307280, 307298, 307314, 307322, 307394, 307444, 307470, 307565, 307826, 307839, 307854, 307989, 307992, 308120, 308278, 308585, 308752, 308917, 309120, 309122, 309732, 310267, 310426, 310436, 310520, 310556, 310638, 311478, 314307, 315549, 317544, 317545, 317546, 317547, 317549, 321299, 322625, 323022, 323585, 323604, 324318, 324918, 325427, 325984, 328944, 328946, 329335, 329407, 329884, 329891, 330010, 330925, 330998, 335896, 336065, 336074, 337066, 337412, 337419, 338251, 338301, 338312, 338649, 340083, 340733, 342120, 342145, 342923, 342942, 342954, 343935, 344881, 344898, 346512, 347348, 347355, 347495, 348708, 348709, 349355, 350128, 351627, 351628, 354133, 354510, 356325, 359371, 361226, 361389, 363448, 365923, 366203, 366493, 366537, 366564, 367111, 367149, 368860, 369126, 369438, 370876, 371125, 372550, 374882, 375058, 376666, 377470, 377783, 379217, 379872, 380482, 380550, 381057, 381502, 382212, 382507, 383979, 384391, 384392, 384637, 385118, 385132, 385289, 386386, 386575, 386807, 386939, 387227, 388172, 389014, 389151, 389326, 389636, 390976, 392132, 393475, 393649, 393656, 393661, 393671, 393746, 393749, 393758, 393822, 394111, 395340, 396744, 397112, 397551, 397844, 397856, 398021, 399365, 399412, 399687, 399694, 399858, 400078, 400349, 401393, 401395, 402172, 402400, 402408, 403134, 403369, 404213, 404215, 404470, 404721, 405639, 406902, 408292, 408904, 411835, 412243, 412543, 413079, 413085, 413174, 414719, 416107, 416734, 419527, 420031, 421393, 423107, 423264, 425981, 426040, 427325, 428113, 429454, 429881, 430991, 432058, 432752, 433450, 434894, 442860, 443528, 443538, 443655, 444484, 445288, 448064, 448993, 449129, 453406, 453736, 454361, 455614, 457514, 458493, 460209, 460323, 460910, 460924, 461289, 462968, 463741, 464589, 466585, 466763, 468578, 468773, 470063, 470167, 472237, 473042, 474041, 474377, 476579, 477878, 477928, 478527, 479938, 481089, 481139, 481806, 482398, 487539, 487724, 489480, 489501, 494225, 494332, 495546, 496011, 496062, 496420, 497734, 499841, 499857, 500847, 501878, 503699, 505399, 508154, 508908, 508919, 513153, 522516, 523468, 531550, 535632, 536720, 537624, 538062, 538210, 538233, 538267, 539167, 540760, 545574, 550355, 550362, 551620, 557348, 559491, 560447, 564063, 564368, 564968, 571105, 571981, 572003, 572607, 575446, 580129, 580140, 580151, 587336, 589316, 590395, 591141, 591409, 592129, 595783, 596796, 596876, 597240, 597317, 604843, 605340, 605345, 606101, 606430, 606642, 611927, 612736, 615002, 615944, 616748, 617089, 621598, 627647, 635442, 635636, 637214, 643853, 650489, 654928, 655451, 656130, 665334, 667025, 667321, 669225, 674223, 690979, 690990, 690994, 691096, 693142, 695573, 696175, 707098, 710149, 713413, 713499, 716503, 718236, 718290, 723382, 723657, 725918, 729431, 736389, 736924, 738555, 740199, 742190, 745699, 757751, 760957, 766471, 779707, 780764, 788831, 791430, 791601, 797945, 803562, 809762, 822086, 841163, 843086, 847119, 847130, 849593, 852129, 852138, 852150, 852293, 856402, 862303, 866659, 867487, 873222, 880892, 883708, 884202, 886215, 886230, 890775, 893515, 895082, 897384, 898913, 898926, 898951, 914029, 914501, 931453, 931464, 936988, 950000, 950324, 978644, 1007298, 1009036, 1015562, 1072137, 1072792, 1133615, 1133964, 1153695, 1153716, 1156257, 1156588, 1169423, 1190646, 1217984, 1223522, 1223561, 1228707, 1228876, 1230110, 1233191, 1234701, 1250793, 1274579, 1278457, 1281715, 1282691, 1282894, 1286013
Dependency tree / graph
Bug Flags:
blocking1.8b5 -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:nse] meta)

Attachments

(3 attachments, 8 obsolete attachments)

Assignee

Description

14 years ago
Steps to reproduce:
1. Go to a small web page, such as http://www.google.com/.
2. Use the bookmarklet in this bug's URL field.
3. Wait a while.

Result: more often than not, Firefox crashes with a minute or two.

