Closed Bug 322391 Opened 15 years ago Closed 3 years ago

Free memory write in PR_MD_ATOMIC_DECREMENT with yahoo app state plugin

Categories

(Core :: Plug-ins, defect)

1.8 Branch
x86
Windows XP
defect
Not set
critical

Tracking


RESOLVED INCOMPLETE

People

(Reporter: vlad, Unassigned)

References

Details

(Keywords: sec-vector, Whiteboard: [sg:vector-critical][needs retesting with Purify] [platform-rel-Yahoo!])

I wrote in bug 322363 how the Yahoo Application State Plugin, installed by Yahoo Messenger, seems to cause crashes.  This plugin's purpose seems to be to allow someone to go from clicking on a Yahoo IM link (e.g. a new mail notification) to the appropriate yahoo page in Firefox without having to log in to yahoo inside firefox.  On each access click from the YIM "new mail" notification, I got a Free Memory Write reported in Purify with one of the following traces:

[E] FMW: Free memory write in PR_MD_ATOMIC_DECREMENT {3 occurrences}
        Writing 4 bytes to 0x0cbf7dac (4 bytes at 0x0cbf7dac illegal)
        Address 0x0cbf7dac is 4 bytes into a 16 byte block at 0x0cbf7da8
        Address 0x0cbf7dac points to a C++ new block in heap 0x01c70000
        Thread ID: 0x172c
        Error location
            PR_MD_ATOMIC_DECREMENT [c:\proj\mozilla-cvs\moz18\mozilla\nsprpub\pr\src\md\windows\ntmisc.c:733]
            releaseobject  [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\ns4xplugin.cpp:1520]
            NPObjWrapperPluginDestroyedCallback [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\nsjsnpruntime.cpp:1345]
            PL_DHashTableEnumerate [c:\proj\mozilla-cvs\moz18\firefox\xpcom\build\pldhash.c:621]
            nsJSNPRuntime::OnPluginDestroy(_NPP *) [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\nsjsnpruntime.cpp:1375]
            ns4xPluginInstance::Stop(void) [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\ns4xplugininstance.cpp:938]
            nsObjectFrame::Destroy(nsPresContext *) [c:\proj\mozilla-cvs\moz18\mozilla\layout\generic\nsobjectframe.cpp:748]
            nsLineBox::DeleteLineList(nsPresContext *,nsLineList&) [c:\proj\mozilla-cvs\moz18\mozilla\layout\generic\nslinebox.cpp:325]
            nsBlockFrame::Destroy(nsPresContext *) [c:\proj\mozilla-cvs\moz18\mozilla\layout\generic\nsblockframe.cpp:303]
            nsLineBox::DeleteLineList(nsPresContext *,nsLineList&) [c:\proj\mozilla-cvs\moz18\mozilla\layout\generic\nslinebox.cpp:325]
        Allocation location
            new(UINT)      [f:\vs70builds\3077\vc\crtbld\crt\src\newop.cpp:10]
            nsJSObjWrapper::NP_Allocate(_NPP *,NPClass *) [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\nsjsnpruntime.cpp:435]
            createobject   [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\ns4xplugin.cpp:1491]
            nsJSObjWrapper::GetNewOrUsed(_NPP *,JSContext *,JSObject *) [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\nsjsnpruntime.cpp:821]
            getwindowobject [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\ns4xplugin.cpp:1341]
            getvalue       [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\ns4xplugin.cpp:1919]
            createobject   [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\ns4xplugin.cpp:1491]
            ns4xPluginInstance::GetValueInternal(NPPVariable,void *) [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\ns4xplugininstance.cpp:1461]
            ns4xPluginInstance::GetJSObject(JSContext *) [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\ns4xplugininstance.cpp:1587]
            nsHTMLPluginObjElementSH::GetPluginJSObject(JSContext *,JSObject *,nsIPluginInstance *,JSObject * *,JSObject * *) [c:\proj\mozilla-cvs\moz18\mozilla\dom\src\base\nsdomclassinfo.cpp:8698]
        Free location
            delete(void *) [.\build\intel\xdll_obj\ehprolog.obj]
            nsJSObjWrapper::NP_Deallocate(NPObject *) [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\nsjsnpruntime.cpp:443]
            releaseobject  [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\ns4xplugin.cpp:1524]
            JSObjWrapperPluginDestroyedCallback [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\nsjsnpruntime.cpp:1319]
            PL_DHashTableEnumerate [c:\proj\mozilla-cvs\moz18\firefox\xpcom\build\pldhash.c:621]
            nsJSNPRuntime::OnPluginDestroy(_NPP *) [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\nsjsnpruntime.cpp:1370]
            ns4xPluginInstance::Stop(void) [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\ns4xplugininstance.cpp:938]
            nsObjectFrame::Destroy(nsPresContext *) [c:\proj\mozilla-cvs\moz18\mozilla\layout\generic\nsobjectframe.cpp:748]
            nsLineBox::DeleteLineList(nsPresContext *,nsLineList&) [c:\proj\mozilla-cvs\moz18\mozilla\layout\generic\nslinebox.cpp:325]
            nsBlockFrame::Destroy(nsPresContext *) [c:\proj\mozilla-cvs\moz18\mozilla\layout\generic\nsblockframe.cpp:303]


or


[E] FMW: Free memory write in PR_MD_ATOMIC_DECREMENT {2 occurrences}
        Writing 4 bytes to 0x0bcde6a4 (4 bytes at 0x0bcde6a4 illegal)
        Address 0x0bcde6a4 is 4 bytes into a 16 byte block at 0x0bcde6a0
        Address 0x0bcde6a4 points to a C++ new block in heap 0x01c70000
        Thread ID: 0x172c
        Error location
            PR_MD_ATOMIC_DECREMENT [c:\proj\mozilla-cvs\moz18\mozilla\nsprpub\pr\src\md\windows\ntmisc.c:733]
            releaseobject  [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\ns4xplugin.cpp:1520]
            NPObjWrapperPluginDestroyedCallback [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\nsjsnpruntime.cpp:1345]
            PL_DHashTableEnumerate [c:\proj\mozilla-cvs\moz18\firefox\xpcom\build\pldhash.c:621]
            nsJSNPRuntime::OnPluginDestroy(_NPP *) [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\nsjsnpruntime.cpp:1375]
            ns4xPluginInstance::Stop(void) [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\ns4xplugininstance.cpp:938]
            StopPluginInstance [c:\proj\mozilla-cvs\moz18\mozilla\layout\base\nspresshell.cpp:6582]
            PresShell::EnumeratePlugins(nsIDOMDocument *,nsString const&,(*)(PresShell *,nsIContent *)) [c:\proj\mozilla-cvs\moz18\mozilla\layout\base\nspresshell.cpp:7269]
            PresShell::Freeze(void) [c:\proj\mozilla-cvs\moz18\mozilla\layout\base\nspresshell.cpp:6611]
            DocumentViewerImpl::Destroy(void) [c:\proj\mozilla-cvs\moz18\mozilla\layout\base\nsdocumentviewer.cpp:1331]
        Allocation location
            new(UINT)      [f:\vs70builds\3077\vc\crtbld\crt\src\newop.cpp:10]
            nsJSObjWrapper::NP_Allocate(_NPP *,NPClass *) [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\nsjsnpruntime.cpp:435]
            createobject   [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\ns4xplugin.cpp:1491]
            nsJSObjWrapper::GetNewOrUsed(_NPP *,JSContext *,JSObject *) [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\nsjsnpruntime.cpp:821]
            getwindowobject [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\ns4xplugin.cpp:1341]
            getvalue       [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\ns4xplugin.cpp:1919]
            createobject   [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\ns4xplugin.cpp:1491]
            ns4xPluginInstance::GetValueInternal(NPPVariable,void *) [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\ns4xplugininstance.cpp:1461]
            ns4xPluginInstance::GetJSObject(JSContext *) [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\ns4xplugininstance.cpp:1587]
            nsHTMLPluginObjElementSH::GetPluginJSObject(JSContext *,JSObject *,nsIPluginInstance *,JSObject * *,JSObject * *) [c:\proj\mozilla-cvs\moz18\mozilla\dom\src\base\nsdomclassinfo.cpp:8698]
        Free location
            delete(void *) [.\build\intel\xdll_obj\ehprolog.obj]
            nsJSObjWrapper::NP_Deallocate(NPObject *) [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\nsjsnpruntime.cpp:443]
            releaseobject  [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\ns4xplugin.cpp:1524]
            JSObjWrapperPluginDestroyedCallback [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\nsjsnpruntime.cpp:1319]
            PL_DHashTableEnumerate [c:\proj\mozilla-cvs\moz18\firefox\xpcom\build\pldhash.c:621]
            nsJSNPRuntime::OnPluginDestroy(_NPP *) [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\nsjsnpruntime.cpp:1370]
            ns4xPluginInstance::Stop(void) [c:\proj\mozilla-cvs\moz18\mozilla\modules\plugin\base\src\ns4xplugininstance.cpp:938]
            StopPluginInstance [c:\proj\mozilla-cvs\moz18\mozilla\layout\base\nspresshell.cpp:6582]
            PresShell::EnumeratePlugins(nsIDOMDocument *,nsString const&,(*)(PresShell *,nsIContent *)) [c:\proj\mozilla-cvs\moz18\mozilla\layout\base\nspresshell.cpp:7269]
            PresShell::Freeze(void) [c:\proj\mozilla-cvs\moz18\mozilla\layout\base\nspresshell.cpp:6611]


This seems consistent with the type of crashes that I was seeing (random heap corruption); also, many of the talkback reports for 1.5 cite yahoo as the web page that they were visiting.
This may be the cause of some of our 1.5 crashes; it needs someone who knows plugins to take a look at it.  The line numbers in the purify output are from a 1.8 branch checkout from January 4.

Note that when I disabled the Yahoo App State plugin, I was not able to reproduce the FMWs.  It's not clear if this is something that we can fix or if we can get Yahoo to fix; worst case we may be able to blacklist versions <= 1.0.1 of this plugin...
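Constructed model, added here and not code from this bug or from Mozilla, of what the two Purify traces above show: the wrapper is freed by releaseobject under one destroy callback and then atomically decremented again by releaseobject under a second callback. The names NPObjectModel, np_allocate, slot_of, releaseobject and plugin_destroy are invented for the model, and it assumes the cause is a refcount imbalance (two tables releasing one reference), which the bug does not confirm; a small tracked-heap table plays Purify's role of flagging a write into a freed block instead of performing it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed model of the refcount pattern in the Purify traces (NP_Allocate
 * -> releaseobject -> atomic decrement -> NP_Deallocate); not Mozilla's code.
 * A tracked-heap table stands in for Purify's freed-block check, so a write
 * into a freed block is reported rather than performed. */
typedef struct { uint32_t referenceCount; } NPObjectModel;
enum { MAX_TRACKED = 8 };
static struct { NPObjectModel *p; bool freed; } tracked[MAX_TRACKED];
static int ntracked;
static NPObjectModel *np_allocate(void) {
    NPObjectModel *o = calloc(1, sizeof *o);
    if (!o || ntracked == MAX_TRACKED) abort();
    o->referenceCount = 1;             /* creator holds the first reference */
    tracked[ntracked].p = o; tracked[ntracked].freed = false;
    ntracked++;
    return o;
}

static int slot_of(const NPObjectModel *o) {
    for (int i = ntracked - 1; i >= 0; i--)   /* newest first: recycled addr */
        if (tracked[i].p == o) return i;
    return -1;
}

/* Mirrors releaseobject: 0 on a valid release, -1 when the decrement would
 * write into an already-freed block (the FMW Purify reported). */
static int releaseobject(NPObjectModel *o) {
    int i = slot_of(o);
    if (i < 0 || tracked[i].freed) return -1;
    if (--o->referenceCount == 0) {    /* last owner gone: NP_Deallocate */
        tracked[i].freed = true;
        free(o);
    }
    return 0;
}

/* Two destroy callbacks (one per wrapper table) each release the object; the
 * second table must hold its own reference (NPN_RetainObject) for that to be
 * balanced. Returns 0 only if both releases were valid. */
static int plugin_destroy(bool second_owner_retained) {
    NPObjectModel *o = np_allocate();                 /* table 1's reference */
    if (second_owner_retained) o->referenceCount++;   /* table 2's reference */
    int first = releaseobject(o);     /* JSObjWrapperPluginDestroyedCallback */
    int second = releaseobject(o);    /* NPObjWrapperPluginDestroyedCallback */
    return (first == 0 && second == 0) ? 0 : -1;
}
```

Calling plugin_destroy(false) reproduces the second, invalid decrement the traces report; plugin_destroy(true) shows the balanced case where each owner holds its own reference.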
Flags: blocking1.8.0.1?
Heh, if we had plugin blacklisting, we could!
I've been reading over the code involved here and AFAICT it looks like the code on our end is doing the right thing wrt managing the hashes that we're enumerating through when we crash, or at least when we hit that FMW. The FMW seems a bit odd, too, the stack there shows that NPObjWrapperPluginDestroyedCallback() would be calling releaseobject(), which it doesn't. So I don't know if that's the optimizer causing Purify to show a bogus stack, or if something's already corrupted enough to cause odd behaviour like this. I'm going to need to find this plugin and install it and give it a spin, somehow...
JST - if you can pin down the problem somewhere in the yahoo app state plugin we can find the right folks over there to try and correct.
My build is just straight --enable-debug; not sure what optimization flags come into play there, but I think it's a fully unoptimized build.  I gave jst the info on how to reproduce the bug -- basically, install Yahoo IM which installs the plugin, send yourself email, click on the new mail notification from YIM to open mail.yahoo.com.  The FMW appears when you close the tab or navigate away from it.
No fixes in sight, probably can't make 1.8.0.1
Flags: blocking1.8.0.2?
Flags: blocking1.8.0.1?
Flags: blocking1.8.0.1-
Whiteboard: [sg:investigate]
ditto 1.8.0.2
Flags: blocking1.8.0.2? → blocking1.8.0.2-
Whiteboard: [sg:investigate] → [sg:vector-critical][needs retesting with Purify]
Keywords: sec-vector
Keywords: sec-other
platform-rel: --- → ?
Whiteboard: [sg:vector-critical][needs retesting with Purify] → [sg:vector-critical][needs retesting with Purify] [platform-rel-Yahoo!]
platform-rel: ? → ---
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE