Bug 329900 - Crash with evil testcase, using table-column-group, table-column, table-cell
Status: VERIFIED FIXED
Whiteboard: [sg:critical?] mem corruption
Keywords: crash, testcase, verified1.8.0.5, verified1.8.1
Product: Core
Classification: Components
Component: Layout: Tables
Version: Trunk
Platform: x86 Windows XP
Importance: -- critical
Assigned To: Bernd
Duplicates: 330015
Depends on: 325984
Blocks: ajax-demolisher 330015
Reported: 2006-03-09 06:51 PST by Martijn Wargers [:mwargers] (not working for Mozilla)
Modified: 2009-04-24 11:17 PDT
CC: 6 users
dveditz: blocking1.7.14?
dveditz: blocking-aviary1.0.9?
bzbarsky: blocking1.9a1+
jaymoz: blocking1.8.1+
jaymoz: blocking1.8.0.5+
bob: in-testsuite+
Attachments
testcase (464 bytes, text/html), 2006-03-09 06:53 PST, Martijn Wargers [:mwargers] (not working for Mozilla), no flags
patch (2.08 KB, patch), 2006-03-11 07:28 PST, Bernd, no flags
next rev. (5.20 KB, patch), 2006-03-14 12:07 PST, Bernd, no flags
next rev (6.59 KB, patch), 2006-03-16 10:29 PST, Bernd, flags: bzbarsky: review+, bzbarsky: superreview+, dveditz: approval-branch-1.8.1-, dveditz: approval1.8.0.5-
1.0.x patch (6.60 KB, patch), 2006-08-08 08:27 PDT, Alexander Sack, no flags

Description Martijn Wargers [:mwargers] (not working for Mozilla) 2006-03-09 06:51:29 PST
See upcoming testcase, which crashes Mozilla on load.

Talkback ID: TB16137409Q
HaveAutoWidth

(Talkback has become really short, lately)

The testcase also crashes Mozilla1.7.12, so no (recent) regression.
Comment 1 Martijn Wargers [:mwargers] (not working for Mozilla) 2006-03-09 06:53:04 PST
Created attachment 214548 [details]
testcase
Comment 2 Bernd 2006-03-09 09:44:41 PST
Arrgh, the stack is bogus even in a debug build. This is certainly exploitable, at least writing to 0x0000002 seems like exploitable to me. We have a major error in the colgroup pseudo handling which yields a strange frame hierarchy cell - inner cell - cell. I need some time to come up with a fix. More than this I would like to move this bug after the OrderRowGroup removal which leads to the deleted object derefs.

Martijn, congratulations to your CVS privilege :-), so it's fair to assume that you have a build. If you find these bugs so quickly you need to learn to classify them. The bogus talkback should have warned you.
Comment 3 Martijn Wargers [:mwargers] (not working for Mozilla) 2006-03-09 10:18:01 PST
(In reply to comment #2)
> congratulations to your CVS privilege :-)
Thanks :)

> , so its fair to assume that you have a build. If you find these bugs so quick
> you need to learn to classify them. The bogus talkback should have warned you.
Well, I asked Boris some time ago, and he explicitly said not to file bugs as security sensitive (something with way too much security bugs already).
I don't really know when a crash is exploitable. (normally, I don't fire up my debug build, maybe I should do that from now on with new crashes)

Comment 4 Bernd 2006-03-09 10:48:14 PST
No, I am not asking to file every bug as security sensitive. But this bug already causes random function calls, it's not the typical already-deleted stuff that I am used to. Launching a crash testcase in a debug build sounds like a good idea anyway, the stacktrace is more reliable than the talkback.
Comment 5 Bernd 2006-03-11 07:28:46 PST
Created attachment 214778 [details] [diff] [review]
patch

The only question that this patch raises is why did I not close the door in bug 239294. Fear, Uncertainty, Doubt? Or did I not know Martijn at this time? Or did I try a minimally invasive patch?
Comment 6 Bernd 2006-03-14 12:07:02 PST
Created attachment 215044 [details] [diff] [review]
next rev.

This is the next rev. Still not *the* fix, but closer to the issue.
Comment 7 Bernd 2006-03-16 10:29:02 PST
Created attachment 215297 [details] [diff] [review]
next rev
Comment 8 Boris Zbarsky [:bz] (Out June 25-July 6) 2006-03-23 22:38:39 PST
Comment on attachment 215297 [details] [diff] [review]
next rev

I _think_ I follow this.  :(  My eyes bleed, though.  :(
Comment 9 Bernd 2006-03-26 21:30:28 PST
fixed on trunk
Comment 10 Martijn Wargers [:mwargers] (not working for Mozilla) 2006-03-28 16:06:06 PST
Verified fixed using 2006-03-28 trunk build.
Comment 11 Martijn Wargers [:mwargers] (not working for Mozilla) 2006-03-28 16:07:05 PST
*** Bug 330015 has been marked as a duplicate of this bug. ***
Comment 12 Bernd 2006-03-30 10:19:56 PST
this regressed the testcase in bug 325984
Comment 13 Bernd 2006-03-30 10:21:35 PST
I will try to fix the issue in the open bug 325984
Comment 14 Daniel Veditz [:dveditz] 2006-06-14 10:53:03 PDT
Is this exploitable? On a 1.5.0.4 windows debug build I crash in the nsMargin constructor reading from (0+offset) because mReflowState is null when nsBlockReflowState::BorderPadding() is called (the offset is the location of mComputedBorderPadding). Maybe some of these are uninitialized objects whose values would be non-null in a non-debug build, but in a debug Firefox 1.5.0.4 build this is pretty consistent.

If you think it's exploitable we need a patch for the 1.8 and 1.8.0 branches. If it's not exploitable we can live with this low frequency crash (and should un-hide the bug).
Comment 15 Daniel Veditz [:dveditz] 2006-06-14 10:57:27 PDT
Never mind: this fixes bug 330015 which is definitely operating on a deleted frame, so we do need it on the old branches.
Comment 16 Jay Patel [:jay] 2006-06-14 14:28:26 PDT
Comment on attachment 215297 [details] [diff] [review]
next rev

a=jay for 1.8.0 checkin
Comment 17 Jay Patel [:jay] 2006-06-14 14:39:24 PDT
Comment on attachment 215297 [details] [diff] [review]
next rev

1.8.1 branch approval, a=jay for drivers
Comment 18 Daniel Veditz [:dveditz] 2006-06-19 11:29:10 PDT
Comment on attachment 215297 [details] [diff] [review]
next rev

Removing branch approvals from this patch in favor of the regression-fix cumulative patch in bug 333493.
Comment 19 Bernd 2006-06-20 22:24:18 PDT
Fixed on 1.8 branch by the cumulative patch in bug 333493.
Comment 20 Bernd 2006-06-21 21:52:15 PDT
fixed on 1.8.0.5
Comment 21 Jay Patel [:jay] 2006-06-26 14:52:16 PDT
v.fixed on 1.8.0 branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.5) Gecko/20060626 Firefox/1.5.0.5, no crash with testcase.
Comment 22 Alexander Sack 2006-08-08 08:27:15 PDT
Created attachment 232737 [details] [diff] [review]
1.0.x patch
Comment 23 Bob Clary [:bc:] 2006-08-21 22:53:18 PDT
https://bugzilla.mozilla.org/attachment.cgi?id=214548&action=view
ff2b2 winxp, linux no crash
verified fixed 1.8
Comment 24 Bob Clary [:bc:] 2009-04-24 11:17:51 PDT
crash test landed
http://hg.mozilla.org/mozilla-central/rev/fcb4bf8da2b8