Closed Bug 493243 Opened 15 years ago Closed 15 years ago

reproducible crash [@ nsCOMPtr_base::assign_from_qi(nsQueryInterface, nsID const&) ] -> User Mode Write AV starting at @ 0x6d89c0006d89c

Categories

(Core :: JavaScript Engine, defect)

x86
All
defect
Not set
critical


RESOLVED DUPLICATE of bug 493281

People

(Reporter: cbook, Unassigned)


Details

(Keywords: crash, regression, Whiteboard: [sg:critical])

Crash Data

Attachments

(1 file)

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b5pre) Gecko/20090515 Shiretoko/3.5b5pre

Steps to reproduce:
-> Load http://www.haus-b.de/baum/bie_de.htm
--> Crash

Exploitability Classification: EXPLOITABLE

Does not happen on 1.9.0 - only crashes on 1.9.1

(bec.824): Access violation - code c0000005 (!!! second chance !!!)
eax=04ebf0f4 ebx=7ffd0700 ecx=0012ea18 edx=0045ab50 esi=00cea2a0 edi=2f616c6c
eip=08086f5b esp=0012e26c ebp=0012e288 iopl=0         nv up ei pl nz na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000207
08086f5b 0002            add     byte ptr [edx],al          ds:0023:0045ab50=30
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at Unknown Symbol @ 0x6d89c0006d89c (Hash=0x4f5f116d.0x6a1e2957)

User mode write access violations that are not near NULL are exploitable.
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012e268 0028a98d 0x8086f5b
0012e288 02bcad99 xpcom_core!nsQueryInterface::operator()+0x2d
0012e29c 02bc6004 gklayout!nsCOMPtr<nsIDOMHTMLDocument>::assign_from_qi+0x19
0012e2b0 030103d5 gklayout!nsCOMPtr<nsIDOMHTMLDocument>::nsCOMPtr<nsIDOMHTMLDocument>+0x34
0012e328 00540989 gklayout!nsHTMLDocumentSH::DocumentAllGetProperty+0x55
0012e348 00540639 js3250!js_GetSprop+0xa9
0012e394 005171d3 js3250!js_NativeGet+0x239
0012ea5c 00503cff js3250!js_Interpret+0x10e33
0012eb3c 005045d2 js3250!js_Invoke+0x99f
0012eb60 004b2afd js3250!js_InternalInvoke+0x82
0012eb88 02ff1e40 js3250!JS_CallFunctionValue+0x5d
0012ec38 03055789 gklayout!nsJSContext::CallEventHandler+0x2a0
0012eeac 02eac19d gklayout!nsJSEventListener::HandleEvent+0x10d9
0012efa4 02eac5a4 gklayout!nsEventListenerManager::HandleEventSubType+0x1ad
0012f010 02eb01d0 gklayout!nsEventListenerManager::HandleEvent+0x374
0012f050 02eb0414 gklayout!nsEventTargetChainItem::HandleEvent+0x130
0012f08c 02eb0b2e gklayout!nsEventTargetChainItem::HandleEventTargetChain+0x194
0012f158 02bcf065 gklayout!nsEventDispatcher::Dispatch+0x51e
0012f1e0 039e73bc gklayout!DocumentViewerImpl::LoadComplete+0x1c5
0012f21c 039ca0f7 docshell!nsDocShell::EndPageLoad+0x8c
quit:
Flags: blocking1.9.1?
Whiteboard: [sg:critical]
crashes minefield/mac as well.
OS: Windows XP → All
Version: 1.9.1 Branch → Trunk
3.5b4 stack signature looks like the signature of #94 on the top crash list

http://crash-stats.mozilla.com/report/list?product=Firefox&version=Firefox%3A3.5b4&query_search=signature&query_type=exact&query=&date=&range_value=1&range_unit=weeks&do_query=1&signature=nsCOMPtr_base%3A%3Aassign_from_qi%28nsQueryInterface%2C%20nsID%20const%26%29

the actual stacks under that list are quite varied.

my stack for this crash on Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b5pre) Gecko/20090513 Shiretoko/3.5b5pre winds through a lot of code and things may have gone wrong in several places. we might need several hand offs to get this reproducible crash into the right hands.

0  	 	@0x230a6737  	
1 	XUL 	nsCOMPtr_base::assign_from_qi 	nsCOMPtr.cpp:96
2 	XUL 	nsHTMLDocumentSH::DocumentAllGetProperty 	nsCOMPtr.h:572
3 	libmozjs.dylib 	js_NativeGet 	js/src/jsscope.h:361
4 	libmozjs.dylib 	js_Interpret 	js/src/jsinterp.cpp:5262
5 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:1373
6 	libmozjs.dylib 	js_InternalInvoke 	js/src/jsinterp.cpp:1426
7 	libmozjs.dylib 	JS_CallFunctionValue 	js/src/jsapi.cpp:5187
8 	XUL 	nsJSContext::CallEventHandler 	dom/src/base/nsJSEnvironment.cpp:2011
9 	XUL 	nsJSEventListener::HandleEvent 	dom/src/events/nsJSEventListener.cpp:247
10 	XUL 	nsEventListenerManager::HandleEventSubType 	content/events/src/nsEventListenerManager.cpp:1101
11 	XUL 	nsEventListenerManager::HandleEvent 	content/events/src/nsEventListenerManager.cpp:1206
12 	XUL 	nsEventTargetChainItem::HandleEvent 	content/events/src/nsEventDispatcher.cpp:236
13 	XUL 	nsEventTargetChainItem::HandleEventTargetChain 	content/events/src/nsEventDispatcher.cpp:300
14 	XUL 	nsEventDispatcher::Dispatch 	content/events/src/nsEventDispatcher.cpp:514
15 	XUL 	DocumentViewerImpl::LoadComplete 	layout/base/nsDocumentViewer.cpp:1006
16 	XUL 	nsDocShell::EndPageLoad 	docshell/base/nsDocShell.cpp:5274
17 	XUL 	nsWebShell::EndPageLoad 	docshell/base/nsWebShell.cpp:1013
18 	XUL 	nsDocShell::OnStateChange 	docshell/base/nsDocShell.cpp:5170
19 	XUL 	nsDocLoader::FireOnStateChange 	uriloader/base/nsDocLoader.cpp:1259
20 	XUL 	nsDocLoader::doStopDocumentLoad 	uriloader/base/nsDocLoader.cpp:880
21 	XUL 	nsDocLoader::DocLoaderIsEmpty 	uriloader/base/nsDocLoader.cpp:785
22 	XUL 	nsDocLoader::OnStopRequest 	uriloader/base/nsDocLoader.cpp:680
23 	XUL 	nsLoadGroup::RemoveRequest 	netwerk/base/src/nsLoadGroup.cpp:688
24 	XUL 	nsDocument::DoUnblockOnload 	content/base/src/nsDocument.cpp:7044
25 	XUL 	nsImageLoadingContent::OnStopDecode 	content/base/src/nsImageLoadingContent.cpp:807
26 	XUL 	nsRunnable::Release 	nsThreadUtils.cpp:51
27 	XUL 	XUL@0x9d2443 	
28 	XUL 	nsThread::ProcessNextEvent 	
29 	XUL 	NS_ProcessPendingEvents_P 	nsThreadUtils.cpp:180
30 	XUL 	nsBaseAppShell::NativeEventCallback 	widget/src/xpwidgets/nsBaseAppShell.cpp:121
31 	XUL 	nsAppShell::ProcessGeckoEvents 	widget/src/cocoa/nsAppShell.mm:405
32 	CoreFoundation 	CFRunLoopRunSpecific 	
33 	CoreFoundation 	CFRunLoopRunInMode 	
34 	HIToolbox 	RunCurrentEventLoopInMode 	
35 	HIToolbox 	ReceiveNextEventCommon 	
36 	HIToolbox 	BlockUntilNextEventMatchingListInMode 	
37 	AppKit 	_DPSNextEvent 	
38 	AppKit 	-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] 	
39 	JavaEmbeddingPlugin 	JavaEmbeddingPlugin@0x12fc2 	
40 	AppKit 	-[NSApplication run] 	
41 	XUL 	nsAppShell::Run 	widget/src/cocoa/nsAppShell.mm:716
42 	XUL 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:193
43 	XUL 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3298
44 	firefox-bin 	main 	browser/app/nsBrowserApp.cpp:156
45 	firefox-bin 	firefox-bin@0x1541 	
46 	firefox-bin 	firefox-bin@0x1468 	
47 		@0x2
Assignee: nobody → general
Component: General → JavaScript Engine
QA Contact: general → general
Summary: User Mode Write AV starting at @ 0x6d89c0006d89c → reproducable crash [@ nsCOMPtr_base::assign_from_qi(nsQueryInterface, nsID const&) ] -> User Mode Write AV starting at @ 0x6d89c0006d89c
==58639== 
==58639== Invalid read of size 1
==58639==    at 0x21DC7A4B: ???
==58639==    by 0x2F734DF: nsCOMPtr<nsIDOMHTMLDocument>::assign_from_qi(nsQueryInterface, nsID const&) (in /Users/sayrer/dev/clean-debug-tracemonkey/toolkit/library/XUL)
==58639==    by 0x2F73539: nsCOMPtr<nsIDOMHTMLDocument>::nsCOMPtr(nsQueryInterface) (in /Users/sayrer/dev/clean-debug-tracemonkey/toolkit/library/XUL)
==58639==    by 0x355ADFD: nsHTMLDocumentSH::DocumentAllGetProperty(JSContext*, JSObject*, long, long*) (in /Users/sayrer/dev/clean-debug-tracemonkey/toolkit/library/XUL)
==58639==    by 0x316700: js_GetSprop (in /Users/sayrer/dev/clean-debug-tracemonkey/js/src/libmozjs.dylib)
==58639==    by 0x323BB0: js_NativeGet (in /Users/sayrer/dev/clean-debug-tracemonkey/js/src/libmozjs.dylib)
==58639==    by 0x2F4466: js_Interpret (in /Users/sayrer/dev/clean-debug-tracemonkey/js/src/libmozjs.dylib)
==58639==    by 0x308CCC: js_Invoke (in /Users/sayrer/dev/clean-debug-tracemonkey/js/src/libmozjs.dylib)
==58639==    by 0x308F76: js_InternalInvoke (in /Users/sayrer/dev/clean-debug-tracemonkey/js/src/libmozjs.dylib)
==58639==    by 0x285EC8: JS_CallFunctionValue (in /Users/sayrer/dev/clean-debug-tracemonkey/js/src/libmozjs.dylib)
==58639==    by 0x34FA597: nsJSContext::CallEventHandler(nsISupports*, void*, void*, nsIArray*, nsIVariant**) (in /Users/sayrer/dev/clean-debug-tracemonkey/toolkit/library/XUL)
==58639==    by 0x356A1A5: nsJSEventListener::HandleEvent(nsIDOMEvent*) (in /Users/sayrer/dev/clean-debug-tracemonkey/toolkit/library/XUL)
==58639==  Address 0x5ee39389 is not stack'd, malloc'd or (recently) free'd
Flags: blocking1.9.1? → blocking1.9.1+
not clear that this is a JS bug, though
Duping forward to a bug with a patch.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Group: core-security
Flags: wanted1.9.0.x-
Crash Signature: [@ nsCOMPtr_base::assign_from_qi(nsQueryInterface, nsID const&) ]