Closed Bug 604900 Opened 10 years ago Closed 9 years ago

Poison-frame crash [@ nsPluginInstanceOwner::ReleasePluginPort]

Categories

(Core :: Plug-ins, defect)

x86
Windows Vista
defect
Not set
critical

Tracking


RESOLVED INCOMPLETE
Tracking Status
status1.9.2 --- wanted
status1.9.1 --- unaffected

People

(Reporter: bc, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, reproducible, Whiteboard: [sg:dos (critical w/out frame-poisoning)])

Crash Data

1. http://www.cebichetv.com/2010/05/telefutura-en-vivo-por-internet.html
2. crash 1.9.2, 2.0.0 *Windows Vista*, not XP, Linux or Mac OS X. Don't know about Windows 7.

FramePoisonBase = 00000000f0de0000

2.0.0:

Operating system: Windows NT
                  6.0.6002 Service Pack 2
CPU: x86
     GenuineIntel family 6 model 44 stepping 2
     1 CPU

Crash reason:  EXCEPTION_ACCESS_VIOLATION
Crash address: 0xfffffffff0de8043

Thread 0 (crashed)
 0  xul.dll!nsCOMPtr<nsIWidget>::get() [nsCOMPtr.h : 800 + 0x3]
    eip = 0x678a0aba   esp = 0x0015c168   ebp = 0x0015c16c   ebx = 0x05ef03e0
    esi = 0x00000000   edi = 0x0c5742a0   eax = 0xf0de8043   ecx = 0xf0de8043
    edx = 0x00000000   efl = 0x00010292
    Found by: given as instruction pointer in context
 1  xul.dll!nsCOMPtr<nsIWidget>::operator nsIWidget *() [nsCOMPtr.h : 813 + 0x7]
    eip = 0x679374cf   esp = 0x0015c174   ebp = 0x0015c178
    Found by: call frame info
 2  xul.dll!nsPluginInstanceOwner::ReleasePluginPort(void *) [nsObjectFrame.cpp : 6129 + 0xa]
    eip = 0x6810bbf4   esp = 0x0015c180   ebp = 0x0015c188
    Found by: call frame info
 3  xul.dll!nsObjectFrame::CallSetWindow() [nsObjectFrame.cpp : 1134 + 0x18]
    eip = 0x68102ba0   esp = 0x0015c190   ebp = 0x0015c218
    Found by: call frame info
 4  xul.dll!nsObjectFrame::ReflowFinished() [nsObjectFrame.cpp : 986 + 0xa]
    eip = 0x681025c9   esp = 0x0015c220   ebp = 0x0015c224
    Found by: call frame info

1.9.2:

Operating system: Windows NT
                  6.0.6002 Service Pack 2
CPU: x86
     GenuineIntel family 6 model 44 stepping 2
     1 CPU

Crash reason:  EXCEPTION_ACCESS_VIOLATION
Crash address: 0xfffffffff0de804b

Thread 0 (crashed)
 0  xul.dll!nsCOMPtr<nsIWidget>::get() [nsCOMPtr.h : 777 + 0x3]
    eip = 0x6674176a   esp = 0x00274a50   ebp = 0x00274a54   ebx = 0x00000000
    esi = 0xffffc400   edi = 0x00000000   eax = 0xf0de804b   ecx = 0xf0de804b
    edx = 0x00000000   efl = 0x00210296
    Found by: given as instruction pointer in context
 1  xul.dll!nsCOMPtr<nsIWidget>::operator nsIWidget *() [nsCOMPtr.h : 790 + 0x7]
    eip = 0x66a7d01f   esp = 0x00274a5c   ebp = 0x00274a60
    Found by: call frame info
 2  xul.dll!nsPluginInstanceOwner::ReleasePluginPort(nsPluginPort *) [nsObjectFrame.cpp : 5707 + 0xa]
    eip = 0x67005804   esp = 0x00274a68   ebp = 0x00274a70
    Found by: call frame info
 3  xul.dll!nsObjectFrame::CallSetWindow() [nsObjectFrame.cpp : 1110 + 0x18]
    eip = 0x66ffd33e   esp = 0x00274a78   ebp = 0x00274ab8
    Found by: call frame info
 4  xul.dll!nsObjectFrame::DidReflow(nsPresContext *,nsHTMLReflowState const *,int) [nsObjectFrame.cpp : 1202 + 0x7]
    eip = 0x66ffd6b1   esp = 0x00274ac0   ebp = 0x00274adc
    Found by: call frame info

I picked Core:Layout over Core:Plugins due to the apparent frame-poisoned crashing address. Sensitive for the same reason.
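Both crash addresses above (0xf0de8043 and 0xf0de804b) sit a few kilobytes past FramePoisonBase, which is what marks this as a dereference of a freed, poisoned frame rather than a random bad pointer: the poison fill points into a reserved, unmapped region, so the access faults deterministically, which is why the whiteboard rates it sg:dos with poisoning and critical without it. As an added triage helper, not part of this bug's report or of Mozilla's own tooling, the Python script below pulls the relevant fields out of a minidump_stackwalk dump and reports whether the faulting address lies inside the poisoned region. The size of that region is an assumption (the page only gives the base), and the two sample dumps are constructed from the values in the report plus a null-dereference control.

```python
import re

# Constructed sample, not part of the bug report's text: the FramePoisonBase and
# crash-address lines as printed in the 2.0.0 minidump_stackwalk output above.
SAMPLE_POISONED = """\
FramePoisonBase = 00000000f0de0000

Crash reason:  EXCEPTION_ACCESS_VIOLATION
Crash address: 0xfffffffff0de8043
"""

# Constructed control sample: an ordinary null dereference in the same format.
SAMPLE_NULL_DEREF = """\
FramePoisonBase = 00000000f0de0000

Crash reason:  EXCEPTION_ACCESS_VIOLATION
Crash address: 0x0
"""

# Assumption (the page gives only the base): the poisoned region is taken to span
# this many bytes starting at FramePoisonBase. Adjust to the build's real value.
POISON_REGION_SIZE = 1 << 20

_BASE_RE = re.compile(r"^FramePoisonBase\s*=\s*([0-9a-fA-F]+)\s*$", re.M)
_ADDR_RE = re.compile(r"^Crash address:\s*(0x[0-9a-fA-F]+)\s*$", re.M)
_REASON_RE = re.compile(r"^Crash reason:\s*(\S+)\s*$", re.M)


def parse_crash_fields(dump):
    """Extract FramePoisonBase, the faulting address and the crash reason."""
    base = _BASE_RE.search(dump)
    addr = _ADDR_RE.search(dump)
    reason = _REASON_RE.search(dump)
    if not (base and addr):
        raise ValueError("dump lacks FramePoisonBase or Crash address")
    return {
        "poison_base": int(base.group(1), 16),
        "crash_address": int(addr.group(1), 16),
        "reason": reason.group(1) if reason else None,
    }


def to_32bit(addr):
    # The dump prints the x86 faulting address sign-extended to 64 bits
    # (0xfffffffff0de8043) while eax/ecx hold the 32-bit value 0xf0de8043;
    # compare in the crashed process's native width.
    return addr & 0xFFFFFFFF


def poison_offset(crash_address, poison_base, region_size=POISON_REGION_SIZE):
    """Offset of crash_address into the poisoned region, or None if outside it."""
    a = to_32bit(crash_address)
    b = to_32bit(poison_base)
    if b <= a < b + region_size:
        return a - b
    return None


def classify_crash(dump, region_size=POISON_REGION_SIZE):
    """Parse a dump and attach a frame-poison verdict to the extracted fields."""
    fields = parse_crash_fields(dump)
    offset = poison_offset(fields["crash_address"], fields["poison_base"], region_size)
    fields["frame_poisoned"] = offset is not None
    fields["poison_offset"] = offset
    return fields


if __name__ == "__main__":
    for name, dump in (("poisoned", SAMPLE_POISONED), ("null-deref", SAMPLE_NULL_DEREF)):
        r = classify_crash(dump)
        if r["frame_poisoned"]:
            verdict = "frame-poisoned (offset 0x%x into poison region)" % r["poison_offset"]
        else:
            verdict = "not in poison region"
        print(f"{name}: {r['reason']} at {r['crash_address']:#x} -> {verdict}")
```

Run it against a full minidump_stackwalk text and the verdict tells you whether to triage the report as a poisoned-frame use-after-free (a crash on an unmapped poison page) or as some other access violation; the 32-bit masking matters because the tool sign-extends the faulting address while FramePoisonBase is printed zero-extended.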
Does it have to be run in the sisyphus framework like another recent bug? Fwiw I don't crash on a trunk nightly running on a Windows 7 starter-edition (netbook). It's also possible the page changed. Other than all the flash content it doesn't seem like a complicated page.
I take all of comment 1 back -- while I was writing that comment the netbook crashed behind my back just sitting on that page.
bp-f535fdf8-eabe-4192-add7-8a04e2101019

Different stack--[@ nsPluginInstanceOwner::ReleasePluginPort(void*)]--so maybe a different bug, but it is also a frame-poisoned address (crash-stats links to bug 562442, but there's not much in that one).
Also seeing the crash in 1.9.2 like bclary, but can't reproduce in 1.9.1

bp-e7ede334-2b63-48c0-9391-786822101019 (nsPluginInstanceOwner::Paint)
bp-da9d0739-60bc-4f3e-ba68-30eef2101019 (nsPluginInstanceOwner::ReleasePluginPort)
Component: Layout → Plug-ins
QA Contact: layout → plugins
Summary: Crash [@ nsCOMPtr<nsIWidget>::get()] during reflow at frame-poisoned address → Poison-frame crash [@ nsPluginInstanceOwner::ReleasePluginPort]
dveditz's stack and bc's stack are the same except that some nsCOMPtr functions were inlined in dveditz's build.
Whiteboard: [sg:dos (critical w/out frame-poisoning)]
(In reply to comment #1)
> Does it have to be run in the sisyphus framework like another recent bug?

I guess not re comment 2 but does appear to be Vista or Windows 7 only.
Update crash bugs to critical per guidelines.
Severity: normal → critical
Crash Signature: [@ nsPluginInstanceOwner::ReleasePluginPort]
Assignee: nobody → joshmoz
Reported URL is no longer valid.
Group: core-security
Assignee: joshmoz → nobody
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE