Created attachment 512471 [details]
Here is the WinDbg output

cross_fuzzv3 on firefox4b11 32bit windowsxp
FAILURE_BUCKET_ID: NULL_POINTER_READ_c0000005_xul.dll!nsPluginStreamListenerPeer::GetInterfaceGlobal
Attachment #512471 - Attachment mime type: application/octet-stream → text/plain
What was the cross-fuzz log/salt to reproduce? Do you know what plugin was being used at the time?
As far as I know there is no possibility in cross_fuzz to get this info. Look at: http://lcamtuf.blogspot.com/2011/01/announcing-crossfuzz-potential-0-day-in.html The dialog between Johan and Michael Zalewski. When you know more, please point me to it.
I only used an early version, but I was pretty sure there was a logging feature or somesuch.
I've googled for that, but there seems to be nothing. The fuzzer mangleme has this feature, but it is not implemented in cross_fuzz. Anyway, when you have a link that shows otherwise, please send it to me.
If you load cross_fuzz with #42 it should use seed 42.
Created attachment 535856 [details]
crash report

1. http://ru.pokerstrategy.com/strategy/1550/print/
2. shutdown
3. Crash

Linux 32bit 2.0, beta, aurora, nightly

I haven't tried to reproduce locally yet (building atm), but this *may* require Spider.

Operating system: Linux
                  0.0.0 Linux 220.127.116.11-91.fc14.i686.PAE #1 SMP Tue May 3 13:29:55 UTC 2011 i686
CPU: x86
     GenuineIntel family 6 model 44 stepping 2
     1 CPU

Crash reason:  SIGSEGV
Crash address: 0x0

Thread 0 (crashed)
 0  libxul.so!nsPluginStreamListenerPeer::GetInterfaceGlobal [nsPluginStreamListenerPeer.cpp : 1327 + 0xb]
    eip = 0x01f9ea61   esp = 0xbf9636d0   ebp = 0xbf963728   ebx = 0x03235414
    esi = 0x00000000   edi = 0x0a462910   eax = 0x00000000   ecx = 0x037b534c
    edx = 0x00000001   efl = 0x00010282
    Found by: given as instruction pointer in context
 1  libxul.so!nsPluginStreamListenerPeer::GetInterface [nsPluginStreamListenerPeer.cpp : 1344 + 0x18]
    eip = 0x01f9eb34   esp = 0xbf963730   ebp = 0xbf963748   ebx = 0x03235414
    esi = 0x00000000   edi = 0x0a0b4b14
    Found by: call frame info
 2  libxul.so!NS_QueryNotificationCallbacks [nsNetUtil.h : 1295 + 0x1f]
    eip = 0x00ee204e   esp = 0xbf963750   ebp = 0xbf963778   ebx = 0x03235414
    esi = 0x00000000   edi = 0x0a0b4b14
    Found by: call frame info
 3  libxul.so!mozilla::net::HttpBaseChannel::GetCallback<nsIProgressEventSink> [HttpBaseChannel.h : 204 + 0x59]
    eip = 0x00fe287e   esp = 0xbf963780   ebp = 0xbf9637b8   ebx = 0x03235414
    esi = 0x00000000   edi = 0x0a0b4b14
    Found by: call frame info
 4  libxul.so!nsHttpChannel::OnTransportStatus [nsHttpChannel.cpp : 4130 + 0x14]
    eip = 0x00fde47d   esp = 0xbf9637c0   ebp = 0xbf9638f8   ebx = 0x03235414
    esi = 0x00000000   edi = 0x00000000
    Found by: call frame info
 5  libxul.so!nsHttpChannel::OnDataAvailable [nsHttpChannel.cpp : 4099 + 0x3e]
    eip = 0x00fde372   esp = 0xbf963900   ebp = 0xbf963968   ebx = 0x03235414
    esi = 0x00000000   edi = 0x00000000
    Found by: call frame info
Created attachment 731702 [details]
crash report

Other examples, though the stacks are somewhat different, probably due to changes in the last couple of years:

ABORT: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr != 0'

https://manslmt.lv/lv/icenter/info.php
https://www.ov-chipkaart.nl/mijnovchipkaart/reizenentransacties/mijnreizenentransacties/transactiesprinten/

Load url and then shutdown to see the crash. Haven't been able to reproduce with a locally saved version. Occurs on Beta/20, Aurora/21, Nightly/22 and Windows+Linux at least.
(In reply to Bob Clary [:bc:] from comment #7)
> Load url and then shutdown to see the crash.

Shutdown as in "close fx" or "shutdown the system"?
OS: Windows XP → All
Priority: -- → P2
Assignee: nobody → georg.fritzsche
Assignee: georg.fritzsche → nobody
Automation no longer crashes on http://ru.pokerstrategy.com/strategy/1550/print/
a year ago
Crash Signature: [@ nsPluginStreamListenerPeer::GetInterfaceGlobal]