
Crash [@ CallQueryInterface<nsIContent,nsIDOMElement>] with bindings, script, observes, etc and content policy installed

Status: RESOLVED WORKSFORME

Product: Core
Component: DOM
Priority: --
Severity: critical
Reported: 8 years ago
Last modified: 2 years ago

People: Reporter: Martijn Wargers (dead); Assignee: Unassigned

Tracking
Version: Trunk
Platform: x86 Windows XP
Keywords: crash, regression, testcase
Points: ---

Firefox Tracking Flags: status1.9.1 unaffected

Details: Crash Signature: [@ CallQueryInterface<nsIContent,nsIDOMElement>]

Attachments (2):
- 983 bytes, application/vnd.mozilla.xul+xml
- 975 bytes, application/vnd.mozilla.xul+xml
Description (Reporter, 8 years ago)

Created attachment 382589: testcase

See the testcase, which usually crashes within 20 seconds or so when you have a content policy installed in your profile.

You have a content policy installed when you have Adblock Plus installed:
https://addons.mozilla.org/en-US/firefox/addon/1865

You can also follow the directions in bug 439316:
- Copy the file in that bug into the Components directory where Firefox is installed.
- Create a .autoreg file (an empty file) in your profile (use the bash mv command to rename it under Windows).

http://crash-stats.mozilla.com/report/index/86df7519-0594-449e-bcbc-2f6052090610?p=1
0  	ntdll.dll  	ntdll.dll@0xe514  	
1 	kernel32.dll 	kernel32.dll@0x2541 	
2 	xul.dll 	google_breakpad::ExceptionHandler::WriteMinidumpOnHandlerThread 	toolkit/crashreporter/google-breakpad/src/client/windows/handler/exception_handler.cc:562
3 	xul.dll 	google_breakpad::ExceptionHandler::HandlePureVirtualCall 	toolkit/crashreporter/google-breakpad/src/client/windows/handler/exception_handler.cc:506
4 	mozcrt19.dll 	_purecall 	obj-firefox/memory/jemalloc/crtsrc/purevirt.c:47
5 	xul.dll 	CallQueryInterface<nsIContent,nsIDOMElement> 	obj-firefox/dist/include/nsISupportsUtils.h:203
6 	xul.dll 	xul.dll@0x8f2197 	
7 		@0x2 	
8 		@0x62 

This regressed between 2008-06-22 and 2008-06-23:
http://hg.mozilla.org/mozilla-central/pushloghtml?startdate=2008-06-22+05%3A00%3A00&enddate=2008-06-23+08%3A00%3A00
I think it's a regression from bug 344258.
Comment 1 (Reporter, 8 years ago)

Created attachment 382693: testcase2

Ok, this is a testcase that also crashes with this same stacktrace after 10s or so, but doesn't seem to have the need for a content policy, so it crashes directly, without the need for the Adblock Plus extension.
Comment 2 (Reporter, 8 years ago)

The !exploitable tool says this:
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at gklayout!CallQueryInterface<nsIContent,nsIDOMElement>+0x0000000000000067 (Hash=0x7b706479.0x53120335)

So marking security sensitive for now.
Group: core-security
Updated (Reporter, 8 years ago)

Blocks: 498639
Martijn, can you retest to see if this crash is still reproducible? I wasn't able to see the crash on trunk or a 1.9.2 build.
Whiteboard: [sg:needinfo]
Updated (Reporter, 8 years ago)

Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → WORKSFORME
Thanks for confirming. I did reproduce the crash, by the way, in Firefox 3.5 but not in 3.5.7.
status1.9.1: --- → unaffected
Whiteboard: [sg:needinfo]
Updated (Assignee, 6 years ago)

Crash Signature: [@ CallQueryInterface<nsIContent,nsIDOMElement>]

Updated (2 years ago)

Group: core-security → core-security-release