Closed
Bug 660787
Opened 13 years ago
Closed 12 years ago
EXCEPTION_ACCESS_VIOLATION_EXEC Crash [@ NPSWF32.dll@0x1abc8d] with Flash 10.3.181.14
Categories
(External Software Affecting Firefox Graveyard :: Flash (Adobe), defect)
x86
Windows 7
Tracking
(firefox-esr10- unaffected)
RESOLVED
FIXED
Flag | Tracking | Status |
---|---|---|
firefox-esr10 | - | unaffected |
People
(Reporter: bc, Unassigned)
Details
(Keywords: crash, Whiteboard: [sg:vector (flash)])
Attachments
(1 file: 18.08 KB, text/plain)
1. http://wawa-mania.biz/dvdrip-salt/
2. Shutdown
3. Crash plugin-container process in Win7 in automation.

I haven't been able to reproduce locally on xp (don't have win7)

    Operating system: Windows NT
                      6.1.7601 Service Pack 1
    CPU: x86
         GenuineIntel family 6 model 44 stepping 2
         2 CPUs

    Crash reason:  EXCEPTION_ACCESS_VIOLATION_EXEC
    Crash address: 0x20752520
    Assertion: Unknown assertion type 0x00000000

    Thread 8 (crashed)
     0  0x20752520
        eip = 0x20752520   esp = 0x044df97c   ebp = 0x044df9e8   ebx = 0x00000000
        esi = 0x03968000   edi = 0x039683b0   eax = 0x20752520   ecx = 0x03968000
        edx = 0x711d4fc8   efl = 0x00010202
        Found by: given as instruction pointer in context
     1  NPSWF32.dll + 0x1abc8d
        eip = 0x70e1bc8e   esp = 0x044df9f0   ebp = 0x044dfa5c
        Found by: previous frame's frame pointer
     2  NPSWF32.dll + 0x1abd0c
        eip = 0x70e1bd0d   esp = 0x044dfa64   ebp = 0x044dfa7c
        Found by: previous frame's frame pointer
     3  ntdll.dll + 0x39ed1
        eip = 0x77da9ed2   esp = 0x044dfa84   ebp = 0x044dfabc
        Found by: previous frame's frame pointer
     4  ntdll.dll + 0x39ea4
        eip = 0x77da9ea5   esp = 0x044dfac4   ebp = 0x044dfad4
        Found by: previous frame's frame pointer

breakpad's exploitable tool rates this as high.
Comment 1•13 years ago
Can you submit a crash-stats version of this so we can get real Flash backtraces?
Comment 2•13 years ago
bc: alternately, you can grab the Flash PDB files from \\fs2\Public\flash-symbols on the intranet. (I don't think I uploaded the Breakpad .sym files, so you'll have to either load the minidump in a debugger or run dump_syms on them yourself to use minidump_stackwalk.)
Reporter
Comment 3•13 years ago
No guarantee this isn't BS.

    0x20752520
    NPSWF32!F241528326__________+0x21e
    NPSWF32!F1632682690___________+0x7a
    NPSWF32!F_1598865676____+0x9
    NPSWF32!F_956477585________________+0xc
    kernel32+0x133ca
    ntdll+0x39ed2
    ntdll+0x39ea5
I haven't had a chance to look at this yet because of URL restrictions. When IT allows my request, I'll take a look then...
Reporter
Comment 5•13 years ago
Sal, thanks. I haven't been able to reproduce it unfortunately even on one of the automation's win7 vms. I'll submit it to the automation again later this evening.
Reporter
Comment 6•13 years ago
Tested in automation using Windows XP, Windows 7, Fedora 14 32bit, Fedora 14 64bit for 2.0.0, beta, aurora, nightly. I couldn't reproduce this crash. :-( Linux crashes due to Java and Mac 10.5 does not crash at all.
Comment 7•13 years ago
It's possible the site you're testing changed. Might or might not be fixed in the recent flash update?
Keywords: testcase-wanted
Whiteboard: [sg:vector (flash)]
Reporter
Comment 8•13 years ago
I submitted this url along with the other flash urls to automation. Windows XP and Windows 7 completed and did not crash with this particular url though they did with http://www.tumejortv.com/.

I attempted to investigate closer by manually loading the urls in my local Windows XP instance with vc's debugger attached to plugin-container. It isn't completely reliable, but with yesterday's nightly on winxp I got the corrupt heap error again (bug 657588) after manually loading the following urls while vc was attached to plugin-container

http://desporto.pt.msn.com/porto/article.aspx?cp-documentid=156735269
http://fortland.ru/index.html?action=catalog2%2526id=13%2526pid=109%2526pid2=109
http://www.flashgsm.ro/index.php?action=vezi_tot%252526id_brand=8&id=5376&nume_model=Vertu%20Ascent%20X
http://wawa-mania.biz/dvdrip-salt/
http://www.tumejortv.com/

A recurring theme of these sites is the Download Now, Play Now stuff and the same advertisements for avatars and free ipads.

With the ever changing advertisements, I think we need to get a handle on this corrupted heap before we can tell what is happening.
@bob are you seeing more of the issue on XP? I haven't been able to reproduce the issue so far on either XP or Win7, but it would be better to focus on one if this is the case. Also, which version of Firefox are we talking about? I've been using FF4.0.
Reporter
Comment 10•13 years ago
Sal, I'm in the middle of retesting all of my flash urls and am seeing significant improvement in the automation results. Windows XP has completed and Windows 7 should complete in a few hours. Unfortunately Linux and Mac will take several days to complete due to the low number of test machines I have available. I am also rebuilding all of my branches locally on Windows XP, Linux and Mac so that I can test them with up to date builds. It may be that bug 658741 is the root of many of my recent problems but I won't know for sure until I complete my local builds and retest the urls manually. Note that in order to test the debug heap assertions you need to be using a debug build of Firefox. The corrupted heap may not result in a crash each time, so it is important to test with debug builds. I'll have an update for you shortly.
Reporter
Comment 11•13 years ago
(In reply to comment #8)

I could not manually reproduce flash related crashes on Windows XP or Linux on any of these urls with recent builds. In the following, anything prior to 2011-06-06 would be with Flash 10.3.181.14 and anything on/after would be with Flash 10.3.181.22.

> http://desporto.pt.msn.com/porto/article.aspx?cp-documentid=156735269

Last reproducible automation flash related crash on Firefox 4.x on Linux on 2011-05-26 at address 0xdadadada and stack

    libexpat.so.1.5.2@0x2ad9
    libflashplayer.so@0x351fff
    libgio-2.0.so.0.2600.0@0xb6b9f
    libfreetype.so.6.6.0@0x66fff
    libgio-2.0.so.0.2600.0@0xa9073

> http://fortland.ru/index.html?action=catalog2%2526id=13%2526pid=109%2526pid2=109

Last reproducible automation flash related crash on Aurora on Linux 2011-05-26 at address 0x3d033b00 and stack

    SplitElementTxn::DoTransaction
    mai_key_snooper
    libfreetype.so.6.6.0@0x7703d
    libc-2.13.so@0x3aff
    libflashplayer.so@0xaa200e

> http://www.flashgsm.ro/index.php?action=vezi_tot%252526id_brand=8&id=5376&nume_model=Vertu%20Ascent%20X

Last reproducible automation flash related crash on Nightly on Linux 2011-06-10 at address 0x20646e75 stack

    ViewportFrame::InvalidateInternal
    BCPaintBorderIterator::First
    nsMouseWheelTransaction::OnFailToScrollTarget
    libflashplayer.so@0x50f134
    libgtk-x11-2.0.so.0.2200.0@0x4b700

> http://wawa-mania.biz/dvdrip-salt/

Last reproducible automation flash related crash on Firefox 4.x on Windows 7 2011-05-30T at address 0x20752520 stack

    NPSWF32.dll@0x1abc8d
    NPSWF32.dll@0x1abd0c
    ntdll.dll@0x39ed1
    ntdll.dll@0x39ea4

> http://www.tumejortv.com/

Last reproducible automation flash related crash on Aurora on Windows 7 at address 0x0 stack

    NPSWF32.dll@0x18fc8f
    NPSWF32.dll@0x11f70e
    NPSWF32.dll@0x49ee77
    NPSWF32.dll@0x10b2e1
    NPSWF32.dll@0x11f8e2

Sal, this *may* be only Windows 7 or it may have been fixed in Flash 10.3.181.22 or it may be transient crash caused by the particular ads that are served. I'll leave it open and security sensitive for now.
Assignee
Updated•13 years ago
Crash Signature: [@ NPSWF32.dll@0x1abc8d]
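
A triage sketch for the stackwalk output in the description and the crash addresses listed in comment 11. It is an added example, not part of this bug and not Breakpad's exploitable tool; the function names, labels and the three heuristics are this example's own assumptions.

```python
import re
import struct

# Frame 0 of the report in the description, re-typed from this page.
REPORT = """\
Crash reason:  EXCEPTION_ACCESS_VIOLATION_EXEC
Crash address: 0x20752520
Thread 8 (crashed)
 0  0x20752520
    eip = 0x20752520   esp = 0x044df97c   ebp = 0x044df9e8   ebx = 0x00000000
    esi = 0x03968000   edi = 0x039683b0   eax = 0x20752520   ecx = 0x03968000
    edx = 0x711d4fc8   efl = 0x00010202
    Found by: given as instruction pointer in context
 1  NPSWF32.dll + 0x1abc8d
"""

def parse_stackwalk(text):
    """Return (reason, crash address, frame-0 registers, frame 0 inside a module?)."""
    reason = re.search(r"Crash reason:\s*(\S+)", text).group(1)
    address = int(re.search(r"Crash address:\s*(0x[0-9a-fA-F]+)", text).group(1), 16)
    frame0 = re.search(r"^[ \t]*0[ \t]+(.*?)Found by:", text, re.S | re.M).group(1)
    regs = {n: int(v, 16) for n, v in re.findall(r"(\w+) = (0x[0-9a-fA-F]+)", frame0)}
    # A frame that maps to a module is printed as "module + offset".
    return reason, address, regs, "+" in frame0.splitlines()[0]

def address_shape(addr):
    """Heuristic label for a 32-bit crash address (this example's own rule set)."""
    raw = struct.pack("<I", addr)  # byte order as stored in x86 memory
    if addr < 0x10000:
        return "near-null"
    if len(set(raw)) == 1:
        return "fill-pattern"
    if all(0x20 <= b < 0x7F for b in raw):
        return "ascii:" + raw.decode("ascii")
    return "other"

def triage(text):
    reason, address, regs, in_module = parse_stackwalk(text)
    findings = []
    if reason.endswith("_EXEC") and not in_module:
        findings.append("executing outside any module")
    same = sorted(r for r, v in regs.items() if r != "eip" and v == regs.get("eip"))
    if same:
        findings.append("eip == " + ",".join(same))
    findings.append(address_shape(address))
    return findings

if __name__ == "__main__":
    print(triage(REPORT))
    print([address_shape(a) for a in (0xDADADADA, 0x3D033B00, 0x20646E75, 0x0)])
```

Two of the five crash addresses decode to printable text (`0x20752520` is " %u ", `0x20646e75` is "und "), which is consistent with a code pointer having been overwritten by string data and with the heap-corruption theory raised in comment 8.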
Reporter
Comment 12•12 years ago
Not reproducible in Beta/11, Aurora/12, Nightly/13 with Flash 11.1.102.62 -> FIXED.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 13•12 years ago
(In reply to Bob Clary [:bc:] from comment #12)
> Not reproducible in Beta/11, Aurora/12, Nightly/13 with Flash 11.1.102.62 ->
> FIXED.

Does this reproduce on FF10? We're trying to figure out whether or not the ESR is affected. Thanks!
tracking-firefox-esr10: --- → ?
Reporter
Comment 14•12 years ago
I don't know. In comment 12 I tested using the crash automation using all of the urls in this bug for Mac, Linux, Windows XP and Windows 7 for all three branches but I didn't test using Firefox 10 or 10esr. This was either a bug in the Flash plugin or an instance of the Plugin heap corruption bug 657588.
Updated•12 years ago
Updated•12 years ago
status-firefox-esr10: --- → unaffected
Updated•9 years ago
Group: core-security → core-security-release
Updated•9 years ago
Keywords: testcase-wanted
Comment 15•8 years ago
Version and milestone values are being reset to defaults as part of product refactoring.
Version: 10.3 → unspecified
Updated•8 years ago
Group: core-security-release
Updated•2 years ago
Product: External Software Affecting Firefox → External Software Affecting Firefox Graveyard