Closed Bug 1224185 Opened 5 years ago Closed 5 years ago

Crash at xul!JSCompartment::traceIncomingCrossCompartmentEdgesForZoneGC+c9

Categories

(Core :: ImageLib, defect)

defect
Not set
normal

Tracking


RESOLVED DUPLICATE of bug 1223465
Tracking Status
firefox42 --- unaffected
firefox43 + verified
firefox44 + ---
firefox45 + ---
firefox-esr38 --- unaffected

People

(Reporter: cbook, Unassigned, NeedInfo)


Details

(Keywords: crash, regression, sec-high, Whiteboard: [gfx-noted])

Attachments

(1 file)

Attached file windbg information
found via bughunter on http://www.ref4bux.com/index.php?view=ads 

Steps to reproduce:
-> http://www.ref4bux.com/index.php?view=ads

reload this site a few times 

--> Crash

Windbg shows EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff) so marking as s-s bug
I can reproduce GC crashes with a debug build on OS X after reloading that page a number of times.

Maybe we can bisect it or something.
Group: javascript-core-security
Flags: needinfo?(terrence)
So far I've managed to get it down to:

83:05.93 LOG: MainThread Bisector INFO Last good revision: 6256ec9113c115141aab089c45ee69438884b680 (2015-09-28)
83:05.93 LOG: MainThread Bisector INFO First bad revision: ccee6614fd9d18a31f263fbcfe9676b224d851aa (2015-09-29)
83:05.93 LOG: MainThread Bisector INFO Pushlog:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=6256ec9113c115141aab089c45ee69438884b680&tochange=ccee6614fd9d18a31f263fbcfe9676b224d851aa

Will keep churning on m-i, but bustage ahoy.
Flags: needinfo?(terrence)
Reduced it to:

129:59.72 LOG: MainThread Bisector INFO Narrowed inbound regression window from [3797b7f3, 649f934c] (4 revisions) to [bd4a6ddd, 649f934c] (2 revisions) (~1 steps left)
129:59.73 LOG: MainThread main INFO Oh noes, no (more) inbound revisions :(
129:59.73 LOG: MainThread Bisector INFO Last good revision: bd4a6ddd01a049ebf846a0e4b5a795596e65508e
129:59.73 LOG: MainThread Bisector INFO First bad revision: 649f934c48e639a9d52e8da665b06a733f2e590d
129:59.73 LOG: MainThread Bisector INFO Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=bd4a6ddd01a049ebf846a0e4b5a795596e65508e&tochange=649f934c48e639a9d52e8da665b06a733f2e590d

That is:

649f934c48e6	Seth Fowler — Bug 1207378 (Part 2) - Use Downscaler to remove first-frame padding when downscaling GIFs. r=tn
3d603de6ef4b	Seth Fowler — Bug 1207378 (Part 1) - Add support for a frame rect to Downscaler. r=tn

Passing the ni to seth@mozilla.com.
Flags: needinfo?(seth)
This may be the same issue as in Bug 1223465 - AddressSanitizer: heap-buffer-overflow in mozilla::image::nsGIFDecoder2::DoLzw and Bug 1224100 - AddressSanitizer: heap-buffer-overflow - Wheel of crashes [@ js::jit::EnterBaselineMethod ] | [@ nsDisplayList::SortByZOrder ] | [@ AddRule ]

I've seen the mozilla::image::nsGIFDecoder2::DoLzw heap error in both bugs and terrence's bisection points to GIFs.
See Also: → 1223465, 1224100
Component: JavaScript Engine → ImageLib
Group: core-security, javascript-core-security → gfx-core-security
Presumably Firefox 42 is unaffected if bug 1207378 is the regressor
Seth, is this something you can work on, or can you help us find an owner for this bug?
Looks like we will release 43 with it, if not.
Whiteboard: [gfx-noted]
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #6)
> Seth, is this something you can work on, or can you help us find an owner for
> this bug?
> Looks like we will release 43 with it, if not.

I'm fairly certain this bug is the same as bug 1223465, which is waiting on beta approval.
Marking fixed based on comment 7. 
Cornel, can someone on your team verify the fix?
Flags: needinfo?(cornel.ionce)
Assigning to Alexandra for verification.
Flags: needinfo?(cornel.ionce) → needinfo?(alexandra.lucinet)
QA Contact: alexandra.lucinet
Crashed 43.0b7, under Windows 7 64-bit, with STR from comment 0:
> bp-fea36c2d-26a9-47ef-a997-4ea9b2151208
> bp-e136b3d2-fb25-4475-98ed-021752151208

Unable to reproduce the crash with 43.0b9 (Build ID: 20151203163240), across platforms [1].

[1] Ubuntu 14.04 32-bit, Windows 7 64-bit and Mac OS X 10.11
Flags: needinfo?(alexandra.lucinet)
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1223465
Group: gfx-core-security