472774 - [1.9.1 branch] "ASSERTION: null frame is not allowed" and crash [@ IsPercentageAware] with -moz-column, :first-letter

Status: VERIFIED FIXED

(Core :: Layout, defect)

Description

[Jesse Ruderman]

Attachment: testcase

###!!! ASSERTION: null frame is not allowed: 'aFrame', file /Users/jruderman/central/layout/generic/nsLineLayout.cpp, line 670

Crash [@ IsPercentageAware]

Comment 1

[Bernd]

kid is 0 at http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/layout/generic/nsFirstLetterFrame.cpp&rev=1.82&mark=203#190
at other places we check if kid is zero, here we do not.
However the code is pretty old (1.1)

Comment 2

[Jesse Ruderman]

WFM Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090517 Minefield/3.6a1pre

I'll add this testcase as a crashtest.

Comment 3

[Jesse Ruderman]

Added crashtest:
http://hg.mozilla.org/mozilla-central/rev/63120a5301f2

Comment 4

[Bob Clary [:bc] (inactive)]

attachment id=356112 crashes with null pointer [@ IsPercentageAware] 1.9.1/mac, reopening and targeting to 1.9.1

Comment 5

[Bob Clary [:bc] (inactive)]

fyi, on windows !exploitable says:

(9b8.f54): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=7ffd4000 ecx=00000000 edx=00000000 esi=0000b6d0 edi=00240000
eip=02c26742 esp=0012c354 ebp=0012c378 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246

Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at gklayout!IsPercentageAware+0x0000000000000032 (Hash=0x1d0e112e.0x21731e0c)

The data from the faulting address is later used as the target for a branch.

Comment 6

[chris hofmann]

isPercentageAware is one of the signatures in Bug 526587 -- new crashes as fall out of frame poisoning.  combination of comment 5 and bug 526587 makes me think we should hide this bug.  reopen if this doesn't sound right.

Comment 7

[chris hofmann]

http://crash-stats.mozilla.com/report/index/8b2dfdc2-7044-4c2f-98ad-42c3f2091031 is a crash found in 3.6beta1 data.

Comment 8

[Mats Palmgren (inactive)]

I'll dig into this one and see what I can find...

Comment 9

[Mats Palmgren (inactive)]

This was fixed on trunk in the range:  2009-05-08-03 -- 2009-05-09-03
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c4fcaec2898a&tochange=baf06abf0af4
By bug 399412 it seems.

I can reproduce the crash in a local 1.9.1 build.
The crash does NOT occur in a local trunk, 1.9.2. or 1.9.0 build.

Applying the patch in bug 399412 to my 1.9.1 build fixes this crash.

That leaves to explain the 3.6b1 crash in comment 7.
It's a different bug that also ends up crashing in IsPercentageAware?

Comment 10

[Mats Palmgren (inactive)]

The 3.6b1 crash in comment 7 could be bug 491547 which was fixed
2009-11-02 on the 1.9.2 branch (for beta 2).

Comment 11

[Daniel Veditz [:dveditz]]

We've had twelve different bugs resulting in crashes at IsPercentageAware.

comment 5 is an example of where !exploitable guesses wrong. We're using a nsCOMPtr there and it will definitely be null if not set correctly.

Comment 12

[Mats Palmgren (inactive)]

Fixed by bug 399412.

Comment 13

[Henrik Skupin [:whimboo][⌚️UTC+1]]

Verified fixed on 1.9.1 with builds on all platforms like Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8pre) Gecko/20100127 Shiretoko/3.5.8pre (.NET CLR 3.5.30729) ID:20100127050511