Closed
Bug 493287
Opened 16 years ago
Closed 16 years ago
Reproducible crash [@gfxTextRun::`vector deleting destructor'(unsigned int) and [@ XUL@0xa556c6 ] Data from Faulting Address may be used as a return value starting at gklayout!nsIFrame::RemoveStateBits+0xf (Hash=0x71263649.0x7d087401)
Categories
(Core :: Layout: Text and Fonts, defect)
VERIFIED
FIXED
mozilla1.9.2a1
People
(Reporter: cbook, Assigned: smontagu)
Details
(4 keywords, Whiteboard: [sg:critical?][fixed by bug 468491])
Crash Data
Steps to reproduce:
-> Load http://www.musingsfrommars.org/2007/02/crystal-clear-pushing-macosx-windows-beyond-translucent.html (you may need to wait a little while till this is loaded).
--> Crash
Crashes 1.9.1 opt/debug builds Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b5pre) Gecko/20090515 Shiretoko/3.5b5pre - trunk seems fine.
Marking as security bug for now, because Exploitability Classification: UNKNOWN
(928.b48): Access violation - code c0000005 (!!! second chance !!!)
eax=bfffffff ebx=7ffd8000 ecx=dddddddd edx=06a149f0 esi=04d3b300 edi=7c910222
eip=02be48ef esp=0012db90 ebp=0012db94 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
gklayout!nsIFrame::RemoveStateBits+0xf:
02be48ef 234124 and eax,dword ptr [ecx+24h] ds:0023:ddddde01=????????
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address may be used as a return value starting at gklayout!nsIFrame::RemoveStateBits+0xf (Hash=0x71263649.0x7d087401)
The data from the faulting address may later be used as a return value from this function.
ChildEBP RetAddr
0012db94 02c88e30 gklayout!nsIFrame::RemoveStateBits+0xf
0012dba0 02c88d91 gklayout!ClearAllTextRunReferences+0x10
0012dbbc 02c90fa3 gklayout!UnhookTextRunFromFrames+0x41
0012dbdc 02c90691 gklayout!nsTextFrame::ClearTextRun+0x23
0012dbec 02cb7ce6 gklayout!nsContinuingTextFrame::Destroy+0x41
0012dca4 02cb6cc0 gklayout!nsBlockFrame::DoRemoveFrame+0x5f6
0012dcd4 02c3f8fe gklayout!nsBlockFrame::RemoveFrame+0x30
0012dd04 02c2f6cc gklayout!nsFrameManager::RemoveFrame+0x4e
0012dd5c 02c2f9bf gklayout!nsCSSFrameConstructor::RemoveFloatingFirstLetterFrames+0x1cc
0012dd84 02c290dc gklayout!nsCSSFrameConstructor::RemoveLetterFrames+0x3f
0012df64 02beb2bf gklayout!nsCSSFrameConstructor::ContentAppended+0x72c
0012df7c 02eaac68 gklayout!PresShell::ContentAppended+0xcf
0012dfb4 02e977bc gklayout!nsNodeUtils::ContentAppended+0xe8
0012e088 02e972d5 gklayout!nsGenericElement::doInsertChildAt+0x4dc
0012e0ac 02e98f3b gklayout!nsGenericElement::InsertChildAt+0x55
0012e1ec 02e980a3 gklayout!nsGenericElement::doReplaceOrInsertBefore+0xe2b
0012e20c 03328958 gklayout!nsGenericElement::InsertBefore+0x23
0012e224 02e935fe gklayout!nsHTMLParagraphElement::InsertBefore+0x18
0012e23c 033289b4 gklayout!nsGenericElement::AppendChild+0x1e
0012e250 0119cf80 gklayout!nsHTMLParagraphElement::AppendChild+0x14
Flags: blocking-firefox3.5?
Comment 1•16 years ago
here are the windows stacks I get out of soccoro in a couple of quick test runs. that would make this the #10 topcrash on 3.5b4
crash #1
0 xul.dll gfxTextRun::`vector deleting destructor'
1 xul.dll nsTextFrame::ClearTextRun layout/generic/nsTextFrameThebes.cpp:3683
2 xul.dll nsContinuingTextFrame::Destroy layout/generic/nsTextFrameThebes.cpp:3483
crash #2
0 xul.dll gfxTextRun::`vector deleting destructor'
1 xul.dll nsTextFrame::ClearTextRun layout/generic/nsTextFrameThebes.cpp:3683
2 xul.dll nsContinuingTextFrame::Destroy layout/generic/nsTextFrameThebes.cpp:3483
3 xul.dll nsBlockFrame::DoRemoveFrame layout/generic/nsBlockFrame.cpp:5456
4 js3250.dll js_NativeGet js/src/jsobj.cpp:4239
Keywords: topcrash+
Summary: Data from Faulting Address may be used as a return value starting at gklayout!nsIFrame::RemoveStateBits+0xf → Reproducible crash [@ gfxTextRun::`vector deleting destructor''(unsigned int) ] Data from Faulting Address may be used as a return value starting at gklayout!nsIFrame::RemoveStateBits+0xf
Updated•16 years ago
Component: General → GFX: Thebes
Flags: blocking-firefox3.5?
Product: Firefox → Core
QA Contact: general → thebes
Version: 3.5 Branch → 1.9.1 Branch
Updated•16 years ago
Flags: blocking1.9.1?
Updated•16 years ago
Whiteboard: sg:investigate
Updated•16 years ago
Whiteboard: sg:investigate → [sg:investigate]
Updated•16 years ago
Summary: Reproducible crash [@ gfxTextRun::`vector deleting destructor''(unsigned int) ] Data from Faulting Address may be used as a return value starting at gklayout!nsIFrame::RemoveStateBits+0xf → Data from Faulting Address may be used as a return value starting at gklayout!nsIFrame::RemoveStateBits+0xf (Hash=0x71263649.0x7d087401)
Comment 2•16 years ago
gfxTextRun::`vector deleting destructor'(unsigned int) 0x4
http://www.newliturgicalmovement.org/
Every time I log on to WWW.newliturgicalmovement.org Firefox crashes.
looks like this might also show up on Mac as
Firefox 3.5b5pre Crash Report [@ XUL@0xa556c6 ]
http://crash-stats.mozilla.com/report/index/d11b8c50-5278-4017-9ad8-4ee7d2090518
0 XUL XUL@0xa556c6
1 XUL nsContinuingTextFrame::Destroy layout/generic/nsTextFrameThebes.cpp:3483
2 XUL nsBlockFrame::DoRemoveFrame layout/generic/nsBlockFrame.cpp:5456
3 XUL nsBlockFrame::RemoveFrame layout/generic/nsBlockFrame.cpp:5047
4 XUL nsFrameManager::RemoveFrame layout/base/nsFrameManager.cpp:716
5 XUL nsCSSFrameConstructor::RemoveFloatingFirstLetterFrames layout/base/nsCSSFrameConstructor.cpp:12159
6 XUL nsCSSFrameConstructor::RemoveLetterFrames layout/base/nsCSSFrameConstructor.cpp:12275
7 XUL nsCSSFrameConstructor::ContentAppended layout/base/nsCSSFrameConstructor.cpp:8582
8 XUL PresShell::ContentAppended layout/base/nsPresShell.cpp:4844
9 XUL nsNodeUtils::ContentAppended content/base/src/nsNodeUtils.cpp:119
10 XUL nsContentSink::NotifyAppend content/base/src/nsContentSink.cpp:1340
11 XUL SinkContext::FlushTags content/html/document/src/nsHTMLContentSink.cpp:1382
12 XUL SinkContext::AddLeaf content/html/document/src/nsHTMLContentSink.cpp:1165
13 XUL SinkContext::AddLeaf content/html/document/src/nsHTMLContentSink.cpp:1096
14 XUL CNavDTD::HandleDefaultStartToken parser/htmlparser/src/CNavDTD.cpp:1080
15 XUL CNavDTD::HandleStartToken parser/htmlparser/src/CNavDTD.cpp:1432
16 XUL CNavDTD::HandleToken parser/htmlparser/src/CNavDTD.cpp:756
17 XUL CNavDTD::BuildModel parser/htmlparser/src/CNavDTD.cpp:332
18 XUL nsParser::BuildModel parser/htmlparser/src/nsParser.cpp:2378
19 XUL nsParser::ResumeParse parser/htmlparser/src/nsParser.cpp:2251
20 XUL nsParser::ContinueInterruptedParsing parser/htmlparser/src/nsParser.cpp:1751
21 XUL nsParserContinueEvent::Run parser/htmlparser/src/nsParser.cpp:164
22 XUL nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:510
23 XUL NS_ProcessPendingEvents_P nsThreadUtils.cpp:180
24 XUL nsBaseAppShell::NativeEventCallback widget/src/xpwidgets/nsBaseAppShell.cpp:121
25 XUL nsAppShell::ProcessGeckoEvents widget/src/cocoa/nsAppShell.mm:405
26 CoreFoundation CFRunLoopRunSpecific
27 CoreFoundation CFRunLoopRunInMode
28 HIToolbox RunCurrentEventLoopInMode
29 HIToolbox ReceiveNextEventCommon
30 HIToolbox BlockUntilNextEventMatchingListInMode
31 AppKit _DPSNextEvent
32 AppKit -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:]
33 JavaEmbeddingPlugin JavaEmbeddingPlugin@0x12fc2
34 AppKit -[NSApplication run]
35 XUL nsAppShell::Run widget/src/cocoa/nsAppShell.mm:716
36 XUL nsAppStartup::Run toolkit/components/startup/src/nsAppStartup.cpp:193
37 XUL XRE_main toolkit/xre/nsAppRunner.cpp:3298
38 firefox-bin main browser/app/nsBrowserApp.cpp:156
39 firefox-bin firefox-bin@0x1541
40 firefox-bin firefox-bin@0x1468
41 @0x0
Summary: Data from Faulting Address may be used as a return value starting at gklayout!nsIFrame::RemoveStateBits+0xf (Hash=0x71263649.0x7d087401) → Reproducible crash [@gfxTextRun::`vector deleting destructor'(unsigned int) and [@ XUL@0xa556c6 ] Data from Faulting Address may be used as a return value starting at gklayout!nsIFrame::RemoveStateBits+0xf (Hash=0x71263649.0x7d087401)
Comment 3•16 years ago
In comment 0 ecx looks like a deleted object, potentially exploitable.
I haven't crashed on the 1.9.0 branch, tried Mac and Windows opt builds and a Mac debug build.
It looks like Carsten could reproduce, maybe he could save-as-complete what he gets (using a non-crashing trunk) and see if we can repro from that, then whittle it down and attach to the bug.
Keywords: testcase-wanted
Whiteboard: [sg:investigate] → [sg:critical?]
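The reasoning in comment 3 (ecx=dddddddd at the faulting instruction) is the kind of check crash triage can automate. The following is an added example, not part of this bug or of Mozilla's tooling: it parses a WinDbg register dump, flags registers holding well-known debug-heap fill patterns, and reports whether the base register of the faulting memory operand is one of them. The sample dump and instruction are taken from comment 0; the fill-pattern table is general MSVC CRT / Windows NT heap knowledge, not something the bug states.

```python
import re
from typing import Dict, Optional

# Well-known fill values written by the MSVC debug CRT and the Windows NT
# heap. A register holding one of these when it is dereferenced usually
# means the object it pointed to was freed or never initialised.
# (General knowledge, not taken from the bug report.)
FILL_PATTERNS = {
    0xDDDDDDDD: "freed heap memory (MSVC debug CRT free fill)",
    0xCDCDCDCD: "uninitialised heap memory (MSVC debug CRT alloc fill)",
    0xFEEEFEEE: "freed heap memory (Windows NT heap free fill)",
    0xBAADF00D: "uninitialised heap memory (Windows NT heap alloc fill)",
    0xABABABAB: "heap guard bytes after an allocation (NT heap)",
}

# Constructed sample: the register line and instruction from comment 0.
SAMPLE_DUMP = (
    "eax=bfffffff ebx=7ffd8000 ecx=dddddddd edx=06a149f0 esi=04d3b300 edi=7c910222\n"
    "eip=02be48ef esp=0012db90 ebp=0012db94 iopl=0 nv up ei pl nz na pe nc"
)
SAMPLE_INSTR = "and eax,dword ptr [ecx+24h]"

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-fA-F]{8})")
BASE_RE = re.compile(r"\[(e[abcd]x|e[sd]i|e[bs]p)(?=[+\-\]])")

def parse_registers(dump: str) -> Dict[str, int]:
    """Return {register: value} from WinDbg 'r'-style register lines."""
    return {name: int(val, 16) for name, val in REG_RE.findall(dump)}

def flag_fill_patterns(regs: Dict[str, int]) -> Dict[str, str]:
    """Map each register whose value is a known fill pattern to its meaning."""
    return {r: FILL_PATTERNS[v] for r, v in regs.items() if v in FILL_PATTERNS}

def base_register(instr: str) -> Optional[str]:
    """Base register of the memory operand, e.g. 'ecx' for '[ecx+24h]'."""
    m = BASE_RE.search(instr)
    return m.group(1) if m else None

def triage(dump: str, instr: str) -> str:
    """Combine the register dump and faulting instruction into a verdict."""
    flagged = flag_fill_patterns(parse_registers(dump))
    base = base_register(instr)
    if base in flagged:
        return (f"likely use-after-free: {base} holds {flagged[base]} "
                f"and is dereferenced by '{instr}'")
    if flagged:
        return "suspicious: fill pattern in " + ", ".join(sorted(flagged))
    return "no known fill pattern in registers"

if __name__ == "__main__":
    print(triage(SAMPLE_DUMP, SAMPLE_INSTR))
```

On a release build the freed memory is not poisoned, so a register value that "looks like" a pointer does not rule a use-after-free out; the fill patterns only confirm one when a debug CRT or page heap was in use.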
Comment 4•16 years ago
I could reproduce on a Win Shiretoko build, looks like a regression between 1.9.0 and 1.9.1. A regression window would help pin down what change caused this.
Comment 5•16 years ago
Will see that I can find the regression window!
Comment 6•16 years ago
Regression range:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20090101 Shiretoko/3.1b3pre BuildID=20090101033446 -> works
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20090102 Shiretoko/3.1b3pre BuildID: 20090102050105 -> crash
so regressed between 20090101033446 and 20090102050105
Keywords: regressionwindow-wanted
Comment 7•16 years ago
Comment 8•16 years ago
Err, wait, this was a 1.9.1 regression window.
http://hg.mozilla.org/releases/mozilla-1.9.1/pushloghtml?startdate=2009-01-01+03%3A34%3A46&enddate=2009-01-02+05%3A01%3A05
I don't see anything that looks like a suspect :(
Comment 9•16 years ago
Vlad said we should block on this, so we are.
Flags: blocking1.9.1? → blocking1.9.1+
Comment 10•16 years ago
Bug 466763 is right before that window, and in related code.
Flags: blocking1.9.1+ → blocking1.9.1?
Updated•16 years ago
Flags: blocking1.9.1? → blocking1.9.1+
Comment 11•16 years ago
A slightly more accurate regression window is http://hg.mozilla.org/releases/mozilla-1.9.1/pushloghtml?fromchange=cda265c626be&tochange=067649fefb8d - which includes Simon's proposed regressor. So, for now, on to him.
Assignee: nobody → smontagu
Component: GFX: Thebes → Layout: Text
QA Contact: thebes → layout.fonts-and-text
Comment 12•16 years ago
Given that this doesn't crash on trunk, it may be fixed by branch checkin of bug 468491.
Depends on: 468491
Whiteboard: [sg:critical?] → [sg:critical?][depends on 468491]
Should be fixed now that 468491 is checked in.
Comment 14•16 years ago
None of the URLs crash for me now.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Updated•16 years ago
Keywords: fixed1.9.1
Resolution: FIXED → WORKSFORME
Whiteboard: [sg:critical?][depends on 468491] → [sg:critical?][fixed by bug 468491]
Target Milestone: --- → mozilla1.9.2a1
Updated•16 years ago
Resolution: WORKSFORME → FIXED
Comment 15•16 years ago
No more crashes can be found on Socorro. Marking verified fixed.
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1
Updated•14 years ago
Crash Signature: [@ XUL@0xa556c6 ]
Updated•12 years ago
Group: core-security
Updated•10 years ago
Keywords: testcase-wanted