Closed Bug 493301 Opened 16 years ago Closed 15 years ago

Data from Faulting Address may be used as a return value starting at gklayout!nsIView::GetViewManager+0xa

Categories

(Core :: Layout, defect)

1.9.0 Branch
x86
Windows XP
defect
Not set
critical

RESOLVED WONTFIX

People

(Reporter: cbook, Assigned: roc)

Details

(Keywords: crash, regression, Whiteboard: [sg:critical?] [1.9.0 branch only])

Attachments

(1 file)

Steps to reproduce:
-> load http://rutenbau.rybolov.de/
--> Crashes 1.9.0.11 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11pre) Gecko/2009051417 GranParadiso/3.0.11pre

1.9.1 and trunk do not crash but never finish loading this page?

Marking as security bug, because:

Exploitability Classification: UNKNOWN
(f9c.fb8): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=7ffde000 ecx=00000000 edx=0000003c esi=00000000 edi=7c910222
eip=022c380a esp=0012e554 ebp=0012e558 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
gklayout!nsIView::GetViewManager+0xa:
022c380a 8b4004 mov eax,dword ptr [eax+4] ds:0023:00000004=????????
The data from the faulting address may later be used as a return value from this function.

ChildEBP RetAddr
0012e558 02388cfe gklayout!nsIView::GetViewManager+0xa
0012e5ec 023b383d gklayout!nsSubDocumentFrame::Reflow+0x1ee
0012ea54 023b2ecc gklayout!nsAbsoluteContainingBlock::ReflowAbsoluteFrame+0x37d
0012eae8 02368cc3 gklayout!nsAbsoluteContainingBlock::Reflow+0xcc
0012efcc 02360266 gklayout!nsBlockFrame::Reflow+0xa63
0012f010 0237d93c gklayout!nsContainerFrame::ReflowChild+0xe6
0012f1a8 02360266 gklayout!CanvasFrame::Reflow+0x13c
0012f1ec 023995ae gklayout!nsContainerFrame::ReflowChild+0xe6
0012f330 023997c3 gklayout!nsHTMLScrollFrame::ReflowScrolledFrame+0x32e
0012f3fc 0239a089 gklayout!nsHTMLScrollFrame::ReflowContents+0x53
0012f520 02360266 gklayout!nsHTMLScrollFrame::Reflow+0x249
0012f564 0237e39d gklayout!nsContainerFrame::ReflowChild+0xe6
0012f7a8 022af52b gklayout!ViewportFrame::Reflow+0x15d
0012f94c 022afc13 gklayout!PresShell::DoReflow+0x2eb
0012f980 022aa4d2 gklayout!PresShell::ProcessReflowCommands+0xf3
0012f9ac 022aef41 gklayout!PresShell::DoFlushPendingNotifications+0x162
0012f9c8 0030260a gklayout!PresShell::ReflowEvent::Run+0x81
0012fa04 00296303 xpcom_core!nsThread::ProcessNextEvent+0x1fa
0012fa20 01b4b87d xpcom_core!NS_ProcessNextEvent_P+0x53
0012fa34 01d5433b gkwidget!nsBaseAppShell::Run+0x5d
quit:
Flags: blocking1.9.0.12?
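Added triage helper, not part of the bug report: it parses the register line, the faulting instruction and the stack frames from a WinDbg excerpt like the one above and reports whether the fault is a near-null read, which register was the null base, and the crashing function and its caller. The excerpt is constructed from the report's own lines; the 64 KiB null-page threshold is an assumption for 32-bit Windows.

```python
import re

# Constructed sample: register line, faulting instruction and first frames from the report above.
CRASH_EXCERPT = """\
eax=00000000 ebx=7ffde000 ecx=00000000 edx=0000003c esi=00000000 edi=7c910222
eip=022c380a esp=0012e554 ebp=0012e558 iopl=0 nv up ei pl nz na pe nc
gklayout!nsIView::GetViewManager+0xa:
022c380a 8b4004 mov eax,dword ptr [eax+4] ds:0023:00000004=????????
ChildEBP RetAddr
0012e558 02388cfe gklayout!nsIView::GetViewManager+0xa
0012e5ec 023b383d gklayout!nsSubDocumentFrame::Reflow+0x1ee
0012ea54 023b2ecc gklayout!nsAbsoluteContainingBlock::ReflowAbsoluteFrame+0x37d
"""

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})")
# "mov <dst>,dword ptr [<base>+<off>] ds:<sel>:<fault address>=..."
FAULT_RE = re.compile(
    r"mov\s+(\w+),dword ptr \[(\w+)([+-]0x[0-9a-f]+|[+-]\d+)?\]\s+ds:[0-9a-f]{4}:([0-9a-f]{8})")
FRAME_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (\S+)$", re.M)

NULL_PAGE = 0x10000  # assumption: lowest 64 KiB is never mapped on 32-bit Windows


def parse_registers(text):
    """Map register name -> value for every 'reg=hex' token in the dump."""
    return {m.group(1): int(m.group(2), 16) for m in REG_RE.finditer(text)}


def triage(text):
    """Classify the faulting access: near-null read vs. something needing closer review."""
    regs = parse_registers(text)
    m = FAULT_RE.search(text)
    if m is None:
        return {"verdict": "no recognised faulting load; review manually"}
    dest, base, off, addr = m.group(1), m.group(2), m.group(3) or "+0", int(m.group(4), 16)
    offset = int(off, 16) if off.lower().startswith(("+0x", "-0x")) else int(off)
    frames = [sym for _, _, sym in FRAME_RE.findall(text)]
    near_null = addr < NULL_PAGE
    if near_null and regs.get(base) == 0:
        verdict = "null-pointer read (base register is 0); denial of service unless the loaded value feeds a later write or indirect call"
    elif near_null:
        verdict = "near-null read with non-zero base; check for an uninitialised or small integer used as a pointer"
    else:
        verdict = "read from a non-null address; treat as possible use-after-free or wild pointer until proven otherwise"
    return {"fault_address": addr, "base_register": base, "base_value": regs.get(base),
            "offset": offset, "destination": dest, "near_null": near_null,
            "crashing_function": frames[0] if frames else None,
            "caller": frames[1] if len(frames) > 1 else None, "verdict": verdict}
```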
Whiteboard: sg:investigate
Related to bug 482578?
Whiteboard: sg:investigate → [sg:investigate]
Build identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b5pre) Gecko/20090513 Shiretoko/3.5b5pre doesn't crash and *does* seem to finish loading the page ok.
no crash for me on windows xp fx 3.0.7
re: comment 3 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
and no crash on Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
GranParadiso/3.0.11pre regression?
Flags: blocking1.9.0.11?
Doesn't crash 1.9.0.11pre on OS X or on XP (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)).
er...1.9.0.10.
Doesn't crash 1.9.0.11pre on OS X: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.11pre) Gecko/2009051804 GranParadiso/3.0.11pre Crashes on XP though: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11pre) Gecko/2009051806 GranParadiso/3.0.11pre (.NET CLR 3.5.30729). Seems to be a regression.
Will see if I can find a regression window!
Flags: wanted1.9.0.x+
Keywords: testcase-wanted
regression range:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10pre) Gecko/2009041805 GranParadiso/3.0.10pre -> does not crash
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10pre) Gecko/2009041905 GranParadiso/3.0.10pre -> crash
http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=all&branch=HEAD&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2009-04-18+05%3A00%3A00&maxdate=2009-04-19+05%3A00%3A00&cvsroot=%2Fcvsroot
Ew. So this is either from bug 479560 (Blake) or bug 486269 (Johnny). mrbkap, jst: Can you look and see which one of those might have caused this regression on the stable branch?
I tested (via local backout) and I still crash on that page with both of the fingered patches backed out. However, when visiting the site, I do get:

###!!! ASSERTION: Already have an undisplayed context entry for aContent: '!GetUndisplayedContent(aContent)', file /home/mrbkap/work/1.9.0/mozilla/layout/base/nsFrameManager.cpp, line 576

and

###!!! ASSERTION: node in map twice: 'Not Reached', file /home/mrbkap/work/1.9.0/mozilla/layout/base/nsFrameManager.cpp, line 1733

and

###!!! ASSERTION: Shouldn't happen: 'aPresContext->GetPresShell()->GetPrimaryFrameFor(mContent) == this', file /home/mrbkap/work/1.9.0/mozilla/layout/generic/nsFrameFrame.cpp, line 518

before crashing with a null mInnerView in nsSubDocumentFrame::Reflow. I tried the patch from bug 489050, but I still crash. I don't have any clue what would have caused this regression, though.
I have no idea offhand either. Reducing the page would be really useful. I can try to look at this in a few days, I guess...
Attached file unminimized testcase
I've minimized it to this, thus far. The iframe content points to http://martijn.martijn.googlepages.com/orphus.htm That page has an absolutely positioned iframe, that probably is involved with the crash. It's difficult to minimize further, because the crash is not really consistent for me.
Severity: normal → critical
Flags: blocking1.9.0.11?
roc: Can you investigate this bug, especially as it may or may not relate to bug 482578, a topcrasher on 1.9.0?
Assignee: nobody → roc
Flags: blocking1.9.0.12?
Whiteboard: [sg:investigate] → [sg:investigate] [1.9.0 branch only]
Whiteboard: [sg:investigate] [1.9.0 branch only] → [sg:critical?] [1.9.0 branch only]
Is it worth investing time in this bug since we're going to drop support for 1.9.0 soon?
Soon being "in a week" here.
1.9.0.x is EOL.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WONTFIX
Group: core-security