Closed
Bug 493243
Opened 15 years ago
Closed 15 years ago
reproducible crash [@ nsCOMPtr_base::assign_from_qi(nsQueryInterface, nsID const&) ] -> User Mode Write AV starting at @ 0x6d89c0006d89c
Categories: Core :: JavaScript Engine, defect
Tracking: RESOLVED DUPLICATE of bug 493281
People: Reporter: cbook, Unassigned
Details: Keywords: crash, regression; Whiteboard: [sg:critical]
Attachments (1 file): 19.20 KB, application/zip
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b5pre) Gecko/20090515 Shiretoko/3.5b5pre

Steps to reproduce:
-> Load http://www.haus-b.de/baum/bie_de.htm
--> Crash

Exploitability Classification: EXPLOITABLE

Does not happen on 1.9.0 - only crashes on 1.9.1

(bec.824): Access violation - code c0000005 (!!! second chance !!!)
eax=04ebf0f4 ebx=7ffd0700 ecx=0012ea18 edx=0045ab50 esi=00cea2a0 edi=2f616c6c
eip=08086f5b esp=0012e26c ebp=0012e288 iopl=0 nv up ei pl nz na pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000207
08086f5b 0002 add byte ptr [edx],al ds:0023:0045ab50=30

Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at Unknown Symbol @ 0x6d89c0006d89c (Hash=0x4f5f116d.0x6a1e2957)
User mode write access violations that are not near NULL are exploitable.

ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012e268 0028a98d 0x8086f5b
0012e288 02bcad99 xpcom_core!nsQueryInterface::operator()+0x2d
0012e29c 02bc6004 gklayout!nsCOMPtr<nsIDOMHTMLDocument>::assign_from_qi+0x19
0012e2b0 030103d5 gklayout!nsCOMPtr<nsIDOMHTMLDocument>::nsCOMPtr<nsIDOMHTMLDocument>+0x34
0012e328 00540989 gklayout!nsHTMLDocumentSH::DocumentAllGetProperty+0x55
0012e348 00540639 js3250!js_GetSprop+0xa9
0012e394 005171d3 js3250!js_NativeGet+0x239
0012ea5c 00503cff js3250!js_Interpret+0x10e33
0012eb3c 005045d2 js3250!js_Invoke+0x99f
0012eb60 004b2afd js3250!js_InternalInvoke+0x82
0012eb88 02ff1e40 js3250!JS_CallFunctionValue+0x5d
0012ec38 03055789 gklayout!nsJSContext::CallEventHandler+0x2a0
0012eeac 02eac19d gklayout!nsJSEventListener::HandleEvent+0x10d9
0012efa4 02eac5a4 gklayout!nsEventListenerManager::HandleEventSubType+0x1ad
0012f010 02eb01d0 gklayout!nsEventListenerManager::HandleEvent+0x374
0012f050 02eb0414 gklayout!nsEventTargetChainItem::HandleEvent+0x130
0012f08c 02eb0b2e gklayout!nsEventTargetChainItem::HandleEventTargetChain+0x194
0012f158 02bcf065 gklayout!nsEventDispatcher::Dispatch+0x51e
0012f1e0 039e73bc gklayout!DocumentViewerImpl::LoadComplete+0x1c5
0012f21c 039ca0f7 docshell!nsDocShell::EndPageLoad+0x8c
quit:
Flags: blocking1.9.1?
Updated•15 years ago
Whiteboard: [sg:critical]
Comment 1•15 years ago
crashes minefield/mac as well.
OS: Windows XP → All
Version: 1.9.1 Branch → Trunk
Comment 2•15 years ago
The 3.5b4 stack signature looks like the signature of #94 on the top crash list: http://crash-stats.mozilla.com/report/list?product=Firefox&version=Firefox%3A3.5b4&query_search=signature&query_type=exact&query=&date=&range_value=1&range_unit=weeks&do_query=1&signature=nsCOMPtr_base%3A%3Aassign_from_qi%28nsQueryInterface%2C%20nsID%20const%26%29

The actual stacks under that list are quite varied. My stack for this crash on Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b5pre) Gecko/20090513 Shiretoko/3.5b5pre winds through a lot of code, and things may have gone wrong in several places. We might need several hand-offs to get this reproducible crash into the right hands.

