Closed Bug 507274 Opened 15 years ago Closed 12 years ago

Breakpoint starting at ntdll!DbgBreakPoint+0x0000000000000000 called from xpcom_core+0x000000000008c28f

Categories

(Core :: General, defect)

1.9.1 Branch
x86
Windows XP
defect
Not set
critical

RESOLVED INCOMPLETE
Tracking Status
status1.9.1 --- wanted

People

(Reporter: cbook, Unassigned)

Details

(Keywords: crash, Whiteboard: [sg:needinfo])

steps to reproduce: Load http://milwaukee.brewers.mlb.com/index.jsp?c_id=mil 

(da0.edc): Break instruction exception - code 80000003 (first chance)
eax=00000001 ebx=7ffd4000 ecx=7c9175d4 edx=7c97e178 esi=0000e718 edi=00c8f6f0
eip=7c90120e esp=00126998 ebp=00126cb4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!DbgBreakPoint:
7c90120e cc              int     3

Event Type: Exception
Exception Faulting Address: 0x7c90120e
First Chance Exception Type: STATUS_BREAKPOINT (0x80000003)

Faulting Instruction:7c90120e int 3

Basic Block:
    7c90120e int 3

Exception Hash (Major/Minor): 0x5f7e4e79.0x5f624e1c

Stack Trace:
ntdll!DbgBreakPoint+0x0
xpcom_core+0x8c28f
xpcom_core+0x8bd94
gklayout+0x1249b8
gklayout+0xe4baf
gklayout+0xe4872
gklayout+0xe25e2
gklayout+0xe12b1
gklayout+0xdeb91
gklayout+0x12f5a3
gklayout+0xe3a23
gklayout+0xe23f2
gklayout+0xe12b1
gklayout+0xdeb91
gklayout+0xd6969
gklayout+0x1103ee
gklayout+0x110603
gklayout+0x110ec9
gklayout+0x12c76d
gklayout+0x12be3c
gklayout+0xdf338
gklayout+0x12f5a3
gklayout+0xe3a23
gklayout+0xe23f2
gklayout+0xe12b1
gklayout+0xdeb91
gklayout+0x12f5a3
gklayout+0xe3a23
gklayout+0xe23f2
gklayout+0xe12b1
gklayout+0xdeb91
gklayout+0x12f5a3
gklayout+0xe3a23
gklayout+0xe23f2
gklayout+0xe12b1
gklayout+0xdeb91
gklayout+0x12f5a3
gklayout+0xe3a23
gklayout+0xe23f2
gklayout+0xe12b1
gklayout+0xdeb91
gklayout+0xd6969
gklayout+0x1103ee
gklayout+0x110603
gklayout+0x110ec9
gklayout+0x12f5a3
gklayout+0xe3a23
gklayout+0xe23f2
gklayout+0xe12b1
gklayout+0xdeb91
gklayout+0x12f5a3
gklayout+0xe3a23
gklayout+0xe23f2
gklayout+0xe12b1
gklayout+0xdeb91
gklayout+0xd6969
gklayout+0xf254b
gklayout+0xd6969
gklayout+0x1103ee
gklayout+0x110603
gklayout+0x110ec9
gklayout+0xd6969
gklayout+0xf31ed
gklayout+0x21048
Instruction Address: 0x000000007c90120e

Description: Breakpoint
Short Description: Breakpoint
Exploitability Classification: UNKNOWN
Recommended Bug Title: Breakpoint starting at ntdll!DbgBreakPoint+0x0000000000000000 called from xpcom_core+0x000000000008c28f (Hash=0x5f7e4e79.0x5f624e1c)

While a breakpoint itself is probably not exploitable, it may also be an indication that an attacker is testing a target. In either case breakpoints should not exist in production code.
more information:

ChildEBP RetAddr  
001268d4 0030c28f ntdll!DbgBreakPoint
00126bf4 0030bd94 xpcom_core!Break(char * aMsg = 0x00126c14 "###!!! ASSERTION: bad width: 'Not Reached', file c:/work/mozilla/builds/1.9.1/mozilla/layout/generic/nsLineLayout.cpp, line 182")+0x22f [c:\work\mozilla\builds\1.9.1\mozilla\xpcom\base\nsdebugimpl.cpp @ 491]
*** WARNING: Unable to verify checksum for c:\work\mozilla\builds\1.9.1\mozilla\firefox-debug\dist\bin\components\gklayout.dll
0012700c 033049b8 xpcom_core!NS_DebugBreak_P(unsigned int aSeverity = 1, char * aStr = 0x03bf6ae4 "bad width", char * aExpr = 0x03bf6ad8 "Not Reached", char * aFile = 0x03bf6a90 "c:/work/mozilla/builds/1.9.1/mozilla/layout/generic/nsLineLayout.cpp", int aLine = 182)+0x2a4 [c:\work\mozilla\builds\1.9.1\mozilla\xpcom\base\nsdebugimpl.cpp @ 364]
0012703c 032c4baf gklayout!nsLineLayout::BeginLineReflow(int aX = 0, int aY = 0, int aWidth = 606960, int aHeight = 1073741824, int aImpactedByFloats = 0, int aIsTopOfPage = 0)+0x98 [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nslinelayout.cpp @ 182]
001270dc 032c4872 gklayout!nsBlockFrame::DoReflowInlineFrames(class nsBlockReflowState * aState = 0x00127750, class nsLineLayout * aLineLayout = 0x00127110, class nsLineList_iterator aLine = class nsLineList_iterator, int * aKeepReflowGoing = 0x00127460, LineReflowStatus * aLineReflowStatus = 0x001271d0, int aAllowPullUp = 1)+0x10f [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nsblockframe.cpp @ 3393]
001271d8 032c25e2 gklayout!nsBlockFrame::ReflowInlineFrames(class nsBlockReflowState * aState = 0x00127750, class nsLineList_iterator aLine = class nsLineList_iterator, int * aKeepReflowGoing = 0x00127460)+0xf2 [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nsblockframe.cpp @ 3276]
001272d8 032c12b1 gklayout!nsBlockFrame::ReflowLine(class nsBlockReflowState * aState = 0x00127750, class nsLineList_iterator aLine = class nsLineList_iterator, int * aKeepReflowGoing = 0x00127460)+0x2c2 [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nsblockframe.cpp @ 2331]
00127490 032beb91 gklayout!nsBlockFrame::ReflowDirtyLines(class nsBlockReflowState * aState = 0x00127750)+0x561 [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nsblockframe.cpp @ 1911]
00127860 0330f5a3 gklayout!nsBlockFrame::Reflow(class nsPresContext * aPresContext = 0x064760a0, struct nsHTMLReflowMetrics * aMetrics = 0x00127bc4, struct nsHTMLReflowState * aReflowState = 0x00127ae0, unsigned int * aStatus = 0x00127b88)+0x251 [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nsblockframe.cpp @ 955]
0012789c 032c3a23 gklayout!nsBlockReflowContext::ReflowBlock(struct nsRect * aSpace = 0x00127acc, int aApplyTopMargin = 1, struct nsCollapsingMargin * aPrevMargin = 0x00128240, int aClearance = 0, int aIsAdjacentWithTop = 1, class nsLineBox * aLine = 0x07b65710, struct nsHTMLReflowState * aFrameRS = 0x00127ae0, unsigned int * aFrameReflowStatus = 0x00127b88, class nsBlockReflowState * aState = 0x001281b8)+0x1a3 [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nsblockreflowcontext.cpp @ 310]
00127c40 032c23f2 gklayout!nsBlockFrame::ReflowBlockFrame(class nsBlockReflowState * aState = 0x001281b8, class nsLineList_iterator aLine = class nsLineList_iterator, int * aKeepReflowGoing = 0x00127ec8)+0x6b3 [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nsblockframe.cpp @ 3004]
00127d40 032c12b1 gklayout!nsBlockFrame::ReflowLine(class nsBlockReflowState * aState = 0x001281b8, class nsLineList_iterator aLine = class nsLineList_iterator, int * aKeepReflowGoing = 0x00127ec8)+0xd2 [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nsblockframe.cpp @ 2276]
00127ef8 032beb91 gklayout!nsBlockFrame::ReflowDirtyLines(class nsBlockReflowState * aState = 0x001281b8)+0x561 [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nsblockframe.cpp @ 1911]
001282c8 032b6969 gklayout!nsBlockFrame::Reflow(class nsPresContext * aPresContext = 0x064760a0, struct nsHTMLReflowMetrics * aMetrics = 0x001284d4, struct nsHTMLReflowState * aReflowState = 0x00128388, unsigned int * aStatus = 0x00128434)+0x251 [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nsblockframe.cpp @ 955]
0012830c 032f03ee gklayout!nsContainerFrame::ReflowChild(class nsIFrame * aKidFrame = 0x07b65428, class nsPresContext * aPresContext = 0x064760a0, struct nsHTMLReflowMetrics * aDesiredSize = 0x001284d4, struct nsHTMLReflowState * aReflowState = 0x00128388, int aX = 0, int aY = 0, unsigned int aFlags = 3, unsigned int * aStatus = 0x00128434, class nsOverflowContinuationTracker * aTracker = 0x00000000)+0xe9 [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nscontainerframe.cpp @ 821]
00128448 032f0603 gklayout!nsHTMLScrollFrame::ReflowScrolledFrame(struct ScrollReflowState * aState = 0x00128578, int aAssumeHScroll = 0, int aAssumeVScroll = 0, struct nsHTMLReflowMetrics * aMetrics = 0x001284d4, int aFirstPass = 1)+0x32e [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nsgfxscrollframe.cpp @ 528]
00128514 032f0ec9 gklayout!nsHTMLScrollFrame::ReflowContents(struct ScrollReflowState * aState = 0x00128578, struct nsHTMLReflowMetrics * aDesiredSize = 0x00128a3c)+0x53 [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nsgfxscrollframe.cpp @ 622]
00128638 0330c76d gklayout!nsHTMLScrollFrame::Reflow(class nsPresContext * aPresContext = 0x064760a0, struct nsHTMLReflowMetrics * aDesiredSize = 0x00128a3c, struct nsHTMLReflowState * aReflowState = 0x00128980, unsigned int * aStatus = 0x00128b04)+0x249 [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nsgfxscrollframe.cpp @ 823]
00128a98 0330be3c gklayout!nsAbsoluteContainingBlock::ReflowAbsoluteFrame(class nsIFrame * aDelegatingFrame = 0x07b65270, class nsPresContext * aPresContext = 0x064760a0, struct nsHTMLReflowState * aReflowState = 0x001291a0, int aContainingBlockWidth = 59400, int aContainingBlockHeight = 0, int aConstrainHeight = 1, class nsIFrame * aKidFrame = 0x07b65360, unsigned int * aStatus = 0x00128b04, struct nsRect * aChildBounds = 0x00128d64)+0x37d [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nsabsolutecontainingblock.cpp @ 436]
00128b2c 032bf338 gklayout!nsAbsoluteContainingBlock::Reflow(class nsContainerFrame * aDelegatingFrame = 0x07b65270, class nsPresContext * aPresContext = 0x064760a0, struct nsHTMLReflowState * aReflowState = 0x001291a0, unsigned int * aReflowStatus = 0x00128e28, int aContainingBlockWidth = 59400, int aContainingBlockHeight = 0, int aConstrainHeight = 1, int aCBWidthChanged = 1, int aCBHeightChanged = 0, struct nsRect * aChildBounds = 0x00128d64)+0xcc [c:\work\mozilla\builds\1.9.1\mozilla\layout\generic\nsabsolutecontainingblock.cpp @ 158]


FAULTING_IP: 
ntdll!DbgBreakPoint+0
7c90120e cc              int     3

EXCEPTION_RECORD:  ffffffff -- (.exr ffffffffffffffff)
ExceptionAddress: 7c90120e (ntdll!DbgBreakPoint)
   ExceptionCode: 80000003 (Break instruction exception)
  ExceptionFlags: 00000000
NumberParameters: 3
   Parameter[0]: 00000000
   Parameter[1]: 7c9175d4
   Parameter[2]: 7c97e178

FAULTING_THREAD:  0000073c

BUGCHECK_STR:  80000003

DEFAULT_BUCKET_ID:  STATUS_BREAKPOINT

PROCESS_NAME:  firefox.exe

ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION}  Breakpoint  A breakpoint has been reached.

LAST_CONTROL_TRANSFER:  from 0030c28f to 7c90120e

FOLLOWUP_IP: 
xpcom_core!Break+22f [c:\work\mozilla\builds\1.9.1\mozilla\xpcom\base\nsdebugimpl.cpp @ 491]
0030c28f 8da5e8fcffff    lea     esp,[ebp-318h]

FAULTING_SOURCE_CODE:  
   487:    asm("int $3");
   488: #else
   489:    // don't know how to break on this platform
   490: #endif
>  491: }
   492: 
   493: static const nsDebugImpl kImpl;
   494: 
   495: NS_METHOD
   496: nsDebugImpl::Create(nsISupports* outer, const nsIID& aIID, void* *aInstancePtr)


SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  xpcom_core!Break+22f

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: xpcom_core

IMAGE_NAME:  xpcom_core.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  4a6de20b

STACK_COMMAND:  ~0s ; kb

FAILURE_BUCKET_ID:  80000003_xpcom_core!Break+22f

BUCKET_ID:  80000003_xpcom_core!Break+22f

Where does it crash when it's not a debug build?

Can we capture the web page, or better, a reduced copy?

blocking1.9.1: ? → ---
Whiteboard: [sg:needinfo]

Resolving as incomplete after over two years.

Tomcat, please reopen if it is still occurring and you can give us the data that Dan wanted.

Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INCOMPLETE
Group: core-security