Closed Bug 533516 Opened 15 years ago Closed 15 years ago

[1.9.1.x] crash [@ nsSupportsArray::Clear] referencing deleted object

Categories

(Core :: Layout, defect)

1.9.1 Branch
defect
Not set
critical

Tracking

RESOLVED FIXED
Tracking Status
status1.9.2 --- unaffected
blocking1.9.1 --- .8+
status1.9.1 --- .8-fixed

People

(Reporter: cbook, Assigned: MatsPalmgren_bugz)

References

Details

(Keywords: crash, testcase, verified1.9.1, Whiteboard: [sg:critical?] fixed by 528493 [need to know if this affects 1.9.0.x])

Crash Data

Attachments

(1 file)

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.6) Gecko/20091207 Shiretoko/3.5.6

Steps to reproduce:
-> Load http://blog.huayuworld.org/unionmandarin
--> Crashes after a few seconds

(714.74c): Access violation - code c0000005 (!!! second chance !!!)
eax=dddddddd ebx=7ffde000 ecx=057e10d8 edx=071bd9b4 esi=00d1b3f0 edi=00e8c640
eip=002ae55e esp=0012ebc0 ebp=0012ebc4 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
xpcom_core!nsSupportsArray::Clear+0x4e:
002ae55e 8b4808 mov ecx,dword ptr [eax+8] ds:0023:dddddde5=????????
0:000> cdb: Reading initial command '!load winext\msec.dll;.logappend;!exploitab
le;k;q'
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address control
s Code Flow starting at xpcom_core!nsSupportsArray::Clear+0x000000000000004e (Ha
sh=0x2861080d.0x7f3b792f)
The data from the faulting address is later used as the target for a branch.
ChildEBP RetAddr
0012ebc4 01e19d89 xpcom_core!nsSupportsArray::Clear+0x4e
0012ebe8 01e19d0f gklayout!nsScrollPortView::~nsScrollPortView+0x39
0012ebf4 01e184aa gklayout!nsScrollPortView::`scalar deleting destructor'+0xf
0012ec10 01e18121 gklayout!nsIView::Destroy+0x2a
0012ec34 01e17f9f gklayout!nsView::~nsView+0x81
0012ec40 01e184aa gklayout!nsView::`scalar deleting destructor'+0xf
0012ec5c 01a7833d gklayout!nsIView::Destroy+0x2a
0012ec84 01ae99dd gklayout!nsFrame::Destroy+0x10d
0012ec90 01aa5d81 gklayout!nsSplittableFrame::Destroy+0x2d
0012ecc4 01adfc3a gklayout!nsContainerFrame::Destroy+0x181
0012ecd0 01aa4547 gklayout!nsHTMLScrollFrame::Destroy+0x1a
0012ece4 01aa5c31 gklayout!nsFrameList::DestroyFrames+0x37
0012ed18 01ac30fe gklayout!nsContainerFrame::Destroy+0x31
0012ed24 01a40516 gklayout!ViewportFrame::Destroy+0x1e
0012ed3c 019e1c35 gklayout!nsFrameManager::Destroy+0x76
0012eda0 01a0a3c9 gklayout!PresShell::Destroy+0x435
0012edd0 01a035d2 gklayout!DocumentViewerImpl::DestroyPresShell+0xd9
0012ee14 01844812 gklayout!DocumentViewerImpl::Hide+0x182
0012ee28 01ad0131 docshell!nsDocShell::SetVisibility+0x62
0012ee68 01acffcf gklayout!nsSubDocumentFrame::HideViewer+0x151
quit:
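As an added triage helper (not part of this bug, of the reporter's tooling, or of Mozilla's code), the following Python parses a cdb/!exploitable dump like the one in this comment: it pulls out the exception code, the registers, the faulting instruction, the exploitability classification and the stack frames, and it flags any register holding 0xdddddddd, the fill value the MSVC debug CRT writes over freed heap blocks. That is what makes eax=dddddddd at a dereference the signature of a reference to a deleted object, which is what the nsScrollPortView destructor frames above point at. The sample input is an excerpt of this comment's own trace, re-split into one item per line as cdb prints it; the class and function names are my own.

```python
import re
from dataclasses import dataclass, field

# Fill pattern the MSVC debug CRT writes over freed heap blocks (0xDD repeated).
# A register holding it at the faulting instruction is the classic sign that the
# crash dereferences an already-deleted object (use-after-free).
MSVC_FREED_FILL = 0xDDDDDDDD

# Constructed sample: an excerpt of the cdb/!exploitable output from this bug
# report, re-split into one item per line the way cdb prints it.
SAMPLE_TRACE = """\
(714.74c): Access violation - code c0000005 (!!! second chance !!!)
eax=dddddddd ebx=7ffde000 ecx=057e10d8 edx=071bd9b4 esi=00d1b3f0 edi=00e8c640
eip=002ae55e esp=0012ebc0 ebp=0012ebc4 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
xpcom_core!nsSupportsArray::Clear+0x4e:
002ae55e 8b4808          mov     ecx,dword ptr [eax+8] ds:0023:dddddde5=????????
Exploitability Classification: PROBABLY_EXPLOITABLE
ChildEBP RetAddr
0012ebc4 01e19d89 xpcom_core!nsSupportsArray::Clear+0x4e
0012ebe8 01e19d0f gklayout!nsScrollPortView::~nsScrollPortView+0x39
0012ebf4 01e184aa gklayout!nsScrollPortView::`scalar deleting destructor'+0xf
0012ec10 01e18121 gklayout!nsIView::Destroy+0x2a
"""

EXC_RE = re.compile(r"Access violation - code ([0-9a-f]{8})")
REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|eip|esp|ebp)=([0-9a-f]{8})\b")
# "module!symbol+0xNN:" followed by "addr opcodes instruction ds:..."
FAULT_RE = re.compile(r"(\S+!\S+\+0x[0-9a-f]+):\s+[0-9a-f]{8}\s+[0-9a-f]+\s+(.+?)\s+ds:")
CLASS_RE = re.compile(r"Exploitability Classification:\s*([A-Z_]+)")
# "childEBP retAddr module!symbol+0xNN"; the symbol may contain spaces
# (e.g. `scalar deleting destructor'), so it is matched lazily up to "+0x".
FRAME_RE = re.compile(r"([0-9a-f]{8}) ([0-9a-f]{8}) (\S+!.+?\+0x[0-9a-f]+)")
MEM_OPERAND_RE = re.compile(r"\[([^\]]+)\]")


@dataclass
class CrashTriage:
    exception_code: str = ""
    registers: dict = field(default_factory=dict)
    faulting_symbol: str = ""
    faulting_instruction: str = ""
    classification: str = ""
    frames: list = field(default_factory=list)

    def freed_memory_registers(self):
        """Registers whose value is exactly the freed-heap fill pattern."""
        return [r for r, v in self.registers.items() if v == MSVC_FREED_FILL]


def parse_cdb_crash(text: str) -> CrashTriage:
    """Extract the triage-relevant fields from a cdb + !exploitable dump."""
    t = CrashTriage()
    m = EXC_RE.search(text)
    if m:
        t.exception_code = m.group(1)
    for reg, val in REG_RE.findall(text):
        t.registers[reg] = int(val, 16)
    m = FAULT_RE.search(text)
    if m:
        t.faulting_symbol = m.group(1)
        t.faulting_instruction = " ".join(m.group(2).split())
    m = CLASS_RE.search(text)
    if m:
        t.classification = m.group(1)
    stack_start = text.find("ChildEBP RetAddr")
    if stack_start >= 0:
        t.frames = [sym for _, _, sym in FRAME_RE.findall(text[stack_start:])]
    return t


def looks_like_use_after_free(triage: CrashTriage) -> bool:
    """True when the faulting instruction reads memory through a register that
    holds the freed-memory fill pattern, i.e. through a deleted object."""
    m = MEM_OPERAND_RE.search(triage.faulting_instruction)
    if not m:
        return False
    operand = m.group(1)
    return any(re.search(rf"\b{reg}\b", operand) for reg in triage.freed_memory_registers())


if __name__ == "__main__":
    t = parse_cdb_crash(SAMPLE_TRACE)
    print("exception:", t.exception_code, "classification:", t.classification)
    print("faulting:", t.faulting_symbol, "->", t.faulting_instruction)
    print("freed-fill registers:", t.freed_memory_registers())
    print("use-after-free likely:", looks_like_use_after_free(t))
    for frame in t.frames:
        print("  ", frame)
```

Run stand-alone it prints the faulting symbol, reports eax as the register carrying the freed-fill pattern and lists the destructor chain; feeding it the second dump from the attached testcase gives the same verdict, which is what makes the two reports the same bug rather than the separate signatures listed in the crash-stats comment.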
There have been a few different signatures showing up on this site. We might need to start grabbing content and maybe need to split off several bugs.

20091101 nsRuleNode::GetStyleDisplay(nsStyleContext*, int) 3.5.4 Windows NT 5.1.2600 Service Pack 3 http://blog.huayuworld.org/unionmandarin
20091105 nsRuleNode::GetStyleDisplay(nsStyleContext*, int) 3.5.4 Windows NT 6.0.6002 Service Pack 2 http://blog.huayuworld.org/unionmandarin
20091106 nsCSSFrameConstructor::DoContentStateChanged(nsIContent*, int) 3.5.5 Windows NT 6.0.6002 Service Pack 2 http://blog.huayuworld.org/unionmandarin
20091109-crashdata.csv: nsRuleNode::GetStyleDisplay(nsStyleContext*, int) 3.5.4 Mac OS X 10.5.8 9L31a http://blog.huayuworld.org/unionmandarin/11927/2009/11/02/45231
20091115-crashdata.csv: nsIFrame::GetClosestView(nsPoint*) 3.5.5 Windows NT 6.0.6001 Service Pack 1 http://blog.huayuworld.org/unionmandarin
20091121-crashdata.csv: nsNativeThemeWin::ThemeSupportsWidget(nsPresContext*, nsIFrame*, unsigned char) 3.5.5 Windows NT 5.1.2600 Service Pack 3 http://blog.huayuworld.org/unionmandarin
20091125crashdata.csv: nsCSSFrameConstructor::DoContentStateChanged(nsIContent*, int) 3.5.5 Windows NT 6.0.6002 Service Pack 2 http://blog.huayuworld.org/unionmandarin
20091121-crashdata.csv: nsRuleNode::GetStyleDisplay(nsStyleContext*, int) 3.5.5 Windows NT 6.0.6001 Service Pack 1 http://blog.huayuworld.org/unionmandarin
20091122-crashdata.csv: nsNativeThemeWin::ThemeSupportsWidget(nsPresContext*, nsIFrame*, unsigned char) 3.5.5 Windows NT 5.1.2600 Service Pack 3 http://blog.huayuworld.org/unionmandarin
20091122-crashdata.csv: nsNativeThemeWin::ThemeSupportsWidget(nsPresContext*, nsIFrame*, unsigned char) 3.5.5 Windows NT 6.0.6001 Service Pack 1 http://blog.huayuworld.org/unionmandarin
20091122-crashdata.csv: nsRuleNode::GetStyleDisplay(nsStyleContext*, int) 3.5.5 Windows NT 5.1.2600 Service Pack 3 http://blog.huayuworld.org/unionmandarin
20091121-crashdata.csv: nsRuleNode::GetStyleDisplay(nsStyleContext*, int) 3.5.5 Windows NT 5.1.2600 Service Pack 3 http://blog.huayuworld.org/unionmandarin/11927/2009/11/10/38256
20091123-crashdata.csv: xul.dll@0x2bd931 3.5.5 Windows NT 5.1.2600 Service Pack 3 http://blog.huayuworld.org/unionmandarin/11261/2009/11/23/47869
20091204-crashdata.csv: nsRuleNode::GetStyleDisplay(nsStyleContext*, int) 3.5.5 Windows NT 5.1.2600 Service Pack 3 http://blog.huayuworld.org/unionmandarin/11833/2009/12/04/48985
20091108: xul.dll@0x2bd931 3.5.5 Windows NT 5.1.2600 Service Pack 3 http://blog.huayuworld.org/unionmandarin/11927/2009/11/08/38256
20091109 nsCSSFrameConstructor::DoContentStateChanged(nsIContent*, int) 3.5.4 Mac OS X 10.5.8 9L31a http://blog.huayuworld.org/unionmandarin/11927/2009/11/02/45231
Is this 1.9.1 only? Mats, can you look into it?
(In reply to comment #2)
> Is this 1.9.1 only?
> Mats, can you look into it?

Yes, it only crashed on 1.9.1 - on 1.9.1 I got the assertion from bug 459095 - but no crash.
Tomcat: can you capture the crashing code from the page and attach to this bug?
Assignee: nobody → matspal
blocking1.9.1: ? → .7+
Keywords: testcase-wanted
Summary: Probably Exploitable - Data from Faulting Address control s Code Flow starting at xpcom_core!nsSupportsArray::Clear+0x000000000000004e → [1.9.0.x] crash [@ nsSupportsArray::Clear] referencing deleted object
Whiteboard: [sg:critical?]
I think Dan meant 1.9.1.x...
Summary: [1.9.0.x] crash [@ nsSupportsArray::Clear] referencing deleted object → [1.9.1.x] crash [@ nsSupportsArray::Clear] referencing deleted object
Attached file testcase html source
Attached file crashed on load on 1.9.1 debug build on XP:

(8fc.440): Access violation - code c0000005 (!!! second chance !!!)
eax=dddddddd ebx=7ffd8000 ecx=04b5cdf0 edx=06cdc46c esi=00d1abd0 edi=00240000
eip=002ae55e esp=0012eb70 ebp=0012eb74 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
*** WARNING: Unable to verify checksum for c:\work\mozilla\builds\1.9.1\mozilla\
firefox-debug\dist\bin\xpcom_core.dll
xpcom_core!nsSupportsArray::Clear+0x4e:
002ae55e 8b4808 mov ecx,dword ptr [eax+8] ds:0023:dddddde5=????????
0:000> cdb: Reading initial command '!load winext\msec.dll;.logappend;!exploitab
le;k;q'
Opened log file 'dbgeng.log'
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address control
s Code Flow starting at xpcom_core!nsSupportsArray::Clear+0x000000000000004e (Ha
sh=0x2861080d.0x13086521)
The data from the faulting address is later used as the target for a branch.
ChildEBP RetAddr
0012eb74 02a3a9c9 xpcom_core!nsSupportsArray::Clear+0x4e
0012eb98 02a3a94f gklayout!nsScrollPortView::~nsScrollPortView+0x39
0012eba4 02a390ea gklayout!nsScrollPortView::`scalar deleting destructor'+0xf
0012ebc0 02a38d61 gklayout!nsIView::Destroy+0x2a
0012ebe4 02a38bdf gklayout!nsView::~nsView+0x81
0012ebf0 02a390ea gklayout!nsView::`scalar deleting destructor'+0xf
0012ec0c 0269833d gklayout!nsIView::Destroy+0x2a
0012ec34 027099fd gklayout!nsFrame::Destroy+0x10d
0012ec40 026c5d81 gklayout!nsSplittableFrame::Destroy+0x2d
0012ec74 026ffc5a gklayout!nsContainerFrame::Destroy+0x181
0012ec80 026c4547 gklayout!nsHTMLScrollFrame::Destroy+0x1a
0012ec94 026c5c31 gklayout!nsFrameList::DestroyFrames+0x37
0012ecc8 026e311e gklayout!nsContainerFrame::Destroy+0x31
0012ecd4 02660516 gklayout!ViewportFrame::Destroy+0x1e
0012ecec 02601c35 gklayout!nsFrameManager::Destroy+0x76
0012ed50 0262a3c9 gklayout!PresShell::Destroy+0x435
0012ed80 026235d2 gklayout!DocumentViewerImpl::DestroyPresShell+0xd9
0012edc4 03474812 gklayout!DocumentViewerImpl::Hide+0x182
0012edd8 026f0151 docshell!nsDocShell::SetVisibility+0x62
0012ee18 026effef gklayout!nsSubDocumentFrame::HideViewer+0x151
quit:
Another URL where this crashes: http://jb.panjk.com/200703/200703105799.shtml

Crashes the debug 1.9.1 build on load, and 1.9.1 opt builds after a little while. CrashReporter ID for the opt build crash: http://crash-stats.mozilla.com/report/index/bp-1d0fdc9f-2302-46e5-9a21-1d0c82091223
Mats: how is the fix for this blocker coming?
It was fixed on 1.9.2 in the range 2009-11-19-03 -- 2009-11-20-03: http://hg.mozilla.org/releases/mozilla-1.9.2/pushloghtml?fromchange=a2af57fed584&tochange=978fa137b516 Bug 528493 is in that range. Applying the "1.9.1 rollup" patch in that bug to my local 1.9.1 debug build makes the crash go away.
Depends on: 528493
OS: Windows XP → All
Hardware: x86 → All
Whiteboard: [sg:critical?] → [sg:critical?] fixed by 529493
Whiteboard: [sg:critical?] fixed by 529493 → [sg:critical?] fixed by 528493
qawanted: Assuming fixed now that bug 528493 has landed on the 1.9.1 branch -- needs verification.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Verified fixed for 1.9.1 with 3.5.8pre debug build on XP: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8pre) Gecko/20100202 Shiretoko/3.5.8pre (.NET CLR 3.5.30729). There was no crash and I observed the same crash on my pre-fix debug build on the same machine.
Keywords: qawantedverified1.9.1
Flags: wanted1.9.0.x?
Whiteboard: [sg:critical?] fixed by 528493 → [sg:critical?] fixed by 528493 [need to know if this affects 1.9.0.x]
Group: core-security
Crash Signature: [@ nsSupportsArray::Clear]