Closed Bug 642734 Opened 14 years ago Closed 13 years ago

Crash [@ nsTArray_base<nsTArrayDefaultAllocator>::Length()] [@ nsCharSinkTraits<CalculateUTF8Size>::write] [@ gfxUserFontSet::LoadNext] [@ ashed) 0 xul.dll!CalculateUTF8Size::write(unsigned short const *,unsigned int)]with downloaded font

Categories: Core :: Graphics, defect
Platform: x86 / All
Severity: critical (Priority: Not set)
Status: RESOLVED FIXED
Target Milestone: mozilla6

Tracking Status:
  firefox5: + fixed
  blocking2.0: -
  status2.0: wanted
  blocking1.9.2: .18+
  status1.9.2: .18-fixed
People

(Reporter: bc, Assigned: jfkthame)


Details

(Keywords: crash, Whiteboard: [sg:critical?] fixed by (dupe) of 650639 [qa-examined-192])

Attachments

(2 files)

1. http://www.arlovance.com/
2. sometimes crash. 

I haven't been able to reproduce locally on Mac OS X or Windows XP, but the automation has so far crashed on Windows 7 32bit, Fedora 14 32bit and 64bit. I have been able to reproduce locally on Fedora 14 32bit especially when running under gdb. I wasn't able to crash a nightly Linux build however. YMMV.

associated socorro signature: gfxUserFontSet::LoadNext 

Operating system: Windows NT
                  6.1.7601 Service Pack 1
CPU: x86
     GenuineIntel family 6 model 44 stepping 2
     1 CPU

Crash reason:  EXCEPTION_ACCESS_VIOLATION_READ
Crash address: 0xffffffffdddddddd

Thread 0 (crashed)
 0  xul.dll!nsTArray_base<nsTArrayDefaultAllocator>::Length() [nsTArray.h : 139 + 0x5]
    eip = 0x635d33bc   esp = 0x0017c394   ebp = 0x0017c398   ebx = 0x00000001
    esi = 0x00343e20   edi = 0x00000000   eax = 0x04c28238   ecx = 0xdddddddd
    edx = 0x04b55820   efl = 0x00010202
    Found by: given as instruction pointer in context
 1  xul.dll!gfxMixedFontFamily::RemoveFontEntry(gfxFontEntry *) [gfxUserFontSet.h : 113 + 0xa]
    eip = 0x63b193f4   esp = 0x0017c3a0   ebp = 0x0017c3b0
    Found by: call frame info
 2  xul.dll!gfxUserFontSet::LoadNext(gfxProxyFontEntry *) [gfxUserFontSet.cpp : 691 + 0xb]
    eip = 0x63b191ee   esp = 0x0017c3b8   ebp = 0x0017c7f0
    Found by: call frame info
 3  xul.dll!gfxUserFontSet::OnLoadComplete(gfxFontEntry *,unsigned char const *,unsigned int,unsigned int) [gfxUserFontSet.cpp : 586 + 0xe]
    eip = 0x63b17fe3   esp = 0x0017c7f8   ebp = 0x0017ce78
    Found by: call frame info
 4  xul.dll!nsFontFaceLoader::OnStreamComplete(nsIStreamLoader *,nsISupports *,unsigned int,unsigned int,unsigned char const *) [nsFontFaceLoader.cpp : 226 + 0x1f]
    eip = 0x63f12a7a   esp = 0x0017ce80   ebp = 0x0017cefc
    Found by: call frame info
 5  xul.dll!nsStreamLoader::OnStopRequest(nsIRequest *,nsISupports *,unsigned int) [nsStreamLoader.cpp : 125 + 0x3d]
    eip = 0x63bc4cc6   esp = 0x0017cf04   ebp = 0x0017cf24
    Found by: call frame info

Operating system: Linux
                  0.0.0 Linux 2.6.35.11-83.fc14.i686.PAE #1 SMP Mon Feb 7 06:57:55 UTC 2011 i686
CPU: x86
     GenuineIntel family 6 model 44 stepping 2
     1 CPU

Crash reason:  SIGSEGV
Crash address: 0x0

Thread 0 (crashed)
 0  libxul.so!nsTArray_base<nsTArrayDefaultAllocator>::Length [nsTArray.h : 139 + 0x5]
    eip = 0x00b1b84e   esp = 0xbf986d38   ebp = 0xbf986d38   ebx = 0x02ec255c
    esi = 0x08a70b90   edi = 0x00000020   eax = 0x00000000   ecx = 0x02ec255c
    edx = 0x00000004   efl = 0x00010216
    Found by: given as instruction pointer in context
 1  libxul.so!gfxMixedFontFamily::RemoveFontEntry [gfxUserFontSet.h : 113 + 0xd]
    eip = 0x021e5a78   esp = 0xbf986d40   ebp = 0xbf986d68   ebx = 0x02ec255c
    esi = 0x08a70b90   edi = 0x00000020
    Found by: call frame info
 2  libxul.so!gfxUserFontSet::LoadNext [gfxUserFontSet.cpp : 691 + 0x11]
    eip = 0x021e54db   esp = 0xbf986d70   ebp = 0xbf987118   ebx = 0x02ec255c
    esi = 0x08a70b90   edi = 0x00000020
    Found by: call frame info
 3  libxul.so!gfxUserFontSet::OnLoadComplete [gfxUserFontSet.cpp : 586 + 0x11]
    eip = 0x021e4e78   esp = 0xbf987120   ebp = 0xbf9876a8   ebx = 0x02ec255c
    esi = 0x095af330   edi = 0x0000b9c8
    Found by: call frame info
 4  libxul.so!nsFontFaceLoader::OnStreamComplete [nsFontFaceLoader.cpp : 226 + 0x31]
    eip = 0x00fd1540   esp = 0xbf9876b0   ebp = 0xbf987738   ebx = 0x02ec255c
    esi = 0x095af330   edi = 0x0000b9c8
    Found by: call frame info
 5  libxul.so!nsStreamLoader::OnStopRequest [nsStreamLoader.cpp : 125 + 0x4b]
    eip = 0x00bb5820   esp = 0xbf987740   ebp = 0xbf987788   ebx = 0x02ec255c
    esi = 0x095af330   edi = 0x0000b9c8
    Found by: call frame info

Operating system: Linux
                  0.0.0 Linux 2.6.35.11-83.fc14.i686.PAE #1 SMP Mon Feb 7 06:57:55 UTC 2011 i686
CPU: x86
     GenuineIntel family 6 model 44 stepping 2
     1 CPU

Crash reason:  SIGSEGV
Crash address: 0x9d36000

Thread 0 (crashed)
 0  libxul.so!nsCharSinkTraits<CalculateUTF8Size>::write [nsUTF8Utils.h : 604 + 0x3]
    eip = 0x01d60b00   esp = 0xbfb9b4b0   ebp = 0xbfb9b4f8   ebx = 0x02b2155c
    esi = 0x006f0063   edi = 0x00005e24   eax = 0x09d36000   ecx = 0x02da234c
    edx = 0x00273410   efl = 0x00010202
    Found by: given as instruction pointer in context
 1  libxul.so!copy_string<nsReadingIterator<short unsigned int>, CalculateUTF8Size> [nsAlgorithm.h : 93 + 0x31]
    eip = 0x01d5fd8a   esp = 0xbfb9b500   ebp = 0xbfb9b518   ebx = 0x02b2155c
    esi = 0x006f0063   edi = 0x00005e24
    Found by: call frame info
 2  libxul.so!AppendUTF16toUTF8 [nsReadableUtils.cpp : 200 + 0x12]
    eip = 0x01d5df9d   esp = 0xbfb9b520   ebp = 0xbfb9b578   ebx = 0x02b2155c
    esi = 0xbfb9b550   edi = 0x00005e24
    Found by: call frame info
 3  libxul.so!NS_ConvertUTF16toUTF8::NS_ConvertUTF16toUTF8 [nsString.h : 161 + 0x11]
    eip = 0x00776061   esp = 0xbfb9b580   ebp = 0xbfb9b598   ebx = 0x02b2155c
    esi = 0x09a8af50   edi = 0x00005e24
    Found by: call frame info
 4  libxul.so!gfxUserFontSet::OnLoadComplete [gfxUserFontSet.cpp : 477 + 0x1c]
    eip = 0x01e43950   esp = 0xbfb9b5a0   ebp = 0xbfb9bb28   ebx = 0x02b2155c
    esi = 0x09a8af50   edi = 0x00005e24
    Found by: call frame info
 5  libxul.so!nsFontFaceLoader::OnStreamComplete [nsFontFaceLoader.cpp : 226 + 0x31]
    eip = 0x00c30540   esp = 0xbfb9bb30   ebp = 0xbfb9bbb8   ebx = 0x02b2155c
    esi = 0x09a8af50   edi = 0x00005e24
    Found by: call frame info

ss since Windows 7 showed deleted heap in the crash address and ecx.
1. http://www.arlovance.com/sketches
2. crash 

13 windows crashes:

https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=CalculateUTF8Size%3A%3Awrite&date=03%2F23%2F2011%2016%3A12%3A18&range_value=1&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=CalculateUTF8Size%3A%3Awrite%28unsigned%20short%20const%2A%2C%20unsigned%20int%29

associated socorro signature gfxMixedFontFamily::RemoveFontEntry(gfxFontEntry*) 

116 windows crashes

https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=gfxMixedFontFamily%3A%3ARemoveFontEntry%28gfxFontEntry%2A%29&date=03%2F23%2F2011%2016%3A18%3A04&range_value=1&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=gfxMixedFontFamily%3A%3ARemoveFontEntry%28gfxFontEntry%2A%29

Operating system: Windows NT
                  5.1.2600 Service Pack 3
CPU: x86
     GenuineIntel family 6 model 44 stepping 2
     1 CPU

Crash reason:  EXCEPTION_ACCESS_VIOLATION_READ
Crash address: 0x4

Thread 0 (crashed)
 0  xul.dll!CalculateUTF8Size::write(unsigned short const *,unsigned int) [nsUTF8Utils.h : 604 + 0x3]
    eip = 0x114f8da5   esp = 0x0012ceac   ebp = 0x0012cebc   ebx = 0x00000001
    esi = 0x0107ff78   edi = 0x00000000   eax = 0x00000004   ecx = 0x030268f0
    edx = 0x00000004   efl = 0x00010283
    Found by: given as instruction pointer in context
 1  xul.dll!nsCharSinkTraits<CalculateUTF8Size>::write(CalculateUTF8Size &,unsigned short const *,unsigned int) [nsCharTraits.h : 812 + 0xf]
    eip = 0x114f8d63   esp = 0x0012cec4   ebp = 0x0012cecc
    Found by: call frame info
 2  xul.dll!copy_string<nsReadingIterator<unsigned short>,CalculateUTF8Size>(nsReadingIterator<unsigned short> const &,nsReadingIterator<unsigned short> const &,CalculateUTF8Size &) [nsAlgorithm.h : 93 + 0x26]
    eip = 0x114f82da   esp = 0x0012ced4   ebp = 0x0012cee0
    Found by: call frame info
 3  xul.dll!AppendUTF16toUTF8(nsAString_internal const &,nsACString_internal &) [nsReadableUtils.cpp : 200 + 0x22]
    eip = 0x114f6b21   esp = 0x0012cee8   ebp = 0x0012cf20
    Found by: call frame info
 4  xul.dll!NS_ConvertUTF16toUTF8::NS_ConvertUTF16toUTF8(nsAString_internal const &) [nsString.h : 161 + 0xc]
    eip = 0x100569dc   esp = 0x0012cf28   ebp = 0x0012cf34
    Found by: call frame info
 5  xul.dll!gfxUserFontSet::OnLoadComplete(gfxFontEntry *,unsigned char const *,unsigned int,unsigned int) [gfxUserFontSet.cpp : 477 + 0x13]
    eip = 0x10587cff   esp = 0x0012cf3c   ebp = 0x0012d5bc
    Found by: call frame info
Summary: Crash [@ nsTArray_base<nsTArrayDefaultAllocator>::Length()] [@ nsCharSinkTraits<CalculateUTF8Size>::write] [@ gfxUserFontSet::LoadNext] with downloaded font → Crash [@ nsTArray_base<nsTArrayDefaultAllocator>::Length()] [@ nsCharSinkTraits<CalculateUTF8Size>::write] [@ gfxUserFontSet::LoadNext] [@ ashed) 0 xul.dll!CalculateUTF8Size::write(unsigned short const *,unsigned int)]with downloaded font
We really need to capture testcases for this one. Is this a bunch of different crashes at the same site, or are we so screwed up we can crash in such different places. Is it UTF8 conversion or Fonts that are the problem?
Keywords: testcase-wanted
Whiteboard: [sg:critical?]
John, Jonathan - ideas?
John, can you please have a look here before we lose the testcase etc?
Assignee: nobody → jdaggett
John, we need some traction on this security bug. If you're not the right owner, please make that clear...
Is this still an issue on trunk? I don't see how we could hit a crash like this now that bug 623711 has landed. (Bug 650639 could be a more recent but somewhat similar scenario, but I believe that is now fixed as well.)
comment 5 showed a crash after bug 623711 check-ins to mc.
My guess is that this is bug 650639 but I'll see if I can reproduce this with builds prior to that fix to try and confirm this.
Looks like this was fixed by the checkin for bug 650639, which landed on 4/27 at 22:14 PDT.

Running on Windows 7 with the 64-bit binary with the startup page set to www.arlovance.com.  Page uses typekit, and includes some custom swizzling behavior for FF to hide font loads for 3 seconds (not necessary in FF4 and above).

Crashes:
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:6.0a1) Gecko/20110427 Firefox/6.0a1

Doesn't crash:
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:6.0a1) Gecko/20110428 Firefox/6.0a1
If I'm understanding correctly, this is a crash signature that you could have gotten from bug 650639 in debug builds because of the userfont logging code that tries to access the font family name; in builds without logging, you'd see the ReplaceFontEntry crash signature instead.
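The failure mode comment 11 describes, a proxy font entry still being dereferenced (here, to read its family name for a log line) after the load-complete path has already replaced and freed it, shown as an added C example. This is not Gecko's code and not part of the bug's own discussion: the FontEntry/FontFamily structures, the function names, the fixed-size entry array and the sfnt-tag check are a toy model invented for illustration. The safe handler copies what it needs out of the proxy before the replacement can free it, which is what the patch title in this bug ("don't use proxy font entry after it has been replaced") asks for; the buggy read is shown only as a comment because it is undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX    32
#define MAX_ENTRIES 8

/* Toy model (example code, not Gecko's): a family holds a list of entries; a
   proxy entry stands in for a font whose data is still downloading.  When the
   download completes the proxy is swapped for a real entry and freed, so every
   pointer to the proxy that the caller still holds is dangling from then on. */
typedef struct FontEntry {
    char family_name[NAME_MAX];
    int  is_proxy;              /* 1 while the font data is still loading */
} FontEntry;

typedef struct FontFamily {
    FontEntry *entries[MAX_ENTRIES];
    size_t     count;
} FontFamily;

FontEntry *entry_new(const char *family, int is_proxy)
{
    FontEntry *e = calloc(1, sizeof *e);
    if (!e) return NULL;
    snprintf(e->family_name, sizeof e->family_name, "%s", family);
    e->is_proxy = is_proxy;
    return e;
}

int family_add_entry(FontFamily *fam, FontEntry *e)
{
    if (fam->count >= MAX_ENTRIES) return 0;
    fam->entries[fam->count++] = e;
    return 1;
}

/* Swap `old` for `replacement` in place and free `old`.  Returns 1 on success,
   0 if `old` is not in this family (nothing is freed in that case). */
int family_replace_entry(FontFamily *fam, FontEntry *old, FontEntry *replacement)
{
    for (size_t i = 0; i < fam->count; i++) {
        if (fam->entries[i] == old) {
            fam->entries[i] = replacement;
            free(old);
            return 1;
        }
    }
    return 0;
}

/* Stand-in for the real font sanitiser (assumption, not Gecko's check):
   accept only buffers that start with an OpenType "OTTO" or TrueType 0x00010000
   sfnt version tag. */
static int font_data_looks_valid(const unsigned char *data, size_t len)
{
    static const unsigned char truetype[4] = {0x00, 0x01, 0x00, 0x00};
    if (len < 4) return 0;
    return memcmp(data, "OTTO", 4) == 0 || memcmp(data, truetype, 4) == 0;
}

/* Load-complete handler written the safe way: everything the caller needs
   from the proxy (here its family name, for the log line) is copied out BEFORE
   the proxy can be replaced and freed, and the local pointer is nulled as soon
   as it goes stale.  Returns 1 if the proxy was replaced by a real entry, 0 if
   the data was rejected and the proxy stays in the family. */
int on_load_complete(FontFamily *fam, FontEntry *proxy,
                     const unsigned char *data, size_t len,
                     char *log_line, size_t log_cap)
{
    char family_copy[NAME_MAX];
    snprintf(family_copy, sizeof family_copy, "%s", proxy->family_name);

    int replaced = 0;
    if (font_data_looks_valid(data, len)) {
        FontEntry *real = entry_new(family_copy, 0);
        if (real && family_replace_entry(fam, proxy, real)) {
            proxy = NULL;           /* object is gone; never touch it again */
            replaced = 1;
        } else {
            free(real);             /* not adopted by the family */
        }
    }

    /* The bug this page fixed is the pattern `proxy->family_name` at this
       point: building the log message from the entry that was just freed. */
    snprintf(log_line, log_cap, "userfonts: %s: %s", family_copy,
             replaced ? "font loaded" : "font data rejected, proxy kept");
    return replaced;
}
```

The poison value in the first stack on this page (ecx = 0xdddddddd, crash address 0xffffffffdddddddd) is what the Windows debug CRT heap writes over freed blocks, which is why that trace makes the stale-pointer read obvious while the Linux traces only show a plain SIGSEGV; an ASan build gives the same clarity on Linux.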
(In reply to comment #11)
> If I'm understanding correctly, this is a crash signature that you could have
> gotten from bug 650639 in debug builds because of the userfont logging code
> that tries to access the font family name; in builds without logging, you'd see
> the ReplaceFontEntry crash signature instead.

That makes sense.  

I verified that the changeset for bug 650639 is the precise point at which the fix landed.  Using tinderbox builds from:

ftp://ftp.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-win32/

The submit time on the checkin is 1303967711.  Comparing with the build just before it, 1303949796, the crash occurs with the build before the checkin but not after.

Mark as a duplicate?  Sounds like we need to land the fixes for bug 650639 (and 623711) on 4.x/Aurora ASAP.
Marking this depend on bug 650639 since that's where the fix is, but keeping this bug open for its testcase so it gets verified as a security bug when fixed.
blocking2.0: --- → -
status2.0: --- → wanted
Depends on: 650639
Whiteboard: [sg:critical?] → [sg:critical?] fixed by (dupe) of 650639
Did the patch in bug 650639 take care of this?

Btw it's possible that bug 655138 is related.
update crash bugs to critical per guidelines.
Severity: major → critical
automation found another crash

nsCharSinkTraits<CalculateUTF8Size>::write
copy_string<nsReadingIterator<short unsigned int>, CalculateUTF8Size>
ToNewUTF8String
nsGlobalWindow::Dump
nsIDOMJSWindow_Dump

at http://www.anthopoulosphotos.gr/ORK/AEI/2011_04_11_1400/index.html on Mac (locally I hit an OOM though). Original url doesn't reproduce for me but it never did locally. Perhaps the font related issue is fixed and these others are unrelated.
This patch is *just* the snippet from bug 650639 that is relevant for mozilla-beta.

(It was suggested that we need bug 650639 on mozilla-beta because it fixed a crash issue. However, most of that patch is not actually applicable because bug 633299 landed after the m-c -> aurora merge on 4/11.)
Assignee: jdaggett → jfkthame
Attachment #533553 - Flags: review?(jdaggett)
Attachment #533553 - Flags: approval-mozilla-beta?
Attachment #533553 - Flags: review?(jdaggett) → review+
Attachment #533553 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment on attachment 533553 [details] [diff] [review]
patch, don't use proxy font entry after it has been replaced

Please land this change on both Aurora and Beta. (In the future, getting changes in during Aurora will save you this extra step.)
Attachment #533553 - Flags: approval-mozilla-aurora+
Landed on both:
http://hg.mozilla.org/releases/mozilla-aurora/rev/ba68d5ae818c
http://hg.mozilla.org/releases/mozilla-beta/rev/f2b5e55cb53b
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Is PR_LOGging enabled in non-debug builds in this module? This patch looks like it applies to the 1.9.2 branch and we don't want to 0-day ourselves by fixing it only in Fx5 if there's a security bug here on branches too.
blocking1.9.2: --- → ?
status1.9.2: --- → ?
It looks like unless you configure with --disable-logging, the MOZ_LOGGING symbol will be defined, and this will enable PR_LOGging here. And trying it with a copy of Fx3.6.17 here confirms that logging in the userfonts module is enabled.

So yes, we probably want to take this on 1.9.2 as well. In any case, I don't see any risk in the patch; it's a clear and simple fix.
This is the equivalent patch for the 1.9.2 branch.
Attachment #538277 - Flags: approval1.9.2.18?
Comment on attachment 538277 [details] [diff] [review]
patch for 1.9.2 branch

Approved for 1.9.2.18, a=dveditz for release-drivers
Attachment #538277 - Flags: approval1.9.2.18? → approval1.9.2.18+
Crash Signature: [@ nsTArray_base<nsTArrayDefaultAllocator>::Length()] [@ nsCharSinkTraits<CalculateUTF8Size>::write] [@ gfxUserFontSet::LoadNext] [@ ashed) 0 xul.dll!CalculateUTF8Size::write(unsigned short const *,unsigned int)]
blocking1.9.2: ? → .18+
I can't reproduce any crash on http://www.arlovance.com/sketches with 1.9.2.17 on XP. It makes it difficult to verify the fix in 1.9.2.18. :-)
Whiteboard: [sg:critical?] fixed by (dupe) of 650639 → [sg:critical?] fixed by (dupe) of 650639 [qa-examined-192]
Group: core-security
Target Milestone: --- → mozilla6