Created attachment 619433: PoC triggering the crash.

Use-after-free is triggered during replacing/inserting a node in the document.

Crashes on:
- 14.0a1 (Ubuntu 11.11, Linux x86-64),
- 15.0a1 (Windows 7, x86-64),
- 12.0 (Windows XP SP3).

Does not crash on 10.0.2. The attached test case is a bit flaky, but it will crash the browser after 2-5 reloads. The ASan log is from version 14.0a1.
Confirmed with this try build: http://email@example.com/try-linux64-debug/firefox-15.0a1.en-US.linux-x86_64.tar.bz2 Had to reload the test twice, as described, but then it reproduced.
Does not crash on 10.0.x because outerHTML wasn't implemented until Firefox 11.
Is this an exploitable crash?
I believe so.
Anything preventing this from being checked in? The patch is very safe, so I guess we might want to wait with pushing to all branches until late in the cycle?
Uh, I thought I had pushed this.
Comment on attachment 619439: patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 92264
User impact if declined: crash
Testing completed (on m-c, etc.): just landed
Risk to taking this patch (and alternatives if risky): Should be super-safe
String or UUID changes made by this patch: NA
Comment on attachment 619439: patch

[Triage Comment]
Please land as soon as possible to make the 5/22 beta 5 go-to-build. Thanks!
I just did an ASan build on OS X 10.7 and had one from three days ago as well. Pre-fix, I see the bug. With the current builds, I do not. Marking verified for trunk.