Bug 1330964 - Access violation - code c0000005 while running with Dr. Memory

Status: RESOLVED INCOMPLETE (opened 9 years ago, closed 3 years ago)
Product/Component: Core :: General, defect
Version: 48 Branch
Reporter: romi007r; Assignee: Unassigned
Keywords: crash, testcase
Attachment: ff.zip (28.94 KB, application/x-zip-compressed)
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36

Steps to reproduce:

drmemory.exe -leaks_only -brief -fuzz -- "c:\Program Files (x86)\Mozilla Firefox\firefox.exe"

attached trace

Dr. Memory version 1.11.0 build 2 built on Aug 29 2016 02:42:07
Dr. Memory results for pid 32644: "firefox.exe"
Application cmdline: ""c:\Program Files (x86)\Mozilla Firefox\firefox.exe""
Recorded 115 suppression(s) from default c:\Program Files (x86)\Dr. Memory\bin\suppress-default.txt

Error #1: POSSIBLE LEAK 40 direct bytes 0x00c083f8-0x00c08420 + 1 indirect bytes
# 0 replace_RtlAllocateHeap               [d:\drmemory_package\common\alloc_replace.c:3770]
# 1 ntdll.dll!LdrpGetNewTlsVector
# 2 ntdll.dll!LdrpLoadDll
# 3 ntdll.dll!LdrLoadDll
# 4 mozglue.dll!double_conversion::DoubleToStringConverter::DoubleToAscii +0x7d4 (0x5a5c83c8 <mozglue.dll+0x83c8>)
# 5 firefox.exe!? +0x0 (0x01133e24 <firefox.exe+0x3e24>)
# 6 firefox.exe!? +0x0 (0x0113397e <firefox.exe+0x397e>)
# 7 firefox.exe!? +0x0 (0x011354e9 <firefox.exe+0x54e9>)
# 8 KERNEL32.dll!BaseThreadInitThunk

===========================================================================
FINAL SUMMARY:

DUPLICATE ERROR COUNTS:

SUPPRESSIONS USED:

ERRORS FOUND:
      0 unique,     0 total invalid heap argument(s)
      0 unique,     0 total warning(s)
      0 unique,     0 total,      0 byte(s) of leak(s)
      1 unique,     1 total,     41 byte(s) of possible leak(s)
ERRORS IGNORED:
      4 potential leak(s) (suspected false positives)
         (details: C:\Users\310222344\AppData\Roaming\Dr. Memory\DrMemory-firefox.exe.32644.000\potential_errors.txt)
    433 unique,  1286 total, 136513 byte(s) of still-reachable allocation(s)
         (re-run with "-show_reachable" for details)
Details: C:\Users\310222344\AppData\Roaming\Dr. Memory\DrMemory-firefox.exe.32644.000\results.txt

Actual results:

application exited with abnormal code 0x1
crash generated with WER and crash reporter

Expected results:

it should not crash
Wrong trace pasted above; the correct one is this one:

Dr. Memory version 1.11.0 build 2 built on Aug 29 2016 02:42:07
Dr. Memory results for pid 22904: "firefox.exe"
Application cmdline: ""c:\Program Files (x86)\Mozilla Firefox\firefox.exe""
Recorded 115 suppression(s) from default c:\Program Files (x86)\Dr. Memory\bin\suppress-default.txt
WARNING: application is missing line number information.

