Closed Bug 869038 Opened 12 years ago Closed 12 years ago

Crash with iframe, contenteditable, GC

Tracking

()

Status:

VERIFIED FIXED

Milestone:

mozilla23

Tracking Flags:

Tracking

Status

firefox22

---

unaffected

firefox23

---

verified

firefox-esr17

---

unaffected

b2g18

---

unaffected

People

(Reporter: jruderman, Assigned: peterv)

References

Details

(Keywords: crash, testcase, Whiteboard: [adv-main23-])

Attachments

(3 files)

testcase (requires extension for GC) 12 years ago Jesse Ruderman 410 bytes, text/html		Details
stack (gdb) 12 years ago Jesse Ruderman 16.52 KB, text/plain		Details
v1 12 years ago Peter Van der Beken [:peterv] 1.95 KB, patch	bzbarsky : review+	Details \| Diff \| Splinter Review

Jesse Ruderman

Reporter

Description

•

12 years ago

Attached file testcase (requires extension for GC) — Details

1. Install https://www.squarefree.com/extensions/domFuzzLite3.xpi 2. Load the testcase Result: crash with this=0xdadadadadadadada within js::assertSameCompartment

Jesse Ruderman

Reporter

Comment 1

•

12 years ago

Attached file stack (gdb) — Details

Jesse Ruderman

Reporter

Comment 2

•

12 years ago

Crashes in non-debug ASan builds too, in a different place.

Bobby Holley (:bholley)

Comment 3

•

12 years ago

This looks related to Document bindings, which IIUC landed recently.

Peter Van der Beken [:peterv]

Assignee

Comment 4

•

12 years ago

Doesn't crash for me.

Peter Van der Beken [:peterv]

Assignee

Comment 5

•

12 years ago

Managed to get it to crash.

Assignee: nobody → peterv

Status: NEW → ASSIGNED

Peter Van der Beken [:peterv]

Assignee

Comment 6

•

12 years ago

Attached patch v1 — Details — Splinter Review

nsContentUtils::ReleaseWrapper unsets PreservingWrapper, so it needs to clear the expando.

Attachment #746635 - Flags: review?(bzbarsky)

Boris Zbarsky [:bzbarsky]

Comment 7

•

12 years ago

Comment on attachment 746635 [details] [diff] [review] v1 r=me

Attachment #746635 - Flags: review?(bzbarsky) → review+

Peter Van der Beken [:peterv]

Assignee

Comment 8

•

12 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/ef2134c93dae

Ed Morley [:emorley]

Comment 9

•

12 years ago

https://hg.mozilla.org/mozilla-central/rev/ef2134c93dae

Status: ASSIGNED → RESOLVED

Closed: 12 years ago

status-firefox23: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla23

Jesse Ruderman

Reporter

Updated

•

12 years ago

Summary: Crash with iframe, contenteditable, GC, focus → Crash with iframe, contenteditable, GC

Jesse Ruderman

Reporter

Updated

•

12 years ago

Blocks: 869027

Al Billings [:abillings - ex-MoCo]

Comment 10

•

12 years ago

Is Firefox 22 and earlier unaffected?

Peter Van der Beken [:peterv]

Assignee

Comment 11

•

12 years ago

Yes, bug 855971 was landed in 23.

Andrew McCreight [:mccr8]

Updated

•

12 years ago

status-b2g18: --- → unaffected

status-firefox22: --- → unaffected

status-firefox-esr17: --- → unaffected

u279076

Updated

•

12 years ago

Keywords: verifyme

u279076

Comment 12

•

12 years ago

Matt, can you take a look at this to verify for Firefox 23?

QA Contact: mwobensmith

Matt Wobensmith [:mwobensmith][:matt:]

Comment 13

•

12 years ago

Confirmed crash on FF23, 2013-05-05 Confirmed fixed on FF23, 2013-06-14

Status: RESOLVED → VERIFIED

status-firefox23: fixed → verified

Matt Wobensmith [:mwobensmith][:matt:]

Updated

•

12 years ago

Keywords: verifyme

Al Billings [:abillings - ex-MoCo]

Updated

•

11 years ago

Whiteboard: [adv-main23-]

Daniel Veditz [:dveditz]

Updated

•

11 years ago

Group: core-security

Nobody; OK to take it and work on it

Updated

•

6 years ago

Component: DOM → DOM: Core & HTML

You need to log in before you can comment on or make changes to this bug.