Closed
Bug 490410
Opened 15 years ago
Closed 15 years ago
Another Crash on testcase from 489647 with accessibility enabled in [@nsTextFrame::ClearTextRun()]
Categories
(Core :: Layout, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: asac, Unassigned)
References
Details
(Keywords: verified1.9.0.11, Whiteboard: [sg:dupe 472776])
Attachments
(1 file)
|
564 bytes,
text/html
|
Details |
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042315 Firefox/3.0.10 Seems, I can still make firefox 3.0.10 crash by enabling accessibility in gnome on ubuntu jaunty, like: 1. gconftool-2 --set --type=bool /desktop/gnome/interface/accessibility true 2. ./firefox https://bugzilla.mozilla.org/attachment.cgi?id=374249 Sample Crash: http://crash-stats.mozilla.com/report/index/34ac9c9a-9a6d-4ce6-b4e7-7ace62090427
FYI for automated testing-- the above doesn't always crash immediately. Eg, I would use a file:/// URL and most of the time I would need to click 'Reload' to trigger the crash (though occasionally I wouldn't).
|
||
Comment 2•15 years ago
|
||
FWIW, I couldn't reproduce this, after a minute or two of repeated reloading, using latest-mozilla1.9.0: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20090426 Minefield/3.6a1pre
|
||
Comment 3•15 years ago
|
||
Since bug 489647 was blocking, if we can reproduce this, it should block too.
Blocks: CVE-2009-1313
Flags: blocking1.9.0.11?
|
||
Comment 4•15 years ago
|
||
Just enabling accessibility is enough to get this crash, as was already said.
|
|
||
Comment 5•15 years ago
|
||
(In reply to comment #2) > FWIW, I couldn't reproduce this, after a minute or two of repeated reloading, > using latest-mozilla1.9.0: > Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20090426 > Minefield/3.6a1pre Daniel, the build id you posted wasn't from a 1.9.0.x build, but from a trunk build, so I guess you tested with a trunk build and not with a 1.9.0.x build.
|
|
||
Comment 6•15 years ago
|
||
Ah, good catch on that build ID... I'd swear I tested with a 1.9.0.x nightly on that machine, but maybe I forgot the "-no-remote" command-line arg or something. In any case, I've downloaded a 1.9.0.x nightly on my laptop now, and I can definitely reproduce the bug here, both with the old bug's testcase (with accessibility enabled) and with Martijn's new automatic-accessibility-enabling testcase attached on this bug. Sample crash report: http://crash-stats.mozilla.com/report/index/acf72021-9bb1-49de-96d0-adefa2090428 Build ID: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11pre) Gecko/2009042804 GranParadiso/3.0.11pre
|
|
||
Comment 7•15 years ago
|
||
In theory, we should be able to hit this crash with a mozilla-central build/nightly from just after bug 467150's patch landed, and then track down a fix range from there, to see what patch fixed this additional crash.
|
|
||
Comment 8•15 years ago
|
||
(In reply to comment #7) > In theory, we should be able to hit this crash with a mozilla-central > build/nightly from just after bug 467150's patch landed Cool -- I tried the mozilla-central nightly build from 2008/12/17 (right after bug 467150 landed), and it crashed on this bug's testcase, after reloading repeatedly for ~10 sec. I tried the 2008/12/20 nightly (a few days later) to make sure the 12/17 one wasn't just particularly crashy, and the 12/20 build crashed on this bug's testcase, too. Sadly, the crash report doesn't seem to have symbols available. http://crash-stats.mozilla.com/report/index/c62340e5-896a-40d6-a3c5-a975a2090428 http://crash-stats.mozilla.com/report/index/b72d40c7-c4b2-45c3-8d20-7110b2090428 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20081217 Minefield/3.2a1pre
|
|
||
Comment 9•15 years ago
|
||
I traced the crash to being fixed in mozilla-central between these nightlies: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20090223 Minefield/3.2a1pre Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20090224 Minefield/3.2a1pre That yields this regression range: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b84ee6f45b08&tochange=69c86f3acc5a That range includes the fix for bug 472776, which I think is the exact same as this bug -- it's a crash [@ UnhookTextRunFromFrames] and [@ ClearAllTextRunReferences], which exactly matches the stacks I've been getting from Martijn's testcase here, e.g. http://crash-stats.mozilla.com/report/index/d005a5b3-613e-46ba-8fce-503602090428 So, I think this crash here is effectively a dupe of bug 472776.
|
|
||
Comment 10•15 years ago
|
||
The patch in bug 472776 applies cleanly on 1.9.0.x (aside from 'crashtests.list') -- I tried it out, and it does indeed fix this crash.
|
|
||
Comment 11•15 years ago
|
||
(Though FWIW, I haven't ever been able to reproduce the shutdown crash from bug 472776's testcase in a 1.9.0.x build. That's not a huge deal, though -- it just means there are additional factors involved that caused that particular testcase to fail on mozilla-central.)
|
||
Updated•15 years ago
|
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.11?
Flags: blocking1.9.0.11+
Whiteboard: [sg:critical?]
|
|
||
Updated•15 years ago
|
Whiteboard: [sg:critical?] → [sg:critical?][sg:dupe 472776]
|
|
||
Comment 12•15 years ago
|
||
The fix for bug 472776 just landed on 1.9.0.x, so this should now be fixed.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
|
||
Updated•15 years ago
|
Keywords: fixed1.9.0.11
|
|
||
Updated•15 years ago
|
Whiteboard: [sg:critical?][sg:dupe 472776] → [sg:dupe 472776]
|
||
Comment 13•15 years ago
|
||
I verified this on Ubuntu 8.10 with Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11pre) Gecko/2009051104 GranParadiso/3.0.11pre. I also verified the crash with 1.9.0.10 on the same system. So this is fixed.
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.0.11 → verified1.9.0.11
|
|
||
Updated•15 years ago
|
Flags: wanted1.8.1.x-
|
|
||
Updated•15 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•