Error #1: UNADDRESSABLE ACCESS: executing 0x00000000-0x00000001 1 byte(s)
# 0 <not in a module> (0x00000000)
# 1 xul.dll!NS_CycleCollectorSuspect3 +0x41a52 (0x05b7cfb6 <xul.dll+0x22cfb6>)
# 2 xul.dll!XRE_IsParentProcess +0x45772 (0x05a9dd80 <xul.dll+0x14dd80>)
# 3 xul.dll!mozilla::net::LoadInfo::GetParentOuterWindowID +0x17f60 (0x060c6efd <xul.dll+0x776efd>)
# 4 xul.dll!mozilla::net::LoadInfo::LoadingPrincipal +0xdf65 (0x059f7366 <xul.dll+0xa7366>)
# 5 xul.dll!mozilla::net::LoadInfo::LoadingPrincipal +0xdd69 (0x059f716a <xul.dll+0xa716a>)
# 6 xul.dll!mozilla::net::LoadInfo::LoadingPrincipal +0xd9b9 (0x059f6dba <xul.dll+0xa6dba>)
# 7 xul.dll!XRE_IsParentProcess +0x3a3dd (0x05a929eb <xul.dll+0x1429eb>)
# 8 xul.dll!mozilla::net::LoadInfo::LoadingPrincipal +0xe0bb (0x059f74bc <xul.dll+0xa74bc>)
# 9 xul.dll!mozilla::net::LoadInfo::LoadingPrincipal +0xdd69 (0x059f716a <xul.dll+0xa716a>)
#10 xul.dll!XRE_IsParentProcess +0x41f0c (0x05a9a51a <xul.dll+0x14a51a>)
#11 xul.dll!mozilla::net::LoadInfo::GetParentOuterWindowID +0x17f60 (0x060c6efd <xul.dll+0x776efd>)
#12 xul.dll!mozilla::net::LoadInfo::LoadingPrincipal +0xdf65 (0x059f7366 <xul.dll+0xa7366>)
#13 xul.dll!mozilla::net::LoadInfo::LoadingPrincipal +0xdd69 (0x059f716a <xul.dll+0xa716a>)
#14 xul.dll!XRE_IsParentProcess +0x41f0c (0x05a9a51a <xul.dll+0x14a51a>)
#15 xul.dll!mozilla::net::LoadInfo::GetParentOuterWindowID +0x17f60 (0x060c6efd <xul.dll+0x776efd>)
#16 xul.dll!mozilla::net::LoadInfo::LoadingPrincipal +0xdf65 (0x059f7366 <xul.dll+0xa7366>)
#17 xul.dll!mozilla::net::LoadInfo::LoadingPrincipal +0xdd69 (0x059f716a <xul.dll+0xa716a>)
#18 xul.dll!XRE_IsParentProcess +0x41f0c (0x05a9a51a <xul.dll+0x14a51a>)
#19 xul.dll!mozilla::net::LoadInfo::GetParentOuterWindowID +0x17f60 (0x060c6efd <xul.dll+0x776efd>)
Note: @0:00:04.650 in thread 10592

Error #2: LEAK 128 direct bytes 0x00b600f8-0x00b60178 + 0 indirect bytes
# 0 replace_RtlAllocateHeap               [d:\drmemory_package\common\alloc_replace.c:3770]
# 1 ucrtbase.dll!_malloc_base
# 2 ucrtbase.dll!__crt_seh_guarded_call<>::operator()<>
# 3 ucrtbase.dll!__crt_seh_guarded_call<>::operator()<>
# 4 ucrtbase.dll!_crt_atexit
# 5 firefox.exe!? +0x0 (0x01135804 <firefox.exe+0x5804>)
# 6 firefox.exe!? +0x0 (0x01135828 <firefox.exe+0x5828>)
# 7 firefox.exe!? +0x0 (0x0113536d <firefox.exe+0x536d>)
# 8 firefox.exe!? +0x0 (0x0113543f <firefox.exe+0x543f>)
# 9 KERNEL32.dll!BaseThreadInitThunk

Error #3: LEAK 128 direct bytes 0x00b6ed18-0x00b6ed98 + 0 indirect bytes
# 0 replace_RtlAllocateHeap               [d:\drmemory_package\common\alloc_replace.c:3770]
# 1 ucrtbase.dll!_malloc_base
# 2 ucrtbase.dll!__crt_seh_guarded_call<>::operator()<>
# 3 ucrtbase.dll!__crt_seh_guarded_call<>::operator()<>
# 4 ucrtbase.dll!_register_onexit_function
# 5 nss3.dll!NSS_SMIMEUtil_FindBulkAlgForRecipients +0xe75 (0x0f22c239 <nss3.dll+0xac239>)
# 6 nss3.dll!NSS_SMIMEUtil_FindBulkAlgForRecipients +0xe8d (0x0f22c251 <nss3.dll+0xac251>)
# 7 nss3.dll!NSS_SMIMEUtil_FindBulkAlgForRecipients +0x8ce (0x0f22bc92 <nss3.dll+0xabc92>)
# 8 nss3.dll!NSS_SMIMEUtil_FindBulkAlgForRecipients +0x854 (0x0f22bc18 <nss3.dll+0xabc18>)
# 9 nss3.dll!NSS_SMIMEUtil_FindBulkAlgForRecipients +0xa54 (0x0f22be18 <nss3.dll+0xabe18>)
#10 nss3.dll!NSS_SMIMEUtil_FindBulkAlgForRecipients +0xb5d (0x0f22bf21 <nss3.dll+0xabf21>)
#11 ntdll.dll!LdrpCallInitRoutine

Error #4: LEAK 128 direct bytes 0x00b6f8d0-0x00b6f950 + 0 indirect bytes
# 0 replace_RtlAllocateHeap               [d:\drmemory_package\common\alloc_replace.c:3770]
# 1 ucrtbase.dll!_malloc_base
# 2 ucrtbase.dll!__crt_seh_guarded_call<>::operator()<>
# 3 ucrtbase.dll!__crt_seh_guarded_call<>::operator()<>
# 4 ucrtbase.dll!_register_onexit_function
# 5 lgpllibs.dll!soundtouch::destroySoundTouchObj +0x1439 (0x05899825 <lgpllibs.dll+0x9825>)
# 6 lgpllibs.dll!soundtouch::destroySoundTouchObj +0x1451 (0x0589983d <lgpllibs.dll+0x983d>)
# 7 lgpllibs.dll!soundtouch::destroySoundTouchObj +0xd7b (0x05899167 <lgpllibs.dll+0x9167>)
# 8 lgpllibs.dll!soundtouch::destroySoundTouchObj +0xd01 (0x058990ed <lgpllibs.dll+0x90ed>)
# 9 lgpllibs.dll!soundtouch::destroySoundTouchObj +0xf01 (0x058992ed <lgpllibs.dll+0x92ed>)
#10 lgpllibs.dll!soundtouch::destroySoundTouchObj +0x100a (0x058993f6 <lgpllibs.dll+0x93f6>)
#11 ntdll.dll!LdrpCallInitRoutine

Error #5: POSSIBLE LEAK 40 direct bytes 0x00b783f8-0x00b78420 + 1 indirect bytes
# 0 replace_RtlAllocateHeap               [d:\drmemory_package\common\alloc_replace.c:3770]
# 1 ntdll.dll!LdrpGetNewTlsVector
# 2 ntdll.dll!LdrpLoadDll
# 3 ntdll.dll!LdrLoadDll
# 4 mozglue.dll!double_conversion::DoubleToStringConverter::DoubleToAscii +0x7d4 (0x5a5c83c8 <mozglue.dll+0x83c8>)
# 5 firefox.exe!? +0x0 (0x01133e24 <firefox.exe+0x3e24>)
# 6 firefox.exe!? +0x0 (0x0113397e <firefox.exe+0x397e>)
# 7 firefox.exe!? +0x0 (0x011354e9 <firefox.exe+0x54e9>)
# 8 KERNEL32.dll!BaseThreadInitThunk

Error #6: POSSIBLE LEAK 512 direct bytes 0x00b8cfc8-0x00b8d1c8 + 0 indirect bytes
# 0 replace_RtlReAllocateHeap             [d:\drmemory_package\common\alloc_replace.c:3816]
# 1 ucrtbase.dll!__crt_seh_guarded_call<>::operator()<>
# 2 ucrtbase.dll!__crt_seh_guarded_call<>::operator()<>
# 3 ucrtbase.dll!_register_onexit_function
# 4 xul.dll!NS_DebugBreak +0x52f24 (0x06016d71 <xul.dll+0x6c6d71>)
# 5 xul.dll!NS_DebugBreak +0x52f3c (0x06016d89 <xul.dll+0x6c6d89>)
# 6 xul.dll!? +0x0 (0x059b9288 <xul.dll+0x69288>)
# 7 xul.dll!NS_DebugBreak +0x5318c (0x06016fd9 <xul.dll+0x6c6fd9>)
# 8 xul.dll!NS_DebugBreak +0x530cd (0x06016f1a <xul.dll+0x6c6f1a>)
# 9 xul.dll!NS_DebugBreak +0x532cd (0x0601711a <xul.dll+0x6c711a>)
#10 xul.dll!NS_DebugBreak +0x533d6 (0x06017223 <xul.dll+0x6c7223>)
#11 ntdll.dll!LdrpCallInitRoutine

Error #7: POSSIBLE LEAK 768 direct bytes 0x00bf2388-0x00bf2688 + 0 indirect bytes
# 0 replace_RtlAllocateHeap               [d:\drmemory_package\common\alloc_replace.c:3770]
# 1 ucrtbase.dll!_calloc_base
# 2 ucrtbase.dll!__acrt_locale_initialize_ctype
# 3 ucrtbase.dll!rand
# 4 ucrtbase.dll!___mb_cur_max_func
# 5 ucrtbase.dll!__crt_state_management::wrapped_invoke<>
# 6 ucrtbase.dll!__crt_seh_guarded_call<>::operator()<>
# 7 ucrtbase.dll!wcstoul
# 8 ucrtbase.dll!__crt_seh_guarded_call<>::operator()<>
# 9 ucrtbase.dll!setlocale
#10 ucrtbase.dll!setlocale
#11 xul.dll!NS_InitXPCOM2 +0x1fa (0x05de8148 <xul.dll+0x498148>)