Here are the crashes I've seen so far with the bookmarklet:

nsStyleContext::GetStyleData()
TB8922845W, TB8923024X, TB8923158K, TB8923275Q, TB8923389M, TB8923438Z

GetNifOrSpecialSibling()
TB8923432H

nsCSSFrameConstructor::GetFloatContainingBlock()
TB8922738K, TB8923005W, TB8923133W*

The starred crash report is particularly scary because it occurred at a "random
address" with SIGILL.  According to the libc manual, "SIGILL typically indicates
that the executable file is corrupted, or that you are trying to execute data."  

I'm filing this as a security-sensitive bug because I have already found a
potential security hole with it.  I will keep the bookmarklet secret for now as
well, because someone with the bookmarklet might be able to rediscover the
scarier crashes.

I can make a more deterministic version of the bookmarklet if that would make it
easier to make a testcase for each crash it finds.
Assignee

Updated

14 years ago
Group: security
Fun.  This needs attention, pronto.  Who will own it?

/be
Flags: blocking1.8b5+
Flags: blocking1.8b4?
These additional assertions prevent one problem from showing up 20 frames down
the stack when we do a bogus reflow with a bogus 0 availableHeight -- they at
least cause the problem to show up as an assertion pretty close to where it
happens.  I think the underlying problem here is bug 203923.  But I don't know
whether it's related to any of the crashes, which I haven't hit yet.
Assignee

Comment 3

14 years ago
The GetNifOrSpecialSibling crash might also be exploitable: TB8950615Y.
Assignee

Updated

14 years ago
Depends on: 306782
Assignee

Updated

14 years ago
Depends on: 306789
Assignee

Updated

14 years ago
Depends on: 306798
Assignee

Updated

14 years ago
Depends on: 306787
Assignee

Comment 4

14 years ago
All of the crashes I've found so far happen on the Gecko 1.8 branch but not on
trunk.  I suspect they all have the same underlying cause, which was fixed on
the trunk after the branch point.
Assignee

Comment 5

14 years ago
I've seen Opera(Win), IE(Win), and Safari(Mac) crash with this bookmarklet.  I
haven't seen Firefox trunk crash yet.
Jesse, could you possibly try trunk builds to see when the crash disappeared on
trunk?
Assignee

Comment 7

14 years ago
The crashes for the testcases on all four bugs (bug 306782, bug 306787, bug
306789, bug 306798) disappeared between Aug 16 and Aug 17 trunk nightlies.

2005-08-16-07-trunk - crash (all four testcases)
2005-08-17-09-trunk - no crash (all four testcases)

Bug 265367 was checked in between those builds.  Could it have fixed these crashes?
FWIW I eventually got a crash running that bookmarklet on this very page (the
bug report itself, I mean).
> Bug 265367 was checked in between those builds.  Could it have fixed these
> crashes?

Possibly, yes.  It would certainly help on any page that has an animated image
in a very direct way; for other pages I'm not sure how it could prevent crashes,
but I wouldn't be too surprised.

Also bug 289377 landed in the same range.  And so did bug 303484.
So I found a general case where the patch for bug 265367 would prevent a crash.

Say we have nodes A, B, and C and that the frame for node A is a leaf (eg A is
an <img>).  Consider the following sequence of operations, starting with a state
when A is in the document and hence has a frame (called A').

1)  Insert B as a child of A.  This creates a frame B' for B, sets the parent of
    B' to be A', sets B' as the primary frame for B.  Then we try to append B'
    to the frame list of A'.  This throws, but the error return is ignored.  So
    B' is not in the child list of A' (since A' has no child list).
2)  Move A to a different place in the DOM.  This destroys A' and all its
    descendants.  Since B' is not a child of A', B' is NOT destroyed.
3)  Insert C as a child of B.  This tries to create a frame C' for C, with B' as
    its parent (since B' is what we got when we did a primary frame lookup on
    B).  We start looking up things like the containing blocks we should use,
    which means we walk the parent chain of B'.  But the mParent pointer of B'
    points to the now-deleted A' frame, or in other words to some random memory.
    We might not crash there right away, since the random memory comes from an
    arena and hence is probably still allocated to our process; if we've
    allocated over it again, it won't even be marked with 0xdddddddd.

The alternative to the patch for bug 265367 is to actually check rv for all
cases when we're inserting or appending frames and clean up if it fails (at the
very least clean up the primary frame map).  This is not completely trivial to
do right in full generality (i.e. with destruction of the not-appended frames),
I suspect, and the patch for bug 265367 is pretty safe given that there have
been no regressions reported yet, so maybe we should just take bug 265367 on the
branch and also add the rv checks on trunk just in case?

Comment 11

14 years ago
Jesse, what did 1.0.x do with this test case? Is this crash a regression over
1.0? Fixing this crash may mean taking a pretty large change to gecko, Bug
265367 which scares me after a looking at it briefly. I'd like to see if this
crash is new or not and how many crash reports we are seeing in talkback before
making a decision on this and 265367.

> what did 1.0.x do with this test case?

Crashed.

It also crashed on the testcases in bug 291022 and bug 291513, of course.  ;)

And I think the reason Jesse is worried is not just because it's a crash but a
crash likely to be exploitable.

For what it's worth, the change for bug 265367 is a good bit safer than a lot of
the other stuff we've been landing on branch for a while now...  At least in my
opinion.  The other approach (of checking rv on the inserts/appends) would
actually be less safe, imo (and would certainly be less tested; I was running
with the patch in bug 265367 for three months and didn't see any issues).
going to take 256367 asap.
Flags: blocking1.8b4?
Assignee

Comment 14

14 years ago
I made a small change to the bookmarklet so it would work on XML pages:
- var myRoot = document.body;
+ var myRoot = document.body || document.documentElement;
Assignee

Updated

14 years ago
Depends on: 306902
Assignee

Updated

14 years ago
Depends on: 306911
Assignee

Updated

14 years ago
Depends on: 306915
Checked in bug 265367 on the 1.8 branch.
Assignee

Comment 16

14 years ago
Aaron, tomorrow's branch build won't crash much when you use this bookmarklet on
HTML pages, so you can start testing accessiblity code and/or screen readers
with this bookmarklet.  See the testcase in e.g. bug 306915 for the version that
includes its own random number generator for reproducibility.
Assignee

Comment 17

14 years ago
See also bug 306939, the metabug for another crash-finding bookmarklet.
Assignee

Comment 18

14 years ago
I should do another round of testing on HTML now that I can avoid the crashes
caused by bug 265367.

Bug 306902 shows up often (with many different seeds) on mixed HTML-and-MathML.
 I'll do another round of testing on mixed HTML-and-MathML pages once it is fixed.

Bug 306911 or bug 306915 happens almost immediately when I run the bookmarklet
on a XUL page.  I'll do another round of testing on XUL pages once they are fixed.
Assignee

Comment 19

14 years ago
How much do we care about assertion failures turned up by this kind of testing?
 Memory leaks?
> How much do we care about assertion failures turned up by this kind of testing?

I care a good bit.

> Memory leaks?

Same, esp. if we can get a non-randomized testcase... ;)
(In reply to comment #20)
> > How much do we care about assertion failures turned up by this kind of testing?
> 
> I care a good bit.

I proposed that we make assertions fatal for 1.9, see
http://weblogs.mozillazine.org/roadmap/archives/2005_01.html.  dbaron suggested
doing this first by setting the XPCOM_DEBUG_BREAK envariable for some tinderbox
machines, to build up cross-platform testing coverage.  That's a good idea, and
I think we will do this starting tomorrow, or as soon as we can.

/be
Assignee

Updated

14 years ago
Depends on: 307277
Assignee

Updated

14 years ago
Depends on: 307280
Assignee

Comment 22

14 years ago
I'm seeing crashes at DoDeletingFrameSubtree (bug 307277) and/or
nsBlockFrame::Destroy (bug 307280) on multiple sites:
http://www.csszengarden.com/, http://www.43things.com/, http://www.w3.org/Style/.

Once those bugs are fixed, I'll retest those sites.
Assignee

Comment 23

14 years ago
Putting new version of the bookmarklet in the URL field.  You can now control
the random number seed and several speed-related parameters.
Assignee

Updated

14 years ago
Depends on: 307298
Assignee

Comment 24

14 years ago
I will retest http://www.xulplanet.com/tutorials/xulqa/treeimage.xul and other
tree examples after bug 307298 is fixed.
Assignee

Updated

14 years ago
Alias: stirdom
Assignee

Updated

14 years ago
Depends on: 307314
Assignee

Comment 25

14 years ago
I will retest http://www.carto.net/papers/svg/samples/text.svg after bug 307314
is fixed.
Assignee

Updated

14 years ago
Depends on: 307322
Assignee

Comment 26

14 years ago
I will retest http://www.carto.net/papers/svg/samples/symbol.svg after bug
307322 is fixed.
Assignee

Comment 27

14 years ago
I retested http://www.carto.net/papers/svg/samples/text.svg on trunk (now that
bug 307314 is fixed) and didn't hit any more crashes :)
Assignee

Updated

14 years ago
Depends on: 307444
Assignee

Comment 28

14 years ago
I will retest everything under
http://www.w3.org/Graphics/SVG/Test/20030813/htmlframe/full-index.html once bug
307444 is fixed.
Assignee

Comment 29

14 years ago
... and http://www.svgbasics.com/.
Assignee

Updated

14 years ago
Depends on: 307470
Assignee

Comment 30

14 years ago
I will retest http://www.svgbasics.com/examples/marker_ex1.svg after bug 307470
is fixed.
Assignee

Updated

14 years ago
Depends on: 307565
Assignee

Comment 31

14 years ago
I will retest http://www.w3.org/TR/SVG/images/filters/filters01.svg on Windows
after bug 307565 is fixed with seeds 0 and 1, at least.
Assignee

Comment 32

14 years ago
Assignee

Comment 33

14 years ago
Attachment #195379 - Attachment is obsolete: true
Assignee

Updated

14 years ago
Blocks: 307826
Assignee

Updated

14 years ago
Depends on: 307839
Assignee

Updated

14 years ago
No longer blocks: 307826
Depends on: 307826
Assignee

Updated

14 years ago
Depends on: 307854
Assignee

Updated

14 years ago
Depends on: 307989
Assignee

Updated

14 years ago
Depends on: 307992
Assignee

Updated

14 years ago
Depends on: 308120
Assignee

Updated

14 years ago
Depends on: 308278
Assignee

Comment 34

14 years ago
* Added discovery of nodes in frames, iframes, and <embed>s containing SVG.
* Added discovery of XBL anonymous children.
* Made it use chained setTimeout instead of setInterval to improve
responsiveness when slow.
* Increased the default speed.
* Commented out the "javascript:" at the top of the non-bookmarklet version
because it caused a parse error in Safari.
Attachment #195381 - Attachment is obsolete: true
Assignee

Comment 35

14 years ago
List includes URLs I found crashes on and URLs that use rarely-used Gecko
features.

