Closed Bug 830098 Opened 12 years ago Closed 12 years ago

Heap-use-after-free in mozilla::WalkAncestorsResetAutoDirection

Categories

(Core :: Layout: Text and Fonts, defect)

x86_64
All
defect
Not set
critical

Tracking


RESOLVED FIXED
Tracking Status
firefox18 --- unaffected
firefox19 --- unaffected
firefox20 + fixed
firefox21 + fixed
firefox-esr10 --- unaffected
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: inferno, Assigned: smontagu)

References

Details

(5 keywords, Whiteboard: [asan][adv-main20-])

Attachments

(1 file)

Attached file Testcase
Reproduces on trunk.

>==30234== ERROR: AddressSanitizer: heap-use-after-free on address 0x7fc1196c8dac at pc 0x7fc13f37cbf3 bp 0x7fff478572d0 sp 0x7fff478572c8
>READ of size 4 at 0x7fc1196c8dac thread T0
>    #0 0x7fc13f37cbf2 in nsINode::GetBoolFlag(nsINode::BooleanFlag) const src/content/base/public/nsINode.h:1348
>    #1 0x7fc141235a8e in nsINode::HasTextNodeDirectionalityMap() const src/../../../dist/include/nsINode.h:1431
>    #2 0x7fc141234277 in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap(nsINode*, mozilla::dom::Element*) src/content/base/src/DirectionalityUtils.cpp:535
>    #3 0x7fc141233c3a in mozilla::WalkAncestorsResetAutoDirection(mozilla::dom::Element*, bool) src/content/base/src/DirectionalityUtils.cpp:642
>    #4 0x7fc14123b7a1 in mozilla::SetDirOnBind(mozilla::dom::Element*, nsIContent*) src/content/base/src/DirectionalityUtils.cpp:927
>    #5 0x7fc141854de0 in mozilla::dom::Element::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) src/content/base/src/Element.cpp:1170
>    #6 0x7fc1427ed559 in nsGenericHTMLElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) src/content/html/content/src/nsGenericHTMLElement.cpp:603
>    #7 0x7fc141930d4a in nsINode::doInsertChildAt(nsIContent*, unsigned int, bool, nsAttrAndChildArray&) src/content/base/src/nsINode.cpp:1324
>    #8 0x7fc141d24b77 in mozilla::dom::FragmentOrElement::InsertChildAt(nsIContent*, unsigned int, bool) src/content/base/src/FragmentOrElement.cpp:884
>    #9 0x7fc141938bd5 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) src/content/base/src/nsINode.cpp:1884
>    #10 0x7fc14187f08d in nsINode::ReplaceChild(nsINode&, nsINode&, mozilla::ErrorResult&) src/../../dist/include/nsINode.h:1547
>    #11 0x7fc14187e5cb in mozilla::dom::Element::SetOuterHTML(nsAString_internal const&, mozilla::ErrorResult&) src/content/base/src/Element.cpp:3458
>    #12 0x7fc14bcedfc0 in mozilla::dom::ElementBinding::set_outerHTML(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/ElementBinding.cpp:1743
>    #13 0x7fc14bcd9c38 in mozilla::dom::ElementBinding::genericSetter(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/ElementBinding.cpp:2031
>    #14 0x7fc154fef1ca in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:378
>    #15 0x7fc154fef1ca in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:391
>    #16 0x7fc154880ccf in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:112
>    #17 0x7fc154ff4f99 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:439
>    #18 0x7fc154ffb415 in js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:512
>    #19 0x7fc15529d258 in js::Shape::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, bool, JS::MutableHandle<JS::Value>) src/js/src/jsscopeinlines.h:314
>    #20 0x7fc1552d81d4 in js::baseops::SetPropertyHelper(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, unsigned int, JS::MutableHandle<JS::Value>, int) src/js/src/jsobj.cpp:3841
>    #21 0x7fc15502fa78 in js::SetPropertyOperation(JSContext*, unsigned char*, JS::Handle<JS::Value>, JS::Handle<JS::Value>) src/js/src/jsinterpinlines.h:365
>    #22 0x7fc154f8fa7a in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2278
>    #23 0x7fc154f007ab in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) src/js/src/jsinterp.cpp:348
>    #24 0x7fc154fefb1e in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:406
>    #25 0x7fc154880ccf in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:112
>    #26 0x7fc154ff4f99 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:439
>    #27 0x7fc154776d42 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) src/js/src/jsapi.cpp:5829
>    #28 0x7fc1476c8dc5 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:1432
>    #29 0x7fc147669a50 in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJS.cpp:581
>    #30 0x7fc14d5ead6f in PrepareAndDispatch src/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122
>    #31 0x7fc14d5e7a56 in SharedStub
>    #32 0x7fc142448b85 in nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsIDOMEventTarget*, nsCxPusher*) src/content/events/src/nsEventListenerManager.cpp:922
>    #33 0x7fc14244a397 in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, nsEventStatus*, nsCxPusher*) src/content/events/src/nsEventListenerManager.cpp:989
>    #34 0x7fc14263b36a in nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, nsEventStatus*, nsCxPusher*) src/content/events/src/nsEventListenerManager.h:278
>    #35 0x7fc14262a51c in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, bool, nsCxPusher*) src/content/events/src/nsEventDispatcher.cpp:181
>    #36 0x7fc142628783 in nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, nsDispatchingCallback*, bool, nsCxPusher*) src/content/events/src/nsEventDispatcher.cpp:310
>    #37 0x7fc1426304b7 in nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<nsIDOMEventTarget>*) src/content/events/src/nsEventDispatcher.cpp:678
>    #38 0x7fc142632d09 in nsEventDispatcher::DispatchDOMEvent(nsISupports*, nsEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) src/content/events/src/nsEventDispatcher.cpp:738
>    #39 0x7fc14192c1e5 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) src/content/base/src/nsINode.cpp:1100
>    #40 0x7fc14140eeb0 in nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsAString_internal const&, bool, bool, bool, bool*) src/content/base/src/nsContentUtils.cpp:3511
>    #41 0x7fc14140e184 in nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsAString_internal const&, bool, bool, bool*) src/content/base/src/nsContentUtils.cpp:3481
>    #42 0x7fc141635a6f in nsDocument::DispatchContentLoadedEvents() src/content/base/src/nsDocument.cpp:4320
>    #43 0x7fc141738162 in nsRunnableMethodImpl<void (nsDocument::*)(), true>::Run() src/../../../dist/include/nsThreadUtils.h:367
>    #44 0x7fc14d4bb24f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
>    #45 0x7fc14d12fbd5 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
>    #46 0x7fc14a74017c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
>    #47 0x7fc14d7ad1d2 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:215
>    #48 0x7fc14d7ad009 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:208
>    #49 0x7fc14d7acede in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:182
>    #50 0x7fc149afb7f7 in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
>    #51 0x7fc1486070e5 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:288
>    #52 0x7fc13d86d7b4 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3823
>    #53 0x7fc13d87339a in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3890
>    #54 0x7fc13d876170 in XRE_main src/toolkit/xre/nsAppRunner.cpp:4093
>    #55 0x41d963 in do_main(int, char**, nsIFile*) src/browser/app/nsBrowserApp.cpp:195
>    #56 0x41ac69 in main src/browser/app/nsBrowserApp.cpp:388
>    #57 0x7fc160a1d76c in
>0x7fc1196c8dac is located 44 bytes inside of 120-byte region [0x7fc1196c8d80,0x7fc1196c8df8)
>freed by thread T0 here:
>    #0 0x40f992 in __interceptor_free
>    #1 0x7fc15d69d409 in moz_free src/memory/mozalloc/mozalloc.cpp:48
>    #2 0x7fc141b953e0 in operator delete(void*) src/../../../dist/include/mozilla/mozalloc.h:224
>    #3 0x7fc141b953e0 in nsTextNode::~nsTextNode() src/content/base/src/nsTextNode.cpp:117
>    #4 0x7fc141a5ba07 in nsNodeUtils::LastRelease(nsINode*) src/content/base/src/nsNodeUtils.cpp:258
>    #5 0x7fc1418d57e0 in nsGenericDOMDataNode::Release() src/content/base/src/nsGenericDOMDataNode.cpp:117
>    #6 0x7fc141b958da in nsTextNode::Release() src/content/base/src/nsTextNode.cpp:121
>    #7 0x7fc13d83729f in nsCOMPtr_base::~nsCOMPtr_base() src/objdir-ff-asan-sym/media/webrtc/signaling/signaling_ecc/../../../../dist/include/nsCOMPtr.h:410
>    #8 0x7fc13f631a2c in nsCOMPtr<nsIContent>::~nsCOMPtr() src/../../dist/include/nsCOMPtr.h:449
>    #9 0x7fc13f6316f9 in nsCOMPtr<nsIContent>::~nsCOMPtr() src/../../dist/include/nsCOMPtr.h:449
>    #10 0x7fc141d24f8d in mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) src/content/base/src/FragmentOrElement.cpp:896
>    #11 0x7fc14187bcd1 in mozilla::dom::Element::SetInnerHTML(nsAString_internal const&, mozilla::ErrorResult&) src/content/base/src/Element.cpp:3376
>    #12 0x7fc14bcf11e4 in mozilla::dom::ElementBinding::set_innerHTML(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/ElementBinding.cpp:1689
>    #13 0x7fc14bcd9c38 in mozilla::dom::ElementBinding::genericSetter(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/ElementBinding.cpp:2031
>    #14 0x7fc154fef1ca in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:378
>    #15 0x7fc154fef1ca in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:391
>    #16 0x7fc154880ccf in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:112
>    #17 0x7fc154ff4f99 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:439
>    #18 0x7fc154ffb415 in js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:512
>    #19 0x7fc15529d258 in js::Shape::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, bool, JS::MutableHandle<JS::Value>) src/js/src/jsscopeinlines.h:314
>    #20 0x7fc1552d81d4 in js::baseops::SetPropertyHelper(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, unsigned int, JS::MutableHandle<JS::Value>, int) src/js/src/jsobj.cpp:3841
>    #21 0x7fc15502fa78 in js::SetPropertyOperation(JSContext*, unsigned char*, JS::Handle<JS::Value>, JS::Handle<JS::Value>) src/js/src/jsinterpinlines.h:365
>    #22 0x7fc154f8fa7a in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2278
>    #23 0x7fc154f007ab in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) src/js/src/jsinterp.cpp:348
>    #24 0x7fc154fefb1e in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:406
>    #25 0x7fc154880ccf in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:112
>    #26 0x7fc154ff4f99 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:439
>    #27 0x7fc154776d42 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) src/js/src/jsapi.cpp:5829
>    #28 0x7fc1476c8dc5 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:1432
>    #29 0x7fc147669a50 in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJS.cpp:581
>    #30 0x7fc14d5ead6f in PrepareAndDispatch src/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122
>    #31 0x7fc14d5e7a56 in SharedStub
>previously allocated by thread T0 here:
>    #0 0x40fa72 in malloc
>    #1 0x7fc15d69d554 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54
>    #2 0x7fc141b94c00 in operator new(unsigned long) src/../../../dist/include/mozilla/mozalloc.h:200
>    #3 0x7fc141b94c00 in NS_NewTextNode(nsIContent**, nsNodeInfoManager*) src/content/base/src/nsTextNode.cpp:106
>    #4 0x7fc1454bdd2e in nsHtml5TreeOperation::AppendText(unsigned short const*, unsigned int, nsIContent*, nsHtml5TreeOpExecutor*) src/parser/html/nsHtml5TreeOperation.cpp:164
>    #5 0x7fc1454c8fb7 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) src/parser/html/nsHtml5TreeOperation.cpp:457
>    #6 0x7fc1454e7116 in nsHtml5TreeOpExecutor::RunFlushLoop() src/parser/html/nsHtml5TreeOpExecutor.cpp:559
>    #7 0x7fc14552512d in nsHtml5ExecutorFlusher::Run() src/parser/html/nsHtml5StreamParser.cpp:127
>    #8 0x7fc14d4bb24f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
>    #9 0x7fc14d12fbd5 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
>    #10 0x7fc14a74017c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
>    #11 0x7fc14d7ad1d2 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:215
>    #12 0x7fc14d7ad009 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:208
>    #13 0x7fc14d7acede in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:182
>    #14 0x7fc149afb7f7 in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
>    #15 0x7fc1486070e5 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:288
>    #16 0x7fc13d86d7b4 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3823
>    #17 0x7fc13d87339a in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3890
>    #18 0x7fc13d876170 in XRE_main src/toolkit/xre/nsAppRunner.cpp:4093
>    #19 0x41d963 in do_main(int, char**, nsIFile*) src/browser/app/nsBrowserApp.cpp:195
>    #20 0x41ac69 in main src/browser/app/nsBrowserApp.cpp:388
>    #21 0x7fc160a1d76c in
>Shadow bytes around the buggy address:
>  0x1ff8232d9160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x1ff8232d9170: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>  0x1ff8232d9180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x1ff8232d9190: 00 00 00 00 fb fb fb fb fb fb fb fb fb fb fb fb
>  0x1ff8232d91a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>=>0x1ff8232d91b0: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
>  0x1ff8232d91c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x1ff8232d91d0: 00 00 00 00 fb fb fb fb fb fb fb fb fb fb fb fb
>  0x1ff8232d91e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x1ff8232d91f0: 00 00 00 00 00 00 00 00 fb fb fb fb fb fb fb fb
>  0x1ff8232d9200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>Shadow byte legend (one shadow byte represents 8 application bytes):
>  Addressable:           00
>  Partially addressable: 01 02 03 04 05 06 07
>  Heap left redzone:     fa
>  Heap righ redzone:     fb
>  Freed Heap region:     fd
>  Stack left redzone:    f1
>  Stack mid redzone:     f2
>  Stack right redzone:   f3
>  Stack partial redzone: f4
>  Stack after return:    f5
>  Stack use after scope: f8
>  Global redzone:        f9
>  Global init order:     f6
>  Poisoned by user:      f7
>  ASan internal:         fe
>Stats: 251M malloced (272M for red zones) by 404409 calls
>Stats: 47M realloced by 24245 calls
>Stats: 224M freed by 281024 calls
>Stats: 90M really freed by 191448 calls
>Stats: 472M (472M-0M) mmaped; 118 maps, 0 unmaps
>  mmaps   by size class: 8:294894; 9:32764; 10:8190; 11:14329; 12:2048; 13:1536; 14:1280; 15:384; 16:1216; 17:1312; 18:48; 19:40; 20:24;
>  mallocs by size class: 8:336825; 9:32581; 10:9050; 11:16485; 12:2556; 13:1927; 14:1616; 15:407; 16:1467; 17:1363; 18:69; 19:40; 20:23;
>  frees   by size class: 8:229999; 9:23256; 10:5677; 11:14428; 12:1626; 13:1519; 14:1447; 15:285; 16:1325; 17:1346; 18:58; 19:38; 20:20;
>  rfrees  by size class: 8:167925; 9:8488; 10:2245; 11:9567; 12:648; 13:559; 14:522; 15:161; 16:972; 17:330; 18:26; 19:4; 20:1;
>Stats: malloc large: 1495 small slow: 2406
>Stats: StackDepot: 0 ids; 0M mapped
>==30234== ABORTING
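A triage helper for reports like the one above, added here as an example; it is not part of this bug, of the reporter's testcase, or of Mozilla's code. It strips the reporter's ">" quoting, parses the header, the access line, the "is located ... inside of" line and the three stacks ASan prints (access, free, allocation), and then pulls out the first frame of each stack that is not an allocator wrapper, which is what tells a triager that a text node created by the HTML5 parser was freed under SetInnerHTML and then read through the directionality map under SetOuterHTML. The sample input is an excerpt of the report quoted above with each stack cut after frame #3; the helper names and the list of allocator wrappers to skip are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Excerpt of the AddressSanitizer report quoted in this bug. The ">" is the reporter's
# quoting; each stack is trimmed after frame #3 to keep the sample short.
SAMPLE_REPORT = """\
>==30234== ERROR: AddressSanitizer: heap-use-after-free on address 0x7fc1196c8dac at pc 0x7fc13f37cbf3 bp 0x7fff478572d0 sp 0x7fff478572c8
>READ of size 4 at 0x7fc1196c8dac thread T0
>    #0 0x7fc13f37cbf2 in nsINode::GetBoolFlag(nsINode::BooleanFlag) const src/content/base/public/nsINode.h:1348
>    #1 0x7fc141235a8e in nsINode::HasTextNodeDirectionalityMap() const src/../../../dist/include/nsINode.h:1431
>    #2 0x7fc141234277 in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap(nsINode*, mozilla::dom::Element*) src/content/base/src/DirectionalityUtils.cpp:535
>    #3 0x7fc141233c3a in mozilla::WalkAncestorsResetAutoDirection(mozilla::dom::Element*, bool) src/content/base/src/DirectionalityUtils.cpp:642
>0x7fc1196c8dac is located 44 bytes inside of 120-byte region [0x7fc1196c8d80,0x7fc1196c8df8)
>freed by thread T0 here:
>    #0 0x40f992 in __interceptor_free
>    #1 0x7fc15d69d409 in moz_free src/memory/mozalloc/mozalloc.cpp:48
>    #2 0x7fc141b953e0 in operator delete(void*) src/../../../dist/include/mozilla/mozalloc.h:224
>    #3 0x7fc141b953e0 in nsTextNode::~nsTextNode() src/content/base/src/nsTextNode.cpp:117
>previously allocated by thread T0 here:
>    #0 0x40fa72 in malloc
>    #1 0x7fc15d69d554 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54
>    #2 0x7fc141b94c00 in operator new(unsigned long) src/../../../dist/include/mozilla/mozalloc.h:200
>    #3 0x7fc141b94c00 in NS_NewTextNode(nsIContent**, nsNodeInfoManager*) src/content/base/src/nsTextNode.cpp:106
>Shadow bytes around the buggy address:
>==30234== ABORTING
"""

HEADER_RE = re.compile(r"==(\d+)==\s*ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-fA-F]+ thread (T\d+)")
REGION_RE = re.compile(r"^0x[0-9a-fA-F]+ is located (\d+) bytes inside of (\d+)-byte region")
FRAME_RE = re.compile(r"^#(\d+)\s+(0x[0-9a-fA-F]+)\s+in\b(.*)$")
LOCATION_RE = re.compile(r"^\S+:\d+$")
# Allocator wrappers to skip when looking for the first product frame. This list is an
# assumption made for the example (a prefix match, so it is deliberately coarse).
ALLOCATOR_PREFIXES = ("__interceptor_", "malloc", "free", "realloc", "moz_free",
                      "moz_xmalloc", "moz_malloc", "operator new", "operator delete")


@dataclass
class Frame:
    index: int
    pc: str
    function: str            # empty for an unsymbolized frame such as "#57 0x... in"
    location: Optional[str]  # "file:line" when the frame carried one


@dataclass
class AsanReport:
    pid: int
    error: str
    address: str
    access: Optional[str] = None
    size: Optional[int] = None
    thread: Optional[str] = None
    offset: Optional[int] = None
    region_size: Optional[int] = None
    stacks: Dict[str, List[Frame]] = field(
        default_factory=lambda: {"access": [], "freed": [], "allocated": []})


def parse_frame(line: str) -> Optional[Frame]:
    """Parse one '#N 0xPC in symbol file:line' frame; symbol and file:line are both optional."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    rest, location = m.group(3).strip(), None
    parts = rest.rsplit(None, 1)   # the location, if any, is the last whitespace-separated token
    if len(parts) == 2 and LOCATION_RE.match(parts[1]):
        rest, location = parts
    return Frame(int(m.group(1)), m.group(2), rest, location)


def parse_asan(text: str) -> AsanReport:
    """Parse the header, access line, region line and the three stacks of an ASan report."""
    report, current = None, None
    for raw in text.splitlines():
        line = raw.lstrip(">").strip()   # drop the reporter's quoting and ASan's indentation
        if not line:
            continue
        m = HEADER_RE.search(line)
        if m:
            report = AsanReport(int(m.group(1)), m.group(2), m.group(3))
            continue
        if report is None:
            continue                     # ignore anything before the ERROR line
        m = ACCESS_RE.match(line)
        if m:
            report.access, report.size, report.thread = m.group(1), int(m.group(2)), m.group(3)
            current = "access"
            continue
        m = REGION_RE.match(line)
        if m:
            report.offset, report.region_size = int(m.group(1)), int(m.group(2))
            current = None
            continue
        if line.startswith("freed by"):
            current = "freed"
            continue
        if line.startswith("previously allocated by"):
            current = "allocated"
            continue
        if line.startswith("Shadow bytes"):
            current = None               # nothing after this point is a stack frame
            continue
        frame = parse_frame(line)
        if frame is not None and current is not None:
            report.stacks[current].append(frame)
    if report is None:
        raise ValueError("no AddressSanitizer report found")
    return report


def first_product_frame(frames: List[Frame]) -> Optional[Frame]:
    """First frame that is not an allocator wrapper: the code that really used/freed/made the object."""
    for f in frames:
        if not f.function.startswith(ALLOCATOR_PREFIXES):
            return f
    return None


def summarize(report: AsanReport) -> Dict[str, str]:
    """Condense the report into the facts a triager wants first."""
    def where(f: Optional[Frame]) -> str:
        return "?" if f is None else f"{f.function} ({f.location or 'no source info'})"
    return {
        "error": report.error,
        "access": f"{report.access} of size {report.size} on thread {report.thread}",
        "region": f"{report.offset} bytes into a {report.region_size}-byte heap object",
        "used_by": where(first_product_frame(report.stacks["access"])),
        "freed_by": where(first_product_frame(report.stacks["freed"])),
        "allocated_by": where(first_product_frame(report.stacks["allocated"])),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_asan(SAMPLE_REPORT)).items():
        print(f"{key:13s} {value}")
```

Feeding the full report above to parse_asan gives the same summary; the unsymbolized "#57 0x7fc160a1d76c in" frame at the bottom of the access stack parses as a frame with an empty function name rather than breaking the stack.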
Guessing "csec-uaf, sec-critical" based on bug 827190.
This isn't exactly a dupe of bug 829428, but it seems to be a symptom of the same underlying issue.
Fixed by the patch in bug 829428 (but note that this crash was originally reported in bug 827190 comment 5, before bug 829428).
Status: NEW → RESOLVED
Closed: 12 years ago
Depends on: 829428
Resolution: --- → FIXED
Bug 829428 checked in on Aurora https://hg.mozilla.org/releases/mozilla-aurora/rev/a728a1f234a0 I'll check in the testcase from here once the bug is open
Assignee: nobody → smontagu
Whiteboard: [asan] → [asan][adv-main20+]
Whiteboard: [asan][adv-main20+] → [asan][adv-main20-]
Group: core-security