Access violation (FILL_PATTERN_ffffffff) in prdtoa.c

Status: UNCONFIRMED
Severity: critical
People: (Reporter: david_dillard, Assigned: wtc)
Keywords: crash
Attachments: 2 (70.18 KB and 59.34 KB, both application/octet-stream)
(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9pre) Gecko/2008052807 Minefield/3.0pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9pre) Gecko/2008052807 Minefield/3.0pre

Was running an internal company learning program (mostly Flash based it appears) and I consistently encounter this crash. Sometimes it happens when I first start the program, sometimes it happens after a few minutes, but it happened on five out of five tries.

(11c4.b90): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=ffffffff ebx=80000000 ecx=600e7000 edx=000026bc esi=600dabec edi=00000006
eip=600bd235 esp=0012fa08 ebp=80000000 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
nspr4!dtoa+0x415:
600bd235 dd01            fld     qword ptr [ecx] ds:0023:600e7000=????????????????
0:000> analyze
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for C:\WINDOWS\system32\bmnet.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\bmnet.dll - 
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************

FAULTING_IP: 
nspr4!dtoa+415 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\nsprpub\pr\src\misc\prdtoa.c @ 2988]
600bd235 dd01            fld     qword ptr [ecx]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 600bd235 (nspr4!dtoa+0x00000415)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 600e7000
Attempt to read from address 600e7000

FAULTING_THREAD:  00000b90

DEFAULT_BUCKET_ID:  FILL_PATTERN_ffffffff

PROCESS_NAME:  firefox.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

READ_ADDRESS:  600e7000 

NTGLOBALFLAG:  70

APPLICATION_VERIFIER_FLAGS:  0

PRIMARY_PROBLEM_CLASS:  FILL_PATTERN_ffffffff

BUGCHECK_STR:  APPLICATION_FAULT_FILL_PATTERN_ffffffff

LAST_CONTROL_TRANSFER:  from 600bdb8d to 600bd235

STACK_TEXT:  
0012fa60 600bdb8d 00000002 00000006 0012fb04 nspr4!dtoa+0x415 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\nsprpub\pr\src\misc\prdtoa.c @ 2988]
0012fac4 605d732f e0000000 3f70624d 00000002 nspr4!PR_dtoa+0x4d [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\nsprpub\pr\src\misc\prdtoa.c @ 3407]
0012fb08 608be12f 00000006 e0000000 3f70624d xul!Modified_cnvtf+0x42 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\xpcom\string\src\nsstringobsolete.cpp @ 824]
0012fb4c 608c2e42 0012fb88 3b83126f 7b1bc51f xul!nsString::AppendFloat+0x26 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\xpcom\string\src\nsstringobsolete.cpp @ 1279]
0012fc20 60a305d8 01330709 7b1bc2f3 005193b0 xul!NS_NotifyPluginCall+0x8e [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\modules\plugin\base\src\ns4xplugin.cpp @ 259]
0012fc64 60565d78 0d608280 014169c0 0051f2e0 xul!PluginWindowEvent::Run+0xf0 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\modules\plugin\base\src\nspluginnativewindowwin.cpp @ 440]
0012fc88 6054b42a 00000001 00000001 0012fca8 xul!nsThread::ProcessNextEvent+0x218 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\xpcom\threads\nsthread.cpp @ 511]
0012fca0 606439e2 00000001 80000000 604e7ae8 xul!nsBaseAppShell::Run+0x4a [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\widget\src\xpwidgets\nsbaseappshell.cpp @ 169]
0012fcac 604e7ae8 01413d60 0051c0b0 00000000 xul!nsAppStartup::Run+0x1e [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\toolkit\components\startup\src\nsappstartup.cpp @ 182]
0012fcb4 0051c0b0 00000000 0051c0a8 005004a0 xul!XRE_main+0xdba [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\toolkit\xre\nsapprunner.cpp @ 3174]
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012fcb8 00000000 0051c0a8 005004a0 0052e260 0x51c0b0


FOLLOWUP_IP: 
nspr4!dtoa+415 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\nsprpub\pr\src\misc\prdtoa.c @ 2988]
600bd235 dd01            fld     qword ptr [ecx]

FAULTING_SOURCE_CODE:  
No source found for 'e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\nsprpub\pr\src\misc\prdtoa.c'


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  nspr4!dtoa+415

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nspr4

IMAGE_NAME:  nspr4.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  483c2c02

STACK_COMMAND:  ~0s ; kb

FAILURE_BUCKET_ID:  FILL_PATTERN_ffffffff_c0000005_nspr4.dll!dtoa

BUCKET_ID:  APPLICATION_FAULT_FILL_PATTERN_ffffffff_nspr4!dtoa+415

Followup: MachineOwner
---------


Reproducible: Always

Steps to Reproduce:
1. Not reproducible outside of Symantec
Actual Results:  
Crash


Expected Results:  
No crash
(Reporter)

Comment 1

10 years ago
Created attachment 322887 [details]
Crash dump

Updated

10 years ago
Component: General → Plug-ins
Keywords: crash
Product: Firefox → Core
QA Contact: general → plugins
Version: unspecified → Trunk
(Reporter)

Comment 2

10 years ago
Made it happen with a Flash game (http://www.kongregate.com/games/SandhillGames/ring-pass-not):

(ed0.824): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=ffffffff ebx=80000000 ecx=600e7000 edx=000026bc esi=600dabec edi=00000006
eip=600bd235 esp=0012f888 ebp=80000000 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
nspr4!dtoa+0x415:
600bd235 dd01            fld     qword ptr [ecx] ds:0023:600e7000=????????????????
0:000> analyze
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for C:\WINDOWS\system32\bmnet.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\bmnet.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll - 
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************

FAULTING_IP: 
nspr4!dtoa+415 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\nsprpub\pr\src\misc\prdtoa.c @ 2988]
600bd235 dd01            fld     qword ptr [ecx]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 600bd235 (nspr4!dtoa+0x00000415)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 600e7000
Attempt to read from address 600e7000

FAULTING_THREAD:  00000824

DEFAULT_BUCKET_ID:  FILL_PATTERN_ffffffff

PROCESS_NAME:  firefox.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

READ_ADDRESS:  600e7000 

NTGLOBALFLAG:  70

APPLICATION_VERIFIER_FLAGS:  0

PRIMARY_PROBLEM_CLASS:  FILL_PATTERN_ffffffff

BUGCHECK_STR:  APPLICATION_FAULT_FILL_PATTERN_ffffffff

LAST_CONTROL_TRANSFER:  from 600bdb8d to 600bd235

STACK_TEXT:  
0012f8e0 600bdb8d 00000002 00000006 0012f9b0 nspr4!dtoa+0x415 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\nsprpub\pr\src\misc\prdtoa.c @ 2988]
0012f970 605d7f3e e0000000 3f50624d 00000002 nspr4!PR_dtoa+0x4d [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\nsprpub\pr\src\misc\prdtoa.c @ 3407]
0012f9b4 608bd70f 00000006 e0000000 3f50624d xul!Modified_cnvtf+0x42 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\xpcom\string\src\nsstringobsolete.cpp @ 824]
0012f9f8 608c248d 0012fa34 3a83126f 8a17a684 xul!nsString::AppendFloat+0x26 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\xpcom\string\src\nsstringobsolete.cpp @ 1279]
0012facc 60aa8752 0021d920 8a17a7e8 044ab2b0 xul!NS_NotifyPluginCall+0x8e [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\modules\plugin\base\src\ns4xplugin.cpp @ 259]
0012fb58 60a4a7ed 044ab2b0 077e47c0 04c49f40 xul!ns4xPluginStreamListener::OnDataAvailable+0x36f [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\modules\plugin\base\src\ns4xplugininstance.cpp @ 576]
0012fba0 60499df5 04c49f40 03c571ac 00000000 xul!nsPluginStreamListenerPeer::OnDataAvailable+0x1e0 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\modules\plugin\base\src\nspluginhostimpl.cpp @ 2302]
0012fbdc 605b2c5b 04c49f40 03c571ac 00000000 xul!nsStreamListenerTee::OnDataAvailable+0xaf [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\netwerk\base\src\nsstreamlistenertee.cpp @ 83]
0012fc08 604f9af9 03c571ac 001a8d1c 00000000 xul!nsHttpChannel::OnDataAvailable+0xc3 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\netwerk\protocol\http\src\nshttpchannel.cpp @ 4523]
0012fc48 604f99b9 005193b0 03ec9e30 604fc227 xul!nsInputStreamPump::OnStateTransfer+0xe9 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\netwerk\base\src\nsinputstreampump.cpp @ 508]
0012fc54 604fc227 077870b4 03ef2c48 00000000 xul!nsInputStreamPump::OnInputStreamReady+0x29 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\netwerk\base\src\nsinputstreampump.cpp @ 405]
0012fc64 6057f998 03ec9e20 014169c0 0051f2e0 xul!nsInputStreamReadyEvent::Run+0x1d [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\xpcom\io\nsstreamutils.cpp @ 112]
0012fc88 60593c6a 00000001 00000001 0012fca8 xul!nsThread::ProcessNextEvent+0x218 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\xpcom\threads\nsthread.cpp @ 511]
0012fca0 6064774a 00000001 80000000 604b95ff xul!nsBaseAppShell::Run+0x4a [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\widget\src\xpwidgets\nsbaseappshell.cpp @ 169]
0012fcac 604b95ff 01413d60 0051c0b0 00000000 xul!nsAppStartup::Run+0x1e [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\toolkit\components\startup\src\nsappstartup.cpp @ 182]
0012fcb4 0051c0b0 00000000 0051c0a8 005004a0 xul!XRE_main+0xdba [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\toolkit\xre\nsapprunner.cpp @ 3174]
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012fcb8 00000000 0051c0a8 005004a0 0052e260 0x51c0b0


FOLLOWUP_IP: 
nspr4!dtoa+415 [e:\builds\tinderbox\fx-trunk\winnt_5.2_depend\mozilla\nsprpub\pr\src\misc\prdtoa.c @ 2988]
600bd235 dd01            fld     qword ptr [ecx]

FAULTING_SOURCE_CODE:  
  2984: 			dval(d) *= tens[j1 & 0xf];
  2985: 			for(j = j1 >> 4; j; j >>= 1, i++)
  2986: 				if (j & 1) {
  2987: 					ieps++;
> 2988: 					dval(d) *= bigtens[i];
  2989: 					}
  2990: 			}
  2991: 		if (k_check && dval(d) < 1. && ilim > 0) {
  2992: 			if (ilim1 <= 0)
  2993: 				goto fast_failed;


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  nspr4!dtoa+415

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nspr4

IMAGE_NAME:  nspr4.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  483e79fa

STACK_COMMAND:  ~0s ; kb

FAILURE_BUCKET_ID:  FILL_PATTERN_ffffffff_c0000005_nspr4.dll!dtoa

BUCKET_ID:  APPLICATION_FAULT_FILL_PATTERN_ffffffff_nspr4!dtoa+415

Followup: MachineOwner
---------


It doesn't happen every time.
(Reporter)

Comment 3

10 years ago
Created attachment 323142 [details]
Crash dump for crash in comment #2

Comment 4

10 years ago
Is it possible that something changed the floating point mode? [ref: _control87]
Assignee: nobody → wtc
Component: Plug-ins → NSPR
Product: Core → NSPR
QA Contact: plugins → nspr
Version: Trunk → other

Comment 5

10 years ago
Is this still reproducible in Flash Player 10? http://www.adobe.com/go/getflashplayer
(Assignee)

Comment 6

10 years ago
prdtoa.c is third-party code that I'm not familiar with.
I'll need someone who knows floating point arithmetic to
help me investigate this bug.

Comment 7

10 years ago
wtc: In general this problem is caused by random modules changing the floating point behavior of the CPU. JS and dtoa expect and require the floating point behavior not change, and third party libraries have no business changing it.

This really isn't something you should worry about.

The only useful thing we could do is try to intercept the half dozen public methods which would change the CPU mode. I'm not sure if that's possible.
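
Added example, not part of the bug thread and not Mozilla or NSPR code: one way a host can contain the problem comments 4 and 7 describe is to snapshot the floating-point environment before calling into third-party code, then detect and undo any change when the call returns. It uses the standard `<cfenv>` interface rather than the MSVC `_control87` named in comment 4, so it covers the rounding mode only (not x87 precision control), and `FpEnvGuard`, `call_guarded` and the two `*_call` functions are hypothetical names constructed for the illustration.

```cpp
#include <cfenv>
#include <cstdio>

// Constructed stand-ins for third-party entry points (hypothetical names).
static void well_behaved_call() {}
static void misbehaving_call() { std::fesetround(FE_TOWARDZERO); }  // never restores

// Snapshot the FP environment before third-party code runs; on scope exit,
// record whether the rounding mode changed and restore the snapshot.
class FpEnvGuard {
 public:
  explicit FpEnvGuard(bool* tampered)
      : round_(std::fegetround()), tampered_(tampered) { std::fegetenv(&env_); }
  ~FpEnvGuard() {
    *tampered_ = (std::fegetround() != round_);
    std::fesetenv(&env_);
  }
  FpEnvGuard(const FpEnvGuard&) = delete;
  FpEnvGuard& operator=(const FpEnvGuard&) = delete;
 private:
  std::fenv_t env_;
  int round_;
  bool* tampered_;
};

// Returns true if fn left the rounding mode different from what it found.
static bool call_guarded(void (*fn)()) {
  bool tampered = false;
  { FpEnvGuard guard(&tampered); fn(); }
  return tampered;
}

// 1.0/10.0 is inexact, so its last bit depends on the rounding mode. The
// volatile accesses keep the division at run time and in program order.
static double probe() {
  volatile double a = 1.0, b = 10.0;
  volatile double r = a / b;
  return r;
}

// Does host arithmetic give the same answer after fn returns?
static bool probe_survives(void (*fn)(), bool guarded) {
  const double before = probe();
  if (guarded) call_guarded(fn); else fn();
  const double after = probe();
  std::fesetround(FE_TONEAREST);  // leave the process in the default mode
  return before == after;
}

int main() {
  std::printf("well-behaved: tampered=%d\n", call_guarded(well_behaved_call));
  std::printf("misbehaving:  tampered=%d guarded_ok=%d unguarded_ok=%d\n",
              call_guarded(misbehaving_call),
              probe_survives(misbehaving_call, true),
              probe_survives(misbehaving_call, false));
  return 0;
}
```

Logging the `tampered` result per module is what turns a crash like this one into an attributable event: it names the call after which the environment was found changed.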