Closed Bug 200578 Opened 23 years ago Closed 13 years ago

Crash dereferencing unallocated heap while opening new window

Categories

(Core :: Networking, defect, P5)

x86
Windows 2000
defect


RESOLVED INCOMPLETE

People

(Reporter: timeless, Unassigned)

Details

(Keywords: crash)

Build ID: 2003032608 W32 Talkback (Talkback didn't catch it because I was running in msdev)

stack:
NECKO! NSGetModule + 182071 bytes
NECKO! NSGetModule + 32274 bytes
XPCOM! NS_AddFastLoadChecksums(unsigned int,unsigned int,unsigned int) + 42595 bytes
KERNEL32! CreateFileA + 283 bytes

(void*)ecx 0xfeeefeee /* 0xfeeefeee is memory that has been dedicated to a heap but not yet allocated by HeapAlloc() or LocalAlloc() */

Function at top of stack:
6126EA57 push ebp
6126EA58 mov ebp,esp
6126EA5A mov eax,dword ptr [ebp+0Ch]
6126EA5D push esi
6126EA5E sub eax,0
6126EA61 je NSGetModule+2C78Ch (6126ead9)
6126EA63 dec eax
6126EA64 je NSGetModule+2C772h (6126eabf)
6126EA66 dec eax
6126EA67 je NSGetModule+2C75Bh (6126eaa8)
6126EA69 dec eax
6126EA6A je NSGetModule+2C746h (6126ea93)
6126EA6C dec eax
6126EA6D je NSGetModule+2C73Ch (6126ea89)
6126EA6F dec eax
6126EA70 jne NSGetModule+2C794h (6126eae1)
6126EA72 mov esi,dword ptr [ebp+14h]
6126EA75 mov ecx,dword ptr [ebp+8]
6126EA78 push esi
6126EA79 call NSGetModule+2C596h (6126e8e3)
6126EA7E lea eax,[esi+8]
6126EA81 push eax
6126EA82 mov ecx,dword ptr [eax]
6126EA84 call dword ptr [ecx+8]      <- crash point
6126EA87 jmp NSGetModule+2C794h (6126eae1)
6126EA89 mov ecx,dword ptr [ebp+8]
6126EA8C call NSGetModule+2C564h (6126e8b1)
6126EA91 jmp NSGetModule+2C794h (6126eae1)
6126EA93 push dword ptr [ebp+14h]
6126EA96 mov ecx,dword ptr [ebp+8]
6126EA99 call NSGetModule+2C4EDh (6126e83a)
6126EA9E mov ecx,dword ptr [ebp+14h]
6126EAA1 call NSGetModule+2B923h (6126dc70)
6126EAA6 jmp NSGetModule+2C794h (6126eae1)
6126EAA8 push dword ptr [ebp+10h]
6126EAAB mov esi,dword ptr [ebp+14h]
6126EAAE mov ecx,dword ptr [ebp+8]
6126EAB1 push esi
6126EAB2 call NSGetModule+2C44Bh (6126e798)
6126EAB7 mov eax,dword ptr [esi]
6126EAB9 push esi
6126EABA call dword ptr [eax+8]
6126EABD jmp NSGetModule+2C794h (6126eae1)
6126EABF mov esi,dword ptr [ebp+14h]
6126EAC2 mov ecx,dword ptr [ebp+8]
6126EAC5 push esi
6126EAC6 call NSGetModule+2C2A0h (6126e5ed)
6126EACB test eax,eax
6126EACD jns NSGetModule+2C76Ah (6126eab7)
6126EACF mov edx,dword ptr [esi]
6126EAD1 push eax
6126EAD2 mov ecx,esi
6126EAD4 call dword ptr [edx+2Ch]
6126EAD7 jmp NSGetModule+2C76Ah (6126eab7)
6126EAD9 mov ecx,dword ptr [ebp+8]
6126EADC call NSGetModule+2C249h (6126e596)
6126EAE1 xor eax,eax
6126EAE3 pop esi
6126EAE4 pop ebp
6126EAE5 ret 10h

caller:
6124A124 push ebx
6124A125 push esi
6124A126 push edi
6124A127 mov edi,ecx
6124A129 mov ebx,dword ptr [edi+24h]
6124A12C push ebx
6124A12D call dword ptr ds:[6128F12Ch]
6124A133 mov esi,dword ptr [edi+1Ch]
6124A136 and dword ptr [edi+1Ch],0
6124A13A and dword ptr [edi+20h],0
6124A13E mov edi,dword ptr [edi+0Ch]
6124A141 push ebx
6124A142 call dword ptr ds:[6128F134h]
6124A148 pop ecx
6124A149 test esi,esi
6124A14B pop ecx
6124A14C je NSGetModule+7E24h (6124a171)
6124A14E push dword ptr [esi+0Ch]
6124A151 mov eax,dword ptr [esi]
6124A153 push dword ptr [esi+8]
6124A156 mov ecx,dword ptr [eax]
6124A158 push dword ptr [esi+4]
6124A15B push eax
6124A15C call dword ptr [ecx+0Ch]     <- callsite
6124A15F mov ebx,dword ptr [esi+10h]
6124A162 push 1
6124A164 mov ecx,esi
6124A166 call NSGetModule+7E2Ah (6124a177)
6124A16B test ebx,ebx
6124A16D mov esi,ebx
6124A16F jne NSGetModule+7E01h (6124a14e)
6124A171 mov eax,edi
6124A173 pop edi
6124A174 pop esi
6124A175 pop ebx
6124A176 ret

fwiw, this appears to be the main thread:
NTDLL! NtRequestWaitReplyPort + 11 bytes
KERNEL32! WriteFile + 366 bytes
KERNEL32! WriteConsoleA + 23 bytes
MSVCRT! write + 412 bytes
MSVCRT! write + 114 bytes
MSVCRT! flsbuf + 253 bytes
MSVCRT! fcloseall + 2402 bytes
MSVCRT! fcloseall + 2496 bytes
MSVCRT! printf + 76 bytes
JSDOM! NSGetModule + 25319 bytes
XPCOM! NS_AddFastLoadChecksums(unsigned int,unsigned int,unsigned int) + 104123 bytes
XPC3250! NSGetModule + 25915 bytes
XPC3250! NSGetModule + 39373 bytes
JS3250! js_Invoke + 1136 bytes
JS3250! js_Invoke + 21985 bytes
JS3250! js_Invoke + 1197 bytes
XPC3250! NSGetModule + 17607 bytes
XPC3250! NSGetModule + 7870 bytes
XPCOM! NS_AddFastLoadChecksums(unsigned int,unsigned int,unsigned int) + 101273 bytes
APPCOMPS! NSGetModule + 144326 bytes
DOCSHELL! NSGetModule + 74540 bytes
DOCSHELL! NSGetModule + 73056 bytes
DOCSHELL! NSGetModule + 72679 bytes
NECKO! NSGetModule + 14351 bytes
NECKO! NSGetModule + 13412 bytes
DOCSHELL! NSGetModule + 71622 bytes
DOCSHELL! NSGetModule + 68507 bytes
DOCSHELL! NSGetModule + 33532 bytes
DOCSHELL! NSGetModule + 47583 bytes
DOCSHELL! NSGetModule + 3448 bytes
DOCSHELL! NSGetModule + 2926 bytes
XPCOM! NS_AddFastLoadChecksums(unsigned int,unsigned int,unsigned int) + 55153 bytes
778b0c24()

I was opening a new window, I don't remember what kind of window.
The stack looks bogus to me. NS_AddFastLoadChecksums doesn't call any functions, so it can't be in the middle of the stack. Is this a stock tree?
Summary: Crash dereferencing unallocated heap → Crash dereferencing unallocated heap while opening new window
You can't rely on the Mozilla function names. This is a Talkback build, which means the symbols are stripped, so that's the most recent exported symbol in the DLL. You have to rely on the math to calculate what function you're in, or recognize the asm.

XPCOM! NS_AddFastLoadChecksums(unsigned int,unsigned int,unsigned int) + 104123

The +104123 is certainly well beyond NS_AddFastLoadChecksums. There's a reason I posted the full function disassemblies.
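As an added example (not part of the bug report or of Mozilla's code), here is the arithmetic the comment above describes, applied to the frames in the first comment. The NSGetModule export address is derived from the report's own disassembly, the two function starts are the disassembled functions with constructed placeholder labels, and the faulting ecx value is checked against well-known Windows/MSVC heap fill patterns.

```python
import re
from bisect import bisect_right

# Talkback-style frame: "MODULE! symbol(optional signature) + N bytes".
FRAME_RE = re.compile(
    r"^(?P<module>\w+)!\s*(?P<symbol>\w+)(?:\([^)]*\))?\s*\+\s*(?P<offset>\d+)\s+bytes$")

# Address of the NSGetModule export in NECKO, derived from the report's own
# disassembly line "je NSGetModule+2C78Ch (6126ead9)": 0x6126EAD9 - 0x2C78C.
EXPORTS = {("NECKO", "NSGetModule"): 0x6126EAD9 - 0x2C78C}

# Starts of the two functions disassembled in the report. The labels are
# constructed placeholders, since the real symbol names are stripped.
FUNCTION_STARTS = {0x6124A124: "caller_6124A124", 0x6126EA57: "callee_6126EA57"}

# Windows/MSVC fill patterns: a pointer holding one was never a live object.
FILL_PATTERNS = {
    0xFEEEFEEE: "Windows heap fill: belongs to a heap but is not a live allocation",
    0xCDCDCDCD: "MSVC debug CRT: uninitialised heap memory",
    0xDDDDDDDD: "MSVC debug CRT: freed heap memory",
}

def parse_frame(frame):
    """Split "NECKO! NSGetModule + 182071 bytes" into (module, symbol, offset)."""
    m = FRAME_RE.match(frame.strip())
    if not m:
        raise ValueError("not a Talkback frame: %r" % frame)
    return m.group("module"), m.group("symbol"), int(m.group("offset"))

def resolve_frame(frame, exports=EXPORTS, starts=FUNCTION_STARTS):
    """Export address + offset, then the nearest known function start.
    Returns (label, offset_in_function, absolute_address); label is None
    when the export address or a preceding function start is unknown."""
    module, symbol, off = parse_frame(frame)
    base = exports.get((module, symbol))
    if base is None:
        return None, None, None
    addr = base + off
    keys = sorted(starts)
    i = bisect_right(keys, addr) - 1
    if i < 0:
        return None, None, addr
    return starts[keys[i]], addr - keys[i], addr

def classify_pointer(value):
    """Name the fill pattern in a faulting register value, if it is one."""
    return FILL_PATTERNS.get(value & 0xFFFFFFFF, "not a recognised fill pattern")
```

Run against the report's top two frames, the first resolves to 0x6126EA84 (the instruction marked "crash point") and the second to 0x6124A15F (the return address right after the marked callsite), which confirms the offsets were measured from the export and not from the function actually executing.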
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P5
Assignee: darin → nobody
QA Contact: benc → networking
This bug has no information on current versions and no clear lead as to what the crashes that it tracks are. This should either be updated with current info and reopened or new bugs be filed on concrete actions/crashes on current code.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → INCOMPLETE