Closed Bug 526866 Opened 11 years ago Closed 11 years ago

Firefox 3.6 and 3.7 Crash [@ nsIFrame::InvalidateInternal(nsRect const&, int, int, nsIFrame*, unsigned int) ] address 0xfffffffff0dea933

Categories

(Core :: Layout, defect)

x86
macOS
defect
Not set
critical


RESOLVED WORKSFORME

People

(Reporter: chofmann, Assigned: cbook)

References

(Blocks 1 open bug)

Details

(Keywords: crash, Whiteboard: [sg:critical? mitigated by frame-poisoning] [no steps to reproduce])

Crash Data

Spin-off from Bug 526587 - new crashes as fallout of frame poisoning.

Reports at

http://crash-stats.mozilla.com/report/list?product=Firefox&version=Firefox%3A3.6a1&version=Firefox%3A3.6a1pre&version=Firefox%3A3.6a2pre&version=Firefox%3A3.6b1&version=Firefox%3A3.6b1pre&version=Firefox%3A3.6b2pre&version=Firefox%3A3.7a1pre&query_search=signature&query_type=exact&query=nsIFrame%3A%3AInvalidateInternal%28nsRect%20const%26%2C%20int%2C%20int%2C%20nsIFrame*%2C%20unsigned%20int%29&date=&range_value=4&range_unit=weeks&do_query=1&signature=nsIFrame%3A%3AInvalidateInternal%28nsRect%20const%26%2C%20int%2C%20int%2C%20nsIFrame*%2C%20unsigned%20int%29

Stacks like:

Frame  	Module  	Signature  	Source
0 	xul.dll 	nsIFrame::InvalidateInternal 	layout/generic/nsFrame.cpp:3691
1 	xul.dll 	nsIFrame::InvalidateWithFlags 	layout/generic/nsFrame.cpp:3626
2 	xul.dll 	nsIFrame::Invalidate 	obj-firefox/dist/include/nsIFrame.h:1748
3 	xul.dll 	nsImageFrame::FrameChanged 	layout/generic/nsImageFrame.cpp:623
4 	xul.dll 	nsImageListener::FrameChanged 	layout/generic/nsImageFrame.cpp:1928
5 	xul.dll 	nsImageLoadingContent::FrameChanged 	content/base/src/nsImageLoadingContent.cpp:166
6 	xul.dll 	imgRequestProxy::FrameChanged 	modules/libpr0n/src/imgRequestProxy.cpp:507
7 	xul.dll 	imgRequest::FrameChanged 	modules/libpr0n/src/imgRequest.cpp:552
8 	xul.dll 	imgContainer::Notify 	modules/libpr0n/src/imgContainer.cpp:1455
9 	xul.dll 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:472
10 	xul.dll 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:519
11 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:527
12 	xul.dll 	nsBaseAppShell::Run 	widget/src/xpwidgets/nsBaseAppShell.cpp:170
13 	nspr4.dll 	PR_GetEnv 	
14 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:110
15 	firefox.exe 	__tmainCRTStartup 	obj-firefox/memory/jemalloc/crtsrc/crtexe.c:591
16 	kernel32.dll 	BaseProcessStart

This same signature has many other reports for 3.0.x and 3.5.x that may or may not be connected to the new crashes that result from frame poisoning.
Summary: Friefox 3.6 and 3.7 Crash [@ nsIFrame::InvalidateInternal(nsRect const&, int, int, nsIFrame*, unsigned int) ] → Friefox 3.6 and 3.7 Crash [@ nsIFrame::InvalidateInternal(nsRect const&, int, int, nsIFrame*, unsigned int) ] address 0xfffffffff0dea933
Summary: Friefox 3.6 and 3.7 Crash [@ nsIFrame::InvalidateInternal(nsRect const&, int, int, nsIFrame*, unsigned int) ] address 0xfffffffff0dea933 → Firefox 3.6 and 3.7 Crash [@ nsIFrame::InvalidateInternal(nsRect const&, int, int, nsIFrame*, unsigned int) ] address 0xfffffffff0dea933
Severity: normal → critical
Whiteboard: [sg:critical? mitigated by frame-poisoning]
Whiteboard: [sg:critical? mitigated by frame-poisoning] → [sg:critical? mitigated by frame-poisoning] [no steps to reproduce]
Will get new URL lists and will do retesting :)
Assignee: nobody → cbook
I put an up-to-date list of URLs for all the fp bugs up in the tracking bug.
Testing for this bug is done via the general fp bug list; so far still searching for crashes.
No crash so far. Maybe fixed?
Marking WORKSFORME for now, since not reproducible currently. Will reopen if we find steps to reproduce.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
I think this looks like a common way to crash if you leak frames (which was, prior to frame poisoning, considered exploitable because of this).
Crash Signature: [@ nsIFrame::InvalidateInternal(nsRect const&, int, int, nsIFrame*, unsigned int) ]
Group: core-security → core-security-release
Group: core-security-release