Closed Bug 869038 Opened 11 years ago Closed 11 years ago

Crash with iframe, contenteditable, GC

Categories

(Core :: DOM: Core & HTML, defect)

x86_64
macOS
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla23
Tracking Status
firefox22 --- unaffected
firefox23 --- verified
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: jruderman, Assigned: peterv)

References

Details

(Keywords: crash, testcase, Whiteboard: [adv-main23-])

Attachments

(3 files)

1. Install https://www.squarefree.com/extensions/domFuzzLite3.xpi
2. Load the testcase

Result: crash with this=0xdadadadadadadada within js::assertSameCompartment
Attached file stack (gdb)
Crashes in non-debug ASan builds too, in a different place.
This looks related to Document bindings, which IIUC landed recently.
Doesn't crash for me.
Managed to get it to crash.
Assignee: nobody → peterv
Status: NEW → ASSIGNED
Attached patch v1Splinter Review
nsContentUtils::ReleaseWrapper unsets PreservingWrapper, so it needs to clear the expando.
Attachment #746635 - Flags: review?(bzbarsky)
Comment on attachment 746635 [details] [diff] [review]
v1

r=me
Attachment #746635 - Flags: review?(bzbarsky) → review+
https://hg.mozilla.org/mozilla-central/rev/ef2134c93dae
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
Summary: Crash with iframe, contenteditable, GC, focus → Crash with iframe, contenteditable, GC
Blocks: 869027
Is Firefox 22 and earlier unaffected?
Yes, bug 855971 was landed in 23.
Keywords: verifyme
Matt, can you take a look at this to verify for Firefox 23?
QA Contact: mwobensmith
Confirmed crash on FF23, 2013-05-05
Confirmed fixed on FF23, 2013-06-14
Status: RESOLVED → VERIFIED
Whiteboard: [adv-main23-]
Group: core-security
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.