Error #8: POSSIBLE LEAK 384 direct bytes 0x00bf26a8-0x00bf2828 + 0 indirect bytes
# 0 replace_RtlAllocateHeap               [d:\drmemory_package\common\alloc_replace.c:3770]
# 1 ucrtbase.dll!_calloc_base
# 2 ucrtbase.dll!__acrt_locale_initialize_ctype
# 3 ucrtbase.dll!rand
# 4 ucrtbase.dll!___mb_cur_max_func
# 5 ucrtbase.dll!__crt_state_management::wrapped_invoke<>
# 6 ucrtbase.dll!__crt_seh_guarded_call<>::operator()<>
# 7 ucrtbase.dll!wcstoul
# 8 ucrtbase.dll!__crt_seh_guarded_call<>::operator()<>
# 9 ucrtbase.dll!setlocale
#10 ucrtbase.dll!setlocale
#11 xul.dll!NS_InitXPCOM2 +0x1fa (0x05de8148 <xul.dll+0x498148>)

Error #9: POSSIBLE LEAK 384 direct bytes 0x00bf2848-0x00bf29c8 + 0 indirect bytes
# 0 replace_RtlAllocateHeap               [d:\drmemory_package\common\alloc_replace.c:3770]
# 1 ucrtbase.dll!_calloc_base
# 2 ucrtbase.dll!__acrt_locale_initialize_ctype
# 3 ucrtbase.dll!rand
# 4 ucrtbase.dll!___mb_cur_max_func
# 5 ucrtbase.dll!__crt_state_management::wrapped_invoke<>
# 6 ucrtbase.dll!__crt_seh_guarded_call<>::operator()<>
# 7 ucrtbase.dll!wcstoul
# 8 ucrtbase.dll!__crt_seh_guarded_call<>::operator()<>
# 9 ucrtbase.dll!setlocale
#10 ucrtbase.dll!setlocale
#11 xul.dll!NS_InitXPCOM2 +0x1fa (0x05de8148 <xul.dll+0x498148>)

Error #10: LEAK 128 direct bytes 0x00c08be0-0x00c08c60 + 0 indirect bytes
# 0 replace_RtlAllocateHeap               [d:\drmemory_package\common\alloc_replace.c:3770]
# 1 ucrtbase.dll!_malloc_base
# 2 ucrtbase.dll!__crt_seh_guarded_call<>::operator()<>
# 3 ucrtbase.dll!__crt_seh_guarded_call<>::operator()<>
# 4 ucrtbase.dll!_register_onexit_function
# 5 browsercomps.dll!? +0x0 (0x6f5638ee <browsercomps.dll+0x38ee>)
# 6 browsercomps.dll!? +0x0 (0x6f563906 <browsercomps.dll+0x3906>)
# 7 browsercomps.dll!? +0x0 (0x6f563223 <browsercomps.dll+0x3223>)
# 8 browsercomps.dll!? +0x0 (0x6f5631a9 <browsercomps.dll+0x31a9>)
# 9 browsercomps.dll!? +0x0 (0x6f5633a9 <browsercomps.dll+0x33a9>)
#10 browsercomps.dll!? +0x0 (0x6f5634b2 <browsercomps.dll+0x34b2>)
#11 ntdll.dll!LdrpCallInitRoutine

===========================================================================
FINAL SUMMARY:

DUPLICATE ERROR COUNTS:

SUPPRESSIONS USED:

ERRORS FOUND:

Command line: drmemory.exe -leaks_only -fuzz "c:\Program Files (x86)\Mozilla Firefox\firefox.exe"
Julian, as you wrote an article about Dr. Memory, could you help maybe? If not, could you NI? someone else at Mozilla, please.
Component: Untriaged → General
Flags: needinfo?(jseward)
Product: Firefox → Core
Severity: normal → critical
Keywords: crash
It can be a security issue (use after free); it crashes with the same command line on Windows 10 also.
Dump analysis on Windows 10: probably exploitable.

WARNING: Teb 21 pointer is NULL - defaulting to 7ffde000
WARNING: 7ffde000 does not appear to be a TEB

DUMP_CLASS: 2

DUMP_QUALIFIER: 400

CONTEXT:  (.ecxr)
eax=0bb01001 ebx=0cb62220 ecx=00d7aa50 edx=1dd84779 esi=00003444 edi=00d7ac00
eip=00000000 esp=00d7aa4c ebp=00d7aa8c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
00000000 ??              ???
Resetting default scope

FAULTING_IP:
+0
00000000 ??              ???

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00000000
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000008
   Parameter[1]: 00000000
Attempt to execute non-executable address 00000000

PROCESS_NAME:  firefox.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  00000008

EXCEPTION_PARAMETER2:  00000000

FOLLOWUP_IP:
xul!EnterBaseline+288 [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\js\src\jit\baselinejit.cpp @ 158]
5044d2a8 8b4704          mov     eax,dword ptr [edi+4]

FAILED_INSTRUCTION_ADDRESS:
+0
00000000 ??              ???

