Closed Bug 608307 Opened 15 years ago Closed 15 years ago

Crash [@ varying signatures]

Categories

(Core :: General, defect)

defect
Not set
major

RESOLVED WORKSFORME

People

(Reporter: bc, Assigned: mounir)

Details

(Keywords: crash, Whiteboard: [sg:critical?])

Attachments

(5 files)

1. http://www.playground.ru/server/left4dead/
2. crash 1.9.1/1.9.2/2.0.0 windows, mac, linux / intel, ppc

sensitive due to all of the different stacks I am seeing.

xp for 1.9.1

Operating system: Windows NT 5.1.2600 Service Pack 3
CPU: x86 GenuineIntel family 6 model 44 stepping 2
     1 CPU

Crash reason: EXCEPTION_ACCESS_VIOLATION_EXEC
Crash address: 0xffffffffe281f855

Thread 0 (crashed)
 0  0xe281f855
    eip = 0xe281f855 esp = 0x0012d108 ebp = 0x0012d114 ebx = 0x7ffdf000
    esi = 0x01c5b640 edi = 0x00000000 eax = 0xe281f855 ecx = 0x10b16be7
    edx = 0x06f8a178 efl = 0x00050206
    Found by: given as instruction pointer in context
 1  xul.dll!nsRefPtr<nsGeolocationService>::operator=(nsGeolocationService *) [nsAutoPtr.h : 1003 + 0xb]
    eip = 0x10471a43 esp = 0x0012d11c ebp = 0x0012d124
    Found by: previous frame's frame pointer
 2  xul.dll!nsGeolocation::nsGeolocation(nsIDOMWindow *) [nsGeolocation.cpp : 594 + 0x10]
    eip = 0x10470a68 esp = 0x0012d12c ebp = 0x0012d158
    Found by: call frame info
 3  xul.dll!nsNavigator::GetGeolocation(nsIDOMGeoGeolocation * *) [nsGlobalWindow.cpp : 9800 + 0x23]
    eip = 0x10616b9f esp = 0x0012d160 ebp = 0x0012d17c
    Found by: call frame info
 4  xul.dll!NS_InvokeByIndex_P [xptcinvoke.cpp : 102 + 0x2]
    eip = 0x10e56c37 esp = 0x0012d184 ebp = 0x0012d190
    Found by: call frame info
 5  xul.dll!XPCWrappedNative::CallMethod(XPCCallContext &,XPCWrappedNative::CallMode) [xpcwrappednative.cpp : 2456 + 0x1f]
    eip = 0x1006fd7a esp = 0x0012d198 ebp = 0x0012d4a8
    Found by: call frame info
 6  xul.dll!XPCWrappedNative::GetAttribute(XPCCallContext &) [xpcprivate.h : 2324 + 0xd]
    eip = 0x100810de esp = 0x0012d4b0 ebp = 0x0012d4b8
    Found by: call frame info
 7  xul.dll!XPC_WN_GetterSetter(JSContext *,JSObject *,unsigned int,int *,int *) [xpcwrappednativejsops.cpp : 1622 + 0xb]
    eip = 0x100810a5 esp = 0x0012d4c0 ebp = 0x0012d588
    Found by: call frame info
 8  js3250.dll!js_Invoke [jsinterp.cpp : 1386 + 0x19]
    eip = 0x006973e6 esp = 0x0012d590 ebp = 0x0012d674
    Found by: call frame info
 9  js3250.dll!js_InternalInvoke [jsinterp.cpp : 1447 + 0x14]
    eip = 0x00697cf2 esp = 0x0012d67c ebp = 0x0012d698
    Found by: call frame info
10  js3250.dll!js_InternalGetOrSet [jsinterp.cpp : 1510 + 0x1e]
    eip = 0x00697ff5 esp = 0x0012d6a0 ebp = 0x0012d6cc
    Found by: call frame info

1.9.2 winxp ( and similar mac os x )

Operating system: Windows NT 5.1.2600 Service Pack 3
CPU: x86 GenuineIntel family 6 model 44 stepping 2
     1 CPU

Crash reason: EXCEPTION_ACCESS_VIOLATION_READ
Crash address: 0x10

Thread 0 (crashed)
 0  xul.dll!nsRefPtr<nsGeolocationService>::assign_with_AddRef(nsGeolocationService *) [nsAutoPtr.h : 927 + 0x9]
    eip = 0x104a8936 esp = 0x0012ceec ebp = 0x0012cef4 ebx = 0x00000000
    esi = 0x00000003 edi = 0x00000000 eax = 0x03ac1048 ecx = 0x0000000c
    edx = 0x03ac1048 efl = 0x00210206
    Found by: given as instruction pointer in context
 1  xul.dll!nsRefPtr<nsGeolocationService>::operator=(nsGeolocationService *) [nsAutoPtr.h : 1003 + 0xb]
    eip = 0x104a8073 esp = 0x0012cefc ebp = 0x0012cf04
    Found by: call frame info
 2  xul.dll!nsGeolocation::Init(nsIDOMWindow *) [nsGeolocation.cpp : 757 + 0x10]
    eip = 0x104a7109 esp = 0x0012cf0c ebp = 0x0012cf48
    Found by: call frame info
 3  xul.dll!nsNavigator::GetGeolocation(nsIDOMGeoGeolocation * *) [nsGlobalWindow.cpp : 10068 + 0x1a]
    eip = 0x1066264e esp = 0x0012cf50 ebp = 0x0012cf7c
    Found by: call frame info
 4  xul.dll!NS_InvokeByIndex_P [xptcinvoke.cpp : 102 + 0x2]
    eip = 0x11030cc7 esp = 0x0012cf84 ebp = 0x0012cf90
    Found by: call frame info
 5  xul.dll!XPCWrappedNative::CallMethod(XPCCallContext &,XPCWrappedNative::CallMode) [xpcwrappednative.cpp : 2722 + 0x1f]
    eip = 0x1007aa23 esp = 0x0012cf98 ebp = 0x0012d360
    Found by: call frame info
 6  xul.dll!XPCWrappedNative::GetAttribute(XPCCallContext &) [xpcprivate.h : 2535 + 0xd]
    eip = 0x1008e4ee esp = 0x0012d368 ebp = 0x0012d370
    Found by: call frame info
 7  xul.dll!XPC_WN_GetterSetter(JSContext *,JSObject *,unsigned int,int *,int *) [xpcwrappednativejsops.cpp : 1784 + 0xb]
    eip = 0x1008e4b4 esp = 0x0012d378 ebp = 0x0012d440
    Found by: call frame info
 8  js3250.dll!js_Invoke [jsinterp.cpp : 1360 + 0x16]
    eip = 0x006abe4d esp = 0x0012d448 ebp = 0x0012d51c
    Found by: call frame info
 9  js3250.dll!js_InternalInvoke [jsinterp.cpp : 1423 + 0x14]
    eip = 0x006ac6f2 esp = 0x0012d524 ebp = 0x0012d540
    Found by: call frame info
10  js3250.dll!js_InternalGetOrSet [jsinterp.cpp : 1486 + 0x1e]
    eip = 0x006ac90f esp = 0x0012d548 ebp = 0x0012d56c
    Found by: call frame info

and another dump for same crash

Operating system: Windows NT 5.1.2600 Service Pack 3
CPU: x86 GenuineIntel family 6 model 44 stepping 2
     1 CPU

Crash reason: EXCEPTION_ACCESS_VIOLATION_READ
Crash address: 0x0

Thread 0 (crashed)
 0  js3250.dll!OBJ_SCOPE [jsscope.h : 346 + 0x5]
    eip = 0x00649b88 esp = 0x0012ce44 ebp = 0x0012ce44 ebx = 0x00000001
    esi = 0x00000004 edi = 0x00000000 eax = 0x035540a8 ecx = 0x00000000
    edx = 0x0000cf7c efl = 0x00210216
    Found by: given as instruction pointer in context
 1  js3250.dll!js_LookupPropertyWithFlags [jsobj.cpp : 3758 + 0x8]
    eip = 0x006e5397 esp = 0x0012ce4c ebp = 0x0012cec4
    Found by: call frame info
 2  js3250.dll!js_LookupProperty [jsobj.cpp : 3730 + 0x22]
    eip = 0x006e5336 esp = 0x0012cecc ebp = 0x0012cee4
    Found by: call frame info
 3  xul.dll!nsRefPtr<nsGeolocationService>::assign_with_AddRef(nsGeolocationService *) [nsAutoPtr.h : 927 + 0xd]
    eip = 0x104a893b esp = 0x0012ceec ebp = 0x0012cef4
    Found by: call frame info
 4  xul.dll!nsRefPtr<nsGeolocationService>::operator=(nsGeolocationService *) [nsAutoPtr.h : 1003 + 0xb]
    eip = 0x104a8073 esp = 0x0012cefc ebp = 0x0012cf04
    Found by: call frame info
 5  xul.dll!nsGeolocation::Init(nsIDOMWindow *) [nsGeolocation.cpp : 757 + 0x10]
    eip = 0x104a7109 esp = 0x0012cf0c ebp = 0x0012cf48
    Found by: call frame info
 6  xul.dll!nsNavigator::GetGeolocation(nsIDOMGeoGeolocation * *) [nsGlobalWindow.cpp : 10068 + 0x1a]
    eip = 0x1066264e esp = 0x0012cf50 ebp = 0x0012cf7c
    Found by: call frame info
 7  xul.dll!NS_InvokeByIndex_P [xptcinvoke.cpp : 102 + 0x2]
    eip = 0x11030cc7 esp = 0x0012cf84 ebp = 0x0012cf90
    Found by: call frame info
 8  xul.dll!XPCWrappedNative::CallMethod(XPCCallContext &,XPCWrappedNative::CallMode) [xpcwrappednative.cpp : 2722 + 0x1f]
    eip = 0x1007aa23 esp = 0x0012cf98 ebp = 0x0012d360
    Found by: call frame info
 9  xul.dll!XPCWrappedNative::GetAttribute(XPCCallContext &) [xpcprivate.h : 2535 + 0xd]
    eip = 0x1008e4ee esp = 0x0012d368 ebp = 0x0012d370
    Found by: call frame info
10  xul.dll!XPC_WN_GetterSetter(JSContext *,JSObject *,unsigned int,int *,int *) [xpcwrappednativejsops.cpp : 1784 + 0xb]
    eip = 0x1008e4b4 esp = 0x0012d378 ebp = 0x0012d440
    Found by: call frame info

and xp on 2.0.0

Operating system: Windows NT 5.1.2600 Service Pack 3
CPU: x86 GenuineIntel family 6 model 44 stepping 2
     1 CPU

Crash reason: EXCEPTION_ACCESS_VIOLATION_EXEC
Crash address: 0xffffffffe281f855

Thread 0 (crashed)
 0  0xe281f855
    eip = 0xe281f855 esp = 0x0012c3a4 ebp = 0x0012c3b0 ebx = 0x049e01c0
    esi = 0x070d3dcc edi = 0xffff0007 eax = 0xe281f855 ecx = 0x1129716c
    edx = 0x078acec8 efl = 0x00010202
    Found by: given as instruction pointer in context
 1  xul.dll!nsRefPtr<nsGeolocationService>::operator=(nsGeolocationService *) [nsAutoPtr.h : 1025 + 0xb]
    eip = 0x10d58063 esp = 0x0012c3b8 ebp = 0x0012c3c0
    Found by: previous frame's frame pointer
 2  xul.dll!nsGeolocation::Init(nsIDOMWindow *) [nsGeolocation.cpp : 922 + 0x10]
    eip = 0x10d56da9 esp = 0x0012c3c8 ebp = 0x0012c404
    Found by: call frame info
 3  xul.dll!nsNavigator::GetGeolocation(nsIDOMGeoGeolocation * *) [nsGlobalWindow.cpp : 10750 + 0x1a]
    eip = 0x10d14f5e esp = 0x0012c40c ebp = 0x0012c438
    Found by: call frame info
 4  xul.dll!NS_InvokeByIndex_P [xptcinvoke.cpp : 102 + 0x2]
    eip = 0x114b45f7 esp = 0x0012c440 ebp = 0x0012c44c
    Found by: call frame info
 5  xul.dll!CallMethodHelper::Invoke() [xpcwrappednative.cpp : 3054 + 0x1b]
    eip = 0x11129368 esp = 0x0012c454 ebp = 0x0012c484
    Found by: call frame info
 6  xul.dll!CallMethodHelper::Call() [xpcwrappednative.cpp : 2321 + 0x7]
    eip = 0x111274af esp = 0x0012c48c ebp = 0x0012c498
    Found by: call frame info
 7  xul.dll!XPCWrappedNative::CallMethod(XPCCallContext &,XPCWrappedNative::CallMode) [xpcwrappednative.cpp : 2285 + 0x15]
    eip = 0x1112723d esp = 0x0012c4a0 ebp = 0x0012c61c
    Found by: call frame info
 8  xul.dll!XPCWrappedNative::GetAttribute(XPCCallContext &) [xpcprivate.h : 2572 + 0xd]
    eip = 0x111160ae esp = 0x0012c624 ebp = 0x0012c62c
    Found by: call frame info
 9  xul.dll!XPC_WN_GetterSetter(JSContext *,unsigned int,jsval_layout *) [xpcwrappednativejsops.cpp : 1678 + 0xb]
    eip = 0x1111606c esp = 0x0012c634 ebp = 0x0012c708
    Found by: call frame info
10  mozjs.dll!js::CallJSNative(JSContext *,int (*)(JSContext *,unsigned int,js::Value *),unsigned int,js::Value *) [jscntxtinlines.h : 652 + 0xe]
    eip = 0x0070c3b4 esp = 0x0012c710 ebp = 0x0012c72c
    Found by: call frame info

mac os x 1.9.1 intel

Operating system: Mac OS X 10.5.8 9L34
CPU: x86 GenuineIntel family 6 model 10 stepping 5
     1 CPU

Crash reason: EXC_BAD_ACCESS / KERN_PROTECTION_FAILURE
Crash address: 0x0

Thread 0 (crashed)
 0  XUL!nsTArray_base::Length() const [nsTArray.h : 66 + 0x5]
    eip = 0x02d0ccfb esp = 0xbfff70b0 ebp = 0xbfff70b8 ebx = 0x035e437c
    esi = 0x0ecc5c60 edi = 0x02ef5a68 eax = 0x00000000 ecx = 0x115bc9b4
    edx = 0x115bc9cc efl = 0x00210282
    Found by: given as instruction pointer in context
 1  XUL!nsGeolocation** nsTArray<nsGeolocation*>::AppendElements<nsGeolocation*>(nsGeolocation* const*, unsigned int) [nsTArray.h : 551 + 0xa]
    eip = 0x035e66fb esp = 0xbfff70c0 ebp = 0xbfff70f8
    Found by: previous frame's frame pointer
 2  XUL!nsGeolocation** nsTArray<nsGeolocation*>::AppendElement<nsGeolocation*>(nsGeolocation* const&) [nsTArray.h : 568 + 0x19]
    eip = 0x035e67a4 esp = 0xbfff7100 ebp = 0xbfff7118
    Found by: previous frame's frame pointer
 3  XUL!nsGeolocationService::AddLocator(nsGeolocation*) [nsGeolocation.cpp : 542 + 0x14]
    eip = 0x035e3805 esp = 0xbfff7120 ebp = 0xbfff7138
    Found by: previous frame's frame pointer
 4  XUL + 0x96e58c
    eip = 0x035e458d esp = 0xbfff7140 ebp = 0xbfff7188
    Found by: previous frame's frame pointer
 5  XUL!nsNavigator::GetGeolocation(nsIDOMGeoGeolocation**) [nsGlobalWindow.cpp : 9800 + 0x26]
    eip = 0x0355de20 esp = 0xbfff7190 ebp = 0xbfff71e8
    Found by: previous frame's frame pointer
 6  XUL!NS_InvokeByIndex_P [xptcinvoke_unixish_x86.cpp : 179 + 0x41]
    eip = 0x03d977bf esp = 0xbfff71f0 ebp = 0xbfff7248
    Found by: previous frame's frame pointer
 7  XUL!XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) [xpcwrappednative.cpp : 2456 + 0x2d]
    eip = 0x02d1fce8 esp = 0xbfff7250 ebp = 0xbfff75b8
    Found by: previous frame's frame pointer
 8  XUL!XPCWrappedNative::GetAttribute(XPCCallContext&) [xpcprivate.h : 2324 + 0x12]
    eip = 0x02d2f32f esp = 0xbfff75c0 ebp = 0xbfff75d8
    Found by: previous frame's frame pointer
 9  XUL!XPC_WN_GetterSetter(JSContext*, JSObject*, unsigned int, long*, long*) [xpcwrappednativejsops.cpp : 1622 + 0xd]
    eip = 0x02d2afc6 esp = 0xbfff75e0 ebp = 0xbfff76d8
    Found by: previous frame's frame pointer
10  libmozjs.dylib!js_Invoke [jsinterp.cpp : 1386 + 0x32]
    eip = 0x00315c71 esp = 0xbfff76e0 ebp = 0xbfff77e8
    Found by: previous frame's frame pointer
1
Assignee: nobody → doug.turner
Whiteboard: [sg:critical?]
Attached file spider.xpi
Attached file playground.ru.list
This file contains the list of crashing urls I am concerned about.
This is a summarized list of the crash signatures I've seen so far with this site.
Attachment #487723 - Attachment mime type: application/octet-stream → text/plain
Setting this to core:general since I really don't think this has anything to do with geolocation.

Steps to reproduce:
1. install spider.xpi extension
2. from command line load url from the playground.ru.list

firefox -spider -url '<insert url here>' -depth 0 -start -quit

The crash occurs when the page times out and the spider tries to shut down the browser.

dveditz: I am concerned this entire site is malware. Can we get Google to take a look?
Assignee: doug.turner → nobody
Component: Geolocation → General
QA Contact: geolocation → general
Summary: Crash [@ nsRefPtr<nsGeolocationService>::operator=(nsGeolocationService *)|nsRefPtr<nsGeolocationService>::assign_with_AddRef(nsGeolocationService *)|OBJ_SCOPE] → Crash [@ varying signatures]
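Added example, not part of the bug report or of Mozilla's crash tooling: a small triage pass over the top frames of three of the Windows dumps quoted above. It reproduces the three signatures from the old summary, finds the frame those stacks share, and labels each fault by access type and address; the function names and the 0x10000 near-null cutoff are assumptions of this example.

```python
import re

# Constructed input: top frames of three Windows dumps quoted in this bug (registers omitted).
DUMPS = [
    """Crash reason: EXCEPTION_ACCESS_VIOLATION_EXEC
Crash address: 0xffffffffe281f855
 0  0xe281f855
 1  xul.dll!nsRefPtr<nsGeolocationService>::operator=(nsGeolocationService *)""",
    """Crash reason: EXCEPTION_ACCESS_VIOLATION_READ
Crash address: 0x10
 0  xul.dll!nsRefPtr<nsGeolocationService>::assign_with_AddRef(nsGeolocationService *)
 1  xul.dll!nsRefPtr<nsGeolocationService>::operator=(nsGeolocationService *)""",
    """Crash reason: EXCEPTION_ACCESS_VIOLATION_READ
Crash address: 0x0
 0  js3250.dll!OBJ_SCOPE
 1  js3250.dll!js_LookupPropertyWithFlags
 2  js3250.dll!js_LookupProperty
 3  xul.dll!nsRefPtr<nsGeolocationService>::assign_with_AddRef(nsGeolocationService *)
 4  xul.dll!nsRefPtr<nsGeolocationService>::operator=(nsGeolocationService *)""",
]

def parse(dump):
    reason = re.search(r"Crash reason:\s*(\S+)", dump).group(1)
    addr = int(re.search(r"Crash address:\s*(0x[0-9a-fA-F]+)", dump).group(1), 16)
    # Frame name only: drop the "module!" prefix and the argument list.
    frames = [m.group(1).split("!")[-1].split("(")[0]
              for m in re.finditer(r"^\s*\d+\s+(\S+)", dump, re.M)]
    return reason, addr & 0xFFFFFFFF, frames  # 32-bit build: drop sign extension

def fault_class(reason, addr):
    kind = reason.rsplit("_", 1)[-1].lower()           # exec / read / write
    return ("near-null-" if addr < 0x10000 else "wild-") + kind

def signature(frames):
    # Top symbolized frame; a bare hex address has no symbol to report.
    return next(f for f in frames if not f.startswith("0x"))

def shared_frame(stacks):
    # Topmost frame of the first stack that every other stack also contains.
    return next((f for f in stacks[0] if all(f in s for s in stacks[1:])), None)

def triage(dumps):
    parsed = [parse(d) for d in dumps]
    return {"signatures": [signature(p[2]) for p in parsed],
            "classes": [fault_class(p[0], p[1]) for p in parsed],
            "bucket": shared_frame([p[2] for p in parsed])}

if __name__ == "__main__":
    print(triage(DUMPS))
```

Grouping on the shared frame puts the two near-null reads in the same bucket as the fault where the instruction pointer itself is the bad address, so the bucket is judged by its worst member rather than by whichever top frame a given dump happened to show.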
Mounir, can you investigate here and see what you find?
Assignee: nobody → mounir.lamouri
I tried to reproduce this bug with a debug trunk build and a 3.6 release (GNU/Linux and MacOS X) and I got no crash. When I run a command like this: `firefox -spider -url http://www.playground.ru/server/left4dead/ -depth 0 -start -quit` (I tried with different URLs), the UI of the spider extension appears and after a few seconds, it's shutting down with no crash. Is there something I'm missing?
Place this file on a local web server and run:

firefox -P test -spider -url 'http://local/playground-ru-urls.html' -depth 1 -start -quit

That will load each page from the list. I ran it with a current 1.9.2/Mac OS X build from this morning and didn't see any crashes. I'll resubmit these to the crash automation as soon as I complete some maintenance and will try to test other branches/os later today.
I've tried again today and everything was fine. Did you try with other branches?
I've just tried the entire list with 1.9.2.2 on MacOS X and it does not crash.
Bob, no update on this?
Sorry for the delay. I've been wrestling with url searches in my crash database. The crashes appear to have stopped for the most part around 11/10 which coincides with the latest Flash update. I've seen a couple of crashes with similar GeoLocation signatures on http://mofunzone.com/, http://imageshack.us/, and http://www.kongregate.com/games/gmentat/sieger?tab=achievements since then on Linux but they are not reproducible. My best "guess" is this was Flash overwriting memory and causing the crashes. -> WFM until something else pops up.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ varying signatures]
Group: core-security → core-security-release
Group: core-security-release