Closed
Bug 590395
Opened 14 years ago
Closed 14 years ago
"ABORT: Removing image that wasn't in the tracker!" after moving image between documents
Categories
(Core :: Graphics: ImageLib, defect)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | beta5+ |
| status1.9.2 | --- | unaffected |
| status1.9.1 | --- | unaffected |
People
(Reporter: jruderman, Assigned: bholley)
References
Details
(4 keywords, Whiteboard: [sg:critical?])
Attachments
(1 file)
|
216 bytes,
text/html
|
Details |
1. Load the testcase. 2. Quit Firefox (or otherwise close it and then cause a GC). Result: ###!!! ABORT: Removing image that wasn't in the tracker!: 'found', file content/base/src/nsDocument.cpp, line 8007 Bug 589469 might be the same as this bug (see bug 589469 comment 3 option 3), but I can't be sure because that bug doesn't have a testcase.
|
Reporter | |
Comment 1•14 years ago
|
||
This should block Gecko 2.0 because it might be responsible for crashes at http://derstandard.at/ (Alexa: #9 in Austria).
blocking2.0: --- → ?
|
|
Reporter | |
Comment 2•14 years ago
|
||
Oh and also because it's likely exploitable, since in opt builds, it crashes touching a bogus address.
Group: core-security
Whiteboard: [sg:critical?]
|
||
Comment 3•14 years ago
|
||
The appendChild call in this case does an implicit removeChild followed by implicit adoptNode. Then see bug 589469 comment 8.
|
|
||
Updated•14 years ago
|
|
||
Comment 4•14 years ago
|
||
FWIW, I've got an (un-reduced, save-as-webpage-complete) testcase from a purchase receipt that triggers this same ABORT_IF_FALSE shortly after leaving print preview. Just talked to bholley about it; if it ends up not being fixed by bholley's patch here, I'll file a new bug on that.
|
Assignee | |
Comment 5•14 years ago
|
||
Pushed a fix for this testcase to mozilla-central: http://hg.mozilla.org/mozilla-central/rev/cf4d7946e2e0 Resolving fixed.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
|
||
Comment 6•14 years ago
|
||
The testcase I mentioned in comment 4 still triggers this abort -- I filed bug 591560 on that.
|
||
Comment 7•14 years ago
|
||
older branches appear don't trigger the alert, as expected since the regressing bug 512260 (suspected or proved?) didn't land there.
status1.9.1:
--- → unaffected
status1.9.2:
--- → unaffected
|
|
Assignee | |
Comment 8•14 years ago
|
||
(In reply to comment #7) > older branches appear don't trigger the alert, as expected since the regressing > bug 512260 (suspected or proved?) didn't land there. The tracker in question did not exist pre bug 512260.
|
|
||
Updated•14 years ago
|
Group: core-security
Jesse landed this testcase on m-c. http://hg.mozilla.org/mozilla-central/rev/cef75243703a
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•