Updated

14 years ago
Attachment #194596 - Flags: review?(bernd.mielke) → review+
Assignee

Updated

14 years ago
Depends on: 308585
Assignee

Updated

14 years ago
Depends on: 308752
FYI, I'm not authorized to access the majority of the bugs you're referring,
in case you want any help on those...
Assignee

Updated

14 years ago
Depends on: 308917
Assignee

Updated

14 years ago
Depends on: 309120
Assignee

Updated

14 years ago
Depends on: 309122
Assignee

Updated

14 years ago
Depends on: 309732
Assignee

Updated

14 years ago
Depends on: 291531, 291902
Assignee

Comment 37

14 years ago
There are five remaining StirDOM crashes that look exploitable to me:
  * Tables:     bug 308752
  * DOM+UI:     bug 307992, bug 307989
  * MathML:     bug 309120, bug 307826

There are several types of content for which Stir DOM runs into the same crash
often enough that it's hard to tell whether there are other crashes:
  * XBL:        bug 308120
  * XUL grids:  bug 306911
  * XUL trees:  bug 291531, bug 309732
  * SVG:        bug 307444

Based on what bz said in a security-group@ email, it sounds like we can't fix
the XUL crashes for Firefox 1.5 without making Firefox 1.5 slip.  I'm ok with
postponing the release of Stir DOM until the next version of Firefox and hoping
nobody else thinks of doing the same kind of fuzz testing on web browsers.  It
would be nice if the already-known, exploitable-looking crashes were fixed for
Firefox 1.5, though.

Gecko has a hidden pref for disabling SVG for use during security firedrills. 
It might be worthwhile to add similar prefs for disabling:
  * XUL in non-chrome
  * MathML
  * XBL in non-chrome (including <marquee> and <xul:button>)
Assignee

Updated

14 years ago
Depends on: 310267
Assignee

Updated

14 years ago
Depends on: 310426
Assignee

Updated

14 years ago
Depends on: 310436
Assignee

Updated

14 years ago
Depends on: 310520
We'll evaluate each crash fix as they come in. No longer blocking on tracking bugs.
Flags: blocking1.8b5+ → blocking1.8b5-
Assignee

Updated

14 years ago
Depends on: 310556
Assignee

Updated

14 years ago
Depends on: 310638
Assignee

Comment 39

14 years ago
Posted file Stir DOM recorder (obsolete) —
This is one of the tools I use to reduce Stir DOM testcases.  Its output is
intended to be pasted back in, replacing the first two lines of the script.
Assignee

Updated

14 years ago
Depends on: 311478
Whiteboard: [sg:investigate]
Assignee

Updated

14 years ago
Blocks: fuzz

Updated

14 years ago
Depends on: 317544

Updated

14 years ago
Depends on: 317545

Updated

14 years ago
Depends on: 317546

Updated

14 years ago
Depends on: 317547

Updated

14 years ago
Depends on: 317549

Updated

14 years ago
Flags: blocking1.8.0.1?

Comment 40

14 years ago
crashes or timeouts found in this run appear as 

stirdom: url?fuzz=parms...

The test loads the page (with the querystring), then runs the stirdom
bookmarklet with the specified parameters. You can copy/paste the parameters
from the query string directly into the stirdom input prompt.

The end of each line identifies the machine, the date the test run began and
the build which was tested. For example, 

prunessh/2005-12-17-02-34-33-firefox-1.5-build-dbg-1.8_2005121411.log

was run on prune (a windows machine), on Dec 17, using a 1.8 debug build built
on 2005-12-14-11. 

You can reproduce each test case by loading the url including the query string,
then running stirdom with the appropriate parameter.

