Closed Bug 869038 Opened 7 years ago Closed 7 years ago
Crash with iframe, contenteditable, GC
1. Install https://www.squarefree.com/extensions/domFuzzLite3.xpi
2. Load the testcase
Result: crash with this=0xdadadadadadadada within js::assertSameCompartment
Crashes in non-debug ASan builds too, in a different place.
This looks related to Document bindings, which IIUC landed recently.
Doesn't crash for me.
Managed to get it to crash.
Assignee: nobody → peterv
Status: NEW → ASSIGNED
nsContentUtils::ReleaseWrapper unsets PreservingWrapper, so it needs to clear the expando.
Attachment #746635 - Flags: review?(bzbarsky)
Comment on attachment 746635 v1
r=me
Attachment #746635 - Flags: review?(bzbarsky) → review+
Summary: Crash with iframe, contenteditable, GC, focus → Crash with iframe, contenteditable, GC
Is Firefox 22 and earlier unaffected?
Yes, bug 855971 was landed in 23.
Matt, can you take a look at this to verify for Firefox 23?
QA Contact: mwobensmith
Confirmed crash on FF23, 2013-05-05
Confirmed fixed on FF23, 2013-06-14