Closed Bug 497448 Opened 15 years ago Closed 14 years ago

Crash [@ CallQueryInterface<nsIContent,nsIDOMElement>] with bindings, script, observes, etc and content policy installed

Categories

(Core :: DOM: Core & HTML, defect)

x86
Windows XP
defect
Not set
critical

Tracking

Status: RESOLVED WORKSFORME
status1.9.1: unaffected

People

(Reporter: martijn.martijn, Unassigned)


(Keywords: crash, regression, testcase)

Attachments (2 files)

983 bytes, application/vnd.mozilla.xul+xml
975 bytes, application/vnd.mozilla.xul+xml
Attached file testcase
See testcase, which usually crashes within 20 seconds or so, when you have a content policy installed in your profile.

You have a content policy installed when you have Adblock Plus installed:
https://addons.mozilla.org/en-US/firefox/addon/1865

You can also follow the directions in bug 439316:
- copy the file in that bug into the Components directory of where Firefox is installed.
- Create a .autoreg file (an empty file) in your profile (use the bash mv command to rename it under Windows).

http://crash-stats.mozilla.com/report/index/86df7519-0594-449e-bcbc-2f6052090610?p=1
0  ntdll.dll     ntdll.dll@0xe514
1  kernel32.dll  kernel32.dll@0x2541
2  xul.dll       google_breakpad::ExceptionHandler::WriteMinidumpOnHandlerThread  toolkit/crashreporter/google-breakpad/src/client/windows/handler/exception_handler.cc:562
3  xul.dll       google_breakpad::ExceptionHandler::HandlePureVirtualCall         toolkit/crashreporter/google-breakpad/src/client/windows/handler/exception_handler.cc:506
4  mozcrt19.dll  _purecall                                                         obj-firefox/memory/jemalloc/crtsrc/purevirt.c:47
5  xul.dll       CallQueryInterface<nsIContent,nsIDOMElement>                      obj-firefox/dist/include/nsISupportsUtils.h:203
6  xul.dll       xul.dll@0x8f2197
7                @0x2
8                @0x62

This regressed between 2008-06-22 and 2008-06-23:
http://hg.mozilla.org/mozilla-central/pushloghtml?startdate=2008-06-22+05%3A00%3A00&enddate=2008-06-23+08%3A00%3A00
I think it's a regression from bug 344258.
Attached file testcase2
Ok, this is a testcase that also crashes with this same stacktrace after 10s or so, but doesn't seem to have the need for a content policy, so it crashes directly, without the need for the Adblock Plus extension.
The !exploitable tool says this:
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at gklayout!CallQueryInterface<nsIContent,nsIDOMElement>+0x0000000000000067 (Hash=0x7b706479.0x53120335)

So marking security sensitive for now.
Group: core-security
Blocks: 498639
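The `_purecall` frame sitting directly under `CallQueryInterface<nsIContent,nsIDOMElement>` in the stack above is what the MSVC runtime invokes when a virtual call lands on a vtable slot that is still pure virtual; the frame above it, `HandlePureVirtualCall`, is Breakpad catching exactly that. The standard C++ rule that makes this reachable is that while a base-class destructor is running, the object's dynamic type is already the base class, so a virtual call made in that window (or through a pointer kept past the object's lifetime) resolves to the base slot. The example below is an added illustration of that rule and is not code from this bug, from Mozilla, or from XPCOM; `Base`, `Derived` and `teardownSequence` are hypothetical names. To keep it runnable, the base slot is a non-pure stub that records the event instead of aborting.

```cpp
// Added example (not from the bug or from Mozilla's code): shows that a
// virtual call made while the base destructor runs resolves to the base
// class's slot. In an abstract base (as XPCOM interfaces are) that slot is
// pure virtual, and MSVC fills it with _purecall, which is the frame seen
// in the crash stack. Here the slot is a stub so the program does not abort.
#include <string>
#include <vector>

// What the base slot reports when reached. In real abstract interfaces the
// slot is pure virtual; MSVC's vtable entry for it is _purecall.
static const char* const kBaseSlot = "Base slot (pure virtual in real code)";

struct Base {
    explicit Base(std::vector<std::string>& log) : log_(log) {}
    // Base destructor: dynamic type is now Base, so who() resolves to Base::who.
    virtual ~Base() { log_.push_back("dtor: " + who()); }
    // Stand-in for the pure virtual slot (hypothetical, so the example runs).
    virtual std::string who() const { return kBaseSlot; }
    std::vector<std::string>& log_;
};

struct Derived : Base {
    explicit Derived(std::vector<std::string>& log) : Base(log) {}
    // Derived destructor body: dynamic type is still Derived here.
    ~Derived() override { log_.push_back("dtor: " + who()); }
    std::string who() const override { return "Derived"; }
};

// Records which who() override answers at each stage of the object's life:
// while live, inside ~Derived, and inside ~Base. Returns the three entries.
std::vector<std::string> teardownSequence() {
    std::vector<std::string> log;
    {
        Derived d(log);
        log.push_back("live: " + d.who());   // Derived::who
    }                                        // ~Derived, then ~Base
    return log;
}

int main() {
    // Prints the three stages; the last line is the call that, with a real
    // pure virtual slot, would have ended in _purecall.
    for (const std::string& entry : teardownSequence())
        printf("%s\n", entry.c_str());
    return 0;
}
```

The observer/binding/script combination in the testcase matters for exactly this reason: anything that holds a raw `nsIContent*` and calls `QueryInterface` on it after teardown has begun hits the base vtable, which is why the `_purecall` signature is a lifetime bug rather than an ordinary null dereference.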
Martijn, can you retest to see if this crash is still reproducible? I wasn't able to see the crash on trunk or a 1.9.2 build.
Whiteboard: [sg:needinfo]
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
Thanks for confirming. I did reproduce the crash, by the way, in Firefox 3.5 but not in 3.5.7.
Whiteboard: [sg:needinfo]
Crash Signature: [@ CallQueryInterface<nsIContent,nsIDOMElement>]
Group: core-security → core-security-release
Group: core-security-release
Component: DOM → DOM: Core & HTML