Crash [@ nsTArray_base<nsTArrayDefaultAllocator>::Length()] [@ nsCharSinkTraits<CalculateUTF8Size>::write] [@ gfxUserFontSet::LoadNext] [@ ashed) 0 xul.dll!CalculateUTF8Size::write(unsigned short const *,unsigned int)]with downloaded font

RESOLVED FIXED in Firefox 5

Status

Core
Graphics
--
critical
RESOLVED FIXED
6 years ago
2 years ago

People

(Reporter: bc, Assigned: jfkthame)

Tracking

(Blocks: 1 bug, {crash})

Trunk
mozilla6
x86
All
crash
Points:
---
Firefox Tracking Flags

(firefox5+ fixed, blocking2.0 -, status2.0 wanted, blocking1.9.2 .18+, status1.9.2 .18-fixed)

Details

(Whiteboard: [sg:critical?] fixed by (dupe) of 650639 [qa-examined-192], crash signature, URL)

Attachments

(2 attachments)

(Reporter)

Description

6 years ago
1. http://www.arlovance.com/
2. sometimes crash. 

I haven't been able to reproduce locally on Mac OS X or Windows XP, but the automation has so far crashed on Windows 7 32bit, Fedora 14 32bit and 64bit. I have been able to reproduce locally on Fedora 14 32bit especially when running under gdb. I wasn't able to crash a nightly Linux build however. YMMV.

associated socorro signature: gfxUserFontSet::LoadNext 

Operating system: Windows NT
                  6.1.7601 Service Pack 1
CPU: x86
     GenuineIntel family 6 model 44 stepping 2
     1 CPU

Crash reason:  EXCEPTION_ACCESS_VIOLATION_READ
Crash address: 0xffffffffdddddddd

Thread 0 (crashed)
 0  xul.dll!nsTArray_base<nsTArrayDefaultAllocator>::Length() [nsTArray.h : 139 + 0x5]
    eip = 0x635d33bc   esp = 0x0017c394   ebp = 0x0017c398   ebx = 0x00000001
    esi = 0x00343e20   edi = 0x00000000   eax = 0x04c28238   ecx = 0xdddddddd
    edx = 0x04b55820   efl = 0x00010202
    Found by: given as instruction pointer in context
 1  xul.dll!gfxMixedFontFamily::RemoveFontEntry(gfxFontEntry *) [gfxUserFontSet.h : 113 + 0xa]
    eip = 0x63b193f4   esp = 0x0017c3a0   ebp = 0x0017c3b0
    Found by: call frame info
 2  xul.dll!gfxUserFontSet::LoadNext(gfxProxyFontEntry *) [gfxUserFontSet.cpp : 691 + 0xb]
    eip = 0x63b191ee   esp = 0x0017c3b8   ebp = 0x0017c7f0
    Found by: call frame info
 3  xul.dll!gfxUserFontSet::OnLoadComplete(gfxFontEntry *,unsigned char const *,unsigned int,unsigned int) [gfxUserFontSet.cpp : 586 + 0xe]
    eip = 0x63b17fe3   esp = 0x0017c7f8   ebp = 0x0017ce78
    Found by: call frame info
 4  xul.dll!nsFontFaceLoader::OnStreamComplete(nsIStreamLoader *,nsISupports *,unsigned int,unsigned int,unsigned char const *) [nsFontFaceLoader.cpp : 226 + 0x1f]
    eip = 0x63f12a7a   esp = 0x0017ce80   ebp = 0x0017cefc
    Found by: call frame info
 5  xul.dll!nsStreamLoader::OnStopRequest(nsIRequest *,nsISupports *,unsigned int) [nsStreamLoader.cpp : 125 + 0x3d]
    eip = 0x63bc4cc6   esp = 0x0017cf04   ebp = 0x0017cf24
    Found by: call frame info

Operating system: Linux
                  0.0.0 Linux 2.6.35.11-83.fc14.i686.PAE #1 SMP Mon Feb 7 06:57:55 UTC 2011 i686
CPU: x86
     GenuineIntel family 6 model 44 stepping 2
     1 CPU

Crash reason:  SIGSEGV
Crash address: 0x0

Thread 0 (crashed)
 0  libxul.so!nsTArray_base<nsTArrayDefaultAllocator>::Length [nsTArray.h : 139 + 0x5]
    eip = 0x00b1b84e   esp = 0xbf986d38   ebp = 0xbf986d38   ebx = 0x02ec255c
    esi = 0x08a70b90   edi = 0x00000020   eax = 0x00000000   ecx = 0x02ec255c
    edx = 0x00000004   efl = 0x00010216
    Found by: given as instruction pointer in context
 1  libxul.so!gfxMixedFontFamily::RemoveFontEntry [gfxUserFontSet.h : 113 + 0xd]
    eip = 0x021e5a78   esp = 0xbf986d40   ebp = 0xbf986d68   ebx = 0x02ec255c
    esi = 0x08a70b90   edi = 0x00000020
    Found by: call frame info
 2  libxul.so!gfxUserFontSet::LoadNext [gfxUserFontSet.cpp : 691 + 0x11]
    eip = 0x021e54db   esp = 0xbf986d70   ebp = 0xbf987118   ebx = 0x02ec255c
    esi = 0x08a70b90   edi = 0x00000020
    Found by: call frame info
 3  libxul.so!gfxUserFontSet::OnLoadComplete [gfxUserFontSet.cpp : 586 + 0x11]
    eip = 0x021e4e78   esp = 0xbf987120   ebp = 0xbf9876a8   ebx = 0x02ec255c
    esi = 0x095af330   edi = 0x0000b9c8
    Found by: call frame info
 4  libxul.so!nsFontFaceLoader::OnStreamComplete [nsFontFaceLoader.cpp : 226 + 0x31]
    eip = 0x00fd1540   esp = 0xbf9876b0   ebp = 0xbf987738   ebx = 0x02ec255c
    esi = 0x095af330   edi = 0x0000b9c8
    Found by: call frame info
 5  libxul.so!nsStreamLoader::OnStopRequest [nsStreamLoader.cpp : 125 + 0x4b]
    eip = 0x00bb5820   esp = 0xbf987740   ebp = 0xbf987788   ebx = 0x02ec255c
    esi = 0x095af330   edi = 0x0000b9c8
    Found by: call frame info

Operating system: Linux
                  0.0.0 Linux 2.6.35.11-83.fc14.i686.PAE #1 SMP Mon Feb 7 06:57:55 UTC 2011 i686
CPU: x86
     GenuineIntel family 6 model 44 stepping 2
     1 CPU

Crash reason:  SIGSEGV
Crash address: 0x9d36000

Thread 0 (crashed)
 0  libxul.so!nsCharSinkTraits<CalculateUTF8Size>::write [nsUTF8Utils.h : 604 + 0x3]
    eip = 0x01d60b00   esp = 0xbfb9b4b0   ebp = 0xbfb9b4f8   ebx = 0x02b2155c
    esi = 0x006f0063   edi = 0x00005e24   eax = 0x09d36000   ecx = 0x02da234c
    edx = 0x00273410   efl = 0x00010202
    Found by: given as instruction pointer in context
 1  libxul.so!copy_string<nsReadingIterator<short unsigned int>, CalculateUTF8Size> [nsAlgorithm.h : 93 + 0x31]
    eip = 0x01d5fd8a   esp = 0xbfb9b500   ebp = 0xbfb9b518   ebx = 0x02b2155c
    esi = 0x006f0063   edi = 0x00005e24
    Found by: call frame info
 2  libxul.so!AppendUTF16toUTF8 [nsReadableUtils.cpp : 200 + 0x12]
    eip = 0x01d5df9d   esp = 0xbfb9b520   ebp = 0xbfb9b578   ebx = 0x02b2155c
    esi = 0xbfb9b550   edi = 0x00005e24
    Found by: call frame info
 3  libxul.so!NS_ConvertUTF16toUTF8::NS_ConvertUTF16toUTF8 [nsString.h : 161 + 0x11]
    eip = 0x00776061   esp = 0xbfb9b580   ebp = 0xbfb9b598   ebx = 0x02b2155c
    esi = 0x09a8af50   edi = 0x00005e24
    Found by: call frame info
 4  libxul.so!gfxUserFontSet::OnLoadComplete [gfxUserFontSet.cpp : 477 + 0x1c]
    eip = 0x01e43950   esp = 0xbfb9b5a0   ebp = 0xbfb9bb28   ebx = 0x02b2155c
    esi = 0x09a8af50   edi = 0x00005e24
    Found by: call frame info
 5  libxul.so!nsFontFaceLoader::OnStreamComplete [nsFontFaceLoader.cpp : 226 + 0x31]
    eip = 0x00c30540   esp = 0xbfb9bb30   ebp = 0xbfb9bbb8   ebx = 0x02b2155c
    esi = 0x09a8af50   edi = 0x00005e24
    Found by: call frame info

ss since Windows 7 showed deleted heap in the crash address and ecx.
(Reporter)

Comment 1

6 years ago
1. http://www.arlovance.com/sketches
2. crash 

13 windows crashes:

https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=CalculateUTF8Size%3A%3Awrite&date=03%2F23%2F2011%2016%3A12%3A18&range_value=1&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=CalculateUTF8Size%3A%3Awrite%28unsigned%20short%20const%2A%2C%20unsigned%20int%29

associated socorro signature gfxMixedFontFamily::RemoveFontEntry(gfxFontEntry*) 

116 windows crashes

https://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=gfxMixedFontFamily%3A%3ARemoveFontEntry%28gfxFontEntry%2A%29&date=03%2F23%2F2011%2016%3A18%3A04&range_value=1&range_unit=weeks&hang_type=any&process_type=any&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&admin=&signature=gfxMixedFontFamily%3A%3ARemoveFontEntry%28gfxFontEntry%2A%29

Operating system: Windows NT
                  5.1.2600 Service Pack 3
CPU: x86
     GenuineIntel family 6 model 44 stepping 2
     1 CPU

Crash reason:  EXCEPTION_ACCESS_VIOLATION_READ
Crash address: 0x4

Thread 0 (crashed)
 0  xul.dll!CalculateUTF8Size::write(unsigned short const *,unsigned int) [nsUTF8Utils.h : 604 + 0x3]
    eip = 0x114f8da5   esp = 0x0012ceac   ebp = 0x0012cebc   ebx = 0x00000001
    esi = 0x0107ff78   edi = 0x00000000   eax = 0x00000004   ecx = 0x030268f0
    edx = 0x00000004   efl = 0x00010283
    Found by: given as instruction pointer in context
 1  xul.dll!nsCharSinkTraits<CalculateUTF8Size>::write(CalculateUTF8Size &,unsigned short const *,unsigned int) [nsCharTraits.h : 812 + 0xf]
    eip = 0x114f8d63   esp = 0x0012cec4   ebp = 0x0012cecc
    Found by: call frame info
 2  xul.dll!copy_string<nsReadingIterator<unsigned short>,CalculateUTF8Size>(nsReadingIterator<unsigned short> const &,nsReadingIterator<unsigned short> const &,CalculateUTF8Size &) [nsAlgorithm.h : 93 + 0x26]
    eip = 0x114f82da   esp = 0x0012ced4   ebp = 0x0012cee0
    Found by: call frame info
 3  xul.dll!AppendUTF16toUTF8(nsAString_internal const &,nsACString_internal &) [nsReadableUtils.cpp : 200 + 0x22]
    eip = 0x114f6b21   esp = 0x0012cee8   ebp = 0x0012cf20
    Found by: call frame info
 4  xul.dll!NS_ConvertUTF16toUTF8::NS_ConvertUTF16toUTF8(nsAString_internal const &) [nsString.h : 161 + 0xc]
    eip = 0x100569dc   esp = 0x0012cf28   ebp = 0x0012cf34
    Found by: call frame info
 5  xul.dll!gfxUserFontSet::OnLoadComplete(gfxFontEntry *,unsigned char const *,unsigned int,unsigned int) [gfxUserFontSet.cpp : 477 + 0x13]
    eip = 0x10587cff   esp = 0x0012cf3c   ebp = 0x0012d5bc
    Found by: call frame info
Summary: Crash [@ nsTArray_base<nsTArrayDefaultAllocator>::Length()] [@ nsCharSinkTraits<CalculateUTF8Size>::write] [@ gfxUserFontSet::LoadNext] with downloaded font → Crash [@ nsTArray_base<nsTArrayDefaultAllocator>::Length()] [@ nsCharSinkTraits<CalculateUTF8Size>::write] [@ gfxUserFontSet::LoadNext] [@ ashed) 0 xul.dll!CalculateUTF8Size::write(unsigned short const *,unsigned int)]with downloaded font
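As an added triage aid that is not part of this bug or of Mozilla's tooling: a small parser for the minidump_stackwalk text dumps quoted above that extracts the crashed thread's frames, builds a Socorro-style top-frames signature like the ones used to correlate the reports here, and flags a crash address or frame-0 register holding the MSVC debug-heap fill byte 0xDD, the "deleted heap" clue the reporter noted in the Windows 7 dump (crash address 0xffffffffdddddddd, ecx = 0xdddddddd). The sample input is constructed from the description's dump, and the signature rule is a simplified stand-in for Socorro's real one.

```python
import re

# Constructed sample in the minidump_stackwalk layout quoted in this bug (values from the Windows 7 dump).
SAMPLE = """\
Crash reason:  EXCEPTION_ACCESS_VIOLATION_READ
Crash address: 0xffffffffdddddddd
Thread 0 (crashed)
 0  xul.dll!nsTArray_base<nsTArrayDefaultAllocator>::Length() [nsTArray.h : 139 + 0x5]
    eip = 0x635d33bc   esp = 0x0017c394   ebp = 0x0017c398   ebx = 0x00000001
    esi = 0x00343e20   edi = 0x00000000   eax = 0x04c28238   ecx = 0xdddddddd
    Found by: given as instruction pointer in context
 1  xul.dll!gfxMixedFontFamily::RemoveFontEntry(gfxFontEntry *) [gfxUserFontSet.h : 113 + 0xa]
    eip = 0x63b193f4   esp = 0x0017c3a0   ebp = 0x0017c3b0
 2  xul.dll!gfxUserFontSet::LoadNext(gfxProxyFontEntry *) [gfxUserFontSet.cpp : 691 + 0xb]
"""
FRAME_RE = re.compile(r"^\s*(\d+)\s+([^!\s]+)!(.*?)(?:\s+\[([^\]]+?) : (\d+) \+ 0x[0-9a-fA-F]+\])?\s*$")
REG_RE = re.compile(r"\b(e[a-z]{2})\s*=\s*0x([0-9a-fA-F]+)")
# Fill bytes the MSVC debug CRT heap writes: 0xDD over freed blocks, 0xCD over fresh ones.
FILL_BYTES = {"dd": "freed heap memory (use-after-free suspected)", "cd": "uninitialised heap memory"}

def parse_crashed_thread(text):
    """Return crash reason, crash address, frames and frame-0 registers of the crashed thread."""
    report, in_thread = {"reason": None, "address": None, "frames": [], "registers": {}}, False
    for line in text.splitlines():
        if line.startswith(("Crash reason:", "Crash address:")):
            report[line.split(":")[0].split()[-1].lower()] = line.split(":", 1)[1].strip()
        elif line.startswith("Thread "):
            in_thread = "(crashed)" in line  # only keep frames of the crashed thread
        elif in_thread:
            m = FRAME_RE.match(line)
            if m:
                report["frames"].append({"module": m.group(2), "function": m.group(3),
                                         "file": m.group(4), "line": m.group(5)})
            elif len(report["frames"]) == 1:  # register lines directly under frame 0
                report["registers"].update(REG_RE.findall(line))
    return report

def signature(report, depth=3):
    """Socorro-style signature: the top frames' function names joined with ' | '."""
    return " | ".join(f["function"] for f in report["frames"][:depth])

def fill_byte(hexval):
    """The debug-heap fill byte if the low 32 bits of hexval repeat one, else None."""
    low = hexval.lower().split("x")[-1][-8:]
    pairs = {low[i:i + 2] for i in range(0, len(low), 2)}
    return low[:2] if len(low) == 8 and len(pairs) == 1 and low[:2] in FILL_BYTES else None

def heap_fill_hits(report):
    """Crash address and frame-0 registers whose value is a debug-heap fill pattern."""
    values = {**report["registers"], "crash address": report["address"] or ""}
    return {n: FILL_BYTES[fill_byte(v)] for n, v in values.items() if fill_byte(v)}
```

Running `heap_fill_hits(parse_crashed_thread(SAMPLE))` reports both the crash address and ecx as freed-heap fill, which is the hint that the fault is a stale pointer rather than a plain null dereference.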
We really need to capture testcases for this one. Is this a bunch of different crashes at the same site, or are we so screwed up we can crash in such different places. Is it UTF8 conversion or Fonts that are the problem?
Keywords: testcase-wanted
Whiteboard: [sg:critical?]
John, Jonathan - ideas?
John, can you please have a look here before we lose the testcase etc?
Assignee: nobody → jdaggett
(Reporter)

Comment 5

6 years ago
ditto http://themes.amplus.gambit.ph/?page_id=375
John, we need some traction on this security bug. If you're not the right owner, please make that clear...
tracking-firefox5: --- → +
(Assignee)

Comment 7

6 years ago
Is this still an issue on trunk? I don't see how we could hit a crash like this now that bug 623711 has landed. (Bug 650639 could be a more recent but somewhat similar scenario, but I believe that is now fixed as well.)
(Reporter)

Comment 8

6 years ago
comment 5 showed a crash after bug 623711 check-ins to mc.

Comment 9

6 years ago
My guess is that this is bug 650639 but I'll see if I can reproduce this with builds prior to that fix to try and confirm this.

Comment 10

6 years ago
Looks like this was fixed by the checkin for bug 650639, which landed on 4/27 at 22:14 PDT.

Running on Windows 7 with the 64-bit binary with the startup page set to www.arlovance.com.  Page uses typekit, and includes some custom swizzling behavior for FF to hide font loads for 3 seconds (not necessary in FF4 and above).

Crashes:
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:6.0a1) Gecko/20110427 Firefox/6.0a1

Doesn't crash:
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:6.0a1) Gecko/20110428 Firefox/6.0a1
(Assignee)

Comment 11

6 years ago
If I'm understanding correctly, this is a crash signature that you could have gotten from bug 650639 in debug builds because of the userfont logging code that tries to access the font family name; in builds without logging, you'd see the ReplaceFontEntry crash signature instead.

Comment 12

6 years ago
(In reply to comment #11)
> If I'm understanding correctly, this is a crash signature that you could have
> gotten from bug 650639 in debug builds because of the userfont logging code
> that tries to access the font family name; in builds without logging, you'd see
> the ReplaceFontEntry crash signature instead.

That makes sense.  

I verified that the changeset for bug 650639 is the precise point at which the fix landed.  Using tinderbox builds from:

ftp://ftp.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-win32/

The submit time on the checkin is 1303967711.  Comparing with the build just before it, 1303949796, the crash occurs with the build before the checkin but not after.

Mark as a duplicate?  Sounds like we need to land the fixes for bug 650639 (and 623711) on 4.x/Aurora ASAP.
Marking this depend on bug 650639 since that's where the fix is, but keeping this bug open for its testcase so it gets verified as a security bug when fixed.
blocking2.0: --- → -
status2.0: --- → wanted
Depends on: 650639
Whiteboard: [sg:critical?] → [sg:critical?] fixed by (dupe) of 650639

Updated

6 years ago
tracking-firefox5: + → ---

Comment 14

6 years ago
Did the patch in bug 650639 take care of this?

Btw it's possible that bug 655138 is related.
(Reporter)

Comment 15

6 years ago
update crash bugs to critical per guidelines.
Severity: major → critical
(Reporter)

Comment 16

6 years ago
automation found another crash

nsCharSinkTraits<CalculateUTF8Size>::write
copy_string<nsReadingIterator<short unsigned int>, CalculateUTF8Size> ToNewUTF8String nsGlobalWindow::Dump
nsIDOMJSWindow_Dump

at http://www.anthopoulosphotos.gr/ORK/AEI/2011_04_11_1400/index.html on Mac (locally I hit an OOM though). Original url doesn't reproduce for me but it never did locally. Perhaps the font related issue is fixed and these others are unrelated.
(Assignee)

Comment 17

6 years ago
Created attachment 533553 [details] [diff] [review]
patch, don't use proxy font entry after it has been replaced

This patch is *just* the snippet from bug 650639 that is relevant for mozilla-beta.

(It was suggested that we need bug 650639 on mozilla-beta because it fixed a crash issue. However, most of that patch is not actually applicable because bug 633299 landed after the m-c -> aurora merge on 4/11.)
Assignee: jdaggett → jfkthame
Attachment #533553 - Flags: review?(jdaggett)
Attachment #533553 - Flags: approval-mozilla-beta?

Updated

6 years ago
Attachment #533553 - Flags: review?(jdaggett) → review+

Updated

6 years ago
tracking-firefox5: --- → +

Updated

6 years ago
Attachment #533553 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment 18

6 years ago
Comment on attachment 533553 [details] [diff] [review]
patch, don't use proxy font entry after it has been replaced

Please land this change on both Aurora and Beta. (In the future, getting changes in during Aurora will save you this extra step.)
Attachment #533553 - Flags: approval-mozilla-aurora+
(Assignee)

Comment 19

6 years ago
Landed on both:
http://hg.mozilla.org/releases/mozilla-aurora/rev/ba68d5ae818c
http://hg.mozilla.org/releases/mozilla-beta/rev/f2b5e55cb53b
Status: NEW → RESOLVED
Last Resolved: 6 years ago
status-firefox5: --- → fixed
Resolution: --- → FIXED
Is PR_LOGging enabled in non-debug builds in this module? This patch looks like it applies to the 1.9.2 branch and we don't want to 0-day ourselves by fixing it only in Fx5 if there's a security bug here on branches too.
blocking1.9.2: --- → ?
status1.9.2: --- → ?
(Assignee)

Comment 21

6 years ago
It looks like unless you configure with --disable-logging, the MOZ_LOGGING symbol will be defined, and this will enable PR_LOGging here. And trying it with a copy of Fx3.6.17 here confirms that logging in the userfonts module is enabled.

So yes, we probably want to take this on 1.9.2 as well. In any case, I don't see any risk in the patch; it's a clear and simple fix.
(Assignee)

Comment 22

6 years ago
Created attachment 538277 [details] [diff] [review]
patch for 1.9.2 branch

This is the equivalent patch for the 1.9.2 branch.
Attachment #538277 - Flags: approval1.9.2.18?
Comment on attachment 538277 [details] [diff] [review]
patch for 1.9.2 branch

Approved for 1.9.2.18, a=dveditz for release-drivers
Attachment #538277 - Flags: approval1.9.2.18? → approval1.9.2.18+
(Assignee)

Comment 24

6 years ago
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/43ee26cdf2b6
status1.9.2: ? → .18-fixed
Crash Signature: [@ nsTArray_base<nsTArrayDefaultAllocator>::Length()] [@ nsCharSinkTraits<CalculateUTF8Size>::write] [@ gfxUserFontSet::LoadNext] [@ ashed) 0 xul.dll!CalculateUTF8Size::write(unsigned short const *,unsigned int)]
blocking1.9.2: ? → .18+
Crash Signature: [@ nsTArray_base<nsTArrayDefaultAllocator>::Length()] [@ nsCharSinkTraits<CalculateUTF8Size>::write] [@ gfxUserFontSet::LoadNext] [@ ashed) 0 xul.dll!CalculateUTF8Size::write(unsigned short const *,unsigned int)] → [@ nsTArray_base<nsTArrayDefaultAllocator>::Length()] [@ nsCharSinkTraits<CalculateUTF8Size>::write] [@ gfxUserFontSet::LoadNext] [@ ashed) 0 xul.dll!CalculateUTF8Size::write(unsigned short const *,unsigned int)]
I can't reproduce any crash on http://www.arlovance.com/sketches with 1.9.2.17 on XP. It makes it difficult to verify the fix in 1.9.2.18. :-)
Whiteboard: [sg:critical?] fixed by (dupe) of 650639 → [sg:critical?] fixed by (dupe) of 650639 [qa-examined-192]
Group: core-security

Updated

6 years ago
Target Milestone: --- → mozilla6
Keywords: testcase-wanted