WATSON_BKT_PROCSTAMP:  5849ff9c

WATSON_BKT_PROCVER:  50.1.0.6186

PROCESS_VER_PRODUCT:  Firefox

WATSON_BKT_MODULE:  unknown

WATSON_BKT_MODVER:  0.0.0.0

WATSON_BKT_MODOFFSET:  0

WATSON_BKT_MODSTAMP:  bbbbbbb4

BUILD_VERSION_STRING:  10.0.14393.0 (rs1_release.160715-1616)

MODLIST_WITH_TSCHKSUM_HASH:  56b2267988735aceb99561b75683145c2afeab46

MODLIST_SHA1_HASH:  67f4056e3976616d912678f88351d9f78b7cc0df

DUMP_FLAGS:  400

DUMP_TYPE:  0

ANALYSIS_SESSION_HOST:  DESKTOP-NQOB8UH

ANALYSIS_SESSION_TIME:  01-14-2017 17:36:43.0645

ANALYSIS_VERSION: 10.0.14321.1024 amd64fre

THREAD_ATTRIBUTES:

PROBLEM_CLASSES:
    SOFTWARE_NX_FAULT
        Tid    [0x2444]
        Frame  [0x00]: unknown!unknown
    NULL
        Tid    [0x2444]
        Frame  [0x00]: unknown!unknown
        Failure Bucketing
    PROBABLYEXPLOITABLE
        Tid    [0x2444]
        Frame  [0x00]: unknown!unknown
        Failure Bucketing

