Bug 772346 - (CVE-2012-3958) Heap-use-after-free in nsHTMLEditRules::DeleteNonTableElements
Status: RESOLVED FIXED
Whiteboard: [asan][fixed by bug 775552 for Firefo...
Keywords: csectype-uaf, regression, sec-critical
Product: Core
Classification: Components
Component: Editor
Version: Trunk
Platform: x86_64 All
Importance: -- normal
Target Milestone: mozilla16
Assigned To: :Ehsan Akhgari (busy, don't ask for review please)
Depends on: 775552
Blocks: 755264
Reported: 2012-07-09 22:34 PDT by Abhishek Arya
Modified: 2014-07-24 13:44 PDT
rforbes: sec‑bounty+
Attachments
Patch (v1) (830 bytes, patch)
2012-07-10 13:07 PDT, :Ehsan Akhgari (busy, don't ask for review please)
roc: review+
lukasblakk+bugs: approval‑mozilla‑beta+

Description Abhishek Arya 2012-07-09 22:34:53 PDT
Reproduces on trunk. My repro is ugly but reproduces reliably on my local machine. I will attach something here once I get a better minimized repro.

I debugged and didn't see a reason to wait for filing. Some of the stack frames are missing b/w #0 and #1 since this is an optimized build. But GetPreviousSibling() in #0 [see nsHTMLEditRules::DeleteNonTableElements] tells that the stale child is being accessed. It looks like a raw ptr issue, probably coming from http://hg.mozilla.org/mozilla-central/diff/270ac87cffba/editor/libeditor/html/nsHTMLEditRules.cpp#l1.85. When I changed to nsCOMPtr and recompiled, the crash stopped.

=================================================================
==19766== ERROR: AddressSanitizer heap-use-after-free on address 0x7fc1cdd689b8 at pc 0x7fc20556baa8 bp 0x7fff36485200 sp 0x7fff364851f8
READ of size 8 at 0x7fc1cdd689b8 thread T0
    #0 0x7fc20556baa8 in nsINode::GetPreviousSibling() const firefox/src/modules/zlib/src/inffast.c:0
    #1 0x7fc2062f5dc0 in nsHTMLEditRules::WillDoAction(mozilla::Selection*, nsRulesInfo*, bool*, bool*) firefox/src/editor/libeditor/html/nsHTMLEditRules.cpp:577
    #2 0x7fc20618d040 in nsPlaintextEditor::DeleteSelection(short, short) firefox/src/editor/libeditor/text/nsPlaintextEditor.cpp:657
    #3 0x7fc2062f6468 in nsHTMLEditRules::WillInsertText(nsEditor::OperationID, mozilla::Selection*, bool*, bool*, nsAString_internal const*, nsAString_internal*, int) firefox/src/editor/libeditor/html/nsHTMLEditRules.cpp:1260
    #4 0x7fc2062f5ca3 in nsHTMLEditRules::WillDoAction(mozilla::Selection*, nsRulesInfo*, bool*, bool*) firefox/src/editor/libeditor/html/nsHTMLEditRules.cpp:570
    #5 0x7fc20618d5ec in nsPlaintextEditor::InsertText(nsAString_internal const&) firefox/src/editor/libeditor/text/nsPlaintextEditor.cpp:700
    #6 0x7fc2061c3c67 in nsInsertPlaintextCommand::DoCommandParams(char const*, nsICommandParams*, nsISupports*) firefox/src/editor/libeditor/base/nsEditorCommands.cpp:834
    #7 0x7fc2069858a9 in nsControllerCommandTable::DoCommandParams(char const*, nsICommandParams*, nsISupports*) firefox/src/embedding/components/commandhandler/src/nsControllerCommandTable.cpp:175
    #8 0x7fc20697ec11 in nsBaseCommandController::DoCommandWithParams(char const*, nsICommandParams*) firefox/src/embedding/components/commandhandler/src/nsBaseCommandController.cpp:153
    #9 0x7fc2069824f7 in nsCommandManager::DoCommand(char const*, nsICommandParams*, nsIDOMWindow*) firefox/src/embedding/components/commandhandler/src/nsCommandManager.cpp:238
    #10 0x7fc205de5469 in nsHTMLDocument::ExecCommand(nsAString_internal const&, bool, nsAString_internal const&, bool*) firefox/src/content/html/document/src/nsHTMLDocument.cpp:3218
    #11 0x7fc20721b125 in NS_InvokeByIndex_P firefox/src/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:164
    #12 0x7fc2066bdce8 in CallMethodHelper::Invoke() firefox/src/js/xpconnect/src/XPCWrappedNative.cpp:3071
    #13 0x7fc2066cbfee in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) firefox/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1474
    #14 0x7fc207b2807f in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) firefox/src/js/src/jscntxtinlines.h:400
    #15 0x7fc207b1de9e in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) firefox/src/js/src/jsinterp.cpp:2465
    #16 0x7fc207b09315 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) firefox/src/js/src/jsinterp.cpp:299
    #17 0x7fc207b29467 in js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) firefox/src/js/src/jsinterp.cpp:482
    #18 0x7fc207b297f1 in js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) firefox/src/js/src/jsinterp.cpp:519
    #19 0x7fc207a3a713 in EvaluateUCScriptForPrincipalsCommon(JSContext*, JSObject*, JSPrincipals*, JSPrincipals*, unsigned short const*, unsigned int, char const*, unsigned int, JS::Value*, JSVersion) firefox/src/js/src/jsapi.cpp:5370
    #20 0x7fc207a3a9d9 in JS_EvaluateUCScriptForPrincipalsVersionOrigin firefox/src/js/src/jsapi.cpp:5407
    #21 0x7fc205f23907 in nsJSContext::EvaluateString(nsAString_internal const&, JSObject*, nsIPrincipal*, nsIPrincipal*, char const*, unsigned int, JSVersion, nsAString_internal*, bool*) firefox/src/dom/base/nsJSEnvironment.cpp:1466
    #22 0x7fc205f7eece in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) firefox/src/dom/base/nsGlobalWindow.cpp:9519
    #23 0x7fc205f6e285 in nsGlobalWindow::RunTimeout(nsTimeout*) firefox/src/dom/base/nsGlobalWindow.cpp:9783
    #24 0x7fc205f7e378 in nsGlobalWindow::TimerCallback(nsITimer*, void*) firefox/src/dom/base/nsGlobalWindow.cpp:10055
    #25 0x7fc2071f9094 in nsTimerImpl::Fire() firefox/src/xpcom/threads/nsTimerImpl.cpp:473
    #26 0x7fc2071f95e6 in nsTimerEvent::Run() firefox/src/xpcom/threads/nsTimerImpl.cpp:559
    #27 0x7fc2071ef654 in nsThread::ProcessNextEvent(bool, bool*) firefox/src/xpcom/threads/nsThread.cpp:624
    #28 0x7fc20716061d in NS_ProcessNextEvent_P(nsIThread*, bool) firefox/src/objdir-ff-asan/xpcom/build/nsThreadUtils.cpp:217
    #29 0x7fc206f5fd48 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) firefox/src/ipc/glue/MessagePump.cpp:82
    #30 0x7fc20726091f in MessageLoop::Run() firefox/src/ipc/chromium/src/base/message_loop.cc:176
    #31 0x7fc206d6f73e in nsBaseAppShell::Run() firefox/src/widget/xpwidgets/nsBaseAppShell.cpp:165
    #32 0x7fc205171943 in XREMain::XRE_main(int, char**, nsXREAppData const*) firefox/src/toolkit/xre/nsAppRunner.cpp:3864
    #33 0x7fc205172272 in XRE_main firefox/src/toolkit/xre/nsAppRunner.cpp:3940
    #34 0x409e93 in do_main(int, char**) firefox/src/browser/app/nsBrowserApp.cpp:160
    #35 0x40957d in main firefox/src/browser/app/nsBrowserApp.cpp:330
    #36 0x7fc20c9a2c4d in ?? ??:0
0x7fc1cdd689b8 is located 56 bytes inside of 120-byte region [0x7fc1cdd68980,0x7fc1cdd689f8)
freed by thread T0 here:
    #0 0x425a42 in free ??:0
    #1 0x7fc205b17a9b in nsNodeUtils::LastRelease(nsINode*) firefox/src/content/base/src/nsNodeUtils.cpp:252
    #2 0x7fc205ad86df in nsGenericDOMDataNode::Release() firefox/src/content/base/src/nsGenericDOMDataNode.cpp:113
    #3 0x7fc2063169ad in nsHTMLEditRules::DeleteNonTableElements(nsINode*) firefox/src/editor/libeditor/html/nsHTMLEditRules.cpp:2824
    #4 0x7fc2062f5dc0 in nsHTMLEditRules::WillDoAction(mozilla::Selection*, nsRulesInfo*, bool*, bool*) firefox/src/editor/libeditor/html/nsHTMLEditRules.cpp:577
    #5 0x7fc20618d040 in nsPlaintextEditor::DeleteSelection(short, short) firefox/src/editor/libeditor/text/nsPlaintextEditor.cpp:657
    #6 0x7fc2062f6468 in nsHTMLEditRules::WillInsertText(nsEditor::OperationID, mozilla::Selection*, bool*, bool*, nsAString_internal const*, nsAString_internal*, int) firefox/src/editor/libeditor/html/nsHTMLEditRules.cpp:1260
    #7 0x7fc2062f5ca3 in nsHTMLEditRules::WillDoAction(mozilla::Selection*, nsRulesInfo*, bool*, bool*) firefox/src/editor/libeditor/html/nsHTMLEditRules.cpp:570
    #8 0x7fc20618d5ec in nsPlaintextEditor::InsertText(nsAString_internal const&) firefox/src/editor/libeditor/text/nsPlaintextEditor.cpp:700
    #9 0x7fc2061c3c67 in nsInsertPlaintextCommand::DoCommandParams(char const*, nsICommandParams*, nsISupports*) firefox/src/editor/libeditor/base/nsEditorCommands.cpp:834
    #10 0x7fc2069858a9 in nsControllerCommandTable::DoCommandParams(char const*, nsICommandParams*, nsISupports*) firefox/src/embedding/components/commandhandler/src/nsControllerCommandTable.cpp:175
    #11 0x7fc20697ec11 in nsBaseCommandController::DoCommandWithParams(char const*, nsICommandParams*) firefox/src/embedding/components/commandhandler/src/nsBaseCommandController.cpp:153
    #12 0x7fc2069824f7 in nsCommandManager::DoCommand(char const*, nsICommandParams*, nsIDOMWindow*) firefox/src/embedding/components/commandhandler/src/nsCommandManager.cpp:238
    #13 0x7fc205de5469 in nsHTMLDocument::ExecCommand(nsAString_internal const&, bool, nsAString_internal const&, bool*) firefox/src/content/html/document/src/nsHTMLDocument.cpp:3218
    #14 0x7fc20721b125 in NS_InvokeByIndex_P firefox/src/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:164
    #15 0x7fc2066bdce8 in CallMethodHelper::Invoke() firefox/src/js/xpconnect/src/XPCWrappedNative.cpp:3071
    #16 0x7fc2066cbfee in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) firefox/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1474
    #17 0x7fc207b2807f in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) firefox/src/js/src/jscntxtinlines.h:400
    #18 0x7fc207b1de9e in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) firefox/src/js/src/jsinterp.cpp:2465
    #19 0x7fc207b09315 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) firefox/src/js/src/jsinterp.cpp:299
    #20 0x7fc207b29467 in js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) firefox/src/js/src/jsinterp.cpp:482
    #21 0x7fc207b297f1 in js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) firefox/src/js/src/jsinterp.cpp:519
    #22 0x7fc207a3a713 in EvaluateUCScriptForPrincipalsCommon(JSContext*, JSObject*, JSPrincipals*, JSPrincipals*, unsigned short const*, unsigned int, char const*, unsigned int, JS::Value*, JSVersion) firefox/src/js/src/jsapi.cpp:5370
    #23 0x7fc207a3a9d9 in JS_EvaluateUCScriptForPrincipalsVersionOrigin firefox/src/js/src/jsapi.cpp:5407
    #24 0x7fc205f23907 in nsJSContext::EvaluateString(nsAString_internal const&, JSObject*, nsIPrincipal*, nsIPrincipal*, char const*, unsigned int, JSVersion, nsAString_internal*, bool*) firefox/src/dom/base/nsJSEnvironment.cpp:1466
    #25 0x7fc205f7eece in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) firefox/src/dom/base/nsGlobalWindow.cpp:9519
    #26 0x7fc205f6e285 in nsGlobalWindow::RunTimeout(nsTimeout*) firefox/src/dom/base/nsGlobalWindow.cpp:9783
    #27 0x7fc205f7e378 in nsGlobalWindow::TimerCallback(nsITimer*, void*) firefox/src/dom/base/nsGlobalWindow.cpp:10055
    #28 0x7fc2071f9094 in nsTimerImpl::Fire() firefox/src/xpcom/threads/nsTimerImpl.cpp:473
    #29 0x7fc2071f95e6 in nsTimerEvent::Run() firefox/src/xpcom/threads/nsTimerImpl.cpp:559
previously allocated by thread T0 here:
    #0 0x425b02 in __interceptor_malloc ??:0
    #1 0x7fc209fd13f0 in moz_xmalloc firefox/src/memory/mozalloc/mozalloc.cpp:54
    #2 0x7fc205a3f31d in nsContentUtils::SetNodeTextContent(nsIContent*, nsAString_internal const&, bool) firefox/src/content/base/src/nsContentUtils.cpp:4310
    #3 0x7fc20677c151 in nsIDOMNode_SetTextContent(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, int, JS::Value*) firefox/src/objdir-ff-asan/js/xpconnect/src/dom_quickstubs.cpp:5665
    #4 0x7fc207b64928 in js::CallJSPropertyOpSetter(JSContext*, int (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, int, JS::Value*), JS::Handle<JSObject*>, JS::Handle<long>, int, JS::Value*) firefox/src/js/src/jscntxtinlines.h:460
    #5 0x7fc207b695f1 in js::baseops::SetPropertyHelper(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, unsigned int, JS::Value*, int) firefox/src/js/src/jsobj.cpp:4924
    #6 0x7fc207b2d620 in js::SetPropertyOperation(JSContext*, unsigned char*, JS::Value const&, JS::Value const&) firefox/src/js/src/jsinterpinlines.h:353
    #7 0x7fc207b0bbb8 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) firefox/src/js/src/jsinterp.cpp:2378
    #8 0x7fc207b09315 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) firefox/src/js/src/jsinterp.cpp:299
    #9 0x7fc207b29467 in js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) firefox/src/js/src/jsinterp.cpp:482
    #10 0x7fc207b297f1 in js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) firefox/src/js/src/jsinterp.cpp:519
    #11 0x7fc207a3a713 in EvaluateUCScriptForPrincipalsCommon(JSContext*, JSObject*, JSPrincipals*, JSPrincipals*, unsigned short const*, unsigned int, char const*, unsigned int, JS::Value*, JSVersion) firefox/src/js/src/jsapi.cpp:5370
    #12 0x7fc207a3a9d9 in JS_EvaluateUCScriptForPrincipalsVersionOrigin firefox/src/js/src/jsapi.cpp:5407
    #13 0x7fc205f23907 in nsJSContext::EvaluateString(nsAString_internal const&, JSObject*, nsIPrincipal*, nsIPrincipal*, char const*, unsigned int, JSVersion, nsAString_internal*, bool*) firefox/src/dom/base/nsJSEnvironment.cpp:1466
    #14 0x7fc205f7eece in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) firefox/src/dom/base/nsGlobalWindow.cpp:9519
    #15 0x7fc205f6e285 in nsGlobalWindow::RunTimeout(nsTimeout*) firefox/src/dom/base/nsGlobalWindow.cpp:9783
    #16 0x7fc205f7e378 in nsGlobalWindow::TimerCallback(nsITimer*, void*) firefox/src/dom/base/nsGlobalWindow.cpp:10055
    #17 0x7fc2071f9094 in nsTimerImpl::Fire() firefox/src/xpcom/threads/nsTimerImpl.cpp:473
    #18 0x7fc2071f95e6 in nsTimerEvent::Run() firefox/src/xpcom/threads/nsTimerImpl.cpp:559
    #19 0x7fc2071ef654 in nsThread::ProcessNextEvent(bool, bool*) firefox/src/xpcom/threads/nsThread.cpp:624
    #20 0x7fc20716061d in NS_ProcessNextEvent_P(nsIThread*, bool) firefox/src/objdir-ff-asan/xpcom/build/nsThreadUtils.cpp:217
    #21 0x7fc206f5fd48 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) firefox/src/ipc/glue/MessagePump.cpp:82
    #22 0x7fc20726091f in MessageLoop::Run() firefox/src/ipc/chromium/src/base/message_loop.cc:176
    #23 0x7fc206d6f73e in nsBaseAppShell::Run() firefox/src/widget/xpwidgets/nsBaseAppShell.cpp:165
    #24 0x7fc205171943 in XREMain::XRE_main(int, char**, nsXREAppData const*) firefox/src/toolkit/xre/nsAppRunner.cpp:3864
==19766== ABORTING
Comment 1 Olli Pettay [:smaug] (high review load, please consider other reviewers) 2012-07-10 02:54:28 PDT
Yet another regression to not-follow-xpcom rules?
Comment 2 :Ehsan Akhgari (busy, don't ask for review please) 2012-07-10 13:07:23 PDT
Created attachment 640732
Patch (v1)
Comment 3 :Ehsan Akhgari (busy, don't ask for review please) 2012-07-10 17:11:26 PDT
https://hg.mozilla.org/integration/mozilla-inbound/rev/32b6c83aeac5
Comment 4 Abhishek Arya 2012-07-10 19:59:11 PDT
Looks like this needs to be marked Resolved :)
Comment 5 :Ehsan Akhgari (busy, don't ask for review please) 2012-07-10 20:20:28 PDT
mozilla-inbound is our integration branch which gets merged to mozilla-central a few times a day.  We usually mark bugs as fixed when the patch lands on mozilla-central.  This should probably happen some time tomorrow for this bug.  :-)
Comment 6 Abhishek Arya 2012-07-10 20:24:15 PDT
Great! Good to know ....:)
Comment 7 Ed Morley [:emorley] 2012-07-11 09:36:52 PDT
And voilà! :-)

https://hg.mozilla.org/mozilla-central/rev/32b6c83aeac5
Comment 8 :Aryeh Gregor (away until August 15) 2012-07-13 00:08:41 PDT
This code is probably wrong anyway, for the same reason as in bug 767684.  It now says

  for (nsCOMPtr<nsIContent> child = aNode->GetLastChild();
       child;
       child = child->GetPreviousSibling()) {
    nsresult rv = DeleteNonTableElements(child);
    NS_ENSURE_SUCCESS(rv, rv);
  }

But DeleteNonTableElements(child) might remove child, so GetPreviousSibling will incorrectly return null.  Changing it back to the way it was should both fix the use-after-free and make it correctly affect all children:

  for (PRInt32 i = aNode->GetChildCount() - 1; i >= 0; --i) {
    nsresult rv = DeleteNonTableElements(aNode->GetChildAt(i));
    NS_ENSURE_SUCCESS(rv, rv);
  }

Anyway, this is likely a regression from bug 755264, and probably affects 15.  I can't tell, because there's no test-case here (ugly or otherwise).  Do we want to backport this?
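
An added example, not part of the bug thread or the Firefox tree: a toy tree in which std::shared_ptr stands in for nsCOMPtr, contrasting the raw-pointer case from the description with the strong-reference sibling walk and the index walk quoted in comment 8. All type and function names here are hypothetical.

```cpp
// Toy model, not Gecko code: std::shared_ptr plays nsCOMPtr; all names are hypothetical.
#include <algorithm>
#include <cstdio>
#include <memory>
#include <vector>
struct Node {
    bool isTable = false;                     // table elements stay; their children are visited
    Node* parent = nullptr;                   // non-owning back-pointer, cleared on removal
    std::vector<std::shared_ptr<Node>> kids;  // the parent holds the only long-lived strong refs
    // Modelled on GetPreviousSibling(): a detached node has no siblings.
    std::shared_ptr<Node> previousSibling() const {
        if (!parent) return nullptr;
        for (std::size_t i = 1; i < parent->kids.size(); ++i)
            if (parent->kids[i].get() == this) return parent->kids[i - 1];
        return nullptr;
    }
};
void addChild(Node& p) {
    p.kids.push_back(std::make_shared<Node>());
    p.kids.back()->parent = &p;
}

// Detach `child`; this drops the parent's strong reference to it.
void removeChild(Node& child) {
    Node* p = child.parent;
    if (!p) return;
    child.parent = nullptr;
    auto it = std::find_if(p->kids.begin(), p->kids.end(),
        [&](const std::shared_ptr<Node>& k) { return k.get() == &child; });
    if (it != p->kids.end()) p->kids.erase(it);
}

// The bug class: only a raw pointer is held across the removal.
bool rawPointerDangles() {
    Node table;
    addChild(table);
    std::weak_ptr<Node> watch = table.kids.back();  // observes without owning
    Node* raw = table.kids.back().get();
    removeChild(*raw);       // last strong ref dropped: the node is destroyed
    return watch.expired();  // any raw->... from here on would be a use-after-free
}

enum class Walk { Sibling, Index };
void deleteNonTable(Node& n, Walk w) {
    if (!n.isTable) { removeChild(n); return; }
    if (w == Walk::Sibling) {  // strong ref keeps the child alive, but the walk loses its place
        std::shared_ptr<Node> c = n.kids.empty() ? std::shared_ptr<Node>() : n.kids.back();
        for (; c; c = c->previousSibling()) deleteNonTable(*c, w);
    } else {                   // walking indices downward: removing child i leaves 0..i-1 intact
        for (int i = static_cast<int>(n.kids.size()) - 1; i >= 0; --i)
            deleteNonTable(*std::shared_ptr<Node>(n.kids[i]), w);  // temporary holds a ref
    }
}

// Build a table with n non-table children, run the walk, count what is left.
std::size_t survivors(Walk w, int n) {
    Node table;
    table.isTable = true;
    for (int i = 0; i < n; ++i) addChild(table);
    deleteNonTable(table, w);
    return table.kids.size();
}
int main() {
    std::printf("dangles=%d sibling=%zu index=%zu\n", rawPointerDangles(),
                survivors(Walk::Sibling, 3), survivors(Walk::Index, 3));
}
```

The sibling walk is memory-safe once the loop variable is a strong reference, yet it stops after the first removal; the index walk is both safe and complete.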
Comment 9 :Ehsan Akhgari (busy, don't ask for review please) 2012-07-13 08:00:39 PDT
(In reply to :Aryeh Gregor from comment #8)
> This code is probably wrong anyway, for the same reason as in bug 767684. 
> It now says
> 
>   for (nsCOMPtr<nsIContent> child = aNode->GetLastChild();
>        child;
>        child = child->GetPreviousSibling()) {
>     nsresult rv = DeleteNonTableElements(child);
>     NS_ENSURE_SUCCESS(rv, rv);
>   }
> 
> But DeleteNonTableElements(child) might remove child, so GetPreviousSibling
> will incorrectly return null.  Changing it back to the way it was should
> both fix the use-after-free and make it correctly affect all children:
> 
>   for (PRInt32 i = aNode->GetChildCount() - 1; i >= 0; --i) {
>     nsresult rv = DeleteNonTableElements(aNode->GetChildAt(i));
>     NS_ENSURE_SUCCESS(rv, rv);
>   }
> 
> Anyway, this is likely a regression from bug 755264, and probably affects
> 15.  I can't tell, because there's no test-case here (ugly or otherwise). 
> Do we want to backport this?

Good point.  For Aurora, I'd rather us back out bug 755264.  Can you please attach a patch for that?  Thanks!
Comment 10 :Aryeh Gregor (away until August 15) 2012-07-15 02:19:57 PDT
(In reply to Ehsan Akhgari [:ehsan] from comment #9)
> Good point.  For Aurora, I'd rather us back out bug 755264.  Can you please
> attach a patch for that?  Thanks!

Sure.  FWIW, this extra bug was fixed by bug 772332 part 1, which is on m-i and may or may not make it to Aurora.
Comment 11 :Ehsan Akhgari (busy, don't ask for review please) 2012-07-17 20:05:26 PDT
(In reply to :Aryeh Gregor from comment #10)
> (In reply to Ehsan Akhgari [:ehsan] from comment #9)
> > Good point.  For Aurora, I'd rather us back out bug 755264.  Can you please
> > attach a patch for that?  Thanks!
> 
> Sure.  FWIW, this extra bug was fixed by bug 772332 part 1, which is on m-i
> and may or may not make it to Aurora.

It didn't, as it got backed out!
Comment 12 :Aryeh Gregor (away until August 15) 2012-07-19 08:11:20 PDT
Filed bug 775552.  The patch no longer backs out cleanly.
Comment 13 Alex Keybl [:akeybl] 2012-07-26 17:36:09 PDT
(In reply to :Aryeh Gregor from comment #12)
> Filed bug 775552.  The patch no longer backs out cleanly.

Is there more work to be done here to resolve for FF15? I think bug 775552 just set us up to apply cleanly, correct?
Comment 14 :Ehsan Akhgari (busy, don't ask for review please) 2012-07-26 19:30:57 PDT
(In reply to Alex Keybl [:akeybl] from comment #13)
> (In reply to :Aryeh Gregor from comment #12)
> > Filed bug 775552.  The patch no longer backs out cleanly.
> 
> Is there more work to be done here to resolve for FF15? I think bug 775552
> just set us up to apply cleanly, correct?

Hmm, I think we need the patch in bug 775552 to land on beta as well.  I'll nominate it right now.
Comment 15 :Ehsan Akhgari (busy, don't ask for review please) 2012-07-31 07:55:12 PDT
Comment on attachment 640732
Patch (v1)

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 755264
User impact if declined: sec-critical
Testing completed (on m-c, etc.): has baked on Nightly and Aurora
Risk to taking this patch (and alternatives if risky): this has very minimal risk
String or UUID changes made by this patch: none
Comment 16 Lukas Blakk [:lsblakk] use ?needinfo 2012-07-31 09:21:22 PDT
Comment on attachment 640732
Patch (v1)

Low risk, approving for beta.
Comment 17 :Ehsan Akhgari (busy, don't ask for review please) 2012-07-31 11:21:42 PDT
I was about to land this and I realized that this has been fixed on beta by bug 775552 landing there.  So I'm going to mark this as such.
Comment 19 Raymond Forbes[:rforbes] 2013-07-19 18:42:27 PDT
rforbes-bugspam-for-setting-that-bounty-flag-20130719