Updated

14 years ago
Depends on: 321299
Assignee

Comment 41

14 years ago
Posted file Stir DOM recorder (obsolete) —
Changes made to both Stir DOM and Random Styles recorders:
1. Make it record information about chunks/intervals so that
  (a) it can record the equivalent of a nonzero "number of changes to do immediately" in the bookmarklet.
  (b) while reducing, the chunk boundaries don't move.
2. Make it work with both XML and HTML without requiring separate versions.
3. Improve the instructions.
Attachment #198555 - Attachment is obsolete: true
Flags: blocking1.8.0.1? → blocking1.8.0.1+
Whiteboard: [sg:investigate] → [sg:nse] meta
Flags: blocking1.8.0.1+

Updated

14 years ago
Depends on: 323022
Assignee

Updated

14 years ago
Depends on: 205735
Assignee

Updated

14 years ago
Depends on: 323585
Assignee

Updated

14 years ago
Depends on: 315549
Assignee

Updated

14 years ago
Depends on: 323604
Assignee

Updated

14 years ago
Depends on: 323978
Assignee

Updated

14 years ago
Depends on: 324318
Assignee

Updated

14 years ago
Depends on: 294022
Assignee

Comment 42

14 years ago
Stupid bug:

  if(n.getSVGDocument){try{addNodes(n.getSVGDocument());}catch(ex){}}

should check that n.getSVGDocument() is non-null before recursing.  I'm not fixing it (yet) because I'm lazy, and because it would change the behavior of the script on any page that uses Flash and I want to avoid changing its behavior too much.
Assignee

Updated

14 years ago
Depends on: 254144
Assignee

Updated

14 years ago
Depends on: 324918
Assignee

Updated

14 years ago
No longer depends on: 254144
Assignee

Updated

14 years ago
Depends on: 325427
Assignee

Updated

14 years ago
Depends on: 325984
Assignee

Updated

14 years ago
Depends on: 328944
Assignee

Updated

14 years ago
Depends on: 328946
Assignee

Updated

14 years ago
Depends on: 329335
Assignee

Updated

14 years ago
Depends on: 314307
Assignee

Updated

14 years ago
Depends on: 329407
Assignee

Updated

14 years ago
Depends on: 329884
Assignee

Updated

14 years ago
Depends on: 329891
Assignee

Updated

14 years ago
Depends on: 330010
Assignee

Updated

13 years ago
Depends on: 330925
Assignee

Updated

13 years ago
Depends on: 330998
Assignee

Updated

13 years ago
Keywords: crash
Assignee

Updated

13 years ago
Depends on: 335896
Assignee

Updated

13 years ago
Depends on: 336065
Assignee

Updated

13 years ago
Depends on: 336074
Assignee

Updated

13 years ago
Depends on: 337066
Assignee

Updated

13 years ago
Depends on: 337412
Assignee

Updated

13 years ago
Depends on: 337419
Assignee

Updated

13 years ago
Depends on: 338251
Assignee

Updated

13 years ago
Depends on: 338301
Assignee

Updated

13 years ago
Depends on: 338312
Assignee

Updated

13 years ago
Depends on: 338649
Assignee

Comment 43

13 years ago
Stir DOM and some other fuzzers will need changes once bug 47903, "WRONG_DOCUMENT_ERR not being thrown", is fixed.  I'm not fixing Stir DOM now because I'm hoping to use adoptNode (bug 330677) rather than importNode.
Assignee

Comment 44

13 years ago
Posted file Stir DOM 1.8 (requires fuzz.js) (obsolete) —
* Converted it to use fuzz.js (see bug 339948).
* Turned off recursing into XBL for now.
* No longer uses separate versions for bookmarklet-source and recording :)
* Various small changes.
Attachment #196006 - Attachment is obsolete: true
Attachment #207402 - Attachment is obsolete: true
Assignee

Updated

13 years ago
Depends on: 340083
Assignee

Updated

13 years ago
Depends on: 340733
Assignee

Updated

13 years ago
Depends on: 342120
Assignee

Updated

13 years ago
Depends on: 342145
Assignee

Comment 45

13 years ago
Posted file Stir DOM 2.0 (obsolete) —
Updated for fuzz.js 2.0.
Attachment #224049 - Attachment is obsolete: true
Assignee

Updated

13 years ago
Depends on: 342923

Updated

13 years ago
Depends on: 342942
Assignee

Updated

13 years ago
Depends on: 342954
Assignee

Updated

13 years ago
Depends on: 343935
Assignee

Updated

13 years ago
Depends on: 344881
Assignee

Updated

13 years ago
Depends on: 344898
Assignee

Updated

13 years ago
Depends on: 346512
Assignee

Updated

13 years ago
Depends on: 347348
Assignee

Updated

13 years ago
Depends on: 347355
Assignee

Updated

13 years ago
Depends on: 347495
Assignee

Updated

13 years ago
Depends on: 348708
Assignee

Updated

13 years ago
Depends on: 348709

Updated

13 years ago
Depends on: 349355
Assignee

Updated

13 years ago
Depends on: 350128
Assignee

Updated

13 years ago
Depends on: 351627
Assignee

Updated

13 years ago
Depends on: 351628
Depends on: 322625
Depends on: 354133
Depends on: 354510
Depends on: 356325
Assignee

Comment 46

13 years ago
Posted file Stir DOM 3.0 (obsolete) —
Attachment #226744 - Attachment is obsolete: true
Assignee

Updated

13 years ago
Depends on: 359371
Assignee

Updated

13 years ago
Depends on: 361226
Depends on: 361389
Shouldn't have security bugs assigned to nobody. Jesse can own his test bugs
Assignee: nobody → jruderman
Depends on: 363448

Updated

13 years ago
Depends on: 365923
Assignee

Updated

13 years ago
Depends on: 366203
Depends on: 366493
Assignee

Updated

13 years ago
Depends on: 366537
Assignee

Updated

13 years ago
Depends on: 366564
Assignee

Updated

13 years ago
Depends on: 367111
Depends on: 367149
Assignee

Updated

13 years ago
Summary: Crashes found by Jesse's "Stir DOM" bookmarklet → Bugs found by Jesse's "Stir DOM" bookmarklet
Assignee

Updated

13 years ago
Depends on: 368860
Assignee

Updated

13 years ago
Depends on: 369126
Assignee

Updated

13 years ago
Depends on: 369438
Assignee

Updated

13 years ago
Depends on: 370876
Depends on: 371125
Depends on: 371124
Assignee

Updated

13 years ago
No longer depends on: 371124
Assignee

Comment 48

13 years ago
Comment on attachment 242967 [details]
Stir DOM 3.0

New version in bug 339948.
Attachment #242967 - Attachment is obsolete: true
Assignee

Updated

13 years ago
Severity: critical → normal
Version: 1.8 Branch → Trunk
Assignee

Updated

13 years ago
Depends on: 372550
Assignee

Updated

12 years ago
Depends on: 374882
Assignee

Updated

12 years ago
Depends on: 375058
Assignee

Updated

12 years ago
Depends on: 376666
Depends on: 377470
Depends on: 377783
Assignee

Updated

12 years ago
Depends on: 379217
Depends on: 379872
Depends on: 380482
Depends on: 380550
Depends on: 381057
Depends on: 381502
Assignee

