Created attachment 382589 [details]
testcase

See testcase, which usually crashes within 20 seconds or so, when you have a content policy installed in your profile. You have a content policy installed when you have Adblock Plus installed:
https://addons.mozilla.org/en-US/firefox/addon/1865

You can also follow the directions in bug 439316:
- copy the file in that bug into the Components directory of where Firefox is installed.
- Create a .autoreg file (an empty file) in your profile (use the bash mv command to rename under Windows).

http://crash-stats.mozilla.com/report/index/86df7519-0594-449e-bcbc-2f6052090610?p=1

0 ntdll.dll ntdll.dll@0xe514
1 kernel32.dll kernel32.dll@0x2541
2 xul.dll google_breakpad::ExceptionHandler::WriteMinidumpOnHandlerThread toolkit/crashreporter/google-breakpad/src/client/windows/handler/exception_handler.cc:562
3 xul.dll google_breakpad::ExceptionHandler::HandlePureVirtualCall toolkit/crashreporter/google-breakpad/src/client/windows/handler/exception_handler.cc:506
4 mozcrt19.dll _purecall obj-firefox/memory/jemalloc/crtsrc/purevirt.c:47
5 xul.dll CallQueryInterface<nsIContent,nsIDOMElement> obj-firefox/dist/include/nsISupportsUtils.h:203
6 xul.dll xul.dll@0x8f2197
7 @0x2
8 @0x62

This regressed between 2008-06-22 and 2008-06-23:
http://hg.mozilla.org/mozilla-central/pushloghtml?startdate=2008-06-22+05%3A00%3A00&enddate=2008-06-23+08%3A00%3A00

I think this is a regression from bug 344258.
Created attachment 382693 [details]
testcase2

Ok, this is a testcase that also crashes with this same stacktrace after 10s or so, but doesn't seem to need a content policy, so it crashes directly, without the need for the Adblock Plus extension.
The !exploitable tool says this:

Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at gklayout!CallQueryInterface<nsIContent,nsIDOMElement>+0x0000000000000067 (Hash=0x7b706479.0x53120335)

So marking security sensitive for now.
Martijn, can you retest to see if this crash is still reproducible? I wasn't able to see the crash on trunk or a 1.9.2 build.
Thanks for confirming. I did reproduce the crash, by the way, in Firefox 3.5 but not in 3.5.7.