Closed Bug 607305 Opened 14 years ago Closed 12 years ago

Crash with Adblock plus [@ PL_DHashTableOperate][@ PL_DHashTableOperate | nsScriptSecurityManager::LookupPolicy] at crash address 0x2c8

Product/Component: Core :: Security: CAPS
Type: defect
Platform: x86, Windows 7
Priority: Not set
Severity: critical
Status: RESOLVED DUPLICATE of bug 606667
Reporter: scoobidiver
Assignee: Unassigned
Keywords: crash, regression

It is a new crash signature.
It happens only with Adblock plus.
It is #43 top crasher in 4.0b8pre for the last week.

Signature	PL_DHashTableOperate
UUID	878eef07-5092-45e0-b379-0b9d92101026
Time 	2010-10-26 03:39:25.604585
Uptime	499630
Last Crash	1622695 seconds (2.7 weeks) before submission
Install Age	499630 seconds (5.8 days) since version was first installed.
Product	Firefox
Version	4.0b8pre
Build ID	20101020045139
Branch	2.0
OS	Windows NT
OS Version	6.1.7600
CPU	x86
CPU Info	GenuineIntel family 6 model 23 stepping 7
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x2c8
App Notes 	AdapterVendorID: 10de, AdapterDeviceID: 0e22

Frame 	Module 	Signature 	Source
0 	xul.dll 	PL_DHashTableOperate 	obj-firefox/xpcom/build/pldhash.c:615

More reports at:
http://crash-stats.mozilla.com/report/list?range_value=4&range_unit=weeks&signature=PL_DHashTableOperate&version=Firefox%3A4.0b8pre
First occurrence seems to be 20101019041714 build. All reports list 0x2c8 as crash address (null pointer dereference?), crashing at
http://hg.mozilla.org/mozilla-central/annotate/26c47ba8064f/xpcom/glue/pldhash.c#l615. I found one report without extensions (http://crash-stats.mozilla.com/report/index/c7be0895-c36a-493a-92ff-46ad52101026) which might indicate that Adblock Plus only makes this crash more likely. Others have Adblock Plus installed - either version 1.2.2 or 1.3b, doesn't seem to matter.

Unfortunately, the stack is missing. Is there any way to get some more info on where the crash is coming from?
bp-5bdf503e-e09a-47b0-802f-751c72101022 is the same crash and has extensions - but no Adblock Plus. That's the only one, all other reports either mention Adblock Plus or have no extensions at all.
bp-c7be0895-c36a-493a-92ff-46ad52101026 had a .dmp, and there's really no stack trace that windbg can make out. sorry.
Having NoScript installed and using the SuperGenPass bookmarklet on a site with password fields I can reliably trigger a crash with the same signature with the latest nightly builds.
I believe this might be related also because there are some similarities between ABP and NS (and both were affected by the introduction of compartments).
Automated crash reports from two different machines running different OS on new profiles with only the latest dev version of the NoScript add-on installed:

on Windows 7
http://crash-stats.mozilla.com/report/index/91102161-b161-46c1-9392-943622101116
http://crash-stats.mozilla.com/report/index/5001ccb4-be91-405e-9e72-c7eee2101116

