Bug 608994 (Closed)
Opened 14 years ago, closed 12 years ago
ASSERTION: iconv failed: 'Error' | Crash [@ utf16_to_isolatin1 ] | [@ NS_CopyUnicodeToNative ]
Categories: Core :: XPCOM, defect
People: Reporter: bc, Unassigned
Details: Keywords: crash, Whiteboard: [sg:dupe 744541]
Attachments: 8 files, 5 obsolete files
Description (Reporter)•14 years ago

1. http://www.elpais.com.uy/10/10/11/index.asp
2. crash 1.9.1, 1.9.2, 2.0.0

Operating system: Linux
                  0.0.0 Linux 2.6.18-194.17.1.el5 #1 SMP Wed Sep 29 12:51:33 EDT 2010 i686 GNU/Linux
CPU: x86
     GenuineIntel family 11 model 44 stepping 2
     1 CPU

Crash reason:  SIGSEGV
Crash address: 0x1d09475

Thread 0 (crashed)
 0  libxul.so!NS_CopyUnicodeToNative(nsAString_internal const&, nsACString_internal&) [nsNativeCharsetUtils.cpp : 868 + 0x1]
    eip = 0x01d09475   esp = 0xbfb0c23c   ebp = 0xbfb0c538   ebx = 0x02343678
    esi = 0x00bef846   edi = 0x01d157c2   eax = 0x00000000   ecx = 0x00000010
    edx = 0x0007de60   efl = 0x00210286
    Found by: given as instruction pointer in context
Comment 2 (Reporter)•14 years ago
Comment 3 (Reporter)•14 years ago
Comment 4 (Reporter)•14 years ago
Comment 5 (Reporter)•14 years ago
Comment 6 (Reporter)•14 years ago
Although I've seen this several times, it is not easily reproducible. I'll report back when I have some more details I hope.
Keywords: stackwanted
Summary: Crash [@ NS_CopyUnicodeToNative] → Crash [@ utf16_to_isolatin1|@ NS_CopyUnicodeToNative]
Comment 7 (Reporter)•14 years ago
valgrind shows some interesting messages: Igor?

==10379== Invalid read of size 4
==10379==    at 0x5C10697: js::MarkRangeConservatively(JSTracer*, unsigned int*, unsigned int*) (jsgc.cpp:711)
==10379==    by 0x5C10762: js::MarkThreadDataConservatively(JSTracer*, JSThreadData*) (jsgc.cpp:728)
==10379==    by 0x5C108B1: js::MarkConservativeStackRoots(JSTracer*) (jsgc.cpp:761)
==10379==    by 0x5C120F2: js::MarkRuntime(JSTracer*) (jsgc.cpp:1620)
==10379==    by 0x5C132CD: MarkAndSweep(JSContext*, JSGCInvocationKind) (jsgc.cpp:2171)
==10379==    by 0x5C13EB4: GCUntilDone(JSContext*, JSGCInvocationKind) (jsgc.cpp:2515)
==10379==    by 0x5C14049: js_GC(JSContext*, JSGCInvocationKind) (jsgc.cpp:2580)
==10379==    by 0x5B938E2: JS_GC (jsapi.cpp:2513)
==10379==    by 0x5170CEA: nsXPConnect::Collect() (nsXPConnect.cpp:404)
==10379==    by 0x5170D49: nsXPConnect::GarbageCollect() (nsXPConnect.cpp:412)
==10379==    by 0x4C51E43: nsJSContext::CC(nsICycleCollectorListener*) (nsJSEnvironment.cpp:3628)
==10379==    by 0x4C520BD: nsJSContext::IntervalCC() (nsJSEnvironment.cpp:3733)
==10379==  Address 0xbeb9d780 is not stack'd, malloc'd or (recently) free'd
==10379==

bsmedberg?

==10379== Thread 2:
==10379== Syscall param socketcall.sendmsg(msg.msg_iov[i]) points to uninitialised byte(s)
==10379==    at 0xC55018: sendmsg (in /lib/libpthread-2.5.so)
==10379==    by 0x5A78BB9: IPC::Channel::ChannelImpl::Send(IPC::Message*) (ipc_channel_posix.cc:679)
==10379==    by 0x5A792F6: IPC::Channel::Send(IPC::Message*) (ipc_channel_posix.cc:822)
==10379==    by 0x579D1FF: void DispatchToMethod<IPC::Channel, bool (IPC::Channel::*)(IPC::Message*), IPC::Message*>(IPC::Channel*, bool (IPC::Channel::*)(IPC::Message*), Tuple1<
==10379==    by 0x579D024: RunnableMethod<IPC::Channel, bool (IPC::Channel::*)(IPC::Message*), Tuple1<IPC::Message*> >::Run() (task.h:307)
==10379==    by 0x5A11A81: MessageLoop::RunTask(Task*) (message_loop.cc:343)
==10379==    by 0x5A11AEA: MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) (message_loop.cc:351)
==10379==    by 0x5A11EC0: MessageLoop::DoWork() (message_loop.cc:451)
==10379==    by 0x5A673E7: base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) (message_pump_libevent.cc:309)
==10379==    by 0x5A115DE: MessageLoop::RunInternal() (message_loop.cc:219)
==10379==    by 0x5A1155E: MessageLoop::RunHandler() (message_loop.cc:202)
==10379==    by 0x5A11502: MessageLoop::Run() (message_loop.cc:176)
==10379==  Address 0xeec9e10 is 88 bytes inside a block of size 128 alloc'd
==10379==    at 0x4005A02: realloc (vg_replace_malloc.c:476)
==10379==    by 0x59DD4B2: realloc (nsTraceMalloc.c:1224)
==10379==    by 0x7158C56: moz_realloc (mozalloc.cpp:140)
==10379==    by 0x5A1F501: Pickle::Resize(unsigned int) (pickle.cc:519)
==10379==    by 0x5A1F005: Pickle::BeginWrite(unsigned int) (pickle.cc:417)
==10379==    by 0x5A1F10D: Pickle::WriteBytes(void const*, int) (pickle.cc:438)
==10379==    by 0x438F1A3: Pickle::WriteUInt64(unsigned long long) (pickle.h:133)
==10379==    by 0x438F174: Pickle::WriteSize(unsigned int) (pickle.h:121)
==10379==    by 0x438F209: IPC::ParamTraits<unsigned int>::Write(IPC::Message*, unsigned int const&) (ipc_message_utils.h:228)
==10379==    by 0x57C49CD: void IPC::WriteParam<unsigned int>(IPC::Message*, unsigned int const&) (ipc_message_utils.h:124)
==10379==    by 0x57C5121: IPC::ParamTraits<mozilla::plugins::NPRemoteWindow>::Write(IPC::Message*, mozilla::plugins::NPRemoteWindow const&) (PluginMessageUtils.h:358)
==10379==    by 0x57C4B0E: void IPC::WriteParam<mozilla::plugins::NPRemoteWindow>(IPC::Message*, mozilla::plugins::NPRemoteWindow const&) (ipc_message_utils.h:124)
==10379==  Uninitialised value was created by a stack allocation
==10379==    at 0x5780343: mozilla::plugins::PluginInstanceParent::AsyncSetWindow(_NPWindow*) (PluginInstanceParent.cpp:532)

Sal, I see lots of uses of uninitialized data. You might want to run valgrind on Linux and Mac. :-)
Comment 8 (Reporter)•14 years ago
Comment 9•14 years ago
I'm not sure the IPC bits are actually a bug, NPRemoteWindow doesn't always have its members initialized.
Comment 10•14 years ago
Bob, ensure that you're building with --enable-valgrind and --disable-jemalloc, as well as running valgrind with --smc-check=all to reduce false positives.
Comment 11 (Reporter)•14 years ago
built with

mozconfig: mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/firefox-debug
mozconfig: mk_add_options MOZ_MAKE_FLAGS=-j${J}
mozconfig: mk_add_options MOZ_CO_PROJECT=browser
mozconfig:
mozconfig: ac_add_options --enable-application=browser
mozconfig: ac_add_options --enable-debug
mozconfig: ac_add_options --disable-optimize
mozconfig: ac_add_options --disable-jemalloc
mozconfig: ac_add_options --enable-lib-xul
mozconfig: ac_add_options --enable-debug-symbols="-gdwarf-2"
mozconfig: # libxul required for packaging.
mozconfig: ac_add_options --enable-libxul
mozconfig: # do not strip symbols in packaged builds
mozconfig: ac_add_options --disable-install-strip
mozconfig:
mozconfig: ac_add_options --enable-tests
mozconfig: ac_add_options --enable-trace-malloc
mozconfig: ac_add_options --enable-logrefcnt
mozconfig: ac_add_options --with-valgrind
mozconfig: ac_add_options --enable-valgrind
mozconfig:
mozconfig: ac_add_options --disable-installer
mozconfig: ac_add_options --enable-official-branding
mozconfig:
mozconfig: CC=gcc44
mozconfig: CXX=g++44
mozconfig:
mozconfig: export CFLAGS="-gdwarf-2"
mozconfig: export CXXFLAGS="-gdwarf-2"
mozconfig:
mozconfig: # For NSS symbols
mozconfig: export MOZ_DEBUG_SYMBOLS=1
mozconfig:
mozconfig: # Needed to enable breakpad in application.ini
mozconfig: export MOZILLA_OFFICIAL=1

run with valgrind --trace-children=yes --track-origins=yes --smc-check=all
Comment 12 (Reporter)•14 years ago
Note: I just saw this running the mochitest-plain unittests on Linux x86_64

1335 INFO TEST-END | /tests/content/svg/content/test/test_viewport.html | finished in 188119ms
1336 INFO TEST-START | /tests/content/svg/content/test/test_zoom.xhtml
Invalid read of size 8
   at 0x718C999: js::MarkRangeConservatively(JSTracer*, unsigned long*, unsigned long*) (jsgc.cpp:711)
   by 0x718CA5D: js::MarkThreadDataConservatively(JSTracer*, JSThreadData*) (jsgc.cpp:728)
   by 0x718CB81: js::MarkConservativeStackRoots(JSTracer*) (jsgc.cpp:761)
   by 0x718E613: js::MarkRuntime(JSTracer*) (jsgc.cpp:1620)
   by 0x718F9D9: MarkAndSweep(JSContext*, JSGCInvocationKind) (jsgc.cpp:2171)
   by 0x719066E: GCUntilDone(JSContext*, JSGCInvocationKind) (jsgc.cpp:2515)
   by 0x719080C: js_GC(JSContext*, JSGCInvocationKind) (jsgc.cpp:2580)
   by 0x7107A29: JS_GC (jsapi.cpp:2513)
   by 0x668F7DF: nsXPConnect::Collect() (nsXPConnect.cpp:404)
   by 0x668F84E: nsXPConnect::GarbageCollect() (nsXPConnect.cpp:412)
   by 0x6110DA0: nsJSContext::CC(nsICycleCollectorListener*) (nsJSEnvironment.cpp:3628)
   by 0x6110FAD: nsJSContext::IntervalCC() (nsJSEnvironment.cpp:3733)
 Address 0x7feffa540 is just below the stack ptr. To suppress, use: --workaround-gcc296-bugs=yes

See also bug 609103
Comment 13 (Reporter)•13 years ago
update crash bugs to critical per guidelines.
Severity: normal → critical
Updated (Assignee)•13 years ago
Crash Signature: [@ utf16_to_isolatin1|@ NS_CopyUnicodeToNative]
Updated (Reporter)•12 years ago
Group: core-security
Crash Signature: [@ utf16_to_isolatin1|@ NS_CopyUnicodeToNative] → [@ utf16_to_isolatin1]
[@ NS_CopyUnicodeToNative]
Updated (Reporter)•12 years ago
Attachment #489487 - Attachment is obsolete: true

Updated (Reporter)•12 years ago
Attachment #489488 - Attachment is obsolete: true

Updated (Reporter)•12 years ago
Attachment #489489 - Attachment is obsolete: true

Updated (Reporter)•12 years ago
Attachment #489490 - Attachment is obsolete: true

Updated (Reporter)•12 years ago
Attachment #489521 - Attachment is obsolete: true
Comment 14 (Reporter)•12 years ago
http://noticias.latam.msn.com/co/especiales/smartphones/articulos.aspx?cp-documentid=32204467

###!!! ASSERTION: iconv failed: 'Error', file /work/mozilla/builds/beta/mozilla/xpcom/io/nsNativeCharsetUtils.cpp, line 573
nsNativeCharsetConverter::UnicodeToNative [/work/mozilla/builds/beta/mozilla/xpcom/io/nsNativeCharsetUtils.cpp:576]
NS_CopyUnicodeToNative [/work/mozilla/builds/beta/mozilla/xpcom/io/nsNativeCharsetUtils.cpp:862]
WriteConsoleLog [/work/mozilla/builds/beta/mozilla/toolkit/xre/nsConsoleWriter.cpp:125]
ScopedXPCOMStartup::~ScopedXPCOMStartup [/work/mozilla/builds/beta/mozilla/toolkit/xre/nsAppRunner.cpp:1113]
XRE_main [/work/mozilla/builds/beta/mozilla/toolkit/xre/nsAppRunner.cpp:3282]
do_main [/work/mozilla/builds/beta/mozilla/browser/app/nsBrowserApp.cpp:205]
main [/work/mozilla/builds/beta/mozilla/browser/app/nsBrowserApp.cpp:295]
WARNING: shutting down early because of crash!: file /work/mozilla/builds/beta/mozilla/dom/plugins/ipc/PluginModuleChild.cpp, line 746
WARNING: plugin process _exit()ing: file /work/mozilla/builds/beta/mozilla/dom/plugins/ipc/PluginModuleChild.cpp, line 711

Crash reason:  SIGSEGV
Crash address: 0xdbdbdbdb

Thread 0 (crashed)
 0  0xdbdbdbdb
    eip = 0xdbdbdbdb   esp = 0xbf9100f0   ebp = 0xdbdbdbdb   ebx = 0xb70af748
    esi = 0xdbdbdbdb   edi = 0xb60ea7d8   eax = 0x00000000   ecx = 0x00000003
    edx = 0x0004cfef   efl = 0x00210286
    Found by: given as instruction pointer in context
Comment 15 (Reporter)•12 years ago
Comment 16 (Reporter)•12 years ago
http://www.google.com/m/place?cid=6112785236465726008&q=ashleys%2Bfurniture%2Bstore&fb=1&gl=us&hq=ashleys%2Bfurniture%2Bstore&hnear=0x872b5acddb390801:0xc54e9be72da06824%2CSun%2BCity%2BGrand%2BQuail%2BRun%2C%2BSurprise%2C%2BAZ

##!!! ASSERTION: iconv failed: 'Error', file /work/mozilla/builds/aurora/mozilla/xpcom/io/nsNativeCharsetUtils.cpp, line 573
nsNativeCharsetConverter::UnicodeToNative [/work/mozilla/builds/aurora/mozilla/xpcom/io/nsNativeCharsetUtils.cpp:576]
NS_CopyUnicodeToNative [/work/mozilla/builds/aurora/mozilla/xpcom/io/nsNativeCharsetUtils.cpp:862]
WriteConsoleLog [/work/mozilla/builds/aurora/mozilla/toolkit/xre/nsConsoleWriter.cpp:125]
ScopedXPCOMStartup::~ScopedXPCOMStartup [/work/mozilla/builds/aurora/mozilla/toolkit/xre/nsAppRunner.cpp:1112]
XRE_main [/work/mozilla/builds/aurora/mozilla/toolkit/xre/nsAppRunner.cpp:3300]
do_main [/work/mozilla/builds/aurora/mozilla/browser/app/nsBrowserApp.cpp:205]
main [/work/mozilla/builds/aurora/mozilla/browser/app/nsBrowserApp.cpp:295]

Crash reason:  SIGSEGV
Crash address: 0xcdcdcdcd

Thread 0 (crashed)
 0  0xcdcdcdcd
    eip = 0xcdcdcdcd   esp = 0xbfd2e1e0   ebp = 0xcdcdcdcd   ebx = 0xb7093a20
    esi = 0xcdcdcdcd   edi = 0xb60070e2   eax = 0x00000000   ecx = 0x00000003
    edx = 0x0000f638   efl = 0x00210286
    Found by: given as instruction pointer in context
Comment 17 (Reporter)•12 years ago
Comment 18 (Reporter)•12 years ago
http://www.google.com/m/place?hl=en_US&ppmode=google_reviews&start=0&cid=15705102864717293798

###!!! ASSERTION: iconv failed: 'Error', file /work/mozilla/builds/aurora/mozilla/xpcom/io/nsNativeCharsetUtils.cpp, line 573
nsNativeCharsetConverter::UnicodeToNative [/work/mozilla/builds/aurora/mozilla/xpcom/io/nsNativeCharsetUtils.cpp:576]
NS_CopyUnicodeToNative [/work/mozilla/builds/aurora/mozilla/xpcom/io/nsNativeCharsetUtils.cpp:862]
WriteConsoleLog [/work/mozilla/builds/aurora/mozilla/toolkit/xre/nsConsoleWriter.cpp:125]
ScopedXPCOMStartup::~ScopedXPCOMStartup [/work/mozilla/builds/aurora/mozilla/toolkit/xre/nsAppRunner.cpp:1112]
XRE_main [/work/mozilla/builds/aurora/mozilla/toolkit/xre/nsAppRunner.cpp:3300]
do_main [/work/mozilla/builds/aurora/mozilla/browser/app/nsBrowserApp.cpp:205]
main [/work/mozilla/builds/aurora/mozilla/browser/app/nsBrowserApp.cpp:295]

Crash reason:  SIGSEGV
Crash address: 0xbfdaa000

Thread 0 (crashed)
 0  libxul.so!utf16_to_isolatin1 [nsNativeCharsetUtils.cpp : 123 + 0xd]
    eip = 0xb5ffebf6   esp = 0xbfda2208   ebp = 0xbfda2208   ebx = 0xb709ac80
    esi = 0xb586e1f6   edi = 0xb600e2d8   eax = 0xbfdaa000   ecx = 0x00000000
    edx = 0x0000cdcd   efl = 0x00010202
    Found by: given as instruction pointer in context
Comment 19 (Reporter)•12 years ago
Comment 20 (Reporter)•12 years ago
http://www.google.com/m/place?cid=6112785236465726008&q=ashleys%2Bfurniture%2Bstore&fb=1&gl=us&hq=ashleys%2Bfurniture%2Bstore&hnear=0x872b5acddb390801:0xc54e9be72da06824%2CSun%2BCity%2BGrand%2BQuail%2BRun%2C%2BSurprise%2C%2BAZ

###!!! ASSERTION: iconv failed: 'Error', file /work/mozilla/builds/beta/mozilla/xpcom/io/nsNativeCharsetUtils.cpp, line 573
nsNativeCharsetConverter::UnicodeToNative [/work/mozilla/builds/beta/mozilla/xpcom/io/nsNativeCharsetUtils.cpp:576]
NS_CopyUnicodeToNative [/work/mozilla/builds/beta/mozilla/xpcom/io/nsNativeCharsetUtils.cpp:862]
WriteConsoleLog [/work/mozilla/builds/beta/mozilla/toolkit/xre/nsConsoleWriter.cpp:125]
ScopedXPCOMStartup::~ScopedXPCOMStartup [/work/mozilla/builds/beta/mozilla/toolkit/xre/nsAppRunner.cpp:1113]
XRE_main [/work/mozilla/builds/beta/mozilla/toolkit/xre/nsAppRunner.cpp:3282]
do_main [/work/mozilla/builds/beta/mozilla/browser/app/nsBrowserApp.cpp:205]
main [/work/mozilla/builds/beta/mozilla/browser/app/nsBrowserApp.cpp:295]
libc.so.6 + 0x2169d
firefox + 0x10d9

Crash reason:  SIGSEGV
Crash address: 0x0

Thread 0 (crashed)
 0  libxul.so!NS_CopyUnicodeToNative [nsNativeCharsetUtils.cpp : 869 + 0x9]
    rbx = 0xdadadadadadadada   r12 = 0x00007f402277968a   r13 = 0x00007f40227481e2
    r14 = 0x0000000002165e30   r15 = 0x0000000002169260   rip = 0x00007f402276a0ee
    rsp = 0x00007fffdc9b7e18   rbp = 0xdadadadadadadada
    Found by: given as instruction pointer in context
 1  0xdadadadadadadad9
    rbx = 0xdadadadadadadada   r12 = 0x00007f402277968a   r13 = 0x00007f40227481e2
    r14 = 0x0000000002165e30   r15 = 0x0000000002169260   rip = 0xdadadadadadadada
    rsp = 0x00007fffdc9b7e20   rbp = 0xdadadadadadadada
    Found by: call frame info
Comment 21 (Reporter)•12 years ago
Comment 22 (Reporter)•12 years ago
This occurs in automation on Fedora 16 32-bit and 64-bit Linux for all 3 branches and has been happening for a while. I keep trying to reproduce locally but can't for some reason. The common thread is the iconv failed assertion and the bogus execution on shutdown beginning at what appears to be either uninitialized heap, deleted js heap, or deleted js hash. Numerous other crashes without the obvious bogus addresses happen as well. It appears to me the execution address on shutdown is potentially controlled by user content. For those of you with access to the mpt vpn who wish to view these crash reports in the Bughunter application, please contact me.
Summary: Crash [@ utf16_to_isolatin1|@ NS_CopyUnicodeToNative] → Crash [@ utf16_to_isolatin1 ] | [@ NS_CopyUnicodeToNative ]
Updated (Reporter)•12 years ago
Whiteboard: [sg:critical]
Updated (Reporter)•12 years ago
Summary: Crash [@ utf16_to_isolatin1 ] | [@ NS_CopyUnicodeToNative ] → ASSERTION: iconv failed: 'Error' | Crash [@ utf16_to_isolatin1 ] | [@ NS_CopyUnicodeToNative ]
Comment 23•12 years ago
Looks hard to move on, let's track for 13.
status-firefox10: --- → wontfix
status-firefox11: --- → wontfix
status-firefox12: --- → wontfix
status-firefox13: --- → affected
tracking-firefox10: --- → -
tracking-firefox11: --- → -
tracking-firefox12: --- → -
tracking-firefox13: --- → +

Updated•12 years ago
status-firefox-esr10: --- → affected
Comment 24•12 years ago
Considering that 1) UTF-8 is the "native" on practically all Linux distros these days 2) We have our own converters that could target legacy "native" why do we even use iconv?
Updated•12 years ago
status-firefox14: --- → affected
tracking-firefox14: --- → +
Comment 25•12 years ago
Bug 744541 should fix this I think. It only affects Linux/Unix/BSDs, excluding OSX and Android. For non-debug builds, it only occurs for file: URLs or if window.dump has been enabled. See bug 744541 for details.
Depends on: CVE-2012-1947
Updated•12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:critical] → [sg:dupe 744541]
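Every trace on this bug starts with the same "iconv failed: 'Error'" assertion in nsNativeCharsetConverter::UnicodeToNative and then runs off into fill-pattern addresses, and comment 25 notes that the path is only reached when the native charset is not UTF-8 and something is written through WriteConsoleLog. The C below is an added illustration, not code from this bug or from Mozilla's tree: a UTF-16LE to ISO-8859-1 wrapper around iconv(3) that treats each of the three failure modes a caller can see (EILSEQ for a code point Latin-1 cannot hold, EINVAL for a truncated code unit, E2BIG for a full destination) as a hard error, never writes past the destination buffer, and never returns a partially converted result as if it were complete. The function names, the sample strings and the guard byte are constructed for the example.

```c
#include <errno.h>
#include <iconv.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Mozilla code). Converts UTF-16LE bytes to
 * ISO-8859-1 without ever writing more than outcap bytes to out.
 * Returns 0 and sets *outlen on complete success; returns -1 on any
 * iconv failure or if input was left unconsumed. */
int utf16le_to_latin1(const unsigned char *in, size_t inlen,
                      char *out, size_t outcap, size_t *outlen)
{
    iconv_t cd = iconv_open("ISO-8859-1", "UTF-16LE");
    if (cd == (iconv_t)-1)
        return -1;                       /* conversion pair unavailable */

    char *inp = (char *)in;              /* iconv's API takes char** */
    char *outp = out;
    size_t inleft = inlen, outleft = outcap;
    int rc = 0;

    if (iconv(cd, &inp, &inleft, &outp, &outleft) == (size_t)-1) {
        /* EILSEQ: unrepresentable code point; EINVAL: incomplete code
         * unit at end of input; E2BIG: destination exhausted. A caller
         * must not keep going with whatever landed in out[] so far. */
        rc = -1;
    } else if (inleft != 0) {
        rc = -1;                         /* should not happen, but be strict */
    } else if (iconv(cd, NULL, NULL, &outp, &outleft) == (size_t)-1) {
        rc = -1;                         /* flush of shift state failed */
    }
    iconv_close(cd);

    if (rc == 0)
        *outlen = outcap - outleft;
    return rc;
}

/* Constructed sample: "café" as UTF-16LE (U+0063 U+0061 U+0066 U+00E9). */
static const unsigned char CAFE_UTF16LE[] = {
    0x63, 0x00, 0x61, 0x00, 0x66, 0x00, 0xE9, 0x00
};

/* Each example returns 1 when the wrapper behaves as required. */
int example_basic_conversion(void)
{
    char out[8];
    size_t n = 0;
    if (utf16le_to_latin1(CAFE_UTF16LE, sizeof CAFE_UTF16LE,
                          out, sizeof out, &n) != 0)
        return 0;
    return n == 4 && memcmp(out, "caf\xE9", 4) == 0;
}

int example_unmappable_code_point(void)
{
    /* U+20AC EURO SIGN has no ISO-8859-1 form: iconv fails with EILSEQ. */
    static const unsigned char euro[] = { 0xAC, 0x20 };
    char out[8];
    size_t n = 0;
    return utf16le_to_latin1(euro, sizeof euro, out, sizeof out, &n) == -1;
}

int example_output_buffer_too_small(void)
{
    /* Two bytes of room for four characters: iconv stops with E2BIG and
     * the guard byte just past the advertised capacity must be untouched. */
    char out[3] = { 0, 0, 0x7F };
    size_t n = 0;
    int rc = utf16le_to_latin1(CAFE_UTF16LE, sizeof CAFE_UTF16LE, out, 2, &n);
    return rc == -1 && out[2] == 0x7F;
}

int example_truncated_input(void)
{
    /* An odd byte count cannot be whole UTF-16 code units: EINVAL. */
    static const unsigned char half[] = { 0x63 };
    char out[8];
    size_t n = 0;
    return utf16le_to_latin1(half, sizeof half, out, sizeof out, &n) == -1;
}

int main(void)
{
    printf("basic=%d unmappable=%d small_buffer=%d truncated=%d\n",
           example_basic_conversion(), example_unmappable_code_point(),
           example_output_buffer_too_small(), example_truncated_input());
    return 0;
}
```

The point for a reviewer of code like UnicodeToNative is the contract, not the library: a failed iconv call leaves the destination in a partially written state, and the only safe responses are to propagate the error or to fall back to a conversion that cannot fail (such as replacing unmappable code points), never to assert in debug builds and carry on in release builds.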
(In reply to Lukas Blakk [:lsblakk] from comment #27)
> Removing tracking flags since this is now duped.

I thought we left these tracked in case we ever un-dup?
Updated•12 years ago
Group: core-security
Updated•5 years ago