Bug 705347 (Closed): Crash [@ nsCOMPtr<imgIDecoderObserver>::nsCOMPtr<imgIDecoderObserver>]
Opened 13 years ago, closed 12 years ago
Categories: Core :: Graphics: ImageLib, defect
People: Reporter: bc, Assigned: joe
Keywords: crash, verified1.9.2
Whiteboard: [sg:critical] fixed by bug 432391

Attachments (2 files, 2 obsolete files)
  57 bytes, text/html
  2.61 KB, patch (joe: review+; dveditz: approval1.9.2.26+)
Description (comment 0, Reporter)

+++ This bug was initially created as a clone of Bug #587720 +++

1. http://nizhnegorsk.at.ua/index/veb_kamery_nizhnegorska/0-13
2. Crash ?

Beta/9 Windows XP/7 (I couldn't reproduce this locally)

Operating system: Windows NT 5.1.2600 Service Pack 3
CPU: x86 GenuineIntel family 6 model 44 stepping 2, 1 CPU
Crash reason: EXCEPTION_ACCESS_VIOLATION_READ
Crash address: 0xffffffffdddddde1

Thread 0 (crashed)
 0 xul.dll!nsCOMPtr<imgIDecoderObserver>::nsCOMPtr<imgIDecoderObserver>(imgIDecoderObserver *) [nsCOMPtr.h : 600 + 0xd]
    eip = 0x01819694 esp = 0x0012d228 ebp = 0x0012d230 ebx = 0x00000001
    esi = 0x00902848 edi = 0x00000000 eax = 0x06db8e10 ecx = 0xdddddddd
    edx = 0x0012d260 efl = 0x00210202
    Found by: given as instruction pointer in context
 1 xul.dll!imgRequestProxy::OnStopRequest(int) [imgRequestProxy.cpp : 737 + 0x11]
    eip = 0x01818f0a esp = 0x0012d238 ebp = 0x0012d2c4
    Found by: call frame info
 2 xul.dll!imgStatusTracker::EmulateRequestFinished(imgRequestProxy *,unsigned int,int) [imgStatusTracker.cpp : 291 + 0x9]
    eip = 0x0181b633 esp = 0x0012d2cc ebp = 0x0012d2d8
    Found by: call frame info
 3 xul.dll!imgRequest::RemoveProxy(imgRequestProxy *,unsigned int,int) [imgRequest.cpp : 320 + 0x19]
    eip = 0x01812891 esp = 0x0012d2e0 ebp = 0x0012d410
    Found by: call frame info
 4 xul.dll!imgRequestProxy::DoCancel(unsigned int) [imgRequestProxy.cpp : 294 + 0x1b]
    eip = 0x01817e82 esp = 0x0012d418 ebp = 0x0012d428
    Found by: call frame info
 5 xul.dll!imgRequestProxy::imgCancelRunnable::Run() [imgRequestProxy.h : 157 + 0x18]
    eip = 0x01817dec esp = 0x0012d430 ebp = 0x0012d434
    Found by: call frame info

Beta/9 Mac OS X

1. http://nizhnegorsk.at.ua/index/veb_kamery_nizhnegorska/0-13
2. Shutdown
3. Crash.

I can reproduce this locally on Mac OS X.

Operating system: Mac OS X 10.6.8 10K549
CPU: amd64 family 6 model 23 stepping 10, 2 CPUs
Crash reason: EXC_BAD_ACCESS / 0x0000000d
Crash address: 0x0

Thread 0 (crashed)
 0 XUL!nsCOMPtr<imgIDecoderObserver>::nsCOMPtr [nsCOMPtr.h : 600 + 0xe]
    rbx = 0x0000000118a29b28 r12 = 0x0000000102a268c8 r13 = 0x0000000100119150
    r14 = 0x0000000100118c30 r15 = 0x0000000000000000 rip = 0x00000001015471c3
    rsp = 0x00007fff5fbf9400 rbp = 0x00007fff5fbf9410
    Found by: given as instruction pointer in context
 1 XUL!imgRequestProxy::OnStopRequest [imgRequestProxy.cpp : 737 + 0x16]
    rbx = 0x0000000118a29b28 r12 = 0x0000000102a268c8 r13 = 0x0000000100119150
    r14 = 0x0000000100118c30 r15 = 0x0000000000000000 rip = 0x00000001015446af
    rsp = 0x00007fff5fbf9420 rbp = 0x00007fff5fbf9500
    Found by: call frame info
 2 XUL!imgStatusTracker::EmulateRequestFinished [imgStatusTracker.cpp : 291 + 0xd]
    rbx = 0x0000000118a36280 r12 = 0x0000000102a268c8 r13 = 0x0000000100119150
    r14 = 0x0000000100118c30 r15 = 0x0000000000000000 rip = 0x000000010154935c
    rsp = 0x00007fff5fbf9510 rbp = 0x00007fff5fbf9540
    Found by: call frame info
 3 XUL!imgRequest::RemoveProxy [imgRequest.cpp : 320 + 0x25]
    rbx = 0x0000000118a36280 r12 = 0x0000000102a268c8 r13 = 0x0000000100119150
    r14 = 0x0000000100118c30 r15 = 0x0000000000000000 rip = 0x000000010153f1bb
    rsp = 0x00007fff5fbf9550 rbp = 0x00007fff5fbf96d0
    Found by: call frame info

Running under gdb with scribble malloc enabled I get:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x55555559
0x05339067 in nsCOMPtr<imgIDecoderObserver>::nsCOMPtr (this=0xbfffcc08, aRawPtr=0x2888f240) at nsCOMPtr.h:600
600         NSCAP_ADDREF(this, mRawPtr);
(gdb) bt
#0  0x05339067 in nsCOMPtr<imgIDecoderObserver>::nsCOMPtr (this=0xbfffcc08, aRawPtr=0x2888f240) at nsCOMPtr.h:600
#1  0x05336732 in imgRequestProxy::OnStopRequest (this=0x2888f1a0, lastPart=0) at /work/mozilla/builds/beta/mozilla/modules/libpr0n/src/imgRequestProxy.cpp:737
#2  0x0533aab1 in imgStatusTracker::SendStopRequest (this=0x2557d8f0, aProxy=0x2888f1a0, aLastPart=0, aStatus=0) at /work/mozilla/builds/beta/mozilla/modules/libpr0n/src/imgStatusTracker.cpp:522
#3  0x053309ec in imgRequest::OnStopRequest (this=0x255149b0, aRequest=0x28783380, ctxt=0x0, status=0) at /work/mozilla/builds/beta/mozilla/modules/libpr0n/src/imgRequest.cpp:948
#4  0x05154b67 in nsPartChannel::SendOnStopRequest (this=0x28783380, aContext=0x0, aStatus=0) at /work/mozilla/builds/beta/mozilla/netwerk/streamconv/converters/nsMultiMixedConv.cpp:120
#5  0x05154bd9 in nsMultiMixedConv::SendStop (this=0x287b78a0, aStatus=0) at /work/mozilla/builds/beta/mozilla/netwerk/streamconv/converters/nsMultiMixedConv.cpp:857
(gdb) info registers
eax            0x55555559 1431655769
ecx            0x0        0
edx            0xbfffcc08 -1073755128
ebx            0x5336644  87254596
esp            0xbfffcb70 0xbfffcb70
ebp            0xbfffcb88 0xbfffcb88
esi            0x288b09f8 680200696
edi            0x5320cf8  87166200
eip            0x5339067  0x5339067 <nsCOMPtr<imgIDecoderObserver>::nsCOMPtr(imgIDecoderObserver*)+33>
eflags         0x210206   2163206
cs             0x17       23
ss             0x1f       31
ds             0x1f       31
es             0x1f       31
fs             0x0        0
gs             0x37       55

I can reproduce on Mac with a saved version. Reducing now.
Comment 1 (Reporter) • 13 years ago
<video poster="http://konica.strace.net:7890/"> </video>

The contents of the url is an unbounded? jpeg?

Content-Type: image/jpeg
Content-Length: 6067
Comment 2 (Assignee) • 13 years ago
Seems like konica.strace.net:7890 isn't responding right now; unsurprisingly, I can't reproduce.
Comment 3 (Reporter) • 13 years ago
It is up right now. I just crashed on shutdown with pure virtual method called.
Updated • 13 years ago
Assignee: nobody → joe
Whiteboard: [sg:critical]
Updated • 13 years ago
status-firefox10: --- → affected
status-firefox11: --- → affected
status-firefox8: --- → wontfix
tracking-firefox10: --- → +
tracking-firefox11: --- → +
tracking-firefox8: --- → -
tracking-firefox9: --- → -
Comment 4 • 13 years ago
Joe, ping?
Comment 5 (Assignee) • 13 years ago
It is likely that we will give George trial-by-fire on this bug. :)
Comment 6 (Assignee) • 12 years ago
George will be looking for something new to do in the near future, and this is going to be it. :)
Assignee: joe → gwright
Comment 7 (Assignee) • 12 years ago
This still crashes in 9.0.1, but the latest 10 beta has apparently fixed that crash. We should probably get a fix window, but for now let's just call this WFM.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
Comment 8 • 12 years ago
Yes, we need a fix window because the still-supported 1.9.2 branch has this bug, too.
Whiteboard: [sg:critical] → [sg:critical][fix-range-wanted]
Comment 9 (Assignee) • 12 years ago
Fix window: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9fa62f76f1cf&tochange=311fdb9b38b7

From that, I suspect https://hg.mozilla.org/mozilla-central/rev/81665fc485dd

Going to work on a 1.9.2 build to figure out if that is indeed the fix.
Updated (Assignee) • 12 years ago
tracking-firefox10: + → ---
tracking-firefox11: + → ---
Comment 10 (Assignee) • 12 years ago
Boris' patch does fix this bug. I've transplanted it to 1.9.2, but the code had drifted a little, so it was not strictly a trivial merge. Thus, I'm going to get review on it.
Comment 11 (Assignee) • 12 years ago
The main difference here between the patch committed to mozilla-central (https://hg.mozilla.org/mozilla-central/rev/81665fc485dd) and this patch is the addition of !mOwner in the early exit in imgRequestProxy::CancelAndForgetObserver. This is due to bug 572520, part 6, which Jeff reviewed. Thus, I'm going to get him to review this patch.
Assignee: gwright → joe
Attachment #588205 - Flags: review?(jmuizelaar)
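To make the lifecycle behind the stack in comment 0 and the early-exit change discussed in comment 11 concrete, here is an added C++ model. It is not Gecko code and not any of the attachments on this bug; the names Observer, Proxy and run_scenario are hypothetical, and it follows my reading of the report: the proxy keeps a non-owning pointer to its observer, the observer is expected to call CancelAndForgetObserver before it goes away, and Cancel() defers the real teardown to a queued imgCancelRunnable. It models only the imgCancelRunnable path from the Windows stack, not the nsMultiMixedConv path in the gdb trace; the exact conditions in the real patch differ from the two-line variants shown here.

```cpp
#include <functional>
#include <iostream>
#include <memory>
#include <set>
#include <string>
#include <vector>

// Hypothetical model, not Gecko's code. Live observer addresses are tracked
// here so the demo can recognise a dangling pointer without touching freed
// memory (the real crash dereferences heap scribble: 0xdddddddd / 0x55555555).
static std::set<const void*> gLiveObservers;

struct Proxy;

// Stands in for the imgIDecoderObserver (e.g. the element loading the image).
// It owns its request proxy and must forget itself from it before dying.
struct Observer {
    std::shared_ptr<Proxy> request;
    Observer() { gLiveObservers.insert(this); }
    ~Observer();
    void OnStopRequest() {}
};

using Runnable = std::function<void()>;
static std::vector<Runnable> gEventQueue;   // stands in for the main-thread event loop

struct Proxy : std::enable_shared_from_this<Proxy> {
    Observer* mListener = nullptr;   // non-owning, like imgRequestProxy::mListener
    bool mCanceled = false;
    bool mFixed;                     // which CancelAndForgetObserver variant to use
    std::string queuedOutcome = "never-ran";

    explicit Proxy(bool fixed) : mFixed(fixed) {}

    // Cancel(): mark canceled now, deliver OnStopRequest later from a runnable.
    void Cancel() {
        if (mCanceled) return;
        mCanceled = true;
        std::shared_ptr<Proxy> self = shared_from_this();   // runnable keeps the proxy alive
        gEventQueue.push_back([self] { self->queuedOutcome = self->OnStopRequest(); });
    }

    // End of the deferred DoCancel -> RemoveProxy -> EmulateRequestFinished path.
    std::string OnStopRequest() {
        if (!mListener) return "skipped: no listener";
        if (!gLiveObservers.count(mListener)) return "use-after-free: mListener is dangling";
        // Here nsCOMPtr<imgIDecoderObserver> kungFuDeathGrip(mListener) would AddRef;
        // with a dangling mListener that AddRef is the crash in the stack above.
        mListener->OnStopRequest();
        return "delivered";
    }

    void CancelAndForgetObserver() {
        if (mFixed) {
            // Bail out only when there is nothing left to forget. A pending
            // Cancel() with mListener still set must fall through and clear it.
            if (mCanceled && !mListener) return;
        } else {
            // Buggy variant: an earlier Cancel() returns before mListener is cleared.
            if (mCanceled) return;
        }
        mCanceled = true;
        if (mListener) OnStopRequest();   // final notification while the observer is alive
        mListener = nullptr;
    }
};

Observer::~Observer() {
    if (request) request->CancelAndForgetObserver();
    gLiveObservers.erase(this);
}

// Drives the sequence from the report: a Cancel() is pending when the observer
// is torn down, then the event loop runs the deferred cancel.
std::string run_scenario(bool fixed) {
    gEventQueue.clear();
    auto proxy = std::make_shared<Proxy>(fixed);
    Observer* obs = new Observer();
    obs->request = proxy;
    proxy->mListener = obs;

    proxy->Cancel();                    // imgCancelRunnable is now queued
    delete obs;                         // observer goes away (shutdown) before it fires
    for (auto& r : gEventQueue) r();    // the deferred DoCancel finally runs
    gEventQueue.clear();
    return proxy->queuedOutcome;
}

int main() {
    std::cout << "buggy early exit: " << run_scenario(false) << "\n";
    std::cout << "fixed early exit: " << run_scenario(true) << "\n";
    return 0;
}
```

The buggy variant reports a dangling listener when the runnable fires; the fixed variant has already delivered the final notification and cleared mListener, so the runnable finds nothing to touch. A liveness registry is a demo device only; in a real build the equivalent signal is a sanitizer or scribble-malloc report like the one in comment 0.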
Updated (Assignee) • 12 years ago
Whiteboard: [sg:critical][fix-range-wanted] → [sg:critical]
Comment 12 • 12 years ago
Comment on attachment 588205 [details] [diff] [review]
transplant 81665fc485dd from mozilla-central

Split the if to make it more clear. If you can make a test in a reasonable amount of time, that would be nice too.
Attachment #588205 - Flags: review?(jmuizelaar) → review+
Comment 13 (Assignee) • 12 years ago
Unfortunately, creating a reliable testcase is non-trivial. We'll just go with this for now.
Attachment #588205 - Attachment is obsolete: true
Attachment #588987 - Flags: review+
Attachment #588987 - Flags: approval1.9.2.26?
Comment 14 (Assignee) • 12 years ago
Comment on attachment 588987 [details] [diff] [review]
updated for review comments

Wrong version of the patch.
Attachment #588987 - Attachment is obsolete: true
Attachment #588987 - Flags: approval1.9.2.26?
Comment 15 (Assignee) • 12 years ago
Attachment #588989 - Flags: review+
Attachment #588989 - Flags: approval1.9.2.26?
Comment 16 • 12 years ago
For security bugs a branch status of "fixed" is better than "unaffected" for tracking purposes. Especially when the fix was identified to the point of being able to backport it :-)
Depends on: 432391
Whiteboard: [sg:critical] → [sg:critical] fixed by bug 432391
Comment 17 • 12 years ago
Comment on attachment 588989 [details] [diff] [review]
updated for review comments

approved for 1.9.2.26, a=dveditz
Attachment #588989 - Flags: approval1.9.2.26? → approval1.9.2.26+
Comment 18 • 12 years ago
https://hg.mozilla.org/releases/mozilla-1.9.2/rev/173bc943fe0d
Comment 19 • 12 years ago
Verified fixed for Firefox 3.6.26 comparing the testcase in comment 0 with mozilla-1.9.2-debug from 2012-01-11 and 2012-01-24.
Keywords: verified1.9.2
Comment 20 • 12 years ago
Is there a CVE for this issue yet?
Updated • 12 years ago
Group: core-security
Updated • 9 years ago
Keywords: testcase-wanted