Bug 776213 - (CVE-2012-1976) Heap-use-after-free in nsHTMLSelectElement::SubmitNamesValues
Status: RESOLVED FIXED
Whiteboard: [asan][advisory-tracking+][qa?]
Keywords: sec-critical, testcase
Product: Core
Classification: Components
Component: DOM: Core & HTML
Version: Trunk
Platform: x86_64 All
Importance: -- normal
Target Milestone: mozilla17
Assigned To: Andrew McCreight [:mccr8]
Mentors:
Depends on:
Blocks: 347165
Reported: 2012-07-20 22:23 PDT by Abhishek Arya
Modified: 2014-07-24 13:43 PDT (History)
CC: 11 users
Flags: rforbes: sec-bounty+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
Testcase (482 bytes, text/html)
2012-07-24 07:06 PDT, Abhishek Arya
no flags
hold onto sortedControls (1.56 KB, patch)
2012-07-30 13:04 PDT, Andrew McCreight [:mccr8]
bugs: review+
lukasblakk+bugs: approval-mozilla-aurora+
lukasblakk+bugs: approval-mozilla-beta+
lukasblakk+bugs: approval-mozilla-esr10+

Description Abhishek Arya 2012-07-20 22:23:12 PDT
Reproduces on trunk. Repro reproduced once (but got it under a fully symbolized build). As I have a better testcase, I will add it here.

=================================================================
==2410== ERROR: AddressSanitizer heap-use-after-free on address 0x7f19a99a1280 at pc 0x7f19d6751fef bp 0x7fff085f3390 sp 0x7fff085f3388
READ of size 8 at 0x7f19a99a1280 thread T0
    #0 0x7f19d6751fef in nsHTMLSelectElement::SubmitNamesValues(nsFormSubmission*) src/content/html/content/src/nsHTMLSelectElement.cpp:1747
    #1 0x7f19d6752c9f in non-virtual thunk to nsHTMLSelectElement::SubmitNamesValues(nsFormSubmission*) asn1cmn.c:0
    #2 0x7f19d635feb2 in nsHTMLFormElement::WalkFormElements(nsFormSubmission*) src/content/html/content/src/nsHTMLFormElement.cpp:983
    #3 0x7f19d635be9a in nsHTMLFormElement::BuildSubmission(nsFormSubmission**, nsEvent*) src/content/html/content/src/nsHTMLFormElement.cpp:772
    #4 0x7f19d635ab79 in nsHTMLFormElement::DoSubmit(nsEvent*) src/content/html/content/src/nsHTMLFormElement.cpp:706
    #5 0x7f19d6353d19 in nsHTMLFormElement::DoSubmitOrReset(nsEvent*, int) src/content/html/content/src/nsHTMLFormElement.cpp:657
    #6 0x7f19d635360b in nsHTMLFormElement::Submit() src/content/html/content/src/nsHTMLFormElement.cpp:391
    #7 0x7f19d635400c in non-virtual thunk to nsHTMLFormElement::Submit() asn1cmn.c:0
    #8 0x7f19da2aa1b1 in nsIDOMHTMLFormElement_Submit(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/js/xpconnect/src/dom_quickstubs.cpp:14382
    #9 0x7f19e5566587 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:382
    #10 0x7f19e54dd593 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2426
    #11 0x7f19e5464725 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) src/js/src/jsinterp.cpp:302
    #12 0x7f19e55669a9 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:356
    #13 0x7f19e4e9c430 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:119
    #14 0x7f19e556bb0d in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:388
    #15 0x7f19e4d470d9 in JS_CallFunctionValue src/js/src/jsapi.cpp:5572
    #16 0x7f19d7225bf5 in nsJSContext::CallEventHandler(nsISupports*, JSObject*, JSObject*, nsIArray*, nsIVariant**) src/dom/base/nsJSEnvironment.cpp:1891
    #17 0x7f19d79c6ca6 in nsJSEventListener::HandleEvent(nsIDOMEvent*) src/dom/src/events/nsJSEventListener.cpp:188
    #18 0x7f19d5e24bb3 in nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsIDOMEventTarget*, unsigned int, nsCxPusher*) src/content/events/src/nsEventListenerManager.cpp:794
    #19 0x7f19d5e2607a in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, unsigned int, nsEventStatus*, nsCxPusher*) src/content/events/src/nsEventListenerManager.cpp:867
    #20 0x7f19d5fd4c97 in nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, unsigned int, nsEventStatus*, nsCxPusher*) src/content/events/src/nsEventListenerManager.h:144
    #21 0x7f19d5fc3936 in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, unsigned int, bool, nsCxPusher*) src/content/events/src/nsEventDispatcher.cpp:185
    #22 0x7f19d5fc149c in nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, unsigned int, nsDispatchingCallback*, bool, nsCxPusher*) src/content/events/src/nsEventDispatcher.cpp:313
    #23 0x7f19d5fc6fb0 in nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<nsIDOMEventTarget>*) src/content/events/src/nsEventDispatcher.cpp:634
    #24 0x7f19d367419f in DocumentViewerImpl::LoadComplete(unsigned int) src/layout/base/nsDocumentViewer.cpp:1017
    #25 0x7f19db0e5dd8 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, unsigned int) src/docshell/base/nsDocShell.cpp:6294
    #26 0x7f19db0ddae1 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, unsigned int) src/docshell/base/nsDocShell.cpp:6125
    #27 0x7f19db0decd5 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, unsigned int) asn1cmn.c:0
    #28 0x7f19db1e4fd4 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, unsigned int) src/uriloader/base/nsDocLoader.cpp:1352
    #29 0x7f19db1e29e5 in nsDocLoader::doStopDocumentLoad(nsIRequest*, unsigned int) src/uriloader/base/nsDocLoader.cpp:930
    #30 0x7f19db1dbc38 in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:822
    #31 0x7f19db1e01bc in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) src/uriloader/base/nsDocLoader.cpp:704
    #32 0x7f19db1e1d0d in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) asn1cmn.c:0
    #33 0x7f19d2042e89 in nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, unsigned int) src/netwerk/base/src/nsLoadGroup.cpp:698
    #34 0x7f19d510bd94 in nsDocument::DoUnblockOnload() src/content/base/src/nsDocument.cpp:7189
    #35 0x7f19d510b821 in nsDocument::UnblockOnload(bool) src/content/base/src/nsDocument.cpp:7132
    #36 0x7f19d701ed84 in nsBindingManager::DoProcessAttachedQueue() src/content/xbl/src/nsBindingManager.cpp:990
    #37 0x7f19d70390f9 in nsRunnableMethodImpl<void (nsBindingManager::*)(), true>::Run() src/../../../dist/include/nsThreadUtils.h:349
    #38 0x7f19de8eb8fd in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:625
    #39 0x7f19de57a6ad in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:217
    #40 0x7f19dd519ce6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
    #41 0x7f19deb9db9a in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:209
    #42 0x7f19deb9d9e3 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:202
    #43 0x7f19deb9d8c8 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:176
    #44 0x7f19dca23c8e in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:165
    #45 0x7f19db676eb8 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:257
    #46 0x7f19d1e04d20 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3787
    #47 0x7f19d1e0b6c2 in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3864
    #48 0x7f19d1e0eb92 in XRE_main src/toolkit/xre/nsAppRunner.cpp:3940
    #49 0x40c28f in do_main(int, char**) src/browser/app/nsBrowserApp.cpp:160
    #50 0x409cbd in main src/browser/app/nsBrowserApp.cpp:298
    #51 0x7f19ee9c3c4d in ?? ??:0
0x7f19a99a1280 is located 0 bytes inside of 232-byte region [0x7f19a99a1280,0x7f19a99a1368)
freed by thread T0 here:
    #0 0x4a4392 in free ??:0
    #1 0x7f19eb84f5c3 in moz_free src/memory/mozalloc/mozalloc.cpp:49
    #2 0x7f19d6720436 in ~nsHTMLSelectElement src/content/html/content/src/nsHTMLSelectElement.cpp:134
    #3 0x7f19d541237d in nsNodeUtils::LastRelease(nsINode*) src/content/base/src/nsNodeUtils.cpp:252
    #4 0x7f19d52e8e4f in nsGenericElement::Release() src/content/base/src/nsGenericElement.cpp:3509
    #5 0x7f19d6721884 in nsHTMLSelectElement::Release() src/content/html/content/src/nsHTMLSelectElement.cpp:146
    #6 0x7f19de57d1db in nsXPCOMCycleCollectionParticipant::UnrootImpl(void*) src/objdir-ff-asan-sym/xpcom/build/nsCycleCollectionParticipant.cpp:37
    #7 0x7f19de9a21ec in nsCycleCollector::CollectWhite(nsICycleCollectorListener*) src/xpcom/base/nsCycleCollector.cpp:2305
    #8 0x7f19de9a9ef6 in nsCycleCollector::FinishCollection(nsICycleCollectorListener*) src/xpcom/base/nsCycleCollector.cpp:2845
    #9 0x7f19de9af388 in nsCycleCollectorRunner::Collect(bool, nsCycleCollectorResults*, nsICycleCollectorListener*) src/xpcom/base/nsCycleCollector.cpp:3147
    #10 0x7f19de9ae095 in nsCycleCollector_collect(bool, nsCycleCollectorResults*, nsICycleCollectorListener*) src/xpcom/base/nsCycleCollector.cpp:3236
    #11 0x7f19d72017f5 in nsJSContext::CycleCollectNow(nsICycleCollectorListener*, int, bool) src/dom/base/nsJSEnvironment.cpp:3072
    #12 0x7f19d72463f2 in CCTimerFired(nsITimer*, void*) src/dom/base/nsJSEnvironment.cpp:3263
    #13 0x7f19de927692 in nsTimerImpl::Fire() src/xpcom/threads/nsTimerImpl.cpp:474
    #14 0x7f19de9292cc in nsTimerEvent::Run() src/xpcom/threads/nsTimerImpl.cpp:558
    #15 0x7f19de8eb8fd in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:625
    #16 0x7f19de57a6ad in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:217
    #17 0x7f19db58e826 in nsXULWindow::ShowModal() src/xpfe/appshell/src/nsXULWindow.cpp:378
    #18 0x7f19db571732 in nsContentTreeOwner::ShowAsModal() src/xpfe/appshell/src/nsContentTreeOwner.cpp:529
    #19 0x7f19db5718ac in non-virtual thunk to nsContentTreeOwner::ShowAsModal() asn1cmn.c:0
    #20 0x7f19db39a4eb in nsWindowWatcher::OpenWindowJSInternal(nsIDOMWindow*, char const*, char const*, char const*, bool, nsIArray*, bool, nsIDOMWindow**) src/embedding/components/windowwatcher/src/nsWindowWatcher.cpp:996
    #21 0x7f19db390b71 in nsWindowWatcher::OpenWindow(nsIDOMWindow*, char const*, char const*, char const*, nsISupports*, nsIDOMWindow**) src/embedding/components/windowwatcher/src/nsWindowWatcher.cpp:381
    #22 0x7f19dc80e8b1 in nsNSSDialogHelper::openDialog(nsIDOMWindow*, char const*, nsISupports*, bool) src/security/manager/pki/src/nsNSSDialogHelper.cpp:44
    #23 0x7f19dc7f391b in nsNSSDialogs::DisplayGeneratingKeypairInfo(nsIInterfaceRequestor*, nsIKeygenThread*) src/security/manager/pki/src/nsNSSDialogs.cpp:457
    #24 0x7f19dc7f3af7 in non-virtual thunk to nsNSSDialogs::DisplayGeneratingKeypairInfo(nsIInterfaceRequestor*, nsIKeygenThread*) asn1cmn.c:0
    #25 0x7f19dba35f05 in nsKeygenFormProcessor::GetPublicKey(nsAString_internal&, nsAString_internal&, nsString&, nsAString_internal&, nsAString_internal&) src/security/manager/ssl/src/nsKeygenHandler.cpp:658
    #26 0x7f19dba3a053 in nsKeygenFormProcessor::ProcessValue(nsIDOMHTMLElement*, nsAString_internal const&, nsAString_internal&) src/security/manager/ssl/src/nsKeygenHandler.cpp:800
    #27 0x7f19d675196e in nsHTMLSelectElement::SubmitNamesValues(nsFormSubmission*) src/content/html/content/src/nsHTMLSelectElement.cpp:1771
    #28 0x7f19d6752c9f in non-virtual thunk to nsHTMLSelectElement::SubmitNamesValues(nsFormSubmission*) asn1cmn.c:0
    #29 0x7f19d635feb2 in nsHTMLFormElement::WalkFormElements(nsFormSubmission*) src/content/html/content/src/nsHTMLFormElement.cpp:983
previously allocated by thread T0 here:
    #0 0x4a4452 in __interceptor_malloc ??:0
    #1 0x7f19eb84f717 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54
    #2 0x7f19d671ecd9 in NS_NewHTMLSelectElement(already_AddRefed<nsINodeInfo>, mozilla::dom::FromParser) src/content/html/content/src/nsHTMLSelectElement.cpp:104
    #3 0x7f19d69f70ce in CreateHTMLElement(unsigned int, already_AddRefed<nsINodeInfo>, mozilla::dom::FromParser) src/content/html/document/src/nsHTMLContentSink.cpp:497
    #4 0x7f19d69f7990 in NS_NewHTMLElement(nsIContent**, already_AddRefed<nsINodeInfo>, mozilla::dom::FromParser) src/content/html/document/src/nsHTMLContentSink.cpp:480
    #5 0x7f19d53e3978 in NS_NewElement(nsIContent**, already_AddRefed<nsINodeInfo>, mozilla::dom::FromParser) src/content/base/src/nsNameSpaceManager.cpp:201
    #6 0x7f19d84a2b55 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) src/parser/html/nsHtml5TreeOperation.cpp:340
    #7 0x7f19d84c3806 in nsHtml5TreeOpExecutor::RunFlushLoop() src/parser/html/nsHtml5TreeOpExecutor.cpp:566
    #8 0x7f19d84ff746 in nsHtml5ExecutorFlusher::Run() src/parser/html/nsHtml5StreamParser.cpp:127
    #9 0x7f19de8eb8fd in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:625
    #10 0x7f19de57a6ad in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:217
    #11 0x7f19dd519ce6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
    #12 0x7f19deb9db9a in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:209
    #13 0x7f19deb9d9e3 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:202
    #14 0x7f19deb9d8c8 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:176
    #15 0x7f19dca23c8e in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:165
    #16 0x7f19db676eb8 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:257
    #17 0x7f19d1e04d20 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3787
    #18 0x7f19d1e0b6c2 in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3864
    #19 0x7f19d1e0eb92 in XRE_main src/toolkit/xre/nsAppRunner.cpp:3940
    #20 0x40c28f in do_main(int, char**) src/browser/app/nsBrowserApp.cpp:160
    #21 0x409cbd in main src/browser/app/nsBrowserApp.cpp:298
    #22 0x7f19ee9c3c4d in ?? ??:0
==2410== ABORTING
Stats: 222M malloced (260M for red zones) by 614296 calls
Stats: 50M realloced by 30116 calls
Stats: 191M freed by 382570 calls
Stats: 58M really freed by 173153 calls
Stats: 464M (118841 full pages) mmaped in 116 calls
  mmaps   by size class: 8:425958; 9:57337; 10:65520; 11:20470; 12:4096; 13:3072; 14:1536; 15:384; 16:640; 17:160; 18:224; 19:48; 20:12;
  mallocs by size class: 8:452010; 9:59723; 10:72170; 11:20208; 12:3653; 13:3340; 14:1706; 15:411; 16:629; 17:148; 18:238; 19:47; 20:13;
  frees   by size class: 8:237578; 9:50565; 10:68846; 11:17073; 12:2672; 13:3053; 14:1487; 15:360; 16:531; 17:134; 18:218; 19:43; 20:10;
  rfrees  by size class: 8:129647; 9:23124; 10:8778; 11:8941; 12:816; 13:545; 14:723; 15:159; 16:342; 17:52; 18:21; 19:4; 20:1;
Stats: malloc large: 446 small slow: 2990
Shadow byte and word:
  0x1fe335334250: fd
  0x1fe335334250: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1fe335334230: fa fa fa fa fa fa fa fa
  0x1fe335334238: fa fa fa fa fa fa fa fa
  0x1fe335334240: fa fa fa fa fa fa fa fa
  0x1fe335334248: fa fa fa fa fa fa fa fa
=>0x1fe335334250: fd fd fd fd fd fd fd fd
  0x1fe335334258: fd fd fd fd fd fd fd fd
  0x1fe335334260: fd fd fd fd fd fd fd fd
  0x1fe335334268: fd fd fd fd fd fd fd fd
  0x1fe335334270: fa fa fa fa fa fa fa fa
Comment 1 Abhishek Arya 2012-07-20 22:40:57 PDT
Some comments:

1. The freed element is nsHTMLSelectElement.
2. The call triggering the free is nsHTMLSelectElement::SubmitNamesValues(nsFormSubmission*) at nsHTMLSelectElement.cpp:1771, 'keyGenProcessor->ProcessValue(this, name, tmp);'.
3. The use/crash happens at nsHTMLSelectElement::SubmitNamesValues(nsFormSubmission*) at nsHTMLSelectElement.cpp:1747. Since 1747 < 1771, it is probably happening at the next iteration of the loop here:

971 nsHTMLFormElement::WalkFormElements(nsFormSubmission* aFormSubmission)
972 {
973   nsTArray<nsGenericHTMLFormElement*> sortedControls;
.........
980   PRUint32 len = sortedControls.Length();
981   for (PRUint32 i = 0; i < len; ++i) {
982     // Tell the control to submit its name/value pairs to the submission
983     sortedControls[i]->SubmitNamesValues(aFormSubmission);
984   }

Probably coming from use of a weak-ptr array of node pointers :(
Comment 2 Olli Pettay [:smaug] (high review load, please consider other reviewers) 2012-07-21 02:18:30 PDT
Yup.
Comment 3 Olli Pettay [:smaug] (high review load, please consider other reviewers) 2012-07-21 02:21:45 PDT
That would be a regression from bug 347165.
Comment 4 Mounir Lamouri (:mounir) 2012-07-23 17:12:23 PDT
I will gladly take that bug if there is a test case provided.
Comment 5 Abhishek Arya 2012-07-24 07:06:21 PDT
Created attachment 645285 [details]
Testcase

Let the testcase run for 30 sec. It should crash. For me, I could reproduce on both my Windows and Linux boxes.
Comment 6 David Bolter [:davidb] 2012-07-26 13:40:35 PDT
Wanting to assign Mounir this one but he's on vacay...
Comment 7 Kyle Huey [:khuey] (khuey@mozilla.com) 2012-07-26 15:15:29 PDT
I'll take it.
Comment 8 Mounir Lamouri (:mounir) 2012-07-27 12:19:17 PDT
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #7)
> I'll take it.

Thanks, really appreciated :)
If you are not done with it on the 5th, feel free to assign it to me.
Comment 9 Alex Keybl [:akeybl] 2012-07-30 09:23:40 PDT
Is the current thinking that a fix in time for FF15's release would be too risky?
Comment 10 Olli Pettay [:smaug] (high review load, please consider other reviewers) 2012-07-30 09:50:01 PDT
It is possible to fix this in a very safe, but a bit ugly way.
(manually addref/release the items in the array. That approach is used elsewhere.)
Comment 11 Andrew McCreight [:mccr8] 2012-07-30 13:04:50 PDT
Created attachment 647264 [details] [diff] [review]
hold onto sortedControls

This just implements smaug's suggestion, which is also used with GetSortedControls in nsHTMLFormElement::CheckFormValidity.  Which suggests that it is bad to return a weakly-referenced array from it. ;)

I was able to reproduce the crash almost immediately on OSX without the patch, and it didn't crash after about 4 minutes with the patch.
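The mechanism comment 1 describes and the fix comments 10 and 11 settle on, as an added C++ model that is not Mozilla code: Control, Form, gLive and RunScenario are hypothetical stand-ins for nsGenericHTMLFormElement, nsHTMLFormElement and the cycle collector, and a live-object registry reports the dangling pointer instead of dereferencing it.

```cpp
// Added toy model of this bug: a form walks raw (weak) control pointers while
// one control's submission spins a nested event loop that frees another.
#include <algorithm>
#include <set>
#include <string>
#include <utility>
#include <vector>
// Hypothetical refcounted control standing in for nsGenericHTMLFormElement.
struct Control { std::string name; int refcnt; };
// Registry of live objects so a dangling pointer is detected, not dereferenced.
static std::set<Control*> gLive;
static void AddRef(Control* c) { ++c->refcnt; }
static void Release(Control* c) { if (--c->refcnt == 0) { gLive.erase(c); delete c; } }

// Hypothetical form standing in for nsHTMLFormElement.
struct Form {
    std::vector<Control*> controls;         // the form owns one ref per control
    std::vector<std::string> submitted;
    Control* detachDuringSubmit = nullptr;  // what the "cycle collector" frees mid-walk
    Control* Add(const std::string& n) {
        Control* c = new Control{n, 0};
        AddRef(c); gLive.insert(c); controls.push_back(c);
        return c;
    }
    // Stand-in for nsKeygenFormProcessor::ProcessValue: the modal dialog spins the
    // event loop, the CC timer fires, and a detached control loses its last ref.
    void NestedEventLoop() {
        auto it = std::find(controls.begin(), controls.end(), detachDuringSubmit);
        if (it != controls.end()) { controls.erase(it); Release(detachDuringSubmit); }
        detachDuringSubmit = nullptr;
    }
    // Returns 1 if the walk handed us a pointer to an already freed control.
    int SubmitNamesValues(Control* c) {
        if (!gLive.count(c)) return 1;      // the real code reads freed memory here
        submitted.push_back(c->name);
        if (c->name == "keygen") NestedEventLoop();
        return 0;
    }
    // Before the fix: sortedControls is a weak nsTArray<nsGenericHTMLFormElement*>.
    int WalkFormElementsWeak() {
        std::vector<Control*> sorted = controls;
        int dangling = 0;
        for (Control* c : sorted) dangling += SubmitNamesValues(c);
        return dangling;
    }
    // After the fix ("hold onto sortedControls"): AddRef each element before the
    // loop and Release afterwards, so nothing in the array dies mid-walk.
    int WalkFormElementsStrong() {
        std::vector<Control*> sorted = controls;
        for (Control* c : sorted) AddRef(c);
        int dangling = 0;
        for (Control* c : sorted) dangling += SubmitNamesValues(c);
        for (Control* c : sorted) Release(c);  // the detached control is freed here
        return dangling;
    }
    ~Form() { for (Control* c : controls) Release(c); }
};

// Constructed scenario: keygen control first, then the control the nested loop
// detaches. Returns {dangling pointers encountered, names submitted}.
static std::pair<int, int> RunScenario(bool strongRefs) {
    Form f;
    f.Add("keygen"); f.detachDuringSubmit = f.Add("victim"); f.Add("last");
    int dangling = strongRefs ? f.WalkFormElementsStrong() : f.WalkFormElementsWeak();
    return {dangling, static_cast<int>(f.submitted.size())};
}
```

RunScenario(false) returns {1, 2} (one dangling pointer, the victim never submitted) and RunScenario(true) returns {0, 3}; add a main() that prints both to run it stand-alone.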
Comment 12 Andrew McCreight [:mccr8] 2012-07-31 07:01:26 PDT
https://hg.mozilla.org/integration/mozilla-inbound/rev/ec5a657c9751
Comment 13 Lukas Blakk [:lsblakk] use ?needinfo 2012-07-31 16:05:00 PDT
If we're going to try the safe & ugly way,
Comment 14 Lukas Blakk [:lsblakk] use ?needinfo 2012-07-31 16:06:05 PDT
Continuing that thought...

If we're going to try to land this to 15 the safe & ugly way we will also need to make sure it can land in ESR10 at the same time and that the risk is low in both.  I'd feel most comfortable getting this into our next beta if possible (beta 4) so by next Monday, August 6th.
Comment 15 Andrew McCreight [:mccr8] 2012-07-31 16:43:33 PDT
Yes, I went with the simple approach that matches what is done elsewhere.  This function hasn't changed in two years so it will be no problem to backport.  I'll nominate it in a few days, assuming it doesn't magically blow up.
Comment 16 Andrew McCreight [:mccr8] 2012-07-31 19:35:43 PDT
https://hg.mozilla.org/mozilla-central/rev/ec5a657c9751
Comment 17 Andrew McCreight [:mccr8] 2012-08-04 11:16:19 PDT
Comment on attachment 647264 [details] [diff] [review]
hold onto sortedControls

[Approval Request Comment]
Bug caused by (feature/regressing bug #): something pre-10
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined: possible exploits
Testing completed (on m-c, etc.): It has been on m-c for about a week.
Fix Landed on Version: 17.
Risk to taking this patch (and alternatives if risky): low, it just follows a simple pattern for keeping things alive slightly longer.
String or UUID changes made by this patch: none
Comment 18 Andrew McCreight [:mccr8] 2012-08-04 11:17:05 PDT
(In reply to Andrew McCreight [:mccr8] from comment #17)
> Bug caused by (feature/regressing bug #): something pre-10

Ah, right.  Bug 347165.
Comment 20 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-08-14 15:27:48 PDT
Should the attached testcase be added to the testsuite?
Comment 21 Andrew McCreight [:mccr8] 2012-08-14 16:52:01 PDT
It isn't really a test we can use as a test case.  It could be manually tested, though.  Just run it for a minute and see if the browser crashes.
Comment 23 Raymond Forbes[:rforbes] 2013-07-19 18:10:10 PDT
rforbes-bugspam-for-setting-that-bounty-flag-20130719
