Closed Bug 223201 Opened 21 years ago Closed 21 years ago

Crash in permissions [opening popup blocking?]

Categories

(Core :: Networking: Cookies, defect)

x86
Windows 2000
defect
Not set
critical

Tracking


VERIFIED FIXED

People

(Reporter: timeless, Assigned: mvl)

Details

(Keywords: crash)

Attachments

(1 file)

Incident ID       24640608
Stack Signature   ntdll.dll + 0x4999b (0x77fc999b) df118fea
Product ID        MozillaTrunk
Build ID          2003102004
Trigger Time      2003-10-21 22:52:33
Platform          Win32
Operating System  Windows NT 5.0 build 2195
Module            ntdll.dll
Trigger Reason    Access violation

Stack Trace

#0 ntdll.dll + 0x4999b (0x77fc999b)
#1 MSVCRT.DLL + 0x1089 (0x78001089)
#2 MSVCRT.DLL + 0x1026 (0x78001026)
   nsPermissionEnumerator::nsPermissionEnumerator
[c:/builds/seamonkey/mozilla/extensions/cookie/nsPermissionManager.cpp, line 101]
   nsPermissionManager::GetEnumerator
[c:/builds/seamonkey/mozilla/extensions/cookie/nsPermissionManager.cpp, line 389]
#4 XPTC_InvokeByIndex
[c:/builds/seamonkey/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp,
line 102]
#5 XPCWrappedNative::CallMethod
[c:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2019]
#6 XPC_WN_GetterSetter
[c:/builds/seamonkey/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp,
line 1302]
#7 js_Invoke
[c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 842]
js_InternalInvoke
[c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 933]
js_InternalGetOrSet
[c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 976]
js_GetProperty
[c:/builds/seamonkey/mozilla/js/src/jsobj.c, line 2666]
js_Interpret
[c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 2691]
js_Invoke
[c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 858]
js_InternalInvoke
[c:/builds/seamonkey/mozilla/js/src/jsinterp.c, line 933]
JS_CallFunctionValue
[c:/builds/seamonkey/mozilla/js/src/jsapi.c, line 3573]
nsJSContext::CallEventHandler
[c:/builds/seamonkey/mozilla/dom/src/base/nsJSEnvironment.cpp, line 1222]

Note that the functions listed below are the closest exported functions for the
libraries listed, not necessarily the function that actually hosted the code.
You need to check the offsets. The talkback info gives real function names...

#0 NTDLL! 77fc999b()
#1 MSVCRT! malloc + 137 bytes
#2 MSVCRT! malloc + 38 bytes
#3 COOKIE! NSGetModule + 5210 bytes
#4 XPCOM! nsServiceManager::RegisterService(char const *,class nsISupports *) +
66389 bytes
#5 XPC3250! NSGetModule + 27266 bytes
#6 XPC3250! NSGetModule + 41025 bytes
#7 JS3250! js_Invoke + 1135 bytes
...

619027A4   push        esi
619027A5   mov         esi,ecx
619027A7   mov         ecx,dword ptr [esp+10h]
619027AB   xor         eax,eax
619027AD   mov         dword ptr [esi+4],eax
619027B0   mov         dword ptr [esi+8],ecx
619027B3   mov         ecx,dword ptr [esp+8]
619027B7   mov         dword ptr [esi+0Ch],eax
619027BA   mov         dword ptr [esi+14h],ecx
619027BD   mov         ecx,dword ptr [esp+0Ch]
619027C1   mov         dword ptr [esi+10h],eax
619027C4   mov         dword ptr [esi+18h],ecx
619027C7   mov         dword ptr [esi+1Ch],eax
619027CA   mov         eax,dword ptr [esp+14h]
619027CE   mov         ecx,esi
619027D0   mov         dword ptr [esi+20h],eax
619027D3   mov         dword ptr [esi],61905620h
619027D9   call        NSGetModule+0CF1h (61902075) ; #3
619027DE   mov         eax,esi
619027E0   pop         esi
619027E1   ret         10h
619027E4   mov         ecx,dword ptr [esp+4]
619027E8   xor         eax,eax
619027EA   cmp         dword ptr [ecx+1Ch],eax
619027ED   mov         ecx,dword ptr [esp+8]
619027F1   setne       al
619027F4   mov         dword ptr [ecx],eax
619027F6   xor         eax,eax
619027F8   ret         8
619027FB   mov         eax,dword ptr [esp+8]
619027FF   push        esi
61902800   mov         esi,dword ptr [esp+8]
61902804   mov         ecx,dword ptr [esi+1Ch]
61902807   mov         dword ptr [eax],ecx
61902809   cmp         dword ptr [esi+1Ch],0
6190280D   jne         NSGetModule+1492h (61902816)
6190280F   mov         eax,80004005h                 ; NS_ERROR_FAILURE
61902814   jmp         NSGetModule+14A3h (61902827)
61902816   mov         eax,dword ptr [eax]
61902818   push        eax
61902819   mov         ecx,dword ptr [eax]
6190281B   call        dword ptr [ecx+4]
6190281E   mov         ecx,esi
61902820   call        NSGetModule+0CF1h (61902075)
61902825   xor         eax,eax                       ; NS_OK
61902827   pop         esi
61902828   ret         8

malloc:
78001000   push        dword ptr [__unguarded_readlc_active+0FFFF928Ch (7803b00c)]
78001006   push        dword ptr [esp+8]
7800100A   call        malloc+12h (78001012)
7800100F   pop         ecx
78001010   pop         ecx
78001011   ret
78001012   cmp         dword ptr [esp+4],0E0h
78001017   ja          operator delete[]+0BCh (7800cccf)
7800101D   push        dword ptr [esp+4]
78001021   call        malloc+30h (78001030) ; #2
78001026   test        eax,eax
78001028   pop         ecx
78001029   je          operator delete[]+0A0h (7800ccb3)
7800102F   ret
78001030   push        ebp
78001031   mov         ebp,esp
78001033   push        0FFh
78001035   push        offset exception::`vftable'+0FFFFF02Ch (78033238)
7800103A   push        offset _except_handler3 (7800f56a)
7800103F   mov         eax,fs:[00000000]
78001045   push        eax
78001046   mov         dword ptr fs:[0],esp
7800104D   sub         esp,10h
78001050   push        ebx
78001051   push        esi
78001052   push        edi
78001053   mov         eax,[__unguarded_readlc_active+0FFFF9284h (7803b004)]
78001058   cmp         eax,3
7800105B   je          operator delete[]+0C3h (7800ccd6)
78001061   cmp         eax,2
78001064   je          operator delete[]+10Ah (7800cd1d)
7800106A   mov         eax,dword ptr [ebp+8]
7800106D   test        eax,eax
7800106F   je          operator delete[]+16Bh (7800cd7e)
78001075   nop
78001076   nop
78001077   nop
78001078   nop
78001079   nop
7800107A   push        eax
7800107B   push        0
7800107D   push        dword ptr [__unguarded_readlc_active+0FFFF9280h (7803b000)]
78001083   call        dword ptr [exception::`vftable'+0FFFFEE88h (78033094)] ; #1
78001089   mov         ecx,dword ptr [ebp-10h]
7800108C   mov         dword ptr fs:[0],ecx
78001093   pop         edi
78001094   pop         esi
78001095   pop         ebx
78001096   leave
78001097   ret

77FC970E   push        ebp
77FC970F   mov         ebp,esp
77FC9711   mov         ecx,dword ptr [ebp+8]
77FC9714   mov         eax,dword ptr [ebp+0Ch]
77FC9717   push        esi
77FC9718   push        edi
77FC9719   or          eax,dword ptr [ecx+10h]
77FC971C   test        eax,69020000h
77FC9721   jne         RtlInvertRangeList+13Fh (77fcc2d9)
77FC9727   mov         eax,dword ptr [ebp+10h]
77FC972A   add         eax,0F8h
77FC972D   mov         cl,byte ptr [eax+5]
77FC9730   test        cl,1
77FC9733   je          RtlInvertRangeList+159h (77fcc2f3)
77FC9739   test        cl,8
77FC973C   jne         RtlInvertRangeList+183h (77fcc31d)
77FC9742   movzx       esi,word ptr [eax]
77FC9745   movzx       ecx,byte ptr [eax+6]
77FC9749   shl         esi,3
77FC974C   sub         esi,ecx
77FC974E   mov         eax,esi
77FC9750   pop         edi
77FC9751   pop         esi
77FC9752   pop         ebp
77FC9753   ret         0Ch
77FC9756   mov         edx,dword ptr [edx]
77FC9758   cmp         eax,edx
77FC975A   je          RtlDestroyHeap+9A9h (77fca898)
77FC9760   cmp         bx,word ptr [edx-8]
77FC9764   ja          RtlSizeHeap+48h (77fc9756)
77FC9766   jmp         RtlDestroyHeap+9A9h (77fca898)
77FC976B   push        ebp
77FC976C   mov         ebp,esp
77FC976E   push        0FFh
77FC9770   push        offset RtlConsoleMultiByteToUnicodeN+34Bh (77f8ae78)
77FC9775   push        offset wcsspn+195h (77fb80db)
77FC977A   mov         eax,fs:[00000000]
77FC9780   push        eax
77FC9781   mov         dword ptr fs:[0],esp
77FC9788   push        ecx
77FC9789   push        ecx
77FC978A   sub         esp,170h
77FC9790   push        ebx
77FC9791   push        esi
77FC9792   push        edi
77FC9793   mov         esi,dword ptr [ebp+8]
77FC9796   mov         dword ptr [ebp-5Ch],esi
77FC9799   and         byte ptr [ebp-48h],0
77FC979D   mov         eax,dword ptr [ebp+0Ch]
77FC97A0   or          eax,dword ptr [esi+10h]
77FC97A3   mov         dword ptr [ebp+0Ch],eax
77FC97A6   test        eax,7D030F60h
77FC97AB   jne         RtlDestroyHeap+0D09h (77fcabf8)
77FC97B1   mov         eax,dword ptr [ebp+10h]
77FC97B4   cmp         eax,80000000h
77FC97B9   jae         RtlDestroyHeap+0D09h (77fcabf8)
77FC97BF   test        eax,eax
77FC97C1   je          RtlDestroyHeap+9F7h (77fca8e6)
77FC97C7   add         eax,0Fh
77FC97CA   and         al,0F8h
77FC97CC   mov         dword ptr [ebp-20h],eax
77FC97CF   mov         ebx,eax
77FC97D1   shr         ebx,3
77FC97D4   mov         dword ptr [ebp-44h],ebx
77FC97D7   mov         eax,dword ptr [esi+580h]
77FC97DD   test        eax,eax
77FC97DF   je          RtlAllocateHeap+0E0h (77fc984b)
77FC97E1   cmp         dword ptr [esi+584h],0
77FC97E8   jne         RtlAllocateHeap+0E0h (77fc984b)
77FC97EA   cmp         ebx,80h
77FC97F0   jae         RtlAllocateHeap+0E0h (77fc984b)
77FC97F2   lea         ecx,[ebx+ebx*2]
77FC97F5   shl         ecx,4
77FC97F8   lea         edi,[ecx+eax]
77FC97FB   mov         eax,dword ptr [edi+0Ch]
77FC97FE   sub         eax,dword ptr [edi+1Ch]
77FC9801   movzx       ecx,word ptr [edi+8]
77FC9805   shl         ecx,7
77FC9808   cmp         eax,ecx
77FC980A   jge         RtlDestroyHeap+736h (77fca625)
77FC9810   push        edi
77FC9811   call        RtlInitializeCriticalSection+67h (77f9438f)
77FC9816   mov         edx,eax
77FC9818   mov         dword ptr [ebp-24h],edx
77FC981B   test        edx,edx
77FC981D   je          RtlAllocateHeap+0E0h (77fc984b)
77FC981F   mov         al,byte ptr [ebp-20h]
77FC9822   mov         ecx,dword ptr [ebp+10h]
77FC9825   sub         al,cl
77FC9827   mov         byte ptr [edx-2],al
77FC982A   and         byte ptr [edx-1],0
77FC982E   test        byte ptr [ebp+0Ch],8
77FC9832   jne         RtlDestroyHeap+3EDh (77fca2dc)
77FC9838   mov         eax,edx
77FC983A   mov         ecx,dword ptr [ebp-10h]
77FC983D   mov         dword ptr fs:[0],ecx
77FC9844   pop         edi
77FC9845   pop         esi
77FC9846   pop         ebx
77FC9847   leave
77FC9848   ret         0Ch
77FC984B   and         dword ptr [ebp-4],0
77FC984F   test        byte ptr [ebp+0Ch],1
77FC9853   jne         RtlAllocateHeap+0F9h (77fc9864)
77FC9855   push        dword ptr [esi+578h]
77FC985B   call        RtlEnterCriticalSection (77f8aa4c)
77FC9860   mov         byte ptr [ebp-48h],1
77FC9864   cmp         ebx,80h
77FC986A   jae         RtlAllocateHeap+36Ch (77fc9ad7)
77FC9870   lea         eax,[esi+ebx*8+178h]
77FC9877   mov         dword ptr [ebp-2Ch],eax
77FC987A   cmp         dword ptr [eax],eax
77FC987C   jne         RtlDestroyHeap+4F8h (77fca3e7)
77FC9882   mov         edx,ebx
77FC9884   shr         edx,5
77FC9887   mov         dword ptr [ebp-1Ch],edx
77FC988A   lea         edi,[esi+edx*4+158h]
77FC9891   mov         dword ptr [ebp-4Ch],edi
77FC9894   mov         ecx,ebx
77FC9896   and         ecx,1Fh
77FC9899   push        1
77FC989B   pop         eax
77FC989C   shl         eax,cl
77FC989E   dec         eax
77FC989F   not         eax
77FC98A1   and         eax,dword ptr [edi]
77FC98A3   mov         dword ptr [ebp-38h],eax
77FC98A6   add         edi,4
77FC98A9   mov         dword ptr [ebp-4Ch],edi
77FC98AC   sub         edx,0
77FC98AF   jne         RtlDestroyHeap+5BAh (77fca4a9)
77FC98B5   test        eax,eax
77FC98B7   je          RtlAllocateHeap+304h (77fc9a6f)
77FC98BD   lea         edi,[esi+178h]
77FC98C3   mov         dword ptr [ebp-2Ch],edi
77FC98C6   test        ax,offset RtlAllocateHeap+15Dh (77fc98c8)
77FC98CA   je          RtlDestroyHeap+0AC0h (77fca9af)
77FC98D0   mov         ecx,eax
77FC98D2   and         ecx,0FFh
77FC98D8   je          RtlDestroyHeap+4D3h (77fca3c2)
77FC98DE   movsx       eax,byte ptr iswspace+60h (77f83a38)[ecx]
77FC98E5   lea         eax,[edi+eax*8]
77FC98E8   mov         dword ptr [ebp-2Ch],eax
77FC98EB   mov         eax,dword ptr [eax+4]
77FC98EE   sub         eax,8
77FC98F1   mov         dword ptr [ebp-50h],eax
77FC98F4   mov         ecx,dword ptr [eax+8]
77FC98F7   mov         dword ptr [ebp-0C8h],ecx
77FC98FD   mov         edx,dword ptr [eax+0Ch]
77FC9900   mov         dword ptr [ebp-0CCh],edx
77FC9906   mov         dword ptr [edx],ecx
77FC9908   mov         dword ptr [ecx+4],edx
77FC990B   cmp         ecx,edx
77FC990D   jne         RtlAllocateHeap+1C9h (77fc9934)
77FC990F   movzx       ecx,word ptr [eax]
77FC9912   mov         edi,ecx
77FC9914   shr         edi,3
77FC9917   mov         dword ptr [ebp-0D4h],edi
77FC991D   and         ecx,7
77FC9920   push        1
77FC9922   pop         edx
77FC9923   shl         edx,cl
77FC9925   mov         dword ptr [ebp-0D0h],edx
77FC992B   lea         esi,[edi+esi+158h]
77FC9932   xor         byte ptr [esi],dl
77FC9934   mov         cl,byte ptr [eax+5]
77FC9937   mov         byte ptr [ebp-3Ch],cl
77FC993A   movzx       edx,word ptr [eax]
77FC993D   mov         ecx,dword ptr [ebp-5Ch]
77FC9940   sub         dword ptr [ecx+28h],edx
77FC9943   mov         dword ptr [ebp-28h],eax
77FC9946   mov         byte ptr [eax+5],1
77FC994A   movzx       edi,word ptr [eax]
77FC994D   sub         edi,ebx
77FC994F   mov         dword ptr [ebp-58h],edi
77FC9952   mov         word ptr [eax],bx
77FC9955   mov         ecx,dword ptr [ebp-20h]
77FC9958   sub         ecx,dword ptr [ebp+10h]
77FC995B   mov         byte ptr [eax+6],cl
77FC995E   and         byte ptr [eax+7],0
77FC9962   test        edi,edi
77FC9964   je          RtlAllocateHeap+2BEh (77fc9a29)
77FC996A   cmp         edi,1
77FC996D   je          RtlDestroyHeap+0A67h (77fca956)
77FC9973   lea         esi,[eax+ebx*8]
77FC9976   mov         dword ptr [ebp-34h],esi
77FC9979   mov         cl,byte ptr [ebp-3Ch]
77FC997C   mov         byte ptr [esi+5],cl
77FC997F   mov         word ptr [esi+2],bx
77FC9983   mov         al,byte ptr [eax+4]
77FC9986   mov         byte ptr [esi+4],al
77FC9989   mov         word ptr [esi],di
77FC998C   test        cl,10h
77FC998F   jne         RtlAllocateHeap+45Bh (77fc9bc6)
77FC9995   lea         eax,[esi+edi*8]
77FC9998   mov         dword ptr [ebp-30h],eax
77FC999B   mov         cl,byte ptr [eax+5] ; #0
77FC999E   test        cl,1
77FC99A1   je          RtlDestroyHeap+1103h (77fcaff2)
77FC99A7   mov         word ptr [eax+2],di
77FC99AB   cmp         di,offset RtlAllocateHeap+243h (77fc99ae)
77FC99B0   jae         RtlDestroyHeap+355h (77fca244)
77FC99B6   and         byte ptr [esi+5],10h
77FC99BA   movzx       eax,di

 EAX = 1517DF80 EBX = 00000007 ECX = 00000048
 EDX = 00004860 ESI = 15159CB8 EDI = 00004859
 EIP = 77FC999B ESP = 0012EBFC EBP = 0012ED90
 EFL = 00200246 CS = 001B DS = 0023 ES = 0023 SS = 0023
 FS = 003B GS = 0000 OV=0 UP=0 EI=1 PL=0 ZR=1 AC=0 PE=1
 CY=0

Thinking about it for a while, I think I might have tried to open some manager.
(Some bug talked about an exception in popup blocking so I wanted to look for it).

The talkback function names don't quite match what I expect or see. Especially
the NS_ERROR_FAILURE which doesn't correspond to anything in either of:
   nsPermissionEnumerator::nsPermissionEnumerator
   nsPermissionManager::GetEnumerator
Attached patch: first try to fix
http://lxr.mozilla.org/seamonkey/source/extensions/cookie/nsPermissionManager.cpp#413
relies on mHostCount to actually be right. It is set in AddInternal (#267),
where it relies on PermissionsAreEmpty() returning true on a new entry.
(nsPermissionManager.h#127)
But mPermissions is never set to contain only zeros, so in the end mHostCount
might be less than the actual number of entries, and stuff can crash.

So, this patch fixes the init. I just hope it is actually this crash :)
Attachment #133969 - Flags: superreview?(darin)
Attachment #133969 - Flags: review?(dwitte)
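To make the counting failure concrete, here is an added C++ model of the pattern the comment describes; it is not Mozilla's code and not the patch above. It keeps a host counter that is bumped only when PermissionsAreEmpty() is true at the moment a permission is added, and an enumerator sized from that counter. The slot pool, the two-entry permission array, the host names and the bounds check in Enumerate() are assumptions of the model; freed slots are recycled without being cleared so that the stale bytes are deterministic rather than left to chance.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <deque>
#include <string>
#include <vector>

// Added example, not Mozilla code. Models the mHostCount bookkeeping: the
// counter is incremented only when an entry is "empty" when its first
// permission is added, so an entry whose permission bytes were never zeroed
// is silently never counted and anything sized from the counter is too small.

struct HostEntry {
    std::string host;
    uint8_t permissions[2] = {0, 0};  // two permission types (assumption of the model)
    bool inUse = false;

    bool PermissionsAreEmpty() const {
        return permissions[0] == 0 && permissions[1] == 0;
    }
};

// Entry storage that recycles freed slots without clearing them. It stands in
// for hash-table entry memory whose previous contents survive; choosing a pool
// makes the stale bytes deterministic (an assumption of the model).
class EntryPool {
 public:
    HostEntry* Acquire(const std::string& host, bool zeroPermissions) {
        HostEntry* e = nullptr;
        for (HostEntry& slot : slots_) {
            if (!slot.inUse) { e = &slot; break; }
        }
        if (!e) { slots_.emplace_back(); e = &slots_.back(); }  // deque keeps references valid
        e->host = host;
        e->inUse = true;
        if (zeroPermissions) e->permissions[0] = e->permissions[1] = 0;  // the fix: start empty
        return e;
    }
    void Release(HostEntry* e) { e->inUse = false; }  // permissions deliberately left as-is
    HostEntry* Find(const std::string& host) {
        for (HostEntry& slot : slots_) {
            if (slot.inUse && slot.host == host) return &slot;
        }
        return nullptr;
    }
    const std::deque<HostEntry>& Slots() const { return slots_; }

 private:
    std::deque<HostEntry> slots_;
};

class PermissionManager {
 public:
    explicit PermissionManager(bool zeroOnCreate) : zeroOnCreate_(zeroOnCreate) {}

    void Add(const std::string& host, unsigned type, uint8_t perm) {
        HostEntry* e = pool_.Find(host);
        if (!e) e = pool_.Acquire(host, zeroOnCreate_);
        if (e->PermissionsAreEmpty()) ++hostCount_;  // relies on a fresh entry reading as empty
        e->permissions[type] = perm;
    }

    // Drops every permission for a host; the slot returns to the pool uncleared.
    void RemoveHost(const std::string& host) {
        HostEntry* e = pool_.Find(host);
        if (!e) return;
        if (!e->PermissionsAreEmpty()) --hostCount_;
        pool_.Release(e);
    }

    size_t HostCount() const { return hostCount_; }

    // Ground truth: walk the table and count entries that really hold permissions.
    size_t ActualHosts() const {
        size_t n = 0;
        for (const HostEntry& s : pool_.Slots()) {
            if (s.inUse && !s.PermissionsAreEmpty()) ++n;
        }
        return n;
    }
    bool CountIsConsistent() const { return hostCount_ == ActualHosts(); }

    // Enumerator analogue: output sized from hostCount_, but it refuses to
    // overrun (returns false) instead of writing past the end.
    bool Enumerate(std::vector<std::string>& out) const {
        out.clear();
        out.reserve(hostCount_);
        for (const HostEntry& s : pool_.Slots()) {
            if (!s.inUse || s.PermissionsAreEmpty()) continue;
            if (out.size() == hostCount_) return false;  // table has more hosts than the counter says
            out.push_back(s.host);
        }
        return true;
    }

 private:
    EntryPool pool_;
    size_t hostCount_ = 0;
    bool zeroOnCreate_;
};

// Replays the sequence the bug needs: add host A, drop it, then add host B,
// which lands in A's recycled slot and inherits A's stale permission byte.
static PermissionManager RunScenario(bool zeroOnCreate) {
    PermissionManager pm(zeroOnCreate);
    pm.Add("a.example", 0, 1);
    pm.RemoveHost("a.example");
    pm.Add("b.example", 1, 2);
    return pm;
}

int main() {
    for (bool zero : {false, true}) {
        PermissionManager pm = RunScenario(zero);
        std::printf("%s: mHostCount=%zu actual=%zu consistent=%d\n",
                    zero ? "initialised" : "uninitialised",
                    pm.HostCount(), pm.ActualHosts(), pm.CountIsConsistent() ? 1 : 0);
    }
    return 0;
}
```

On the uninitialised path the counter stays at zero while one host actually holds permissions, so an enumerator that trusts mHostCount has no room for it (here Enumerate() returns false rather than writing past the end); the initialised path keeps the counter and the table in agreement. The CountIsConsistent() walk is the kind of debug assertion that turns this class of drift into an immediate failure at the point the count goes wrong, instead of a heap corruption reported later from inside malloc.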
Comment on attachment 133969 [details] [diff] [review]
first try to fix

>Index: extensions/cookie/nsPermissionManager.cpp
>===================================================================
> nsHostEntry::nsHostEntry(const nsHostEntry& toCopy)
> {
>   mHost = ArenaStrDup(toCopy.mHost, gHostArena);
>+  mPermissions[0] = mPermissions[1] = 0;
> }
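Review bot: this hunk zeroes mPermissions only in the copy constructor, while the entry whose PermissionsAreEmpty() result drives mHostCount in AddInternal (per the description above the patch) is the one the hash table builds for a new key, through a constructor that is not shown here; confirm that constructor initialises mPermissions as well, otherwise the mHostCount drift this patch targets remains. Separately, a copy constructor that resets mPermissions rather than copying toCopy.mPermissions loses the source entry's permissions if it ever runs, so either copy them or mark the path unreachable.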

the copy constructor will never be called... so, you can do this instead, for
some codesizeage:

nsHostEntry::nsHostEntry(const nsHostEntry& toCopy)
{
  // nsTHashtable shouldn't allow us to end up here, since we
  // set ALLOW_MEMMOVE to true.
  NS_NOTREACHED("nsHostEntry copy constructor is forbidden!");
}

>Index: extensions/cookie/nsPermissionManager.h
>===================================================================
>+// and the constructors
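Review bot: the added line `// and the constructors` is a sentence fragment that reads as the tail of a comment line not included in the hunk; make it self-contained by stating the invariant it documents, for example that every constructor leaves mPermissions zeroed so PermissionsAreEmpty() is true for a fresh entry (the assumption mHostCount relies on, per the description above the patch), and end it with a full stop.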

terminate with a full stop please.

r=dwitte
Attachment #133969 - Flags: review?(dwitte) → review+
Attachment #133969 - Flags: superreview?(darin) → superreview+
checked in
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
