Closed Bug 307992 Opened 19 years ago Closed 19 years ago

Crash [@ nsContainerFrame::PositionFrameView] using text zoom in evil document

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: jruderman, Assigned: dbaron)

References

Details

(Keywords: crash, Whiteboard: [sg:critical?])

Crash Data

Attachments

(5 files)

evil testcase
5.20 KB, text/html
Details
apple crash report with stack trace
25.95 KB, text/plain
Details
Windows stack trace from Talkback
7.10 KB, text/plain
Details
testcase2, not minimised
4.37 KB, text/html
Details
patch that fixes tons of reflow assertions (but not the crash) (checked in to trunk, 2005-12-15) (BELONGS ON BUG 320502)
2.56 KB, patch
roc
: review+
roc
: superreview+
dbaron
: approval1.8.0.1-
Details | Diff | Splinter Review 
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20050910
Firefox/1.6a1

Please keep this security-sensitive until a Firefox both bug 306663 and bug
306939 have become public.
Attached file evil testcase 
Using text zoom after it finishes loading crashes about 50% of the time.

    
    

    
  
I managed to make it crash with a similar stack but a nonzero, random-looking
address at the top of the stack (using parameters other than the one hardcoded
in the testcase).  As a result, I think this crash is exploitable.
Whiteboard: [sg:fix]

    
    

    
  
Crashes on Windows too.  TB9235998K
OS: MacOS X → All
Hardware: Macintosh → All

    
    

    
  


  

    
  
Flags: blocking1.8b5?

    
  
Flags: blocking1.8b5? → blocking1.8b5+

    
    

    
  
David, can you dig into this one?
Assignee: nobody → dbaron

    
    

    
  
If you come up with a very safe fix in the next couple of days, please request
approval for the patch and we'll evaluate.
Flags: blocking1.8b5+ → blocking1.8b5-

    
    

    
  


  
While trying to minimise, I quickly got something that crashes directly when clicking at the button (although I takes 10 seconds or so).
Talkback ID: TB11047629Y

    
    

    
  
So this actually turned into a DoDeletingFrameSubtree crash for me...

    
    

    
  


  
So this fixes tons of assertions on this testcase, but not the crash (although it might have made it take longer to crash; sicking thinks so, anyway).

This is also something that could potentially fix crashes or potentially fix other StirDOM bugs...

        Attachment #206017 -
        Flags: superreview?(roc)

        Attachment #206017 -
        Flags: review?(roc)

    
    

    
  
Comment on attachment 206017 [details] [diff] [review]
patch that fixes tons of reflow assertions (but not the crash) (checked in to trunk, 2005-12-15) (BELONGS ON BUG 320502)

(We should probably do this in some MathML case too, and for SVG foreign object.  And really we should force construction of an anonymous block around inline, text, and br frames.  And maybe also use a different signature for inline Reflow, which is a different protocol.)

        Attachment #206017 -
        Flags: superreview?(roc)

        Attachment #206017 -
        Flags: superreview+

        Attachment #206017 -
        Flags: review?(roc)

        Attachment #206017 -
        Flags: review+

    
    

    
  
A simplified testcase would probably help with the crash for this one.

    
    

    
  
The testcases here are really messy and hard to reduce, so let's work on other bugs for now and see if these crashes go away.

    
    

    
  
These testcases combine Stir DOM, Random Styles, and creation of random HTML elements and text nodes.  Bug 307989 is the only other bug with such an evil testcase.  I'll say something if I manage to crash while text-zooming or dragging using only Stir DOM or only Random Styles.

        Attachment #206017 -
        Attachment description: patch that fixes tons of reflow assertions → patch that fixes tons of reflow assertions (but not the crash)

    
    

    
  
Comment on attachment 206017 [details] [diff] [review]
patch that fixes tons of reflow assertions (but not the crash) (checked in to trunk, 2005-12-15) (BELONGS ON BUG 320502)

I'm adding an approval request here since there's a chance this may fix some of the other bugs and I don't want to forget about that...

        Attachment #206017 -
        Attachment description: patch that fixes tons of reflow assertions (but not the crash) → patch that fixes tons of reflow assertions (but not the crash) (checked in to trunk, 2005-12-15)

        Attachment #206017 -
        Flags: approval1.8.0.1?

    
    

    
  
I filed bug 320502 for further nsHTMLReflowState::mLineLayout issues.

