Investigate crash [@ gfxFontGroup::FontListLength]
8 years ago
3 years ago


(Reporter: bsterne, Assigned: sicking)


Windows XP

Firefox Tracking Flags

(blocking2.0 final+, status1.9.2 unaffected, status1.9.1 unaffected)


(Whiteboard: [sg:critical?][fix-range-wanted])


(1 attachment)



8 years ago
Created attachment 473216
testcase (crashes Fx4b4)

wushi reported the following Firefox 4 beta 4 crash to security@m.o:


    There is another bug I found; the stack is like this:

101c6e02 8b4020          mov     eax,dword ptr [eax+20h] ds:0023:f0de801f=????????
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012cccc 100826ad xul!JS_ClearScriptTraps+0x302
0012cdb8 10052d85 xul!gfxFontGroup::FontListLength+0x45f4
0012cde4 1005e6b6 xul!gfxFont::Measure+0x71c5
0012ce0c 1006dd44 xul!gfxTextRun::SetSpaceGlyph+0x47d6
0012ce10 10030e17 xul!gfxContext::RoundedRectangle+0x4dc4
0012ce24 1006dd67 xul!gfxTextRun::GetAdvanceWidth+0xb17
0012ce3c 1006dd67 xul!gfxContext::RoundedRectangle+0x4de7

maybe you need to refresh a few times.

Blocking on the investigation. This is likely a gfx bug, not a JS bug - link-time optimization probably put the symbols in the same place.
Assignee: nobody → jdaggett
blocking2.0: --- → final+
Joe, can you find a different owner than John?  I suspect he's a bit overloaded at the moment.  Maybe Kew?


8 years ago
Summary: Investigate crash [@JS_ClearScriptTraps] → Investigate crash [@ gfxFontGroup::FontListLength]
Assignee: jdaggett → jfkthame
I'm not at all sure this is a gfx crash; certainly not anything to do with gfxFontGroup::FontListLength, which is a one-line (virtual) function - an offset of 0x45f4 from there means something quite unrelated.

The testcase doesn't load for me - it reports an XML parse error:
  XML Parsing Error: no element found
  Line Number 109, Column 1:

Reloading repeatedly, I can occasionally get some text displayed, along with a message about missing plugins (but trying to proceed with installing the Java Runtime Environment failed in my current build, at least). Or sometimes I get the XML parse error, along with the missing plugins notification.

Given the inconsistency - sometimes the testcase appears to load, often it gives me an XML parse error - I'd guess we should be looking for some kind of instability or indeterminate behavior on the parsing or content side of things.
QA will look into this a bit more to try to repro.
marcia will work on trying to reproduce this.
Using Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101019 Firefox/4.0b8pre, I am not able to reproduce this. I tried refreshing the page several times. I also tried on a few other machines and have not had any luck yet.
Jonas, can you please try to load the attachment Kew's referring to in comment 3 and figure out where the parse errors are coming from?  Just need to pull this apart and find the real issue.
Assignee: jfkthame → jonas

Comment 9

8 years ago
Jonas, can you spend some time on this, see if we can figure out why we randomly get an XML error?

Comment 11

8 years ago
The XML-parsing inconsistency seems like bug 322034 + bug 521378.  The root element in the testcase is unclosed.

Other than that, sounds like WFM on trunk. Same for you, wushi?
Last Resolved: 8 years ago
Resolution: --- → WORKSFORME

Comment 12

8 years ago
It seems patched. I remember it caused a crash in 4b4. Next time maybe I should upload the memory dump file. By the way, can finding vulns in beta versions get rewards?

Comment 13

8 years ago
Vulnerabilities in beta versions can get rewards, yes.

I'm not sure what to do in this case: we supposedly fixed it in another bug report, but since we don't know which bug report it was, we don't know whether your bug report predated that one.

Comment 14

8 years ago
That's OK, I ask this because I have other vulns in the beta version (tested on 4b7).
I will find them out in a few days.

wushi asked if this was patched on 11/3, prior to the b7 release. If he's testing betas, that means b6 released back in September. b6 only fixed a few things, so most likely the bug was fixed in b5, which was released the day the bug was filed. In that scenario it sounds like a pre-existing bug and not eligible for the bounty.

If wushi's testing nightlies now and the bug was only fixed in late Octoberish then this bug quite possibly predates whatever other bug fixed the problem and may qualify for the bounty.

wushi: next steps if you're interested in the bounty.
1) see if your bug crashes in b5 and b6. If it doesn't it may not be worth pursuing further.
2) if it does, see if you can narrow the nightly fix range using builds from and from there we'll try to figure out which bug fixed it.
Whiteboard: [sg:critical?] → [sg:critical?][fix-range-wanted]
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected


3 years ago
Group: core-security → core-security-release
Group: core-security-release