Closed
Bug 634256
Opened 13 years ago
Closed 6 years ago
crash [@ nsPluginStreamListenerPeer::GetInterfaceGlobal] using cross_fuzzv3
Categories: Core Graveyard :: Plug-ins, defect, P2
Tracking: Not tracked
Status: RESOLVED WONTFIX
People: Reporter: eherokles, Unassigned
Attachments
(3 files)
cross_fuzzv3 on firefox4b11 32bit windowsxp FAILURE_BUCKET_ID: NULL_POINTER_READ_c0000005_xul.dll!nsPluginStreamListenerPeer::GetInterfaceGlobal
Updated•13 years ago
Component: XUL → Plug-ins
QA Contact: xptoolkit.widgets → plugins
Updated•13 years ago
Attachment #512471 -
Attachment mime type: application/octet-stream → text/plain
Comment 1•13 years ago
What was the cross-fuzz log/salt to reproduce? Do you know what plugin was being used at the time?
As far as I know there is no possibility in cross_fuzz to get this info. Look at: http://lcamtuf.blogspot.com/2011/01/announcing-crossfuzz-potential-0-day-in.html The dialog between Johan and Michael Zalewski. When you know more, please point me to it.
Comment 3•13 years ago
I only used an early version, but I was pretty sure there was a logging feature or somesuch.
I've googled for that, but there seems to be nothing. The fuzzer mangleme has this feature, but it is not implemented in cross_fuzz. Anyway, when you have a link that shows otherwise, please send it to me.
Comment 5•13 years ago
If you load cross_fuzz with #42 it should use seed 42.
Comment 6•13 years ago
1. http://ru.pokerstrategy.com/strategy/1550/print/
2. shutdown
3. Crash

Linux 32bit 2.0, beta, aurora, nightly

I haven't tried to reproduce locally yet (building atm), but this *may* require Spider.

Operating system: Linux
                  0.0.0 Linux 2.6.35.13-91.fc14.i686.PAE #1 SMP Tue May 3 13:29:55 UTC 2011 i686
CPU: x86
     GenuineIntel family 6 model 44 stepping 2
     1 CPU

Crash reason:  SIGSEGV
Crash address: 0x0

Thread 0 (crashed)
 0  libxul.so!nsPluginStreamListenerPeer::GetInterfaceGlobal [nsPluginStreamListenerPeer.cpp : 1327 + 0xb]
    eip = 0x01f9ea61   esp = 0xbf9636d0   ebp = 0xbf963728   ebx = 0x03235414
    esi = 0x00000000   edi = 0x0a462910   eax = 0x00000000   ecx = 0x037b534c
    edx = 0x00000001   efl = 0x00010282
    Found by: given as instruction pointer in context
 1  libxul.so!nsPluginStreamListenerPeer::GetInterface [nsPluginStreamListenerPeer.cpp : 1344 + 0x18]
    eip = 0x01f9eb34   esp = 0xbf963730   ebp = 0xbf963748   ebx = 0x03235414
    esi = 0x00000000   edi = 0x0a0b4b14
    Found by: call frame info
 2  libxul.so!NS_QueryNotificationCallbacks [nsNetUtil.h : 1295 + 0x1f]
    eip = 0x00ee204e   esp = 0xbf963750   ebp = 0xbf963778   ebx = 0x03235414
    esi = 0x00000000   edi = 0x0a0b4b14
    Found by: call frame info
 3  libxul.so!mozilla::net::HttpBaseChannel::GetCallback<nsIProgressEventSink> [HttpBaseChannel.h : 204 + 0x59]
    eip = 0x00fe287e   esp = 0xbf963780   ebp = 0xbf9637b8   ebx = 0x03235414
    esi = 0x00000000   edi = 0x0a0b4b14
    Found by: call frame info
 4  libxul.so!nsHttpChannel::OnTransportStatus [nsHttpChannel.cpp : 4130 + 0x14]
    eip = 0x00fde47d   esp = 0xbf9637c0   ebp = 0xbf9638f8   ebx = 0x03235414
    esi = 0x00000000   edi = 0x00000000
    Found by: call frame info
 5  libxul.so!nsHttpChannel::OnDataAvailable [nsHttpChannel.cpp : 4099 + 0x3e]
    eip = 0x00fde372   esp = 0xbf963900   ebp = 0xbf963968   ebx = 0x03235414
    esi = 0x00000000   edi = 0x00000000
    Found by: call frame info
Comment 7•11 years ago
Other examples, though the stacks are somewhat different, probably due to changes in the last couple of years:

ABORT: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr != 0'

https://manslmt.lv/lv/icenter/info.php
https://www.ov-chipkaart.nl/mijnovchipkaart/reizenentransacties/mijnreizenentransacties/transactiesprinten/

Load url and then shutdown to see the crash. Haven't been able to reproduce with a locally saved version.

Occurs on Beta/20, Aurora/21, Nightly/22 and Windows+Linux at least.
Comment 8•11 years ago
(In reply to Bob Clary [:bc:] from comment #7)
> Load url and then shutdown to see the crash.

Shutdown as in "close fx" or "shutdown the system"?
OS: Windows XP → All
Priority: -- → P2
Comment 9•11 years ago
browser
Updated•11 years ago
Assignee: nobody → georg.fritzsche
Updated•10 years ago
Assignee: georg.fritzsche → nobody
Flags: firefox-backlog?
Updated•10 years ago
Flags: firefox-backlog? → firefox-backlog+
Comment 10•9 years ago
automation no longer crashes on http://ru.pokerstrategy.com/strategy/1550/print/
Updated•7 years ago
Crash Signature: [@ nsPluginStreamListenerPeer::GetInterfaceGlobal]
Comment 11•6 years ago
Closing because no crashes reported for 12 weeks.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
Updated•2 years ago
Product: Core → Core Graveyard