BUGCHECK_STR:  SOFTWARE_NX_FAULT_PROBABLYEXPLOITABLE_NULL

DEFAULT_BUCKET_ID:  SOFTWARE_NX_FAULT_PROBABLYEXPLOITABLE_NULL

IP_ON_STACK:
+0
00d7aa50 90              nop

FRAME_ONE_INVALID: 1

LAST_CONTROL_TRANSFER:  from 00d7aa50 to 00000000

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
00d7aa48 00d7aa50 528f8090 0cb59f88 015e6ab0 0x0
00d7aad8 5044d2a8 015e6970 00000004 0cdbe280 0xd7aa50
00d7abf0 5044cfb6 0a258000 00000000 015e6970 xul!EnterBaseline+0x288
00d7ac88 5036dd80 0a258000 0cb7f3a0 00000000 xul!js::jit::EnterBaselineMethod+0x126
00d7b5e0 50996efd 00d7b6f4 00d7b6f4 00d7b6f4 xul!Interpret+0x9370
00d7b670 502c7366 0a258000 00d7b6e4 00d7b7a0 xul!js::RunScript+0x21d
00d7b744 502c716a 00000000 0cdbe210 ffffff8c xul!js::InternalCallOrConstruct+0x1a6
00d7b768 502c6dba 00000004 00d7b8f4 0a258000 xul!InternalCall+0x9a
00d7b81c 503629eb 0a258000 00d7b8d0 00d7b8f4 xul!js::Wrapper::call+0x14a
00d7b85c 502c74bc 0a258000 00d7b8d0 00d7b8f4 xul!js::CrossCompartmentWrapper::call+0xa9
00d7b934 502c716a 00000000 0a258000 00000000 xul!js::InternalCallOrConstruct+0x2fc
00d7b958 5036a51a 0a258000 0cb66af0 00000000 xul!InternalCall+0x9a
00d7c2b0 50996efd 00d7c3c4 00d7c3c4 00d7c3c4 xul!Interpret+0x5b0a
00d7c340 502c7366 0a258000 00d7c3b4 00d7c5ec xul!js::RunScript+0x21d
00d7c414 502c716a 00000000 0a258000 00000000 xul!js::InternalCallOrConstruct+0x1a6
00d7c438 5036a51a 0a258000 0cb7ff70 00000000 xul!InternalCall+0x9a
00d7cd90 50996efd 00d7cea4 00d7cea4 00d7cea4 xul!Interpret+0x5b0a
00d7ce20 502c7366 0a258000 00d7ce94 00d7d0cc xul!js::RunScript+0x21d
00d7cef4 502c716a 00000000 0a258000 00000000 xul!js::InternalCallOrConstruct+0x1a6
00d7cf18 5036a51a 0a258000 0cb66700 00000000 xul!InternalCall+0x9a
00d7d878 50996efd 00d7d938 00d7d938 00d7d938 xul!Interpret+0x5b0a
00d7d908 50452ea6 0a258000 00d7d928 0cb62180 xul!js::RunScript+0x21d
00d7d968 50308058 00d7da34 00d7d998 00000000 xul!js::ExecuteKernel+0x64
00d7d9b4 504e6bf6 00d7da34 00000000 504e6bd7 xul!js::Execute+0x76
00d7d9c0 504e6bd7 00d7d9e0 00d7da34 0a258000 xul!ExecuteScript+0x10
00d7d9ec 504e71ae 00d7da34 02309700 0cd92e70 xul!JS_ExecuteScript+0x3e
00d7dc1c 504ffee0 00d7dcf0 0cdbca60 0cd92e9c xul!mozJSComponentLoader::ObjectForLocation+0x218
00d7ddb8 505351c0 0238b580 00d7ddf0 0a258000 xul!mozJSComponentLoader::ImportInto+0x604
00d7de3c 505350a0 02309704 0238b580 00d7e050 xul!mozJSComponentLoader::Import+0xff
00d7de64 50894227 0a63c140 0238b580 00d7e050 xul!nsXPCComponents_Utils::Import+0x54
00d7de98 502e6178 0a63c140 00000009 00000005 xul!_NS_InvokeByIndex+0x27
00d7e110 502c0f5d 0a258000 00000001 00d7e274 xul!XPCWrappedNative::CallMethod+0x388
00d7e19c 502c72a8 0a258000 00000001 0cdbe058 xul!XPC_WN_CallMethod+0x11d
00d7e274 502c716a 00000000 0a258000 00000000 xul!js::InternalCallOrConstruct+0xe8
00d7e298 5036a51a 0a258000 0cb66280 00000000 xul!InternalCall+0x9a
00d7ebf8 50996efd 00d7ecb8 00d7ecb8 00d7ecb8 xul!Interpret+0x5b0a
00d7ec88 50452ea6 0a258000 00d7eca8 0cb62100 xul!js::RunScript+0x21d
00d7ece8 50308058 00d7edb4 00d7ed18 00000000 xul!js::ExecuteKernel+0x64
00d7ed34 504e6bf6 00d7edb4 00000000 504e6bd7 xul!js::Execute+0x76
00d7ed40 504e6bd7 00d7ed60 00d7edb4 0a258000 xul!ExecuteScript+0x10
00d7ed6c 504e71ae 00d7edb4 02309700 0a258000 xul!JS_ExecuteScript+0x3e
00d7ef9c 505f21a6 00d7f098 023069a0 0cd92dac xul!mozJSComponentLoader::ObjectForLocation+0x218
00d7f11c 505f2054 0a24a3a4 02397134 503969be xul!mozJSComponentLoader::LoadModule+0x13c
00d7f128 503969be 023f0f40 02397134 00000025 xul!nsComponentManagerImpl::KnownModule::Load+0x3c
00d7f148 50396847 00d7f170 023970c0 02397134 xul!nsFactoryEntry::GetFactory+0x4b
00d7f17c 503965f7 023970c0 0a63b2b8 00000000 xul!nsComponentManagerImpl::CreateInstanceByContractID+0x170
00d7f1d0 504e884b 023970c0 0a63b2b8 520c7224 xul!nsComponentManagerImpl::GetServiceByContractID+0x26a
00d7f1f4 504ce5cf 520c7224 00000021 0000000f xul!nsCOMPtr_base::assign_from_gs_contractid_with_error+0x25
00d7f2d0 50751e71 0cdb3cd0 00000000 5210bda0 xul!nsAppStartupNotifier::Observe+0x1b6
00d7f4c0 50626d5b 02349110 00d7f69c 00d7f650 xul!XREMain::XRE_mainRun+0x22d
00d7f4ec 50627139 00000000 02301050 00d7f600 xul!XREMain::XRE_main+0x1aa
00d7f650 00c01912 00000001 02301050 00d7f69c xul!XRE_main+0x39
00d7f8e8 00c03af7 0109f038 02306220 00000001 firefox!do_main+0x382
00d7fc74 00c054e9 00000001 ff75f148 01a62768 firefox!wmain+0x407
00d7fcc0 767f62c4 00fd5000 767f62a0 bf9eefac firefox!__scrt_common_main_seh+0xff
00d7fcd4 77220fd9 00fd5000 a7481d99 00000000 kernel32!BaseThreadInitThunk+0x24
00d7fd1c 77220fa4 ffffffff 77242f08 00000000 ntdll!__RtlUserThreadStart+0x2f
00d7fd2c 00000000 00c05566 00fd5000 00000000 ntdll!_RtlUserThreadStart+0x1b

THREAD_SHA1_HASH_MOD_FUNC:  25e09e4d2c506e4b0dfc2e24c02cbefcd6e05e3b

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  c8e5ad9bc18bf93e535c8e2a897029679eecb1ea

THREAD_SHA1_HASH_MOD:  d79f2af0d7a57756dd500059c64bef52d607f4db

FAULT_INSTR_CODE:  8304478b

FAULTING_SOURCE_LINE:  c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\js\src\jit\baselinejit.cpp

FAULTING_SOURCE_FILE:  c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\js\src\jit\baselinejit.cpp

FAULTING_SOURCE_LINE_NUMBER:  158

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  xul!EnterBaseline+288

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: xul

IMAGE_NAME:  xul.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  584a0548

STACK_COMMAND:  .ecxr ; kb

FAILURE_BUCKET_ID:  SOFTWARE_NX_FAULT_PROBABLYEXPLOITABLE_NULL_c0000005_xul.dll!EnterBaseline

BUCKET_ID:  SOFTWARE_NX_FAULT_PROBABLYEXPLOITABLE_NULL_NULL_IP_xul!EnterBaseline+288

PRIMARY_PROBLEM_CLASS:  SOFTWARE_NX_FAULT_PROBABLYEXPLOITABLE_NULL_NULL_IP_xul!EnterBaseline+288

FAILURE_EXCEPTION_CODE:  c0000005

FAILURE_IMAGE_NAME:  xul.dll

BUCKET_ID_IMAGE_STR:  xul.dll

FAILURE_MODULE_NAME:  xul

BUCKET_ID_MODULE_STR:  xul

FAILURE_FUNCTION_NAME:  EnterBaseline

BUCKET_ID_FUNCTION_STR:  EnterBaseline

BUCKET_ID_OFFSET:  288

BUCKET_ID_MODTIMEDATESTAMP:  584a0548

BUCKET_ID_MODCHECKSUM:  32d561a

BUCKET_ID_MODVER_STR:  50.1.0.6186

BUCKET_ID_PREFIX_STR:  SOFTWARE_NX_FAULT_PROBABLYEXPLOITABLE_NULL_NULL_IP_

FAILURE_PROBLEM_CLASS:  SOFTWARE_NX_FAULT_PROBABLYEXPLOITABLE_NULL

FAILURE_SYMBOL_NAME:  xul.dll!EnterBaseline

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/firefox.exe/50.1.0.6186/5849ff9c/unknown/0.0.0.0/bbbbbbb4/c0000005/00000000.htm?Retriage=1

TARGET_TIME:  2017-01-14T11:49:57.000Z

OSBUILD:  14393

OSSERVICEPACK:  0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  256

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x86

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt SingleUserTS

OS_LOCALE:

USER_LCID:  0

OSBUILD_TIMESTAMP:  2016-07-16 07:03:42

BUILDDATESTAMP_STR:  160715-1616

BUILDLAB_STR:  rs1_release

BUILDOSVER_STR:  10.0.14393.0

ANALYSIS_SESSION_ELAPSED_TIME: 25d2

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:software_nx_fault_probablyexploitable_null_c0000005_xul.dll!enterbaseline