0 @0x230a6737
1 XUL nsCOMPtr_base::assign_from_qi nsCOMPtr.cpp:96
2 XUL nsHTMLDocumentSH::DocumentAllGetProperty nsCOMPtr.h:572
3 libmozjs.dylib js_NativeGet js/src/jsscope.h:361
4 libmozjs.dylib js_Interpret js/src/jsinterp.cpp:5262
5 libmozjs.dylib js_Invoke js/src/jsinterp.cpp:1373
6 libmozjs.dylib js_InternalInvoke js/src/jsinterp.cpp:1426
7 libmozjs.dylib JS_CallFunctionValue js/src/jsapi.cpp:5187
8 XUL nsJSContext::CallEventHandler dom/src/base/nsJSEnvironment.cpp:2011
9 XUL nsJSEventListener::HandleEvent dom/src/events/nsJSEventListener.cpp:247
10 XUL nsEventListenerManager::HandleEventSubType content/events/src/nsEventListenerManager.cpp:1101
11 XUL nsEventListenerManager::HandleEvent content/events/src/nsEventListenerManager.cpp:1206
12 XUL nsEventTargetChainItem::HandleEvent content/events/src/nsEventDispatcher.cpp:236
13 XUL nsEventTargetChainItem::HandleEventTargetChain content/events/src/nsEventDispatcher.cpp:300
14 XUL nsEventDispatcher::Dispatch content/events/src/nsEventDispatcher.cpp:514
15 XUL DocumentViewerImpl::LoadComplete layout/base/nsDocumentViewer.cpp:1006
16 XUL nsDocShell::EndPageLoad docshell/base/nsDocShell.cpp:5274
17 XUL nsWebShell::EndPageLoad docshell/base/nsWebShell.cpp:1013
18 XUL nsDocShell::OnStateChange docshell/base/nsDocShell.cpp:5170
19 XUL nsDocLoader::FireOnStateChange uriloader/base/nsDocLoader.cpp:1259
20 XUL nsDocLoader::doStopDocumentLoad uriloader/base/nsDocLoader.cpp:880
21 XUL nsDocLoader::DocLoaderIsEmpty uriloader/base/nsDocLoader.cpp:785
22 XUL nsDocLoader::OnStopRequest uriloader/base/nsDocLoader.cpp:680
23 XUL nsLoadGroup::RemoveRequest netwerk/base/src/nsLoadGroup.cpp:688
24 XUL nsDocument::DoUnblockOnload content/base/src/nsDocument.cpp:7044
25 XUL nsImageLoadingContent::OnStopDecode content/base/src/nsImageLoadingContent.cpp:807
26 XUL nsRunnable::Release nsThreadUtils.cpp:51
27 XUL XUL@0x9d2443
28 XUL nsThread::ProcessNextEvent
29 XUL NS_ProcessPendingEvents_P nsThreadUtils.cpp:180
30 XUL nsBaseAppShell::NativeEventCallback widget/src/xpwidgets/nsBaseAppShell.cpp:121
31 XUL nsAppShell::ProcessGeckoEvents widget/src/cocoa/nsAppShell.mm:405
32 CoreFoundation CFRunLoopRunSpecific
33 CoreFoundation CFRunLoopRunInMode
34 HIToolbox RunCurrentEventLoopInMode
35 HIToolbox ReceiveNextEventCommon
36 HIToolbox BlockUntilNextEventMatchingListInMode
37 AppKit _DPSNextEvent
38 AppKit -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:]
39 JavaEmbeddingPlugin JavaEmbeddingPlugin@0x12fc2
40 AppKit -[NSApplication run]
41 XUL nsAppShell::Run widget/src/cocoa/nsAppShell.mm:716
42 XUL nsAppStartup::Run toolkit/components/startup/src/nsAppStartup.cpp:193
43 XUL XRE_main toolkit/xre/nsAppRunner.cpp:3298
44 firefox-bin main browser/app/nsBrowserApp.cpp:156
45 firefox-bin firefox-bin@0x1541
46 firefox-bin firefox-bin@0x1468
47 @0x2
Assignee: nobody → general
Component: General → JavaScript Engine
QA Contact: general → general
Summary: User Mode Write AV starting at @ 0x6d89c0006d89c → reproducible crash [@ nsCOMPtr_base::assign_from_qi(nsQueryInterface, nsID const&) ] -> User Mode Write AV starting at @ 0x6d89c0006d89c
Comment 3•15 years ago
==58639==
==58639== Invalid read of size 1
==58639==    at 0x21DC7A4B: ???
==58639==    by 0x2F734DF: nsCOMPtr<nsIDOMHTMLDocument>::assign_from_qi(nsQueryInterface, nsID const&) (in /Users/sayrer/dev/clean-debug-tracemonkey/toolkit/library/XUL)
==58639==    by 0x2F73539: nsCOMPtr<nsIDOMHTMLDocument>::nsCOMPtr(nsQueryInterface) (in /Users/sayrer/dev/clean-debug-tracemonkey/toolkit/library/XUL)
==58639==    by 0x355ADFD: nsHTMLDocumentSH::DocumentAllGetProperty(JSContext*, JSObject*, long, long*) (in /Users/sayrer/dev/clean-debug-tracemonkey/toolkit/library/XUL)
==58639==    by 0x316700: js_GetSprop (in /Users/sayrer/dev/clean-debug-tracemonkey/js/src/libmozjs.dylib)
==58639==    by 0x323BB0: js_NativeGet (in /Users/sayrer/dev/clean-debug-tracemonkey/js/src/libmozjs.dylib)
==58639==    by 0x2F4466: js_Interpret (in /Users/sayrer/dev/clean-debug-tracemonkey/js/src/libmozjs.dylib)
==58639==    by 0x308CCC: js_Invoke (in /Users/sayrer/dev/clean-debug-tracemonkey/js/src/libmozjs.dylib)
==58639==    by 0x308F76: js_InternalInvoke (in /Users/sayrer/dev/clean-debug-tracemonkey/js/src/libmozjs.dylib)
==58639==    by 0x285EC8: JS_CallFunctionValue (in /Users/sayrer/dev/clean-debug-tracemonkey/js/src/libmozjs.dylib)
==58639==    by 0x34FA597: nsJSContext::CallEventHandler(nsISupports*, void*, void*, nsIArray*, nsIVariant**) (in /Users/sayrer/dev/clean-debug-tracemonkey/toolkit/library/XUL)
==58639==    by 0x356A1A5: nsJSEventListener::HandleEvent(nsIDOMEvent*) (in /Users/sayrer/dev/clean-debug-tracemonkey/toolkit/library/XUL)
==58639==  Address 0x5ee39389 is not stack'd, malloc'd or (recently) free'd
Updated•15 years ago
Flags: blocking1.9.1? → blocking1.9.1+
Comment 4•15 years ago
not clear that this is a JS bug, though
Comment 5•15 years ago
Duping forward to a bug with a patch.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Comment 6•15 years ago
Updated•15 years ago
Group: core-security
Flags: wanted1.9.0.x-
Updated•13 years ago
Crash Signature: [@ nsCOMPtr_base::assign_from_qi(nsQueryInterface, nsID const&) ]