Closed Bug 590395 Opened 10 years ago Closed 10 years ago

"ABORT: Removing image that wasn't in the tracker!" after moving image between documents

Categories

(Core :: ImageLib, defect, critical)

x86
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
Tracking Status
blocking2.0 --- beta5+
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: jruderman, Assigned: bholley)

References

(Blocks 2 open bugs)

Details

(4 keywords, Whiteboard: [sg:critical?])

Attachments

(1 file)

1. Load the testcase.
2. Quit Firefox (or otherwise close it and then cause a GC).

Result:
###!!! ABORT: Removing image that wasn't in the tracker!: 'found', file content/base/src/nsDocument.cpp, line 8007

Bug 589469 might be the same as this bug (see bug 589469 comment 3 option 3), but I can't be sure because that bug doesn't have a testcase.
This should block Gecko 2.0 because it might be responsible for crashes at http://derstandard.at/ (Alexa: #9 in Austria).
blocking2.0: --- → ?
Oh and also because it's likely exploitable, since in opt builds, it crashes touching a bogus address.
Group: core-security
Whiteboard: [sg:critical?]
The appendChild call in this case does an implicit removeChild followed by implicit adoptNode.  Then see bug 589469 comment 8.
Blocks: 512260
blocking2.0: ? → beta5+
Keywords: regression
FWIW, I've got an (un-reduced, save-as-webpage-complete) testcase from a purchase receipt that triggers this same ABORT_IF_FALSE shortly after leaving print preview.

Just talked to bholley about it; if it ends up not being fixed by bholley's patch here, I'll file a new bug on that.
Pushed a fix for this testcase to mozilla-central:
http://hg.mozilla.org/mozilla-central/rev/cf4d7946e2e0

Resolving fixed.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
The testcase I mentioned in comment 4 still triggers this abort -- I filed bug 591560 on that.
older branches appear don't trigger the alert, as expected since the regressing bug 512260 (suspected or proved?) didn't land there.
(In reply to comment #7)
> older branches appear don't trigger the alert, as expected since the regressing
> bug 512260 (suspected or proved?) didn't land there.

The tracker in question did not exist pre bug 512260.
Blocks: 594645
Group: core-security
You need to log in before you can comment on or make changes to this bug.