Bug 786895 - (CVE-2012-4183) Heap-use-after-free in DOMSVGTests::GetRequiredFeatures
Status: RESOLVED FIXED
Whiteboard: [asan][advisory-tracking+]
Keywords: csectype-uaf, regression, sec-critical, testcase
Product: Core
Classification: Components
Component: SVG
Version: Trunk
Platform: x86_64 All
Importance: -- normal
Assigned To: Robert Longson
Blocks: 754592
Reported: 2012-08-29 18:07 PDT by Abhishek Arya
Modified: 2014-07-24 13:42 PDT
Flags: dchanm+bugzilla: sec-bounty+
Status flags: affected, fixed, fixed, fixed, unaffected (branch names not preserved; comment 15 sets Firefox 15 to affected and trunk/Aurora/Beta, i.e. Firefox 18/17/16, to fixed)


Attachments
backout patch for aurora (13.60 KB, patch); 2012-08-30 10:14 PDT, Robert Longson; akeybl: approval-mozilla-aurora+
Testcase (324.38 KB, application/x-zip-compressed); 2012-09-03 00:27 PDT, Abhishek Arya
backout patch for beta (13.73 KB, patch); 2012-09-03 13:37 PDT, Daniel Holbert [:dholbert]; akeybl: approval-mozilla-beta+

Description Abhishek Arya 2012-08-29 18:07:13 PDT
Reproduces on trunk. I don't have a reliable testcase, but this is hitting every now and then. I got it once under a fully symbolized build that might give an idea of the problem. As soon as I get a reliable testcase, I will attach it. This hits in both DOMSVGTests::GetRequiredFeatures and DOMSVGTests::GetRequiredExtensions.

=================================================================
==1718== ERROR: AddressSanitizer heap-use-after-free on address 0x7f6583c87f88 at pc 0x7f65b68c2506 bp 0x7fff5fd7bf90 sp 0x7fff5fd7bf88
READ of size 8 at 0x7f6583c87f88 thread T0
    #0 0x7f65b68c2505 in nsCycleCollectingAutoRefCnt::incr(void*) src/../../../dist/include/nsISupportsImpl.h:108
    #1 0x7f65bcddcdec in mozilla::DOMSVGStringList::AddRef() src/content/svg/content/src/DOMSVGStringList.cpp:21
    #2 0x7f65bcde89d6 in nsRefPtr src/../../../../dist/include/nsAutoPtr.h:898
    #3 0x7f65bcddea07 in nsRefPtr src/../../../../dist/include/nsAutoPtr.h:899
    #4 0x7f65bcdde502 in mozilla::DOMSVGStringList::GetDOMWrapper(mozilla::SVGStringList*, nsSVGElement*, bool, unsigned char) src/content/svg/content/src/DOMSVGStringList.cpp:43
    #5 0x7f65bcdeb3d1 in DOMSVGTests::GetRequiredFeatures(nsIDOMSVGStringList**) src/content/svg/content/src/DOMSVGTests.cpp:33
    #6 0x7f65c25d50e7 in NS_InvokeByIndex_P src/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
    #7 0x7f65bda32bde in CallMethodHelper::Invoke() src/js/xpconnect/src/XPCWrappedNative.cpp:3105
    #8 0x7f65bda99a67 in XPCWrappedNative::GetAttribute(XPCCallContext&) src/js/xpconnect/src/xpcprivate.h:2817
    #9 0x7f65bda98e8c in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1518
    #10 0x7f65c8ba6501 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:372
    #11 0x7f65c843d6dc in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:119
    #12 0x7f65c8babebb in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:388
    #13 0x7f65c8bb2910 in js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:461
    #14 0x7f65c8eb4372 in js::Shape::get(JSContext*, JS::Handle<JSObject*>, JSObject*, JSObject*, JS::MutableHandle<JS::Value>) src/js/src/jsscopeinlines.h:296
    #15 0x7f65c8e56c4e in js_NativeGetInline(JSContext*, JS::Handle<JSObject*>, JSObject*, JSObject*, js::Shape*, unsigned int, JS::Value*) src/js/src/jsobj.cpp:4461
    #16 0x7f65c82bed14 in JSObject::getGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, JS::MutableHandle<JS::Value>) src/js/src/jsobjinlines.h:173
    #17 0x7f65c828f65b in JSObject::getProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, js::PropertyName*, JS::MutableHandle<JS::Value>) src/js/src/jsobjinlines.h:184
    #18 0x7f65c8b2cd71 in js::GetObjectElementOperation(JSContext*, JSOp, JS::Handle<JSObject*>, JS::Value const&, JS::MutableHandle<JS::Value>) src/js/src/jsinterpinlines.h:713
    #19 0x7f65c8a9a772 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) src/js/src/jsinterp.cpp:301
    #20 0x7f65c8bb3836 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) src/js/src/jsinterp.cpp:486
    #21 0x7f65c8bb57ee in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) src/js/src/jsinterp.cpp:523
    #22 0x7f65c830d5f4 in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) src/js/src/jsapi.cpp:5673
    #23 0x7f65baba9ffd in nsJSContext::EvaluateString(nsAString_internal const&, JSObject*, nsIPrincipal*, nsIPrincipal*, char const*, unsigned int, JSVersion, nsAString_internal*, bool*) src/dom/base/nsJSEnvironment.cpp:1499
    #24 0x7f65bad59e4f in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) src/dom/base/nsGlobalWindow.cpp:9590
    #25 0x7f65bad117c9 in nsGlobalWindow::RunTimeout(nsTimeout*) src/dom/base/nsGlobalWindow.cpp:9851
    #26 0x7f65bad57eaa in nsGlobalWindow::TimerCallback(nsITimer*, void*) src/dom/base/nsGlobalWindow.cpp:10118
    #27 0x7f65c25173e2 in nsTimerImpl::Fire() src/xpcom/threads/nsTimerImpl.cpp:473
    #28 0x7f65c2518c98 in nsTimerEvent::Run() src/xpcom/threads/nsTimerImpl.cpp:556
    #29 0x7f65c24dc08e in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:624
    #30 0x7f65c217d4f7 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:220
    #31 0x7f65c0f57df5 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
    #32 0x7f65c2786c69 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:208
    #33 0x7f65c2786ab2 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:201
    #34 0x7f65c2786997 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:175
    #35 0x7f65c04213be in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
    #36 0x7f65bf085608 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:273
    #37 0x7f65b5863ae0 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3835
    #38 0x7f65b5869d54 in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3912
    #39 0x7f65b586ce1e in XRE_main src/toolkit/xre/nsAppRunner.cpp:3988
    #40 0x40c5bb in do_main(int, char**) src/browser/app/nsBrowserApp.cpp:174
    #41 0x409e1f in main src/browser/app/nsBrowserApp.cpp:279
    #42 0x7f65d2368c4d in ?? ??:0
0x7f6583c87f88 is located 8 bytes inside of 32-byte region [0x7f6583c87f80,0x7f6583c87fa0)
freed by thread T0 here:
    #0 0x4c3e30 in free ??:0
    #1 0x7f65cf206572 in moz_free src/memory/mozalloc/mozalloc.cpp:51
    #2 0x7f65bcddd248 in operator delete(void*) src/../../../../dist/include/mozilla/mozalloc.h:224
    #3 0x7f65bd8eadc5 in _ZL17DoDeferredReleaseIP11nsISupportsEvR8nsTArrayIT_24nsTArrayDefaultAllocatorE src/js/xpconnect/src/XPCJSRuntime.cpp:564
    #4 0x7f65bd8ea578 in XPCJSRuntime::GCCallback(JSRuntime*, JSGCStatus) src/js/xpconnect/src/XPCJSRuntime.cpp:718
    #5 0x7f65c88b7b0e in Collect(JSRuntime*, bool, long, js::JSGCInvocationKind, js::gcreason::Reason) src/js/src/jsgc.cpp:4505
    #6 0x7f65c88b83b6 in js::GCFinalSlice(JSRuntime*, js::JSGCInvocationKind, js::gcreason::Reason) src/js/src/jsgc.cpp:4544
    #7 0x7f65c88049e8 in js::FinishIncrementalGC(JSRuntime*, js::gcreason::Reason) src/js/src/jsfriendapi.cpp:177
    #8 0x7f65c825d7a3 in JS_TransplantObject src/js/src/jsapi.cpp:1570
    #9 0x7f65bea486f5 in xpc::TransplantObject(JSContext*, JSObject*, JSObject*) src/js/xpconnect/wrappers/WrapperFactory.cpp:674
    #10 0x7f65bda1648e in XPCWrappedNative::ReparentWrapperIfFound(XPCCallContext&, XPCWrappedNativeScope*, XPCWrappedNativeScope*, JSObject*, nsISupports*, XPCWrappedNative**) src/js/xpconnect/src/XPCWrappedNative.cpp:1669
    #11 0x7f65bd69955d in nsXPConnect::ReparentWrappedNativeIfFound(JSContext*, JSObject*, JSObject*, nsISupports*, nsIXPConnectJSObjectHolder**) src/js/xpconnect/src/nsXPConnect.cpp:1531
    #12 0x7f65b8dce9b8 in nsNodeUtils::CloneAndAdopt(nsINode*, bool, bool, nsNodeInfoManager*, JSContext*, JSObject*, nsCOMArray<nsINode>&, nsINode*, nsINode**) src/content/base/src/nsNodeUtils.cpp:537
    #13 0x7f65b8bc3c9f in nsNodeUtils::CloneAndAdopt(nsINode*, bool, bool, nsNodeInfoManager*, JSContext*, JSObject*, nsCOMArray<nsINode>&, nsIDOMNode**) src/../../../../dist/include/nsNodeUtils.h:282
    #14 0x7f65b8afdd38 in nsNodeUtils::Adopt(nsINode*, nsNodeInfoManager*, JSContext*, JSObject*, nsCOMArray<nsINode>&) src/content/base/src/nsNodeUtils.h:182
    #15 0x7f65b8af942c in nsDocument::AdoptNode(nsIDOMNode*, nsIDOMNode**) src/content/base/src/nsDocument.cpp:6169
    #16 0x7f65ba424360 in nsHTMLDocument::AdoptNode(nsIDOMNode*, nsIDOMNode**) src/content/html/document/src/nsHTMLDocument.h:87
    #17 0x7f65ba42a366 in non-virtual thunk to nsHTMLDocument::AdoptNode(nsIDOMNode*, nsIDOMNode**) src/gfx/cairo/cairo/src/cairo-surface-subsurface.c:0
    #18 0x7f65b8d2f657 in AdoptNodeIntoOwnerDoc(nsINode*, nsINode*) src/content/base/src/nsINode.cpp:1257
    #19 0x7f65b8d34540 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*) src/content/base/src/nsINode.cpp:1809
    #20 0x7f65b8f11881 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, unsigned int*) src/../../../dist/include/nsINode.h:1464
    #21 0x7f65b8f0f948 in nsINode::InsertBefore(nsINode*, nsINode*, unsigned int*) src/../../../dist/include/nsINode.h:488
    #22 0x7f65b9afb20a in nsINode::AppendChild(nsINode*, unsigned int*) src/../../../dist/include/nsINode.h:498
    #23 0x7f65bdbe8437 in nsIDOMNode_AppendChild(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/js/xpconnect/src/dom_quickstubs.cpp:5531
    #24 0x7f65c8ba6501 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:372
    #25 0x7f65c8b33731 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2405
    #26 0x7f65c8a9a772 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) src/js/src/jsinterp.cpp:301
    #27 0x7f65c8bb3836 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) src/js/src/jsinterp.cpp:486
    #28 0x7f65c8bb57ee in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) src/js/src/jsinterp.cpp:523
    #29 0x7f65c830d5f5 in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) src/js/src/jsapi.cpp:5673
previously allocated by thread T0 here:
    #0 0x4c3ef0 in __interceptor_malloc ??:0
    #1 0x7f65cf2066c6 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:57
    #2 0x7f65bcdde56d in operator new(unsigned long) src/../../../../dist/include/mozilla/mozalloc.h:200
    #3 0x7f65bcdeb3d1 in DOMSVGTests::GetRequiredFeatures(nsIDOMSVGStringList**) src/content/svg/content/src/DOMSVGTests.cpp:33
    #4 0x7f65c25d50e7 in NS_InvokeByIndex_P src/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
    #5 0x7f65bda32bde in CallMethodHelper::Invoke() src/js/xpconnect/src/XPCWrappedNative.cpp:3105
    #6 0x7f65bda99a67 in XPCWrappedNative::GetAttribute(XPCCallContext&) src/js/xpconnect/src/xpcprivate.h:2817
    #7 0x7f65bda98e8c in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1518
    #8 0x7f65c8ba6501 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:372
    #9 0x7f65c843d6dc in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:119
    #10 0x7f65c8babebb in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:388
    #11 0x7f65c8bb2910 in js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:461
    #12 0x7f65c8eb4372 in js::Shape::get(JSContext*, JS::Handle<JSObject*>, JSObject*, JSObject*, JS::MutableHandle<JS::Value>) src/js/src/jsscopeinlines.h:296
    #13 0x7f65c8e56c4e in js_NativeGetInline(JSContext*, JS::Handle<JSObject*>, JSObject*, JSObject*, js::Shape*, unsigned int, JS::Value*) src/js/src/jsobj.cpp:4461
    #14 0x7f65c82bed14 in JSObject::getGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, JS::MutableHandle<JS::Value>) src/js/src/jsobjinlines.h:173
    #15 0x7f65c828f65b in JSObject::getProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, js::PropertyName*, JS::MutableHandle<JS::Value>) src/js/src/jsobjinlines.h:184
    #16 0x7f65c8b2cd71 in js::GetObjectElementOperation(JSContext*, JSOp, JS::Handle<JSObject*>, JS::Value const&, JS::MutableHandle<JS::Value>) src/js/src/jsinterpinlines.h:713
    #17 0x7f65c8a9a772 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) src/js/src/jsinterp.cpp:301
    #18 0x7f65c8bb3836 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) src/js/src/jsinterp.cpp:486
    #19 0x7f65c8bb57ee in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) src/js/src/jsinterp.cpp:523
    #20 0x7f65c830d5f4 in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) src/js/src/jsapi.cpp:5673
    #21 0x7f65baba9ffd in nsJSContext::EvaluateString(nsAString_internal const&, JSObject*, nsIPrincipal*, nsIPrincipal*, char const*, unsigned int, JSVersion, nsAString_internal*, bool*) src/dom/base/nsJSEnvironment.cpp:1499
    #22 0x7f65bad59e4f in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) src/dom/base/nsGlobalWindow.cpp:9590
    #23 0x7f65bad117c9 in nsGlobalWindow::RunTimeout(nsTimeout*) src/dom/base/nsGlobalWindow.cpp:9851
    #24 0x7f65bad57eab in nsGlobalWindow::TimerCallback(nsITimer*, void*) src/dom/base/nsGlobalWindow.cpp:10119
Shadow byte and word:
  0x1fecb0790ff1: fd
  0x1fecb0790ff0: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1fecb0790fd0: 00 00 00 00 00 00 00 00
  0x1fecb0790fd8: 00 00 00 fb fb fb fb fb
  0x1fecb0790fe0: fa fa fa fa fa fa fa fa
  0x1fecb0790fe8: fa fa fa fa fa fa fa fa
=>0x1fecb0790ff0: fd fd fd fd fd fd fd fd
  0x1fecb0790ff8: fd fd fd fd fd fd fd fd
  0x1fecb0791000: fa fa fa fa fa fa fa fa
  0x1fecb0791008: fa fa fa fa fa fa fa fa
  0x1fecb0791010: 00 00 00 00 fb fb fb fb
Stats: 250M malloced (286M for red zones) by 749048 calls
Stats: 117M realloced by 28773 calls
Stats: 218M freed by 507760 calls
Stats: 83M really freed by 211442 calls
Stats: 484M (123977 full pages) mmaped in 121 calls
  mmaps   by size class: 8:557022; 9:40955; 10:16380; 11:10235; 12:3072; 13:2048; 14:768; 15:256; 16:576; 17:224; 18:288; 19:208; 20:4;
  mallocs by size class: 8:677534; 9:36702; 10:14422; 11:12268; 12:3345; 13:2207; 14:878; 15:297; 16:587; 17:251; 18:343; 19:210; 20:4;
  frees   by size class: 8:455111; 9:26721; 10:10654; 11:8924; 12:2273; 13:1923; 14:605; 15:266; 16:519; 17:241; 18:316; 19:205; 20:2;
  rfrees  by size class: 8:174168; 9:20742; 10:7805; 11:4812; 12:1489; 13:1110; 14:416; 15:139; 16:471; 17:142; 18:142; 19:4; 20:2;
Stats: malloc large: 808 small slow: 2574
==1718== ABORTING
Comment 1 Andrew McCreight [:mccr8] 2012-08-30 09:11:42 PDT
It looks like sSVGStringListTearoffTable.GetTearoff is returning a dead pointer, which we then attempt to AddRef.  It looks like the tearoff table intentionally doesn't hold a strong reference, so something is forgetting to remove itself when it dies I guess.
Comment 2 Robert Longson 2012-08-30 09:30:09 PDT
DOMSVGStringList::GetDOMWrapper creates a new DOMSVGStringList if necessary and adds it to the tearoff table. DOMSVGStringList::~DOMSVGStringList removes the tearoff from the table. It's the same as various other lists, e.g. DOMSVGAnimatedLengthList.
Comment 3 Robert Longson 2012-08-30 09:39:53 PDT
The only difference for SVGTests is that they are properties on an element. If the element dies, ReleaseStringListPropertyValue would be called on the SVGStringList in DOMSVGTests.

The same kind of thing should happen on a DOMAnimatedLengthList though, I think, as the SVGAnimatedLength lists are members of the elements, so if the element dies, so do they.
Comment 4 Olli Pettay [:smaug] 2012-08-30 09:40:55 PDT
Are we then missing a virtual dtor or something?
Comment 5 Robert Longson 2012-08-30 09:47:05 PDT
Neither DOMSVGStringList nor SVGStringList has one. We do set the pointer to the right type before we delete in ReleaseStringListPropertyValue though.

Another option might be to back out 754592 and see whether that stops it crashing. I could maybe create a try server build with that removed tomorrow.
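The ownership pattern that comments 2, 3 and 5 describe, written out as a small stand-alone model. This is an added example, not Gecko code: the names StringList, DOMStringList, Element, sTearoffTable and RunLifetimeScenario are stand-ins chosen here for SVGStringList, DOMSVGStringList, nsSVGElement and the tearoff table, and the real wrapper's strong reference to its element and its cycle-collecting refcount are left out. What it shows is the invariant the thread is circling: the table holds no ownership, so a wrapper that does not unregister itself (or unregisters under a different key than it was filed under) leaves a pointer that the next GetDOMWrapper call will AddRef, which is exactly the read ASan flagged above.

```cpp
#include <cstddef>
#include <cstdint>
#include <unordered_map>

struct StringList {        // stands in for SVGStringList (the property value)
  int length = 0;
};

class DOMStringList;       // stands in for DOMSVGStringList (the DOM tearoff)

// Weak tearoff table (comment 1): maps a property value to its live DOM
// wrapper without owning the wrapper. The wrapper registers itself on
// construction and must unregister itself on destruction.
static std::unordered_map<StringList*, DOMStringList*> sTearoffTable;

class DOMStringList {
public:
  explicit DOMStringList(StringList* aVal) : mVal(aVal) {
    sTearoffTable[mVal] = this;
  }
  ~DOMStringList() {
    // Comment 2: the destructor removes the tearoff from the table. Without
    // this line the entry outlives the wrapper and a later lookup hands back
    // freed memory, which GetDOMWrapper then AddRef()s.
    sTearoffTable.erase(mVal);
  }
  void AddRef() { ++mRefCnt; }
  void Release() { if (--mRefCnt == 0) delete this; }
  StringList* Value() const { return mVal; }
private:
  uint32_t mRefCnt = 0;
  StringList* mVal;
};

// Comment 2: GetDOMWrapper returns the existing wrapper if there is one and
// otherwise creates it; either way the caller gets a strong reference.
DOMStringList* GetDOMWrapper(StringList* aList) {
  auto it = sTearoffTable.find(aList);
  DOMStringList* wrapper =
      (it != sTearoffTable.end()) ? it->second : new DOMStringList(aList);
  wrapper->AddRef();
  return wrapper;
}

// Comment 5: the property is stored untyped and deleted through a pointer
// of its exact type, so the missing virtual destructor is not the problem.
static void ReleaseStringListPropertyValue(void* aPropertyValue) {
  delete static_cast<StringList*>(aPropertyValue);
}

// Comment 3: the SVGStringList is a property on the element and dies with it.
class Element {
public:
  ~Element() {
    if (mRequiredFeatures) ReleaseStringListPropertyValue(mRequiredFeatures);
  }
  StringList* RequiredFeatures() {
    if (!mRequiredFeatures) mRequiredFeatures = new StringList();
    return mRequiredFeatures;
  }
private:
  StringList* mRequiredFeatures = nullptr;
};

std::size_t LiveTearoffs() { return sTearoffTable.size(); }

// Debug invariant worth asserting in a build like the one that caught this:
// every registered wrapper must still point at the key it is filed under.
bool TearoffTableConsistent() {
  for (const auto& entry : sTearoffTable) {
    if (entry.second->Value() != entry.first) return false;
  }
  return true;
}

// Walks the lifetime the thread describes and returns how many of the six
// expectations held (6 when the pattern is implemented correctly).
int RunLifetimeScenario() {
  int ok = 0;
  Element* element = new Element();
  StringList* list = element->RequiredFeatures();

  DOMStringList* first = GetDOMWrapper(list);
  DOMStringList* second = GetDOMWrapper(list);
  if (first == second) ++ok;                                   // one wrapper per value
  if (LiveTearoffs() == 1 && TearoffTableConsistent()) ++ok;   // registered once

  second->Release();
  if (LiveTearoffs() == 1) ++ok;                               // still held by 'first'
  first->Release();
  if (LiveTearoffs() == 0) ++ok;                               // dtor unregistered it

  DOMStringList* third = GetDOMWrapper(list);
  if (LiveTearoffs() == 1 && TearoffTableConsistent()) ++ok;   // fresh wrapper created
  third->Release();

  delete element;                                              // frees the property value
  if (LiveTearoffs() == 0) ++ok;
  return ok;
}
```

The scenario releases every wrapper before deleting the element; in Gecko that ordering is enforced by the wrapper's strong reference to the element, which this model omits. The part the backout in this bug could not settle is what happens when the SVGStringList property is released and a new one is allocated at the same address while a stale table entry still exists, since the table is keyed by that address.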
Comment 6 Robert Longson 2012-08-30 09:47:39 PDT
That's bug 754592 for easy linking
Comment 7 Robert Longson 2012-08-30 10:14:45 PDT
Created attachment 656932 [details] [diff] [review]
backout patch for aurora
Comment 8 Robert Longson 2012-08-30 10:18:46 PDT
Or even tonight...

Watch https://tbpl.mozilla.org/?tree=Try&rev=090bdbb19a1d for your results to come in.

Builds and logs will be available at http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/longsonr@gmail.com-090bdbb19a1d.
Comment 9 Abhishek Arya 2012-08-30 17:45:57 PDT
So, I had a reliable testcase hit last night. Reliable in the sense that if I run something like 15 Firefox instances, it crashes 100% of the time with the ASAN stack. I won't be able to attach it since it is a fuzzer testcase and I am trying my minimizer on it. Minimization is just making it unreliable since this looks timing dependent. I will try a few tricks over the next couple of days to see if I can get a good minimized testcase out of it.

For the time being, I tried your backout patch on my trunk where it reliably reproduced. And it completely stops the crash. Tested without(2)/with(2)/without(2) patch, just to make sure I was getting the right results.
Comment 10 Abhishek Arya 2012-09-03 00:27:40 PDT
Created attachment 657794 [details]
Testcase

Reproduces easily on Windows debug with 1-2 reloads. Also reproduces on Linux but needs a dozen simultaneous Firefox instances.
Comment 11 Daniel Holbert [:dholbert] 2012-09-03 13:37:10 PDT
Created attachment 657900 [details] [diff] [review]
backout patch for beta

longsonr and I agree that the best bet for Aurora/Beta here is to back out bug 754592 on those branches.

The already-attached backout patch applies cleanly on Aurora; this patch applies cleanly on Beta. (This one is basically a clean backout, since not too much has changed between bug 754592's landing and current beta.  There were I think 2 function-signature-changes in the code that bug 754592 added, which required trivial manual-merging to work around in the backout.)

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 754592
User impact if declined: security risk
Testing completed (on m-c, etc.): none (this is just a straight backout).  No feature-loss, either -- bug 754592 was just an optimization.
Risk to taking this patch (and alternatives if risky): Low -- just a backout.
String or UUID changes made by this patch: none
Comment 12 Daniel Holbert [:dholbert] 2012-09-03 13:37:44 PDT
Comment on attachment 656932 [details] [diff] [review]
backout patch for aurora

[Approval Request Comment]
(see prev. comment)
Comment 13 Daniel Holbert [:dholbert] 2012-09-03 21:53:06 PDT
FWIW, I just landed the backout patch on trunk (using longsonr's "backout patch for aurora").  Noted in bug 754592 comment 7, & reopened that bug (since that's the bug being backed out).
Comment 14 Alex Keybl [:akeybl] 2012-09-04 06:32:13 PDT
Comment on attachment 656932 [details] [diff] [review]
backout patch for aurora

[Triage Comment]
Backout to known good state for a security issue. It would be good to get a security rating on this bug for future reference.
Comment 15 Daniel Holbert [:dholbert] 2012-09-05 10:52:01 PDT
OK, backouts have landed on trunk / Aurora / Beta (Firefox 18 / 17 / 16) -- cset links posted over on the bug being backed out, bug 754592.

Setting the status flags for those branches to "fixed".  Setting status flag for 15 (current release) to "affected", since bug 754592 landed for Firefox 15.

(I've heard talk of there being a 15.0.1 (?) -- if we wanted to include this backout in that release, I'd be happy to land the backout on that branch, too.)
Comment 16 Alex Keybl [:akeybl] 2012-09-05 10:56:03 PDT
(In reply to Daniel Holbert [:dholbert] from comment #15)
> (I've heard talk of there being a 15.0.1 (?) -- if we wanted to include this
> backout in that release, I'd be happy to land the backout on that branch,
> too.)

We'll let this ride for FF16, released in 4 weeks or so. We'd like to minimize change to critical regression/security bugs. It's not clear this qualifies based upon the difficulty to exploit.
Comment 17 Robert Longson 2012-09-07 06:38:14 PDT
The backout has fixed this bug. Obviously we still need to get the testcase here not to crash if we're to reenable the memory optimisation in bug 754592 but that can be handled in that bug.
Comment 19 Tracy Walker [:tracy] 2014-01-10 10:42:40 PST
mass remove verifyme requests greater than 4 months old