FAILURE_ID_HASH:  {918a1eb9-ac2b-b72d-a7fa-2398bb84f0fb}

Followup:     MachineOwner
---------

0:000> !load msec
0:000> !exploitable -m
VERSION:1.6.0.0
IDENTITY:HostMachine\HostUser
PROCESSOR:X86
CLASS:USER
QUALIFIER:USER_SMALL_DUMP
EVENT:DEBUG_EVENT_EXCEPTION
WARNING:TEB_UNREADABLE
WARNING:TEB_UNREADABLE
EXCEPTION_FAULTING_ADDRESS:0x0
EXCEPTION_CODE:0xC0000005
EXCEPTION_LEVEL:SECOND_CHANCE
EXCEPTION_TYPE:STATUS_ACCESS_VIOLATION
EXCEPTION_SUBTYPE:DEP
MAJOR_HASH:0x1db65339
MINOR_HASH:0x13f85e87
STACK_DEPTH:58
STACK_FRAME:Unknown
STACK_FRAME:Unknown
STACK_FRAME:xul!EnterBaseline+0x288
STACK_FRAME:xul!js::jit::EnterBaselineMethod+0x126
STACK_FRAME:xul!Interpret+0x9370
STACK_FRAME:xul!js::RunScript+0x21d
STACK_FRAME:xul!js::InternalCallOrConstruct+0x1a6
STACK_FRAME:xul!InternalCall+0x9a
STACK_FRAME:xul!js::Wrapper::call+0x14a
STACK_FRAME:xul!js::CrossCompartmentWrapper::call+0xa9
STACK_FRAME:xul!js::InternalCallOrConstruct+0x2fc
STACK_FRAME:xul!InternalCall+0x9a
STACK_FRAME:xul!Interpret+0x5b0a
STACK_FRAME:xul!js::RunScript+0x21d
STACK_FRAME:xul!js::InternalCallOrConstruct+0x1a6
STACK_FRAME:xul!InternalCall+0x9a
STACK_FRAME:xul!Interpret+0x5b0a
STACK_FRAME:xul!js::RunScript+0x21d
STACK_FRAME:xul!js::InternalCallOrConstruct+0x1a6
STACK_FRAME:xul!InternalCall+0x9a
STACK_FRAME:xul!Interpret+0x5b0a
STACK_FRAME:xul!js::RunScript+0x21d
STACK_FRAME:xul!js::ExecuteKernel+0x64
STACK_FRAME:xul!js::Execute+0x76
STACK_FRAME:xul!ExecuteScript+0x10
STACK_FRAME:xul!JS_ExecuteScript+0x3e
STACK_FRAME:xul!mozJSComponentLoader::ObjectForLocation+0x218
STACK_FRAME:xul!mozJSComponentLoader::ImportInto+0x604
STACK_FRAME:xul!mozJSComponentLoader::Import+0xff
STACK_FRAME:xul!nsXPCComponents_Utils::Import+0x54
STACK_FRAME:xul!_NS_InvokeByIndex+0x27
STACK_FRAME:xul!XPCWrappedNative::CallMethod+0x388
STACK_FRAME:xul!XPC_WN_CallMethod+0x11d
STACK_FRAME:xul!js::InternalCallOrConstruct+0xe8
STACK_FRAME:xul!InternalCall+0x9a
STACK_FRAME:xul!Interpret+0x5b0a
STACK_FRAME:xul!js::RunScript+0x21d
STACK_FRAME:xul!js::ExecuteKernel+0x64
STACK_FRAME:xul!js::Execute+0x76
STACK_FRAME:xul!ExecuteScript+0x10
STACK_FRAME:xul!JS_ExecuteScript+0x3e
STACK_FRAME:xul!mozJSComponentLoader::ObjectForLocation+0x218
STACK_FRAME:xul!mozJSComponentLoader::LoadModule+0x13c
STACK_FRAME:xul!nsComponentManagerImpl::KnownModule::Load+0x3c
STACK_FRAME:xul!nsFactoryEntry::GetFactory+0x4b
STACK_FRAME:xul!nsComponentManagerImpl::CreateInstanceByContractID+0x170
STACK_FRAME:xul!nsComponentManagerImpl::GetServiceByContractID+0x26a
STACK_FRAME:xul!nsCOMPtr_base::assign_from_gs_contractid_with_error+0x25
STACK_FRAME:xul!nsAppStartupNotifier::Observe+0x1b6
STACK_FRAME:xul!XREMain::XRE_mainRun+0x22d
STACK_FRAME:xul!XREMain::XRE_main+0x1aa
STACK_FRAME:xul!XRE_main+0x39
STACK_FRAME:firefox!do_main+0x382
STACK_FRAME:firefox!wmain+0x407
STACK_FRAME:firefox!__scrt_common_main_seh+0xff
STACK_FRAME:kernel32!BaseThreadInitThunk+0x24
STACK_FRAME:ntdll!__RtlUserThreadStart+0x2f
STACK_FRAME:ntdll!_RtlUserThreadStart+0x1b
INSTRUCTION_ADDRESS:0x0000000000000000
INVOKING_STACK_FRAME:2
SOURCE_FILE:c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\js\src\jit\baselinejit.cpp
SOURCE_LINE:158
DESCRIPTION:Data Execution Prevention Violation near NULL
SHORT_DESCRIPTION:DEPViolation
CLASSIFICATION:PROBABLY_EXPLOITABLE
BUG_TITLE:Probably Exploitable - Data Execution Prevention Violation near NULL starting at Unknown Symbol @ 0x0000000000000000 called from xul!EnterBaseline+0x0000000000000288 (Hash=0x1db65339.0x13f85e87)
EXPLANATION:User mode DEP access violations are probably exploitable if near NULL.
Flags: needinfo?(jseward)
Keywords: testcase
Severity: critical → S2

Sorry to ask after so long, could you specify how to reproduce this?
According to https://drmemory.org/page_fuzzer.html, the -fuzz option seems to use DrMemFuzzFunc as a target, but we don't have that implemented ourselves.

Flags: needinfo?(romi007r)

Feel free to reopen if you can provide the necessary information.

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE
Flags: needinfo?(romi007r)