    
  
Blocks: 316318

    
  
Blocks: 317682

    
    

    
  
I can't get either testcase to crash in a debug build. The crash I get in an opt build on windows is quite different from the two here. TB13044966, TB13045491

This now crashes at the same windows.dll+offset as bug 310481 but with different JS calls on the stack above that.

xpsp2res.dll + 0x202113 (0x20202113)
js_InitObjectClass  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 1799]
InitFunctionAndObjectClasses  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 1131]
JS_ResolveStandardClass  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 1418]
nsWindowSH::NewResolve  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/dom/src/base/nsDOMClassInfo.cpp, line 5527]
XPC_WN_Helper_NewResolve  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1063]
js_LookupPropertyWithFlags  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2675]
js_FindConstructor  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 2070]
GetClassPrototype  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 3802]
js_NewObject  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsobj.c, line 1952]
JS_NewObject  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsapi.c, line 2240]
nsXPConnect::InitClassesWithNewWrappedGlobal  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/nsXPConnect.cpp, line 491]
nsGlobalWindow::SetNewDocument  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 1060]
nsGlobalWindow::SetNewDocument  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/dom/src/base/nsGlobalWindow.cpp, line 809]
DocumentViewerImpl::Init  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsDocumentViewer.cpp, line 633]
nsDocShell::Embed  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/docshell/base/nsDocShell.cpp, line 4554]
nsDocShell::CreateContentViewer  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/docshell/base/nsDocShell.cpp, line 5660]
nsDSURIContentListener::DoContent  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/docshell/base/nsDSURIContentListener.cpp, line 131]
nsDocumentOpenInfo::TryContentListener  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/uriloader/base/nsURILoader.cpp, line 776]
nsDocumentOpenInfo::DispatchContent  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/uriloader/base/nsURILoader.cpp, line 500]
nsDocumentOpenInfo::OnStartRequest  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/uriloader/base/nsURILoader.cpp, line 345]
nsInputStreamChannel::OnStartRequest  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/netwerk/base/src/nsInputStreamChannel.cpp, line 359]
nsInputStreamReadyEvent::EventHandler  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/xpcom/io/nsStreamUtils.cpp, line 120]
0x778b0c24
nsFormControlList::QueryInterface  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/html/content/src/nsHTMLFormElement.cpp, line 1777]
0xd908245c
Whiteboard: [sg:fix] → [sg:dos?]

    
    

    
  
0x20202020 is used for deleted JavaScript objects, or something like that, which might be part of the explanation for how the instruction pointer ends up at 0x20202113.  I don't know how you'd end up with an odd-numbered address, though.

    
    

    
  
Under purify this does look like corrupted memory. I see a handful of invalid pointer writes (IPW) at 

  nsImageWin::CreateImageWithAlphaBits(HDC__ *) [c:\dev\ff15\mozilla\gfx\src\windows\nsimagewin.cpp:434]
  nsImageWin::CreateDDB(void)
  nsImageWin::Draw(nsIRenderingContext&,nsIDrawingSurface*,int,int,int,int,int,int,int,int)
  nsRenderingContextImpl::DrawImage(imgIContainer *,nsRect const&,nsRect const&)
  nsImageBoxFrame::PaintImage(nsIRenderingContext&,nsRect const&,nsFramePaintLayer)
  nsImageBoxFrame::Paint(nsPresContext *,nsIRenderingContext&,nsRect const&,nsFramePaintLayer,UINT)
  nsBoxFrame::PaintChild(nsPresContext *,nsIRenderingContext&,nsRect const&,nsIFrame *,nsFramePaintLayer,UINT)
  nsBoxFrame::PaintChildren(nsPresContext *,nsIRenderingContext&,nsRect const&,nsFramePaintLayer,UINT)
  nsBoxFrame::Paint(nsPresContext *,nsIRenderingContext&,nsRect const&,nsFramePaintLayer,UINT)
  nsBoxFrame::PaintChild(nsPresContext *,nsIRenderingContext&,nsRect const&,nsIFrame *,nsFramePaintLayer,UINT)
  nsBoxFrame::PaintChildren(nsPresContext *,nsIRenderingContext&,nsRect const&,nsFramePaintLayer,UINT)
  nsBoxFrame::Paint(nsPresContext *,nsIRenderingContext&,nsRect const&,nsFramePaintLayer,UINT)

When I break there, even the first one, the various objects look already corrupted. I like Jesse's javascript theory because purify wouldn't know about our internal arena management going wrong. Or since these are native objects maybe it's some other arena (xpc?).
Whiteboard: [sg:dos?] → [sg:critical?]

    
    

    
  
Comment on attachment 206017 [details] [diff] [review]
patch that fixes tons of reflow assertions (but not the crash) (checked in to trunk, 2005-12-15) (BELONGS ON BUG 320502)

I think we actually don't want this on the branch unless it fixes known bugs since it will change Web page behavior.  If we do want it, I should reattach it to its own bug.

        Attachment #206017 -
        Flags: approval1.8.0.1? → approval1.8.0.1-

    
    

    
  
The patch from this bug caused bug 321402.
Depends on: 321402

        Attachment #206017 -
        Attachment description: patch that fixes tons of reflow assertions (but not the crash) (checked in to trunk, 2005-12-15) → patch that fixes tons of reflow assertions (but not the crash) (checked in to trunk, 2005-12-15) (BELONGS ON BUG 320502)

    
    

    
  
WFM Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20060111 Firefox/1.6a1.  I tested with the first testcase about a dozen times.  (Trunk builds from Sept 2005 still crash about 50% of the time with that testcase.)
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
Depends on: 328240

    
    

    
  
Would be good to get those crash testcases in somewhere sometime...
Flags: in-testsuite?
Depends on: 321402
Crash Signature: [@ nsContainerFrame::PositionFrameView]

    
  
Group: core-security → core-security-release
Group: core-security-release

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: