Open Bug 700007 Opened 13 years ago Updated 1 year ago

Crash in breakpad (google_breakpad::ReadTaskMemory ?)

Categories: Toolkit :: Crash Reporting, defect

Platform: x86, macOS

Reporter: christian (Unassigned)

Keywords: crash

I got a Nightly crash that brought up the apple crash reporter on 10.0a1 (2011-11-04). Looks like Nightly crashed and then breakpad crashed:

Thread 22 Crashed:
0   libsystem_kernel.dylib        	0x00007fff91d17ce2 __pthread_kill + 10
1   libsystem_c.dylib             	0x00007fff9123a7d2 pthread_kill + 95
2   libsystem_c.dylib             	0x00007fff9122ba7a abort + 143
3   libc++abi.dylib               	0x00007fff8957a7bc abort_message + 214
4   libc++abi.dylib               	0x00007fff89577fcf default_terminate() + 28
5   libobjc.A.dylib               	0x00007fff928391cd _objc_terminate + 114
6   libc++abi.dylib               	0x00007fff89578001 safe_handler_caller(void (*)()) + 11
7   libc++abi.dylib               	0x00007fff8957805c std::terminate() + 16
8   libc++abi.dylib               	0x00007fff89579152 __cxa_throw + 114
9   libstdc++.6.dylib             	0x00007fff8ea87686 operator new(unsigned long) + 86
10  XUL                           	0x000000010102c8f2 std::vector<unsigned char, std::allocator<unsigned char> >::_M_fill_insert(__gnu_cxx::__normal_iterator<unsigned char*, std::vector<unsigned char, std::allocator<unsigned char> > >, unsigned long, unsigned char const&) + 146
11  XUL                           	0x000000010102c003 google_breakpad::ReadTaskMemory(unsigned int, unsigned long long, unsigned long, std::vector<unsigned char, std::allocator<unsigned char> >&) + 227
12  XUL                           	0x000000010102d3a5 void google_breakpad::ReadImageInfo<google_breakpad::MachO32>(google_breakpad::DynamicImages&, unsigned long long) + 213
13  XUL                           	0x000000010102c29b google_breakpad::DynamicImages::DynamicImages(unsigned int) + 171
14  XUL                           	0x000000010102ba16 google_breakpad::MinidumpGenerator::MinidumpGenerator(unsigned int, unsigned int) + 310
15  XUL                           	0x0000000101026dbd google_breakpad::CrashGenerationServer::WaitForOneMessage() + 605
16  XUL                           	0x0000000101026eb8 google_breakpad::CrashGenerationServer::WaitForMessages(void*) + 24
17  libsystem_c.dylib             	0x00007fff912388bf _pthread_start + 335
18  libsystem_c.dylib             	0x00007fff9123bb75 thread_start + 13

I'm going to try to reproduce now...

Since DynamicImages is on the stack, this is probably an out-of-process plugin crash that Breakpad was trying to write a minidump for. I'm guessing we read some bad data somehow, and tried to create an entirely too-large vector to hold it, causing operator new() to throw.

I seem to be able to reproduce a plugin crash / hang on Yahoo News that then triggers a breakpad crash or hang. I'll try to figure out which ad is causing it.
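The hypothesis above is that a corrupt image header handed ReadTaskMemory a bogus length, the vector resize tried to allocate it, and the resulting exception escaped into std::terminate(). The following is an added example (not Breakpad's code) of a read helper that validates the requested range against a cap and the known mapping before allocating; FakeTask, kMaxReadBytes and ReadTaskMemoryChecked are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <new>
#include <vector>

// Constructed stand-in for the crashed task's address space: one mapped
// region starting at base_addr and backed by bytes.  A real dump writer
// would read the target task through the kernel; this keeps the example
// runnable offline.
struct FakeTask {
    uint64_t base_addr;
    std::vector<unsigned char> bytes;
};

// Assumed upper bound on a single read.  A dump writer would derive it
// from the largest structure it legitimately copies out of the target.
constexpr uint64_t kMaxReadBytes = 64ull * 1024 * 1024;

// Copies [addr, addr+len) from task into out.  Returns false instead of
// throwing when the range is implausible or unmapped, so a corrupt header
// produces a failed read rather than an uncaught exception and an abort.
bool ReadTaskMemoryChecked(const FakeTask& task, uint64_t addr, uint64_t len,
                           std::vector<unsigned char>& out) {
    out.clear();
    if (len == 0 || len > kMaxReadBytes) return false;   // bogus length
    if (len > UINT64_MAX - addr) return false;            // addr + len wraps
    if (addr < task.base_addr) return false;              // below the mapping
    uint64_t region_end = task.base_addr + task.bytes.size();
    if (addr + len > region_end) return false;            // runs past the mapping
    try {
        out.resize(static_cast<size_t>(len));
    } catch (const std::bad_alloc&) {
        return false;   // a sane size can still fail in a starved process
    }
    std::memcpy(out.data(), task.bytes.data() + (addr - task.base_addr),
                static_cast<size_t>(len));
    return true;
}

int main() {
    FakeTask task{0x1000, {1, 2, 3, 4, 5, 6, 7, 8}};  // constructed mapping
    std::vector<unsigned char> out;
    bool ok = ReadTaskMemoryChecked(task, 0x1002, 3, out);
    bool huge = ReadTaskMemoryChecked(task, 0x1000, UINT64_MAX, out);
    std::printf("valid read: %d, oversized read rejected: %d\n", ok, !huge);
    return 0;
}
```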
Keywords: crash
Severity: critical → S2
Severity: S2 → S3