Reproducible crash [@gfxTextRun::`vector deleting destructor'(unsigned int) and [@ XUL@0xa556c6 ] Data from Faulting Address may be used as a return value starting at gklayout!nsIFrame::RemoveStateBits+0xf (Hash=0x71263649.0x7d087401)

VERIFIED FIXED in mozilla1.9.2a1

Status

Product: Core
Component: Layout: Text
Priority: --
Severity: critical
Status: VERIFIED FIXED
Opened: 9 years ago
Modified: 2 years ago

People

Reporter: Tomcat
Assignee: smontagu

Tracking

Version: 1.9.1 Branch
Target Milestone: mozilla1.9.2a1
Hardware: x86
OS: Windows XP
Keywords: crash, regression, topcrash+, verified1.9.1
Bug Flags: blocking1.9.1 +, wanted1.9.1.x +, wanted1.9.0.x -

Details

Whiteboard: [sg:critical?][fixed by bug 468491]

(Reporter)

Description

9 years ago
Steps to reproduce: 
-> Load http://www.musingsfrommars.org/2007/02/crystal-clear-pushing-macosx-windows-beyond-translucent.html (you may need to wait a little while till this is loaded). 
--> Crash

Crashes 1.9.1 opt/debug builds Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b5pre) Gecko/20090515 Shiretoko/3.5b5pre - trunk seems fine.

Marking as security bug for now, because Exploitability Classification: UNKNOWN

(928.b48): Access violation - code c0000005 (!!! second chance !!!)
eax=bfffffff ebx=7ffd8000 ecx=dddddddd edx=06a149f0 esi=04d3b300 edi=7c910222
eip=02be48ef esp=0012db90 ebp=0012db94 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
gklayout!nsIFrame::RemoveStateBits+0xf:
02be48ef 234124          and     eax,dword ptr [ecx+24h] ds:0023:ddddde01=????????
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address may be used as a return value starting at gklayout!nsIFrame::RemoveStateBits+0xf (Hash=0x71263649.0x7d087401)

The data from the faulting address may later be used as a return value from this function.
ChildEBP RetAddr
0012db94 02c88e30 gklayout!nsIFrame::RemoveStateBits+0xf
0012dba0 02c88d91 gklayout!ClearAllTextRunReferences+0x10
0012dbbc 02c90fa3 gklayout!UnhookTextRunFromFrames+0x41
0012dbdc 02c90691 gklayout!nsTextFrame::ClearTextRun+0x23
0012dbec 02cb7ce6 gklayout!nsContinuingTextFrame::Destroy+0x41
0012dca4 02cb6cc0 gklayout!nsBlockFrame::DoRemoveFrame+0x5f6
0012dcd4 02c3f8fe gklayout!nsBlockFrame::RemoveFrame+0x30
0012dd04 02c2f6cc gklayout!nsFrameManager::RemoveFrame+0x4e
0012dd5c 02c2f9bf gklayout!nsCSSFrameConstructor::RemoveFloatingFirstLetterFrames+0x1cc
0012dd84 02c290dc gklayout!nsCSSFrameConstructor::RemoveLetterFrames+0x3f
0012df64 02beb2bf gklayout!nsCSSFrameConstructor::ContentAppended+0x72c
0012df7c 02eaac68 gklayout!PresShell::ContentAppended+0xcf
0012dfb4 02e977bc gklayout!nsNodeUtils::ContentAppended+0xe8
0012e088 02e972d5 gklayout!nsGenericElement::doInsertChildAt+0x4dc
0012e0ac 02e98f3b gklayout!nsGenericElement::InsertChildAt+0x55
0012e1ec 02e980a3 gklayout!nsGenericElement::doReplaceOrInsertBefore+0xe2b
0012e20c 03328958 gklayout!nsGenericElement::InsertBefore+0x23
0012e224 02e935fe gklayout!nsHTMLParagraphElement::InsertBefore+0x18
0012e23c 033289b4 gklayout!nsGenericElement::AppendChild+0x1e
0012e250 0119cf80 gklayout!nsHTMLParagraphElement::AppendChild+0x14
quit:
Flags: blocking-firefox3.5?

Comment 1

9 years ago
Here are the Windows stacks I get out of Socorro in a couple of quick test runs. That would make this the #10 topcrash on 3.5b4.

crash #1

0  	xul.dll  	gfxTextRun::`vector deleting destructor'  	
1 	xul.dll 	nsTextFrame::ClearTextRun 	layout/generic/nsTextFrameThebes.cpp:3683
2 	xul.dll 	nsContinuingTextFrame::Destroy 	layout/generic/nsTextFrameThebes.cpp:3483 

crash #2
0  	xul.dll  	gfxTextRun::`vector deleting destructor'  	
1 	xul.dll 	nsTextFrame::ClearTextRun 	layout/generic/nsTextFrameThebes.cpp:3683
2 	xul.dll 	nsContinuingTextFrame::Destroy 	layout/generic/nsTextFrameThebes.cpp:3483
3 	xul.dll 	nsBlockFrame::DoRemoveFrame 	layout/generic/nsBlockFrame.cpp:5456
4 	js3250.dll 	js_NativeGet 	js/src/jsobj.cpp:4239
Keywords: topcrash+
Summary: Data from Faulting Address may be used as a return value starting at gklayout!nsIFrame::RemoveStateBits+0xf → Reproducible crash [@ gfxTextRun::`vector deleting destructor''(unsigned int) ] Data from Faulting Address may be used as a return value starting at gklayout!nsIFrame::RemoveStateBits+0xf

Updated

9 years ago
Component: General → GFX: Thebes
Flags: blocking-firefox3.5?
Product: Firefox → Core
QA Contact: general → thebes
Version: 3.5 Branch → 1.9.1 Branch
(Reporter)

Updated

9 years ago
Flags: blocking1.9.1?

Updated

9 years ago
Whiteboard: sg:investigate
Whiteboard: sg:investigate → [sg:investigate]
(Reporter)

Updated

9 years ago
Summary: Reproducible crash [@ gfxTextRun::`vector deleting destructor''(unsigned int) ] Data from Faulting Address may be used as a return value starting at gklayout!nsIFrame::RemoveStateBits+0xf → Data from Faulting Address may be used as a return value starting at gklayout!nsIFrame::RemoveStateBits+0xf (Hash=0x71263649.0x7d087401)

Comment 2

9 years ago
gfxTextRun::`vector deleting destructor'(unsigned int)  0x4     
        http://www.newliturgicalmovement.org/
        Every time I log on to WWW.newliturgicalmovement.org Firefox crashes.

Looks like this might also show up on Mac as
Firefox 3.5b5pre Crash Report [@ XUL@0xa556c6 ]
http://crash-stats.mozilla.com/report/index/d11b8c50-5278-4017-9ad8-4ee7d2090518

0  	XUL  	XUL@0xa556c6  	
1 	XUL 	nsContinuingTextFrame::Destroy 	layout/generic/nsTextFrameThebes.cpp:3483
2 	XUL 	nsBlockFrame::DoRemoveFrame 	layout/generic/nsBlockFrame.cpp:5456
3 	XUL 	nsBlockFrame::RemoveFrame 	layout/generic/nsBlockFrame.cpp:5047
4 	XUL 	nsFrameManager::RemoveFrame 	layout/base/nsFrameManager.cpp:716
5 	XUL 	nsCSSFrameConstructor::RemoveFloatingFirstLetterFrames 	layout/base/nsCSSFrameConstructor.cpp:12159
6 	XUL 	nsCSSFrameConstructor::RemoveLetterFrames 	layout/base/nsCSSFrameConstructor.cpp:12275
7 	XUL 	nsCSSFrameConstructor::ContentAppended 	layout/base/nsCSSFrameConstructor.cpp:8582
8 	XUL 	PresShell::ContentAppended 	layout/base/nsPresShell.cpp:4844
9 	XUL 	nsNodeUtils::ContentAppended 	content/base/src/nsNodeUtils.cpp:119
10 	XUL 	nsContentSink::NotifyAppend 	content/base/src/nsContentSink.cpp:1340
11 	XUL 	SinkContext::FlushTags 	content/html/document/src/nsHTMLContentSink.cpp:1382
12 	XUL 	SinkContext::AddLeaf 	content/html/document/src/nsHTMLContentSink.cpp:1165
13 	XUL 	SinkContext::AddLeaf 	content/html/document/src/nsHTMLContentSink.cpp:1096
14 	XUL 	CNavDTD::HandleDefaultStartToken 	parser/htmlparser/src/CNavDTD.cpp:1080
15 	XUL 	CNavDTD::HandleStartToken 	parser/htmlparser/src/CNavDTD.cpp:1432
16 	XUL 	CNavDTD::HandleToken 	parser/htmlparser/src/CNavDTD.cpp:756
17 	XUL 	CNavDTD::BuildModel 	parser/htmlparser/src/CNavDTD.cpp:332
18 	XUL 	nsParser::BuildModel 	parser/htmlparser/src/nsParser.cpp:2378
19 	XUL 	nsParser::ResumeParse 	parser/htmlparser/src/nsParser.cpp:2251
20 	XUL 	nsParser::ContinueInterruptedParsing 	parser/htmlparser/src/nsParser.cpp:1751
21 	XUL 	nsParserContinueEvent::Run 	parser/htmlparser/src/nsParser.cpp:164
22 	XUL 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:510
23 	XUL 	NS_ProcessPendingEvents_P 	nsThreadUtils.cpp:180
24 	XUL 	nsBaseAppShell::NativeEventCallback 	widget/src/xpwidgets/nsBaseAppShell.cpp:121
25 	XUL 	nsAppShell::ProcessGeckoEvents 	widget/src/cocoa/nsAppShell.mm:405
26 	CoreFoundation 	CFRunLoopRunSpecific 	
27 	CoreFoundation 	CFRunLoopRunInMode 	
28 	HIToolbox 	RunCurrentEventLoopInMode 	
29 	HIToolbox 	ReceiveNextEventCommon 	
30 	HIToolbox 	BlockUntilNextEventMatchingListInMode 	
31 	AppKit 	_DPSNextEvent 	
32 	AppKit 	-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] 	
33 	JavaEmbeddingPlugin 	JavaEmbeddingPlugin@0x12fc2 	
34 	AppKit 	-[NSApplication run] 	
35 	XUL 	nsAppShell::Run 	widget/src/cocoa/nsAppShell.mm:716
36 	XUL 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:193
37 	XUL 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3298
38 	firefox-bin 	main 	browser/app/nsBrowserApp.cpp:156
39 	firefox-bin 	firefox-bin@0x1541 	
40 	firefox-bin 	firefox-bin@0x1468 	
41 		@0x0
Summary: Data from Faulting Address may be used as a return value starting at gklayout!nsIFrame::RemoveStateBits+0xf (Hash=0x71263649.0x7d087401) → Reproducible crash [@gfxTextRun::`vector deleting destructor'(unsigned int) and [@ XUL@0xa556c6 ] Data from Faulting Address may be used as a return value starting at gklayout!nsIFrame::RemoveStateBits+0xf (Hash=0x71263649.0x7d087401)
In comment 0 ecx looks like a deleted object, potentially exploitable.

I haven't crashed on the 1.9.0 branch, tried Mac and Windows opt builds and a Mac debug build.

It looks like Carsten could reproduce, maybe he could save-as-complete what he gets (using a non-crashing trunk) and see if we can repro from that, then whittle it down and attach to the bug.
Keywords: testcase-wanted
Whiteboard: [sg:investigate] → [sg:critical?]
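
Added example (not part of the bug report or of Mozilla's code): the "ecx looks like a deleted object" observation can be checked mechanically. The Python sketch below parses the register dump from comment 0, recomputes the faulting address from the [ecx+24h] operand, and compares the base register with fill values written by Microsoft debug allocators; the pattern table and the triage() helper are assumptions of this example.

```python
import re

# Fill values written by Microsoft debug allocators/builds (general knowledge,
# not taken from the bug report).
FILL_PATTERNS = {
    0xDDDDDDDD: "MSVC debug CRT: freed heap memory",
    0xCDCDCDCD: "MSVC debug CRT: uninitialized heap memory",
    0xFDFDFDFD: "MSVC debug CRT: guard bytes around a heap block",
    0xCCCCCCCC: "MSVC debug build: uninitialized stack memory",
    0xFEEEFEEE: "Windows debug heap: memory released by HeapFree",
}

# Register dump and faulting instruction copied from comment 0.
WINDBG_DUMP = """\
eax=bfffffff ebx=7ffd8000 ecx=dddddddd edx=06a149f0 esi=04d3b300 edi=7c910222
eip=02be48ef esp=0012db90 ebp=0012db94 iopl=0         nv up ei pl nz na pe nc
gklayout!nsIFrame::RemoveStateBits+0xf:
02be48ef 234124          and     eax,dword ptr [ecx+24h] ds:0023:ddddde01=????????
"""

REG_RE = re.compile(r"\b(e[a-z]{2})=([0-9a-f]{8})\b")
# "[reg+NNh] seg:sel:address=" as printed for the faulting memory operand.
MEM_RE = re.compile(r"\[(e[a-z]{2})\+([0-9a-f]+)h\]\s+\w+:[0-9a-f]{4}:([0-9a-f]{8})=")


def triage(dump):
    """Return facts about the faulting memory operand, or None if none is found."""
    regs = {name: int(value, 16) for name, value in REG_RE.findall(dump)}
    operand = MEM_RE.search(dump)
    if operand is None or operand.group(1) not in regs:
        return None
    base = operand.group(1)
    fault = (regs[base] + int(operand.group(2), 16)) & 0xFFFFFFFF
    return {
        "base_register": base,
        "base_value": regs[base],
        "fault_address": fault,
        # Cross-check our arithmetic against the address the debugger printed.
        "matches_debugger": fault == int(operand.group(3), 16),
        # A hit means the pointer was read out of poisoned memory.
        "fill_pattern": FILL_PATTERNS.get(regs[base]),
    }


if __name__ == "__main__":
    print(triage(WINDBG_DUMP))
```

A non-empty fill_pattern on the base register of the faulting access is what moves a crash like this from "UNKNOWN" toward a suspected use-after-free during triage.
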
I could reproduce on a Win Shiretoko build, looks like a regression between 1.9.0 and 1.9.1. A regression window would help pin down what change caused this.
Flags: wanted1.9.1.x+
Flags: wanted1.9.0.x-
Keywords: regression, regressionwindow-wanted
(Reporter)

Comment 5

9 years ago
Will see that I can find the regression window!
(Reporter)

Comment 6

9 years ago
Regression range:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20090101 Shiretoko/3.1b3pre BuildID=20090101033446 -> works

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b3pre) Gecko/20090102 Shiretoko/3.1b3pre BuildID: 20090102050105 -> crash

so regressed between 20090101033446 and 20090102050105
Keywords: regressionwindow-wanted
Err, wait, this was a 1.9.1 regression window.

http://hg.mozilla.org/releases/mozilla-1.9.1/pushloghtml?startdate=2009-01-01+03%3A34%3A46&enddate=2009-01-02+05%3A01%3A05

I don't see anything that looks like a suspect :(
Vlad said we should block on this, so we are.
Flags: blocking1.9.1? → blocking1.9.1+
(Assignee)

Comment 10

9 years ago
Bug 466763 is right before that window, and in related code.
Flags: blocking1.9.1+ → blocking1.9.1?
Flags: blocking1.9.1? → blocking1.9.1+
A slightly more accurate regression window is http://hg.mozilla.org/releases/mozilla-1.9.1/pushloghtml?fromchange=cda265c626be&tochange=067649fefb8d - which includes Simon's proposed regressor. So, for now, on to him.
Assignee: nobody → smontagu
Component: GFX: Thebes → Layout: Text
QA Contact: thebes → layout.fonts-and-text
(Assignee)

Comment 12

9 years ago
Given that this doesn't crash on trunk, it may be fixed by branch checkin of bug 468491.
Depends on: 468491
Whiteboard: [sg:critical?] → [sg:critical?][depends on 468491]
Should be fixed now that 468491 is checked in.
(Assignee)

Comment 14

9 years ago
None of the URLs crash for me now.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Keywords: fixed1.9.1
Resolution: FIXED → WORKSFORME
Whiteboard: [sg:critical?][depends on 468491] → [sg:critical?][fixed by bug 468491]
Target Milestone: --- → mozilla1.9.2a1
Resolution: WORKSFORME → FIXED
No more crashes can be found on Socorro. Marking verified fixed.
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1
Crash Signature: [@ XUL@0xa556c6 ]
Group: core-security
Keywords: testcase-wanted