crash [@ strlen | nsACString_internal::Assign(char const*, unsigned int) ] [@ free | nsPluginInstanceOwner::~nsPluginInstanceOwner() ]

RESOLVED DUPLICATE of bug 575836

Status


--
critical
RESOLVED DUPLICATE of bug 575836
9 years ago
8 years ago

People

(Reporter: al_9x, Assigned: benjamin)

Tracking

({crash, regression})

1.9.2 Branch
x86
Windows XP
crash, regression
Points:
---

Firefox Tracking Flags

(blocking2.0 beta3+)

Details

(Whiteboard: [sg:dupe 575836], crash signature, URL)

(Reporter)

Description

9 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.7) Gecko/20100713 Firefox/3.6.7
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.7) Gecko/20100713 Firefox/3.6.7

new profile, default settings, no extensions
no crash in 3.6.6

Reproducible: Always
(Reporter)

Comment 1

9 years ago
QuickTime 7.66.71.0
Confirmed, the page loads in 3.6.6, and it consistently crashes on 3.6.7, using QT 7.6.6.0.

http://crash-stats.mozilla.com/report/index/f977caff-3bfc-4dd6-9afb-be9582100721
Status: UNCONFIRMED → NEW
blocking1.9.2: --- → ?
Ever confirmed: true
Keywords: regression
Summary: Fx 3.6.7 regression: page with quicktime crashes Fx → crash [@ strlen | nsACString_internal::Assign(char const*, unsigned int) ]

Comment 3

9 years ago
Signature	strlen | nsACString_internal::Assign(char const*, unsigned int)
UUID	f977caff-3bfc-4dd6-9afb-be9582100721
Time 	2010-07-21 22:33:16.106393
Uptime	15
Install Age	1115 seconds (18.6 minutes) since version was first installed.
Product	Firefox
Version	3.6.7
Build ID	20100713130626
Branch	1.9.2
OS	Windows NT
OS Version	5.1.2600 Service Pack 3
CPU	x86
CPU Info	GenuineIntel family 6 model 23 stepping 6
Crash Reason	EXCEPTION_ACCESS_VIOLATION
Crash Address	0x464
User Comments	open keynotes on itunes, crash
Processor Notes 	
EMCheckCompatibility	False

Crashing Thread
Frame 	Module 	Signature 	Source
0 	mozcrt19.dll 	strlen 	strlen.asm:81
1 	xul.dll 	nsACString_internal::Assign 	xpcom/string/src/nsTSubstring.cpp:352
2 	xul.dll 	nsCString::nsCString 	obj-firefox/dist/include/nsTString.h:86
3 	xul.dll 	mozilla::plugins::NullableString 	obj-firefox/dist/include/mozilla/plugins/PluginMessageUtils.h:256

npqtplugin.dll  	7.6.6.0  	CC100D73B2F7483198E611E7D32B679D1  	npqtplugin.pdb
Severity: normal → critical
Component: Security → Plug-ins
Keywords: crash
Product: Firefox → Core
QA Contact: firefox → plugins
Version: unspecified → 1.9.2 Branch
(Assignee)

Comment 4

9 years ago
cjones, did you happen to change serialization or something related between 3.6.6 and 3.6.7?
Assignee: nobody → benjamin
(Assignee)

Comment 5

9 years ago
Hrm, I got http://crash-stats.mozilla.com/report/index/da4fa239-c30c-4b6c-babf-a70cd2100722 which is [@ free | nsPluginInstanceOwner::~nsPluginInstanceOwner() ]
(Assignee)

Comment 6

9 years ago
But I have it in recording, and so this is probably the same as bug 581020.
Blocks: 581020
(Assignee)

Comment 7

9 years ago
This is caused by a logical mismatch in nsPluginInstanceOwner::EnsureCachedAttrParamArrays

http://mxr.mozilla.org/mozilla1.9.2/source/layout/generic/nsObjectFrame.cpp?mark=3590-3595,3651-3655#3584

If there is a data="" parameter, the block at 3590 will increment mNumCachedAttrs but data is an empty string. The condition at 3651 will not be true and nextAttrParamIndex will become out of sync with reality.

This logic error was made worse in bug 572985 because the subsequent hunks for cached param values are now using nextAttrParamIndex and not mNumCachedAttrs + 1 + c.
Blocks: 572985
blocking2.0: --- → beta3+
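The count-versus-fill mismatch described in comment 7, as an added illustration rather than Gecko's own code: the `Attr`/`AttrCache` types, `buildCache` and `unfilledSlotsFor` are hypothetical stand-ins for the real cached attr/param arrays. With `fixed == false` the two passes use different conditions for the `data` attribute and a slot is left `nullptr` (the kind of value that later reaches `strlen` through a string constructor); with `fixed == true` one predicate drives both passes.

```cpp
#include <cstddef>
#include <string>
#include <vector>
// Hypothetical stand-in for the cached attr/param arrays (not Gecko code): a count
// pass sizes the arrays, then a fill pass writes them through a running index.
struct Attr { std::string name; std::string value; };
struct AttrCache {
    std::vector<const char*> names;   // nullptr means the slot was never written
    std::vector<const char*> values;
};

// Builds the cache the way comment 7 describes. With fixed == false the count pass
// counts "data" whenever the attribute is present, but the fill pass only writes it
// when non-empty, so nextAttrParamIndex falls one behind and the last slot stays
// nullptr. With fixed == true one predicate drives both passes, so they agree.
static AttrCache buildCache(const std::vector<Attr>& attrs, bool hasData,
                            const std::string& data, bool fixed) {
    size_t numCachedAttrs = attrs.size() + (hasData ? 1 : 0);   // count pass
    AttrCache c;
    c.names.assign(numCachedAttrs, nullptr);
    c.values.assign(numCachedAttrs, nullptr);
    size_t nextAttrParamIndex = 0;                              // fill pass
    bool writeData = fixed ? hasData : !data.empty();           // the mismatch lives here
    if (writeData) {
        c.names[nextAttrParamIndex] = "data";
        c.values[nextAttrParamIndex++] = data.c_str();
    }
    for (const Attr& a : attrs) {
        c.names[nextAttrParamIndex] = a.name.c_str();
        c.values[nextAttrParamIndex++] = a.value.c_str();
    }
    return c;
}

// Consistency check a consumer should run before handing slots to a string
// constructor: a nullptr here is what feeds a strlen(NULL)-style crash.
static size_t unfilledSlots(const AttrCache& c) {
    size_t n = 0;
    for (size_t i = 0; i < c.names.size(); ++i)
        if (c.names[i] == nullptr || c.values[i] == nullptr) ++n;
    return n;
}

// Constructed scenario: an <object> carrying width/height plus a data attribute.
size_t unfilledSlotsFor(bool fixed, const char* data) {
    std::vector<Attr> attrs = {{"width", "100"}, {"height", "50"}};
    std::string dataStr = data;
    return unfilledSlots(buildCache(attrs, true, dataStr, fixed));
}
```

With `data=""` the buggy shape leaves exactly one slot unfilled while the fixed shape leaves none; with a non-empty `data` both shapes happen to agree, which is why the bug only shows on pages carrying an empty `data` attribute.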
(Assignee)

Updated

9 years ago
Summary: crash [@ strlen | nsACString_internal::Assign(char const*, unsigned int) ] → crash [@ strlen | nsACString_internal::Assign(char const*, unsigned int) ] [@ free | nsPluginInstanceOwner::~nsPluginInstanceOwner() ]
(Assignee)

Updated

9 years ago
Duplicate of this bug: 581020
(Assignee)

Updated

9 years ago
Group: core-security
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 575836

Updated

9 years ago
No longer blocks: 572985
blocking1.9.2: ? → ---
Whiteboard: [sg:dupe 575836]
Whiteboard: [sg:dupe 575836] → [sg:dupe 575836][regression-from: 572985]
Whiteboard: [sg:dupe 575836][regression-from: 572985] → [sg:dupe 575836]
NM, wrong bug.
Group: core-security
Crash Signature: [@ strlen | nsACString_internal::Assign(char const*, unsigned int) ] [@ free | nsPluginInstanceOwner::~nsPluginInstanceOwner() ]