Closed Bug 1303997 Opened 9 years ago Closed 9 years ago

mozglue!abort_from_exception and Unknown exception - code c0000025

Categories

(Firefox :: Untriaged, defect)

48 Branch
x86_64
Windows 7
defect
Not set
normal

RESOLVED INCOMPLETE

People

(Reporter: romi007r, Unassigned, NeedInfo)

Details

(Keywords: testcase-wanted)

Attachments

(1 file)

739.67 KB, application/x-zip-compressed
Attached file crashes.zip
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MS-RTC LM 8; .NET4.0C; .NET4.0E; rv:11.0) like Gecko

Steps to reproduce:

Fuzzed Firefox with WinAFL, command line:

command_line : afl-fuzz.exe -i in -o new -D c:\winafl-master\dyno\bin32 -t 100000+ -m 15000 -- -coverage_module firefox.exe -target_offset 0xd8ff -fuzz_iterations 100000 -nargs 4 -- c:\progra~2\mozill~1\firefox.exe

Actual results:

I am attaching dump files for analysis.

.ecxr
eax=002bed08 ebx=002bf19c ecx=00000000 edx=000002cc esi=002bf040 edi=002bf1ac
eip=10df5cd2 esp=002bf038 ebp=002bf110 iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200212
xul!google_breakpad::ExceptionHandler::WriteMinidump+0x3a:
10df5cd2 8d8d30ffffff lea ecx,[ebp-0D0h]

I have attached a few dump files in the zip folder.
additional trace

ExceptionAddress: 7424efe5 (mozglue!mozalloc_abort+0x0000002c)
   ExceptionCode: 80000003 (Break instruction exception)
  ExceptionFlags: 00000000
NumberParameters: 1
   Parameter[0]: 00000000
0:050>
ExceptionAddress: 7424efe5 (mozglue!mozalloc_abort+0x0000002c)
   ExceptionCode: 80000003 (Break instruction exception)
  ExceptionFlags: 00000000
NumberParameters: 1
   Parameter[0]: 00000000
0:050> .exr 7424efe5
ExceptionAddress: 1015ff00 (xul!mozilla::dom::VTTCueBinding::GetConstructorObjectHandle+0x00000046)
   ExceptionCode: c7036acc
  ExceptionFlags: 00000005
NumberParameters: 1349789024
   Parameter[0]: 605c15ff
   Parameter[1]: 55cc7425
   Parameter[2]: ec83ec8b
   Parameter[3]: a000a138
   Parameter[4]: c5337425
   Parameter[5]: 53fc4589
   Parameter[6]: eca15756
   Parameter[7]: 8d7425ab
   Parameter[8]: 5d8bc87d
   Parameter[9]: 7434be08
   Parameter[10]: 0c6a7425
   Parameter[11]: 66a5f359
   Parameter[12]: 74c085a5
   Parameter[13]: d0ff5304
   Parameter[14]: 59206a59

FAULTING_IP:
mozglue!mozalloc_abort+2c [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\memory\mozalloc\mozalloc_abort.cpp @ 33]
7424efe5 cc int 3

EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 7424efe5 (mozglue!mozalloc_abort+0x0000002c)
   ExceptionCode: 80000003 (Break instruction exception)
  ExceptionFlags: 00000000
NumberParameters: 1
   Parameter[0]: 00000000

DEFAULT_BUCKET_ID: STATUS_BREAKPOINT_AVRF
PROCESS_NAME: firefox.exe
ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint has been reached.
EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid
EXCEPTION_CODE_STR: 80000003
EXCEPTION_PARAMETER1: 00000000
WATSON_BKT_PROCSTAMP: 57bd2863
WATSON_BKT_PROCVER: 48.0.2.6079
PROCESS_VER_PRODUCT: Firefox
WATSON_BKT_MODULE: mozglue.dll
WATSON_BKT_MODSTAMP: 57bd2857
WATSON_BKT_MODOFFSET: efe5
WATSON_BKT_MODVER: 48.0.2.6079
MODULE_VER_PRODUCT: Firefox
BUILD_VERSION_STRING: 6.1.7601.23418 (win7sp1_ldr.160408-2045)
MODLIST_WITH_TSCHKSUM_HASH: c93760ace52cdbd495d1d6a59d2d9b48a50ab335
MODLIST_SHA1_HASH: 36c664a5538c03e977ee42b9019daee4450da6af
DUMP_FLAGS: 400
DUMP_TYPE: 0
APPLICATION_VERIFIER_LOADED: 1
FAULTING_THREAD: 00002178
ANALYSIS_SESSION_HOST: INGBTCPIC5DTL90
ANALYSIS_SESSION_TIME: 09-20-2016 18:24:29.0946
ANALYSIS_VERSION: 10.0.14321.1024 amd64fre
THREAD_ATTRIBUTES:
PROBLEM_CLASSES:
Tid [0x0] Frame [0x00] String [STATUS_BREAKPOINT] Data Bucketing
AVRF Tid [0x2178] Frame [0x00]: mozglue!mozalloc_abort Failure Bucketing
BUGCHECK_STR: STATUS_BREAKPOINT_AVRF
LAST_CONTROL_TRANSFER: from 7424f05c to 7424efe5

STACK_TEXT:
27b1ef70 7424f05c 27b1ef88 00010000 163f5580 mozglue!mozalloc_abort+0x2c
27b1efc0 7424c9f5 00010000 853eb018 5253cf28 mozglue!mozalloc_handle_oom+0x5c
27b1efd8 0f1b682f 0f1b68eb 00010000 0f1b971d mozglue!moz_xmalloc+0x94b5
27b1f000 0f5a76b6 163f5580 27b1f518 163f5580 xul!CCGraphBuilder::NoteJSObject+0x7f
27b1f014 0f1b91cd 2af1c460 10f20ec4 163f5580 xul!nsScriptObjectTracer::NoteJSChild+0x30
27b1f024 0f1b9575 26ae97a8 10f20ec4 163f5580 xul!TraceCallbackFunc::Trace+0x16
27b1f044 0f4748d6 11719f70 26ae97a0 27b1f064 xul!mozilla::dom::CallbackObject::cycleCollection::Trace+0x42
27b1f06c 0f34a75a 11719f70 26ae97a0 163f5580 xul!mozilla::dom::CallbackObject::cycleCollection::Traverse+0x3b
27b1f08c 0f52c273 28092050 28092000 00000100 xul!CCGraphBuilder::BuildGraph+0x53
27b1f09c 0f52da54 27b1f108 286a9828 00000000 xul!nsCycleCollector::MarkRoots+0x1a
27b1f0e0 0f700714 00000001 27b1f108 00000000 xul!nsCycleCollector::Collect+0x104
27b1f12c 0f52fdd0 0f52fd8b 00000001 27b1f18c xul!nsCycleCollector_collect+0x68
27b1f130 0f52fd8b 00000001 27b1f18c 0f52fd40 xul!`anonymous namespace'::WorkerJSRuntime::CustomGCCallback+0x17
27b1f13c 0f52fd40 00000001 0f52fd2d 286df000 xul!mozilla::CycleCollectedJSRuntime::OnGC+0x4a
27b1f144 0f52fd2d 286df000 00000001 27b1f4e0 xul!mozilla::CycleCollectedJSRuntime::GCCallback+0xd
27b1f154 0f52ea90 00000001 286df210 286df360 xul!js::gc::GCRuntime::callGCCallback+0x18
27b1f170 0f52ea00 00000001 0000002e 286df210 xul!`anonymous namespace'::AutoNotifyGCActivity::~AutoNotifyGCActivity+0x2d
27b1f1c4 0f52e734 00000001 27b1f260 0000002e xul!js::gc::GCRuntime::gcCycle+0x166
27b1f250 0f254602 00000001 0000002e ffffffff xul!js::gc::GCRuntime::collect+0xbc
27b1f2a8 0f2545ad 00000001 0000002e 0f25456c xul!js::gc::GCRuntime::gc+0x54
27b1f2b4 0f25456c 0000002e 28538f50 12cae0a0 xul!JS::GCForReason+0x10
27b1f2cc 0f254524 28538f50 00000001 00000001 xul!mozilla::dom::workers::WorkerPrivate::GarbageCollectInternal+0x42
27b1f2e0 0f2b2843 28538f50 26a87c00 12cae0a0 xul!`anonymous namespace'::GarbageCollectRunnable::WorkerRun+0x18
27b1f3f0 0f5839a8 12cae0a0 26a87c00 26a87e70 xul!mozilla::dom::workers::WorkerRunnable::Run+0x123
27b1f420 0f58366e 28538f50 26c01000 26ad3260 xul!mozilla::dom::workers::WorkerPrivate::ProcessAllControlRunnablesLocked+0xa9
27b1f4bc 0f23a568 28538f50 00000000 26ad3260 xul!mozilla::dom::workers::WorkerPrivate::DoRunLoop+0xba
27b1f674 0f33f4f1 26ad3260 26a2b8c0 27b1f701 xul!`anonymous namespace'::WorkerThreadPrimaryRunnable::Run+0x135
27b1f778 0f583b44 269bbe50 27b1f701 27b1f793 xul!nsThread::ProcessNextEvent+0x278
27b1f794 0f583afa 27b1f7ec 630c3760 26a2b8c0 xul!NS_ProcessNextEvent+0x16
27b1f7b4 0f58279f 26a2b800 1b834ed9 26a2b8c0 xul!mozilla::ipc::MessagePumpForNonMainThreads::Run+0xce
27b1f7ec 0f58276e 269bbe50 00000001 27b1f800 xul!MessageLoop::RunHandler+0x20
27b1f80c 0f58b71b 05a0e350 267828e0 267828e0 xul!MessageLoop::Run+0x19
27b1f82c 630c2b0b 269bbe50 00000000 274d0c40 xul!nsThread::ThreadFunc+0xa4
27b1f848 630c21b1 267828e0 6329c01d 267828e0 nss3!_PR_NativeRunThread+0x9a
27b1f850 6329c01d 267828e0 1bd6c254 00000000 nss3!pr_root+0xb
27b1f888 6329c001 00000000 27b1f8a0 772e338a msvcr120!_callthreadstartex+0x1b
27b1f894 772e338a 258b6c40 27b1f8e0 77a29902 msvcr120!_threadstartex+0x7c
27b1f8a0 77a29902 258b6c40 550af26e 00000000 kernel32!BaseThreadInitThunk+0xe
27b1f8e0 77a298d5 6329bfb4 258b6c40 00000000 ntdll!__RtlUserThreadStart+0x70
27b1f8f8 00000000 6329bfb4 258b6c40 00000000 ntdll!_RtlUserThreadStart+0x1b

THREAD_SHA1_HASH_MOD_FUNC: f5bc79e01a9effd3f8dda4434e0dfb56325db981
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 704b8d2e9376af859424bc0b0426dbdd9982aebd
THREAD_SHA1_HASH_MOD: 7f74bf12034b4cb42db3d3f1b8d9f0a2e5d03650

FOLLOWUP_IP:
mozglue!mozalloc_abort+2c [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\memory\mozalloc\mozalloc_abort.cpp @ 33]
7424efe5 cc int 3

FAULT_INSTR_CODE: c7036acc
FAULTING_SOURCE_LINE: c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\memory\mozalloc\mozalloc_abort.cpp
FAULTING_SOURCE_FILE: c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\memory\mozalloc\mozalloc_abort.cpp
FAULTING_SOURCE_LINE_NUMBER: 33
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: mozglue!mozalloc_abort+2c
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: mozglue
IMAGE_NAME: mozglue.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 57bd2857
STACK_COMMAND: .ecxr ; kb
BUCKET_ID: STATUS_BREAKPOINT_AVRF_mozglue!mozalloc_abort+2c
PRIMARY_PROBLEM_CLASS: STATUS_BREAKPOINT_AVRF_mozglue!mozalloc_abort+2c
FAILURE_EXCEPTION_CODE: 80000003
FAILURE_IMAGE_NAME: mozglue.dll
BUCKET_ID_IMAGE_STR: mozglue.dll
FAILURE_MODULE_NAME: mozglue
BUCKET_ID_MODULE_STR: mozglue
FAILURE_FUNCTION_NAME: mozalloc_abort
BUCKET_ID_FUNCTION_STR: mozalloc_abort
BUCKET_ID_OFFSET: 2c
BUCKET_ID_MODTIMEDATESTAMP: 57bd2857
BUCKET_ID_MODCHECKSUM: 1e87d
BUCKET_ID_MODVER_STR: 48.0.2.6079
BUCKET_ID_PREFIX_STR: STATUS_BREAKPOINT_AVRF_
FAILURE_PROBLEM_CLASS: STATUS_BREAKPOINT_AVRF
FAILURE_SYMBOL_NAME: mozglue.dll!mozalloc_abort
FAILURE_BUCKET_ID: STATUS_BREAKPOINT_AVRF_80000003_mozglue.dll!mozalloc_abort
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/firefox.exe/48.0.2.6079/57bd2863/mozglue.dll/48.0.2.6079/57bd2857/80000003/0000efe5.htm?Retriage=1
TARGET_TIME: 2016-09-20T09:53:28.000Z
OSBUILD: 7601
OSSERVICEPACK: 23418
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 256
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x86
OSNAME: Windows 7
OSEDITION: Windows 7 WinNt (Service Pack 1) SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2016-04-09 12:27:39
BUILDDATESTAMP_STR: 160408-2045
BUILDLAB_STR: win7sp1_ldr
BUILDOSVER_STR: 6.1.7601.23418
ANALYSIS_SESSION_ELAPSED_TIME: 5eebc
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:status_breakpoint_avrf_80000003_mozglue.dll!mozalloc_abort
FAILURE_ID_HASH: {3dde0e24-123e-6879-f111-0a5776b9f3a9}

Followup: MachineOwner
---------
OS: Unspecified → Windows 7
Hardware: Unspecified → x86_64
Can you provide actual test cases?
Flags: needinfo?(romi007r)
Typically mozalloc_abort means we've hit an out of memory condition that we weren't prepared to handle, so we crash ourselves rather than risk memory corruption. It's a bug, but not a vulnerability. It's also super generic and impossible to fix without a testcase of how to get in that state.
Keywords: testcase-wanted
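A triage sketch for the point made in the comment above, added here as an example; it is not part of the bug thread and not Mozilla tooling. It parses kb-style frames like the STACK_TEXT in this report and buckets a crash as a deliberate out-of-memory abort when mozalloc_abort is called directly from mozalloc_handle_oom. The bucket names, the function names, the two-frame heuristic and the OTHER_STACK sample are assumptions made for the illustration.

```python
import re

# Top five frames of the STACK_TEXT in this report. Each line is child EBP,
# return address, three argument words, then module!symbol+offset.
SAMPLE_STACK = """\
27b1ef70 7424f05c 27b1ef88 00010000 163f5580 mozglue!mozalloc_abort+0x2c
27b1efc0 7424c9f5 00010000 853eb018 5253cf28 mozglue!mozalloc_handle_oom+0x5c
27b1efd8 0f1b682f 0f1b68eb 00010000 0f1b971d mozglue!moz_xmalloc+0x94b5
27b1f000 0f5a76b6 163f5580 27b1f518 163f5580 xul!CCGraphBuilder::NoteJSObject+0x7f
27b1f014 0f1b91cd 2af1c460 10f20ec4 163f5580 xul!nsScriptObjectTracer::NoteJSChild+0x30
"""

# Constructed sample (not from the report): a crash outside the abort path.
OTHER_STACK = """\
0012f000 00401000 00000000 00000000 00000000 example!ParseRecord+0x41
0012f020 00402000 00000000 00000000 00000000 example!main+0x10
"""

FRAME_RE = re.compile(
    r"^(?:[0-9a-f]{8}\s+){5}(?P<module>[^\s!]+)!(?P<symbol>.+?)"
    r"(?:\+0x(?P<off>[0-9a-f]+))?$"
)

def parse_frames(stack_text):
    """Return [(module, symbol, offset)] for each kb-style frame line."""
    frames = []
    for line in stack_text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((m["module"], m["symbol"], int(m["off"] or "0", 16)))
    return frames

def classify(stack_text):
    """Bucket a crash by its top two frames (heuristic assumed for this example)."""
    symbols = [sym for _, sym, _ in parse_frames(stack_text)]
    if symbols[:1] != ["mozalloc_abort"]:
        return "needs-triage"
    # An abort raised by the OOM handler is the controlled crash the comment
    # describes; an abort reached any other way still needs a human to read it.
    if symbols[1:2] == ["mozalloc_handle_oom"]:
        return "oom-abort"
    return "abort-other"

def first_caller_outside(stack_text, module="mozglue"):
    """First frame outside the allocator module: the code that asked for memory."""
    for mod, sym, off in parse_frames(stack_text):
        if mod != module:
            return f"{mod}!{sym}+0x{off:x}"
    return None
```
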
Daniel, thanks for the reply. There are a bunch of other dumps, one with a c000025 error; I took the stack trace of only one issue. Once I fuzzed with afl, Firefox crashed. I only have input files, but as it was only a trial, only on Windows, a test case was not generated. I will try to rerun it and generate a test case.
Carsten: can you check the dumps in this zip to see if the two other crashes are interesting? The mozalloc-abort one is a safe crash.
Flags: needinfo?(cbook)
(In reply to Daniel Veditz [:dveditz] from comment #5)
> Carsten: can you check the dumps in this zip to see if the two other crashes
> are interesting? the mozalloc-abort one is a safe crash.

Hey, never did this before but will try and maybe hope to find testcases
Flags: needinfo?(cbook)
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE