|
2.45 KB,
text/plain
|
Details | |
|
2.46 KB,
text/plain
|
Details | |
|
1.26 KB,
patch
|
jst
:
review+
jst
:
superreview+
jst
:
approval-branch-1.8.1+
dveditz
:
approval1.8.0.4+
|
Details | Diff | Splinter Review |
Following part of the steps frmo bug 309564, valgrind reports an invalid read in nsJSEventListener::HandleEvent (of freed memory). Steps to reproduce: 2. Visit the linked URL ( http://demo.planzo.com ) 3. Click a box on the calendar and type a comment then press <ENTER> 4. Double-click the event you entered in Step 3. The page is heavily DHTML and also does AJAX. I'll attach the info valgrind gives.
|
(Reporter) | |
Comment 1•12 years ago
|
||
Created attachment 197000 [details]
valgrind info
|
(Assignee) | |
Comment 2•11 years ago
|
||
Andrew, do you still see this? I can't reproduce...
|
|
(Reporter) | |
Comment 3•11 years ago
|
||
worksforme with trunk although I still see it with a 1.8 branch build. Is there interest fixing this there?
|
|
(Assignee) | |
Comment 4•11 years ago
|
||
Probably... if we could figure out when this got fixed on trunk (e.g. could we test with nightlies?), that would be a great start.
|
|
(Reporter) | |
Comment 5•11 years ago
|
||
a build from 2005120204 does a build from 2005120305 does not have the bug
|
|
(Assignee) | |
Comment 6•11 years ago
|
||
Presumably when the JS event listener stuff got changed majorly in bug 241518... Do we have any idea for the line number or anything like that? I mean on the branch?
|
|
(Reporter) | |
Comment 7•11 years ago
|
||
Created attachment 218027 [details]
valgrind log for MOZILLA_1_8_BRANCH
line numbers are only a bit off from before|
|
(Assignee) | |
Comment 8•11 years ago
|
||
Does doing: nsCOMPtr<nsIJSEventListener> kungFuDeathGrip(this); At the top of HandleEvent help? It looks to me like we die in the event, then try to access our member...
|
|
(Reporter) | |
Comment 9•11 years ago
|
||
yes, the kungFuDeathGrip fixed the valgrind error
|
|
(Assignee) | |
Comment 10•11 years ago
|
||
Created attachment 218492 [details] [diff] [review] Patch OK, I see why bug 241518 helped. This patch should fix the valgrind warning too. Drivers: This is a memory read of deleted memory. I _think_ it's not exploitable (it's just accessing a member variable). But it might make sense to fix this on the 1.8.0 branch anyway.
|
|
(Assignee) | |
Updated•11 years ago
|
||
|
||
Comment 11•11 years ago
|
||
Comment on attachment 218492 [details] [diff] [review] Patch r+sr+a=jst
|
|
(Assignee) | |
Comment 12•11 years ago
|
||
Fixed on 1.8.1 branch.
|
||
Comment 13•11 years ago
|
||
Comment on attachment 218492 [details] [diff] [review] Patch approved for 1.8.0 branch, a=dveditz for drivers
Description
•