on Ubuntu
http://crash-stats.mozilla.com/report/index/38b56af8-02df-42ec-93cc-b04232101116
Summary: crash with Adblock plus [@ PL_DHashTableOperate ] → Crash with Adblock plus [@ PL_DHashTableOperate ] at crash address 0x2c8
Signature	PL_DHashTableOperate | nsScriptSecurityManager::LookupPolicy
UUID	38b56af8-02df-42ec-93cc-b04232101116
Time 	2010-11-16 06:25:03.557417
Uptime	14
Last Crash	72 seconds before submission
Install Age	76194 seconds (21.2 hours) since version was first installed.
Product	Firefox-4.0
Version	4.0b8pre
Build ID	20101112074138
OS	Linux
OS Version	0.0.0 Linux 2.6.37-3-generic-pae #11-Ubuntu SMP Fri Nov 12 02:27:02 UTC 2010 i686
CPU	x86
CPU Info	GenuineIntel family 6 model 15 stepping 13
Crash Reason	SIGSEGV
Crash Address	0x24
User Comments	SuperGenPass bookmarklet
Processor Notes 	
EMCheckCompatibility	False
Crashing Thread
Frame 	Module 	Signature 	Source
0 	libxul.so 	PL_DHashTableOperate 	pldhash.c:615
1 	libxul.so 	nsScriptSecurityManager::LookupPolicy 	nsScriptSecurityManager.cpp:1216
2 	libxul.so 	nsScriptSecurityManager::CheckPropertyAccessImpl 	nsScriptSecurityManager.cpp:721
3 	libxul.so 	nsScriptSecurityManager::CanAccess 	nsScriptSecurityManager.cpp:3177
4 	libxul.so 	XPCWrappedNative::CallMethod 	xpcwrappednative.cpp:2258
5 	libxul.so 	XPCWrappedNative::GetAttribute 	xpcprivate.h:2646
6 	libxul.so 	XPC_WN_GetterSetter 	xpcwrappednativejsops.cpp:1636
7 	libxul.so 	js::Invoke 	jscntxtinlines.h:684
8 	libxul.so 	js::ExternalInvoke 	jsinterp.cpp:881
9 	libxul.so 	js::ExternalGetOrSet 	jsinterp.h:954
10 	libxul.so 	js_GetProperty 	jsscopeinlines.h:246
11 	libxul.so 	JSWrapper::get 	jsobj.h:1075
12 	libxul.so 	js::proxy_GetProperty 	jsproxy.cpp:763
13 	libxul.so 	InlineGetProp 	jsobj.h:1075
14 	libxul.so 	js::mjit::stubs::GetProp 	StubCalls.cpp:1997
15 		@0xad451109 	
16 	libxul.so 	js::mjit::JaegerShot 	MethodJIT.cpp:739
17 	libxul.so 	js::Invoke 	jsinterp.cpp:662
18 	libxul.so 	js_fun_apply 	jsfun.cpp:2341
19 		@0xae5b6194 	
20 	libxul.so 	js::mjit::JaegerShot 	MethodJIT.cpp:739
21 	libxul.so 	js::Invoke 	jsinterp.cpp:662
22 	libxul.so 	js::ExternalInvoke 	jsinterp.cpp:881
23 	libxul.so 	JS_CallFunctionValue 	jsinterp.h:954
24 	libxul.so 	nsXPCWrappedJSClass::CallMethod 	xpcwrappedjsclass.cpp:1694
25 	libxul.so 	nsXPCWrappedJS::CallMethod 	xpcwrappedjs.cpp:577
26 	libxul.so 	PrepareAndDispatch 	xptcstubs_gcc_x86_unix.cpp:95
27 	libxul.so 	nsEventListenerManager::HandleEventSubType 	nsEventListenerManager.cpp:1112
28 	libxul.so 	nsEventListenerManager::HandleEventInternal 	nsEventListenerManager.cpp:1208
29 	libxul.so 	nsEventTargetChainItem::HandleEvent 	nsEventDispatcher.cpp:212
30 	libxul.so 	nsEventTargetChainItem::HandleEventTargetChain 	nsEventDispatcher.cpp:341
sounds like a domain policy got killed and caps got confused
Component: Extension Compatibility → Security: CAPS
Product: Firefox → Core
QA Contact: extension.compatibility → caps
Summary: Crash with Adblock plus [@ PL_DHashTableOperate ] at crash address 0x2c8 → Crash with Adblock plus [@ PL_DHashTableOperate][@ PL_DHashTableOperate | nsScriptSecurityManager::LookupPolicy] at crash address 0x2c8
Crash Signature: [@ PL_DHashTableOperate] [@ PL_DHashTableOperate | nsScriptSecurityManager::LookupPolicy]
Depends on: 716345
Status: NEW → RESOLVED
Crash Signature: [@ PL_DHashTableOperate] [@ PL_DHashTableOperate | nsScriptSecurityManager::LookupPolicy] → [@ PL_DHashTableOperate] [@ PL_DHashTableOperate | nsScriptSecurityManager::LookupPolicy(nsIPrincipal*, ClassInfoData&, int, unsigned int, ClassPolicy**, SecurityLevel*)]
Closed: 12 years ago
Resolution: --- → DUPLICATE