Updated

12 years ago
Depends on: 382212
Assignee

Updated

12 years ago
Depends on: 382507
Assignee

Updated

12 years ago
Depends on: 383979
Assignee

Updated

12 years ago
Depends on: 384391
Assignee

Updated

12 years ago
Depends on: 384392
Assignee

Updated

12 years ago
Depends on: 384504
Assignee

Updated

12 years ago
Depends on: 384637
Assignee

Updated

12 years ago
Depends on: 385118
Assignee

Updated

12 years ago
Depends on: 385132
Assignee

Updated

12 years ago
Depends on: 385289
Assignee

Updated

12 years ago
Depends on: 386386
Assignee

Updated

12 years ago
Depends on: 386575
Assignee

Updated

12 years ago
Depends on: 386807
Assignee

Updated

12 years ago
Depends on: 386939
Assignee

Updated

12 years ago
Depends on: 387227
Assignee

Updated

12 years ago
Depends on: 388172
Assignee

Updated

12 years ago
Depends on: 389014
Assignee

Updated

12 years ago
Depends on: 389151
Assignee

Updated

12 years ago
Depends on: 389326
Assignee

Updated

12 years ago
Depends on: 389636
Assignee

Updated

12 years ago
Depends on: 390976
Assignee

Updated

12 years ago
Depends on: 392132
Assignee

Updated

12 years ago
Depends on: 393475
Assignee

Updated

12 years ago
Depends on: 393649
Assignee

Updated

12 years ago
Depends on: 393656
Assignee

Updated

12 years ago
Depends on: 393661
Assignee

Updated

12 years ago
Depends on: 393671
Assignee

Updated

12 years ago
Depends on: 393746
Assignee

Updated

12 years ago
Depends on: 393749
Assignee

Updated

12 years ago
Depends on: 393758
Assignee

Updated

12 years ago
Depends on: 393822
Assignee

Updated

12 years ago
Depends on: 394111
Assignee

Updated

12 years ago
Depends on: 395340
Depends on: 396744
Depends on: 397112
Assignee

Updated

12 years ago
Depends on: 397551
Assignee

Updated

12 years ago
Depends on: 397844
Assignee

Updated

12 years ago
Depends on: 397856
Depends on: 398021
Assignee

Updated

12 years ago
Depends on: 399365
Assignee

Updated

12 years ago
Depends on: 399412
Assignee

Updated

12 years ago
Depends on: 399687
Assignee

Updated

12 years ago
Depends on: 399694
Depends on: 399858
Assignee

Updated

12 years ago
Depends on: 400078
Assignee

Updated

12 years ago
Depends on: 400349
Assignee

Updated

12 years ago
No longer depends on: 323978
Assignee

Updated

12 years ago
Depends on: 401393
Depends on: 401395
Assignee

Updated

12 years ago
Depends on: 402172
Assignee

Updated

12 years ago
Depends on: 402400
Assignee

Updated

12 years ago
Depends on: 402408
Assignee

Updated

12 years ago
Depends on: 403134
Assignee

Updated

12 years ago
Depends on: 403369
Assignee

Updated

12 years ago
Depends on: 404213
Assignee

Updated

12 years ago
Depends on: 404215
Assignee

Updated

12 years ago
Depends on: 404470
Assignee

Updated

12 years ago
Depends on: 404721
Assignee

Updated

12 years ago
Depends on: 405639
Assignee

Updated

12 years ago
Depends on: 406902
Assignee

Updated

12 years ago
Depends on: 408292
Assignee

Updated

12 years ago
Depends on: 408904
Assignee

Updated

12 years ago
Depends on: 411835
Assignee

Updated

12 years ago
Depends on: 412243
Assignee

Updated

12 years ago
Depends on: 412543
Assignee

Updated

12 years ago
Depends on: 413079
Assignee

Updated

12 years ago
Depends on: 413085
Assignee

Updated

12 years ago
Depends on: 413174
Assignee

Updated

12 years ago
Depends on: 414719
Assignee

Updated

12 years ago
Depends on: 416107
Assignee

Updated

12 years ago
Depends on: 416734
Assignee

Updated

12 years ago
Depends on: 419527
Assignee

Updated

12 years ago
Depends on: 420031
Assignee

Updated

11 years ago
Depends on: 421393
Assignee

Updated

11 years ago
Depends on: 423107
Assignee

Updated

11 years ago
Depends on: 423264
Assignee

Updated

11 years ago
Depends on: 425981
Assignee

Updated

11 years ago
Depends on: 426040
Assignee

Updated

11 years ago
Depends on: 427325
Assignee

Updated

11 years ago
Depends on: 428113
Assignee

Updated

11 years ago
Depends on: 429454
Assignee

Updated

11 years ago
Depends on: 429881
Assignee

Updated

11 years ago
Depends on: 430991
Assignee

Updated

11 years ago
Depends on: 432058
Assignee

Updated

11 years ago
Depends on: 432752
Assignee

Updated

11 years ago
Depends on: 433450
Depends on: 434894
Assignee

Updated

11 years ago
Depends on: 436204
Assignee

Updated

11 years ago
Depends on: 442860
Assignee

Updated

11 years ago
Depends on: 443528
Assignee

Updated

11 years ago
Depends on: 443538
Assignee

Updated

11 years ago
Depends on: 443655
Assignee

Updated

11 years ago
Depends on: 444484
Assignee

Updated

11 years ago
Depends on: 445288
Depends on: 448064
Assignee

Updated

11 years ago
Depends on: 448993
Assignee

Updated

11 years ago
Depends on: 449129
Assignee

Updated

11 years ago
Depends on: 453406
Assignee

Updated

11 years ago
Depends on: 453736
Assignee

Updated

11 years ago
Depends on: 454361
Assignee

Updated

11 years ago
Depends on: 455614
Assignee

Updated

11 years ago
Depends on: 457514
Assignee

Updated

11 years ago
Depends on: 458493
Assignee

Updated

11 years ago
Depends on: 460209
Assignee

Updated

11 years ago
Depends on: 460323
Assignee

Updated

11 years ago
Depends on: 460910
Assignee

Updated

11 years ago
Depends on: 460924
Assignee

Updated

11 years ago
Depends on: 461289
Assignee

Updated

11 years ago
Depends on: 462968
Assignee

Updated

11 years ago
Depends on: 463741
Assignee

Updated

11 years ago
Depends on: 464589
Assignee

Updated

11 years ago
Depends on: 466585
Assignee

Updated

11 years ago
Depends on: 466763
Assignee

Updated

11 years ago
Depends on: 468578
Assignee

Updated

11 years ago
Depends on: 468773
Assignee

Updated

11 years ago
Depends on: 470063
Assignee

Updated

11 years ago
Depends on: 470167
Assignee

Updated

11 years ago
Depends on: 472237
Assignee

Updated

11 years ago
Depends on: 473042
Assignee

Updated

11 years ago
Depends on: 474041
Assignee

Updated

11 years ago
Depends on: 474377
Assignee

Updated

11 years ago
Depends on: 476579
Assignee

Updated

11 years ago
Depends on: 477878
Assignee

Updated

11 years ago
Depends on: 477928
Assignee

Updated

11 years ago
Depends on: 478527
Assignee

Updated

10 years ago
Depends on: 479938
Assignee

Updated

10 years ago
Depends on: 481089
Assignee

Updated

10 years ago
Depends on: 481139
Assignee

Updated

10 years ago
Depends on: 481806
Assignee

Updated

10 years ago
Depends on: 482398
Assignee

Updated

10 years ago
Depends on: 487539
Assignee

Updated

10 years ago
Depends on: 487724
Assignee

Updated

10 years ago
Depends on: 489480
Assignee

Updated

10 years ago
Depends on: 489501
Assignee

Updated

10 years ago
Depends on: 494225
Assignee

Updated

10 years ago
Depends on: 494332
Assignee

Updated

10 years ago
Depends on: 495546
Assignee

Updated

10 years ago
Depends on: 496011
Assignee

Updated

10 years ago
Depends on: 496062
Assignee

Updated

10 years ago
Depends on: 496420
Assignee

Updated

10 years ago
Depends on: 497734
Assignee

Updated

10 years ago
Depends on: 499841
Assignee

Updated

10 years ago
Depends on: 499857
Assignee

Updated

10 years ago
Depends on: 500847
Assignee

Updated

10 years ago
Depends on: 501878
Assignee

Updated

10 years ago
Depends on: 503699
Assignee

Updated

10 years ago
Depends on: 505399
Assignee

Updated

10 years ago
Depends on: 508154
Assignee

Updated

10 years ago
Depends on: 508919
Assignee

Updated

10 years ago
Depends on: 508908
Assignee

Updated

10 years ago
Depends on: 513153
Assignee

Updated

10 years ago
Depends on: 522516
Assignee

Updated

10 years ago
Depends on: 523468
Assignee

Updated

10 years ago
Depends on: 531550
Assignee

Updated

10 years ago
Depends on: 535632
Assignee

Updated

10 years ago
Depends on: 536720
Assignee

Updated

10 years ago
Depends on: 537624
Assignee

Updated

10 years ago
Depends on: 538062
Assignee

Updated

10 years ago
Depends on: 538210
Assignee

Updated

10 years ago
Depends on: 538233
Assignee

Updated

10 years ago
Depends on: 538267
Assignee

Updated

10 years ago
Depends on: 539167
Assignee

Updated

10 years ago
Depends on: 540760
Assignee

Updated

10 years ago
Depends on: 545574
Assignee

Updated

9 years ago
Depends on: 550355
Assignee

Updated

9 years ago
Depends on: 550362
Assignee

Updated

9 years ago
Depends on: 551620
Assignee

Updated

9 years ago
Depends on: 557348
Assignee

Updated

9 years ago
Depends on: 559491
Assignee

Updated

9 years ago
Depends on: 560447
Assignee

Updated

9 years ago
Depends on: 564063
Assignee

Updated

9 years ago
Depends on: 564368
Assignee

Updated

9 years ago
Depends on: 564968
Assignee

Updated

9 years ago
Depends on: 571105
Assignee

Updated

9 years ago
Depends on: 571981
Assignee

Updated

9 years ago
Depends on: 572003
Assignee

Updated

9 years ago
Depends on: 572607
Assignee

Updated

9 years ago
Depends on: 575446
Assignee

Updated

9 years ago
Depends on: 580129
Assignee

Updated

9 years ago
Depends on: 580140
Assignee

Updated

9 years ago
Depends on: 580151
Assignee

Updated

9 years ago
Depends on: 584208
Assignee

Updated

9 years ago
Depends on: 587336
Assignee

Updated

9 years ago
Depends on: 589316
Assignee

Updated

9 years ago
Depends on: 590395
Assignee

Updated

9 years ago
Depends on: 591141
Depends on: 591409
Assignee

Updated

9 years ago
Depends on: 591480
Assignee

Updated

9 years ago
Depends on: 592129
Assignee

Updated

9 years ago
Depends on: 595783
Assignee

Updated

9 years ago
Depends on: 596796
Assignee

Updated

9 years ago
Depends on: 596876
Assignee

Updated

9 years ago
Depends on: 597240
Assignee

Updated

9 years ago
Depends on: 597317
Assignee

Updated

9 years ago
Depends on: 604843
Assignee

Updated

9 years ago
Depends on: 605340
Assignee

Updated

9 years ago
Depends on: 605345
Assignee

Updated

9 years ago
Depends on: 606101
Assignee

Updated

9 years ago
Depends on: 606430
Assignee

Updated

9 years ago
Depends on: 606642
Assignee

Updated

9 years ago
Depends on: 611927
Assignee

Updated

9 years ago
Depends on: 612736
Assignee

Updated

9 years ago
Depends on: 615002
Assignee

Updated

9 years ago
Depends on: 615944
Assignee

Updated

9 years ago
Depends on: 616748
Assignee

Updated

9 years ago
Depends on: 617089
Assignee

Updated

9 years ago
Depends on: 621598
Assignee

Updated

9 years ago
Depends on: 627647
Assignee

Updated

8 years ago
Depends on: 635442
Assignee

Updated

8 years ago
Depends on: 635636
Assignee

Updated

8 years ago
Depends on: 637214
Assignee

Updated

8 years ago
Depends on: 643853
Assignee

Updated

8 years ago
Depends on: 650489
Assignee

Updated

8 years ago
Depends on: 654928
Assignee

Updated

8 years ago
Depends on: 655451
Assignee

Updated

8 years ago
Depends on: 656130
Assignee

Updated

8 years ago
Depends on: 665334
Assignee

Updated

8 years ago
Depends on: 667025
Assignee

Updated

8 years ago
Depends on: 667321
Assignee

Updated

8 years ago
Depends on: 669225
Assignee

Updated

8 years ago
Depends on: 674223
Assignee

Updated

8 years ago
Depends on: 690979
Assignee

Updated

8 years ago
Depends on: 690990
Assignee

Updated

8 years ago
Depends on: 690994
Assignee

Updated

8 years ago
Depends on: 691096
Assignee

Updated

8 years ago
Depends on: 693142
Assignee

Updated

8 years ago
Depends on: 695573
Assignee

Updated

8 years ago
Depends on: 696175
Assignee

Updated

8 years ago
Depends on: 707098
Assignee

Updated

8 years ago
Depends on: 709536