Closed Bug 223201 Opened 21 years ago Closed 21 years ago

Crash in permissions [opening popup blocking?]

Categories

(Core :: Networking: Cookies, defect)

x86
Windows 2000
defect
Not set
critical


VERIFIED FIXED

People

(Reporter: timeless, Assigned: mvl)

Details

(Keywords: crash)

Attachments

(1 file)

Incident ID 24640608
Stack Signature ntdll.dll + 0x4999b (0x77fc999b) df118fea
Product ID MozillaTrunk
Build ID 2003102004
Trigger Time 2003-10-21 22:52:33
Platform Win32
Operating System Windows NT 5.0 build 2195
Module ntdll.dll
Trigger Reason Access violation

Stack Trace
#0 ntdll.dll + 0x4999b (0x77fc999b)
#1 MSVCRT.DLL + 0x1089 (0x78001089)
#2 MSVCRT.DLL + 0x1026 (0x78001026)
nsPermissionEnumerator::nsPermissionEnumerator [c:/builds/seamonkey/mozilla/extensions/cookie/nsPermissionManager.cpp, line 101]
nsPermissionManager::GetEnumerator [c:/builds/seamonkey/mozilla/extensions/cookie/nsPermissionManager.cpp, line 389]
#4 XPTC_InvokeByIndex [c:/builds/seamonkey/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp, line 102]
#5 XPCWrappedNative::CallMethod [c:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2019]
#6 XPC_WN_GetterSetter [c:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1302]
#7 js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 842]
js_InternalInvoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 933]
js_InternalGetOrSet [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 976]
js_GetProperty [c:/builds/seamonkey/mozilla/js/src/jsobj.c, line 2666]
js_Interpret [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 2691]
js_Invoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 858]
js_InternalInvoke [c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 933]
JS_CallFunctionValue [c:/builds/seamonkey/mozilla/js/src/jsapi.c, line 3573]
nsJSContext::CallEventHandler [c:/builds/seamonkey/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1222]

Note that the functions listed below are the closest exported functions for the libraries listed, not necessarily the function that actually hosted the code. You need to check the offsets. The talkback info gives real function names...

#0 NTDLL! 77fc999b()
#1 MSVCRT! malloc + 137 bytes
#2 MSVCRT! malloc + 38 bytes
#3 COOKIE! NSGetModule + 5210 bytes
#4 XPCOM! nsServiceManager::RegisterService(char const *,class nsISupports *) + 66389 bytes
#5 XPC3250! NSGetModule + 27266 bytes
#6 XPC3250! NSGetModule + 41025 bytes
#7 JS3250! js_Invoke + 1135 bytes
...

619027A4 push esi
619027A5 mov esi,ecx
619027A7 mov ecx,dword ptr [esp+10h]
619027AB xor eax,eax
619027AD mov dword ptr [esi+4],eax
619027B0 mov dword ptr [esi+8],ecx
619027B3 mov ecx,dword ptr [esp+8]
619027B7 mov dword ptr [esi+0Ch],eax
619027BA mov dword ptr [esi+14h],ecx
619027BD mov ecx,dword ptr [esp+0Ch]
619027C1 mov dword ptr [esi+10h],eax
619027C4 mov dword ptr [esi+18h],ecx
619027C7 mov dword ptr [esi+1Ch],eax
619027CA mov eax,dword ptr [esp+14h]
619027CE mov ecx,esi
619027D0 mov dword ptr [esi+20h],eax
619027D3 mov dword ptr [esi],61905620h
619027D9 call NSGetModule+0CF1h (61902075) ; #3
619027DE mov eax,esi
619027E0 pop esi
619027E1 ret 10h
619027E4 mov ecx,dword ptr [esp+4]
619027E8 xor eax,eax
619027EA cmp dword ptr [ecx+1Ch],eax
619027ED mov ecx,dword ptr [esp+8]
619027F1 setne al
619027F4 mov dword ptr [ecx],eax
619027F6 xor eax,eax
619027F8 ret 8
619027FB mov eax,dword ptr [esp+8]
619027FF push esi
61902800 mov esi,dword ptr [esp+8]
61902804 mov ecx,dword ptr [esi+1Ch]
61902807 mov dword ptr [eax],ecx
61902809 cmp dword ptr [esi+1Ch],0
6190280D jne NSGetModule+1492h (61902816)
6190280F mov eax,80004005h ; NS_ERROR_FAILURE
61902814 jmp NSGetModule+14A3h (61902827)
61902816 mov eax,dword ptr [eax]
61902818 push eax
61902819 mov ecx,dword ptr [eax]
6190281B call dword ptr [ecx+4]
6190281E mov ecx,esi
61902820 call NSGetModule+0CF1h (61902075)
61902825 xor eax,eax ; NS_OK
61902827 pop esi
61902828 ret 8

malloc:
78001000 push dword ptr [__unguarded_readlc_active+0FFFF928Ch (7803b00c)]
78001006 push dword ptr [esp+8]
7800100A call malloc+12h (78001012)
7800100F pop ecx
78001010 pop ecx
78001011 ret
78001012 cmp dword ptr [esp+4],0E0h
78001017 ja operator delete[]+0BCh (7800cccf)
7800101D push dword ptr [esp+4]
78001021 call malloc+30h (78001030) ; #2
78001026 test eax,eax
78001028 pop ecx
78001029 je operator delete[]+0A0h (7800ccb3)
7800102F ret
78001030 push ebp
78001031 mov ebp,esp
78001033 push 0FFh
78001035 push offset exception::`vftable'+0FFFFF02Ch (78033238)
7800103A push offset _except_handler3 (7800f56a)
7800103F mov eax,fs:[00000000]
78001045 push eax
78001046 mov dword ptr fs:[0],esp
7800104D sub esp,10h
78001050 push ebx
78001051 push esi
78001052 push edi
78001053 mov eax,[__unguarded_readlc_active+0FFFF9284h (7803b004)]
78001058 cmp eax,3
7800105B je operator delete[]+0C3h (7800ccd6)
78001061 cmp eax,2
78001064 je operator delete[]+10Ah (7800cd1d)
7800106A mov eax,dword ptr [ebp+8]
7800106D test eax,eax
7800106F je operator delete[]+16Bh (7800cd7e)
78001075 nop
78001076 nop
78001077 nop
78001078 nop
78001079 nop
7800107A push eax
7800107B push 0
7800107D push dword ptr [__unguarded_readlc_active+0FFFF9280h (7803b000)]
78001083 call dword ptr [exception::`vftable'+0FFFFEE88h (78033094)] ; #1
78001089 mov ecx,dword ptr [ebp-10h]
7800108C mov dword ptr fs:[0],ecx
78001093 pop edi
78001094 pop esi
78001095 pop ebx
78001096 leave
78001097 ret

77FC970E push ebp
77FC970F mov ebp,esp
77FC9711 mov ecx,dword ptr [ebp+8]
77FC9714 mov eax,dword ptr [ebp+0Ch]
77FC9717 push esi
77FC9718 push edi
77FC9719 or eax,dword ptr [ecx+10h]
77FC971C test eax,69020000h
77FC9721 jne RtlInvertRangeList+13Fh (77fcc2d9)
77FC9727 mov eax,dword ptr [ebp+10h]
77FC972A add eax,0F8h
77FC972D mov cl,byte ptr [eax+5]
77FC9730 test cl,1
77FC9733 je RtlInvertRangeList+159h (77fcc2f3)
77FC9739 test cl,8
77FC973C jne RtlInvertRangeList+183h (77fcc31d)
77FC9742 movzx esi,word ptr [eax]
77FC9745 movzx ecx,byte ptr [eax+6]
77FC9749 shl esi,3
77FC974C sub esi,ecx
77FC974E mov eax,esi
77FC9750 pop edi
77FC9751 pop esi
77FC9752 pop ebp
77FC9753 ret 0Ch
77FC9756 mov edx,dword ptr [edx]
77FC9758 cmp eax,edx
77FC975A je RtlDestroyHeap+9A9h (77fca898)
77FC9760 cmp bx,word ptr [edx-8]
77FC9764 ja RtlSizeHeap+48h (77fc9756)
77FC9766 jmp RtlDestroyHeap+9A9h (77fca898)
77FC976B push ebp
77FC976C mov ebp,esp
77FC976E push 0FFh
77FC9770 push offset RtlConsoleMultiByteToUnicodeN+34Bh (77f8ae78)
77FC9775 push offset wcsspn+195h (77fb80db)
77FC977A mov eax,fs:[00000000]
77FC9780 push eax
77FC9781 mov dword ptr fs:[0],esp
77FC9788 push ecx
77FC9789 push ecx
77FC978A sub esp,170h
77FC9790 push ebx
77FC9791 push esi
77FC9792 push edi
77FC9793 mov esi,dword ptr [ebp+8]
77FC9796 mov dword ptr [ebp-5Ch],esi
77FC9799 and byte ptr [ebp-48h],0
77FC979D mov eax,dword ptr [ebp+0Ch]
77FC97A0 or eax,dword ptr [esi+10h]
77FC97A3 mov dword ptr [ebp+0Ch],eax
77FC97A6 test eax,7D030F60h
77FC97AB jne RtlDestroyHeap+0D09h (77fcabf8)
77FC97B1 mov eax,dword ptr [ebp+10h]
77FC97B4 cmp eax,80000000h
77FC97B9 jae RtlDestroyHeap+0D09h (77fcabf8)
77FC97BF test eax,eax
77FC97C1 je RtlDestroyHeap+9F7h (77fca8e6)
77FC97C7 add eax,0Fh
77FC97CA and al,0F8h
77FC97CC mov dword ptr [ebp-20h],eax
77FC97CF mov ebx,eax
77FC97D1 shr ebx,3
77FC97D4 mov dword ptr [ebp-44h],ebx
77FC97D7 mov eax,dword ptr [esi+580h]
77FC97DD test eax,eax
77FC97DF je RtlAllocateHeap+0E0h (77fc984b)
77FC97E1 cmp dword ptr [esi+584h],0
77FC97E8 jne RtlAllocateHeap+0E0h (77fc984b)
77FC97EA cmp ebx,80h
77FC97F0 jae RtlAllocateHeap+0E0h (77fc984b)
77FC97F2 lea ecx,[ebx+ebx*2]
77FC97F5 shl ecx,4
77FC97F8 lea edi,[ecx+eax]
77FC97FB mov eax,dword ptr [edi+0Ch]
77FC97FE sub eax,dword ptr [edi+1Ch]
77FC9801 movzx ecx,word ptr [edi+8]
77FC9805 shl ecx,7
77FC9808 cmp eax,ecx
77FC980A jge RtlDestroyHeap+736h (77fca625)
77FC9810 push edi
77FC9811 call RtlInitializeCriticalSection+67h (77f9438f)
77FC9816 mov edx,eax
77FC9818 mov dword ptr [ebp-24h],edx
77FC981B test edx,edx
77FC981D je RtlAllocateHeap+0E0h (77fc984b)
77FC981F mov al,byte ptr [ebp-20h]
77FC9822 mov ecx,dword ptr [ebp+10h]
77FC9825 sub al,cl
77FC9827 mov byte ptr [edx-2],al
77FC982A and byte ptr [edx-1],0
77FC982E test byte ptr [ebp+0Ch],8
77FC9832 jne RtlDestroyHeap+3EDh (77fca2dc)
77FC9838 mov eax,edx
77FC983A mov ecx,dword ptr [ebp-10h]
77FC983D mov dword ptr fs:[0],ecx
77FC9844 pop edi
77FC9845 pop esi
77FC9846 pop ebx
77FC9847 leave
77FC9848 ret 0Ch
77FC984B and dword ptr [ebp-4],0
77FC984F test byte ptr [ebp+0Ch],1
77FC9853 jne RtlAllocateHeap+0F9h (77fc9864)
77FC9855 push dword ptr [esi+578h]
77FC985B call RtlEnterCriticalSection (77f8aa4c)
77FC9860 mov byte ptr [ebp-48h],1
77FC9864 cmp ebx,80h
77FC986A jae RtlAllocateHeap+36Ch (77fc9ad7)
77FC9870 lea eax,[esi+ebx*8+178h]
77FC9877 mov dword ptr [ebp-2Ch],eax
77FC987A cmp dword ptr [eax],eax
77FC987C jne RtlDestroyHeap+4F8h (77fca3e7)
77FC9882 mov edx,ebx
77FC9884 shr edx,5
77FC9887 mov dword ptr [ebp-1Ch],edx
77FC988A lea edi,[esi+edx*4+158h]
77FC9891 mov dword ptr [ebp-4Ch],edi
77FC9894 mov ecx,ebx
77FC9896 and ecx,1Fh
77FC9899 push 1
77FC989B pop eax
77FC989C shl eax,cl
77FC989E dec eax
77FC989F not eax
77FC98A1 and eax,dword ptr [edi]
77FC98A3 mov dword ptr [ebp-38h],eax
77FC98A6 add edi,4
77FC98A9 mov dword ptr [ebp-4Ch],edi
77FC98AC sub edx,0
77FC98AF jne RtlDestroyHeap+5BAh (77fca4a9)
77FC98B5 test eax,eax
77FC98B7 je RtlAllocateHeap+304h (77fc9a6f)
77FC98BD lea edi,[esi+178h]
77FC98C3 mov dword ptr [ebp-2Ch],edi
77FC98C6 test ax,offset RtlAllocateHeap+15Dh (77fc98c8)
77FC98CA je RtlDestroyHeap+0AC0h (77fca9af)
77FC98D0 mov ecx,eax
77FC98D2 and ecx,0FFh
77FC98D8 je RtlDestroyHeap+4D3h (77fca3c2)
77FC98DE movsx eax,byte ptr iswspace+60h (77f83a38)[ecx]
77FC98E5 lea eax,[edi+eax*8]
77FC98E8 mov dword ptr [ebp-2Ch],eax
77FC98EB mov eax,dword ptr [eax+4]
77FC98EE sub eax,8
77FC98F1 mov dword ptr [ebp-50h],eax
77FC98F4 mov ecx,dword ptr [eax+8]
77FC98F7 mov dword ptr [ebp-0C8h],ecx
77FC98FD mov edx,dword ptr [eax+0Ch]
77FC9900 mov dword ptr [ebp-0CCh],edx
77FC9906 mov dword ptr [edx],ecx
77FC9908 mov dword ptr [ecx+4],edx
77FC990B cmp ecx,edx
77FC990D jne RtlAllocateHeap+1C9h (77fc9934)
77FC990F movzx ecx,word ptr [eax]
77FC9912 mov edi,ecx
77FC9914 shr edi,3
77FC9917 mov dword ptr [ebp-0D4h],edi
77FC991D and ecx,7
77FC9920 push 1
77FC9922 pop edx
77FC9923 shl edx,cl
77FC9925 mov dword ptr [ebp-0D0h],edx
77FC992B lea esi,[edi+esi+158h]
77FC9932 xor byte ptr [esi],dl
77FC9934 mov cl,byte ptr [eax+5]
77FC9937 mov byte ptr [ebp-3Ch],cl
77FC993A movzx edx,word ptr [eax]
77FC993D mov ecx,dword ptr [ebp-5Ch]
77FC9940 sub dword ptr [ecx+28h],edx
77FC9943 mov dword ptr [ebp-28h],eax
77FC9946 mov byte ptr [eax+5],1
77FC994A movzx edi,word ptr [eax]
77FC994D sub edi,ebx
77FC994F mov dword ptr [ebp-58h],edi
77FC9952 mov word ptr [eax],bx
77FC9955 mov ecx,dword ptr [ebp-20h]
77FC9958 sub ecx,dword ptr [ebp+10h]
77FC995B mov byte ptr [eax+6],cl
77FC995E and byte ptr [eax+7],0
77FC9962 test edi,edi
77FC9964 je RtlAllocateHeap+2BEh (77fc9a29)
77FC996A cmp edi,1
77FC996D je RtlDestroyHeap+0A67h (77fca956)
77FC9973 lea esi,[eax+ebx*8]
77FC9976 mov dword ptr [ebp-34h],esi
77FC9979 mov cl,byte ptr [ebp-3Ch]
77FC997C mov byte ptr [esi+5],cl
77FC997F mov word ptr [esi+2],bx
77FC9983 mov al,byte ptr [eax+4]
77FC9986 mov byte ptr [esi+4],al
77FC9989 mov word ptr [esi],di
77FC998C test cl,10h
77FC998F jne RtlAllocateHeap+45Bh (77fc9bc6)
77FC9995 lea eax,[esi+edi*8]
77FC9998 mov dword ptr [ebp-30h],eax
77FC999B mov cl,byte ptr [eax+5] ; #0
77FC999E test cl,1
77FC99A1 je RtlDestroyHeap+1103h (77fcaff2)
77FC99A7 mov word ptr [eax+2],di
77FC99AB cmp di,offset RtlAllocateHeap+243h (77fc99ae)
77FC99B0 jae RtlDestroyHeap+355h (77fca244)
77FC99B6 and byte ptr [esi+5],10h
77FC99BA movzx eax,di

EAX = 1517DF80 EBX = 00000007 ECX = 00000048 EDX = 00004860
ESI = 15159CB8 EDI = 00004859 EIP = 77FC999B ESP = 0012EBFC
EBP = 0012ED90 EFL = 00200246
CS = 001B DS = 0023 ES = 0023 SS = 0023 FS = 003B GS = 0000
OV=0 UP=0 EI=1 PL=0 ZR=1 AC=0 PE=1 CY=0

Thinking about it for a while, I think I might have tried to open some manager. (Some bug talked about an exception in popup blocking so I wanted to look for it.)

The talkback function names don't quite match what I expect or see. Especially the NS_ERROR_FAILURE which doesn't correspond to anything in either of:
nsPermissionEnumerator::nsPermissionEnumerator
nsPermissionManager::GetEnumerator
Attached patch first try to fix
http://lxr.mozilla.org/seamonkey/source/extensions/cookie/nsPermissionManager.cpp#413 relies on mHostCount to actually be right. It is set in AddInternal (#267), where it relies on PermissionsAreEmpty() returning true on a new entry. (nsPermissionManager.h#127) But mPermissions is never set to contain only zeros, so in the end mHostCount might be less than the actual number of entries, and stuff can crash. So, this patch fixes the init. I just hope it is actually this crash :)
Attachment #133969 - Flags: superreview?(darin)
Attachment #133969 - Flags: review?(dwitte)
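To make the failure mode described above concrete, here is an added C++ model (not Mozilla's code) of the mHostCount bookkeeping: an arena that hands freed entry slots out again without clearing them, an AddInternal that bumps mHostCount only when PermissionsAreEmpty() is true, and a GetEnumerator that sizes its output from mHostCount. The names Arena, PermissionManager, RunScenario and EnumeratorOverflow, the two-slot permission array and the add/remove/add sequence are assumptions chosen so that the undercount triggers deterministically; the real code reads whatever the arena memory happened to hold, which ends the same way but not reproducibly.

```cpp
// Added example, not Mozilla code: a deterministic model of the mHostCount bug.
// Freed arena slots are reused uncleared, so an entry constructor that does not
// zero mPermissions inherits the previous host's values.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

struct HostEntry {
    std::string mHost;
    uint32_t mPermissions[2];   // two permission types, as in the patch
    bool PermissionsAreEmpty() const {
        return mPermissions[0] == 0 && mPermissions[1] == 0;
    }
};

// Arena (assumed): slots are never destroyed, only marked free and recycled.
class Arena {
public:
    size_t Allocate() {
        if (!mFree.empty()) { size_t i = mFree.back(); mFree.pop_back(); return i; }  // old bytes kept
        mSlots.push_back(HostEntry{});  // a never-used slot happens to be all zero
        return mSlots.size() - 1;
    }
    void Free(size_t i) { mSlots[i].mHost.clear(); mFree.push_back(i); }
    HostEntry& At(size_t i) { return mSlots[i]; }
    const HostEntry& At(size_t i) const { return mSlots[i]; }
private:
    std::vector<HostEntry> mSlots;
    std::vector<size_t> mFree;
};

class PermissionManager {
public:
    // zeroOnConstruct=false models the entry constructor before the patch.
    explicit PermissionManager(bool zeroOnConstruct) : mZero(zeroOnConstruct) {}
    // Models AddInternal: "all permissions zero" is taken as the sign of a new host.
    void Add(const std::string& host, int type, uint32_t permission) {
        size_t idx = Find(host);
        if (idx == kNone) {
            idx = mArena.Allocate();
            HostEntry& fresh = mArena.At(idx);
            fresh.mHost = host;                 // all the old constructor set
            if (mZero) fresh.mPermissions[0] = fresh.mPermissions[1] = 0;  // the fix
            mLive.push_back(idx);
        }
        HostEntry& e = mArena.At(idx);
        if (e.PermissionsAreEmpty()) ++mHostCount;   // counts new hosts only
        e.mPermissions[type] = permission;
    }
    void Remove(const std::string& host) {
        size_t idx = Find(host);
        if (idx == kNone) return;
        --mHostCount;
        mArena.Free(idx);
        mLive.erase(std::find(mLive.begin(), mLive.end(), idx));
    }
    // Models GetEnumerator: the output array is sized from mHostCount. Returns how
    // many live hosts did not fit; the real code has no check and writes past the end.
    size_t EnumeratorOverflow() const {
        size_t capacity = mHostCount > 0 ? static_cast<size_t>(mHostCount) : 0;
        std::vector<std::string> out;
        size_t overflow = 0;
        for (size_t idx : mLive) {
            if (out.size() < capacity) out.push_back(mArena.At(idx).mHost);
            else ++overflow;
        }
        return overflow;
    }
    int HostCount() const { return mHostCount; }
private:
    static constexpr size_t kNone = static_cast<size_t>(-1);
    size_t Find(const std::string& host) const {
        for (size_t idx : mLive)
            if (mArena.At(idx).mHost == host) return idx;
        return kNone;
    }
    Arena mArena;
    std::vector<size_t> mLive;   // slots currently in the table
    int mHostCount = 0;
    bool mZero;
};

// Constructed scenario: add a host, remove it so its slot goes back to the arena
// uncleared, then add a different host that lands in that slot.
// Returns mHostCount; *overflow receives the enumerator's shortfall.
int RunScenario(bool zeroOnConstruct, size_t* overflow) {
    PermissionManager pm(zeroOnConstruct);
    pm.Add("a.example", 0, 1);
    pm.Remove("a.example");
    pm.Add("b.example", 1, 1);
    *overflow = pm.EnumeratorOverflow();
    return pm.HostCount();
}

int main() {
    size_t overflow = 0;
    int count = RunScenario(false, &overflow);
    std::printf("old ctor:   mHostCount=%d, live hosts=1, overflow=%zu\n", count, overflow);
    count = RunScenario(true, &overflow);
    std::printf("fixed ctor: mHostCount=%d, live hosts=1, overflow=%zu\n", count, overflow);
}
```

With the pre-patch constructor the recycled slot still carries the first host's permission bits, so AddInternal never sees an "empty" entry and mHostCount stays at 0 while one host is live; an enumerator sized from that count would write one entry past its allocation. With the zeroing constructor the count and the live entries agree. A cheap defence-in-depth for this class of bug is a debug assertion that the cached count matches the number of entries actually walked before the enumerator relies on it.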
Comment on attachment 133969 [details] [diff] [review]
first try to fix

>Index: extensions/cookie/nsPermissionManager.cpp >=================================================================== > nsHostEntry::nsHostEntry(const nsHostEntry& toCopy) > { > mHost = ArenaStrDup(toCopy.mHost, gHostArena); >+ mPermissions[0] = mPermissions[1] = 0; > }

the copy constructor will never be called... so, you can do this instead, for some codesizeage:

nsHostEntry::nsHostEntry(const nsHostEntry& toCopy)
{
  // nsTHashtable shouldn't allow us to end up here, since we
  // set ALLOW_MEMMOVE to true.
  NS_NOTREACHED("nsHostEntry copy constructor is forbidden!");
}

>Index: extensions/cookie/nsPermissionManager.h >=================================================================== >+// and the constructors

terminate with a fullstop please.

r=dwitte
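Review bot: the only zero-initialization visible in the quoted nsPermissionManager.cpp hunk is in the copy constructor, which the reviewer notes is never reached, so this hunk on its own does not cover the path the bug description names: AddInternal calls PermissionsAreEmpty() on an entry that was just constructed for a new host, not copied. Please confirm the constructor that builds a new entry also does mPermissions[0] = mPermissions[1] = 0, otherwise mHostCount can still undercount and GetEnumerator still sizes its array too small. If the copy constructor becomes NS_NOTREACHED as suggested, declaring it private turns an accidental copy into a compile error rather than a runtime assertion.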
Attachment #133969 - Flags: review?(dwitte) → review+
Attachment #133969 - Flags: superreview?(darin) → superreview+
checked in
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED