Closed Bug 660787 Opened 13 years ago Closed 12 years ago

EXCEPTION_ACCESS_VIOLATION_EXEC Crash [@ NPSWF32.dll@0x1abc8d] with Flash 10.3.181.14

Categories

(External Software Affecting Firefox Graveyard :: Flash (Adobe), defect)

Hardware: x86
OS: Windows 7
Type: defect
Priority: Not set
Severity: critical

Tracking

RESOLVED FIXED
Tracking Status: firefox-esr10 - unaffected

People

(Reporter: bc, Unassigned)


Details

(Keywords: crash, Whiteboard: [sg:vector (flash)])

Attachments

(1 file)

Attached file crash report
1. http://wawa-mania.biz/dvdrip-salt/
2. Shutdown
3. Crash plugin-container process in Win7 in automation. I haven't been able to reproduce locally on xp (don't have win7)

Operating system: Windows NT
                  6.1.7601 Service Pack 1
CPU: x86
     GenuineIntel family 6 model 44 stepping 2
     2 CPUs

Crash reason:  EXCEPTION_ACCESS_VIOLATION_EXEC
Crash address: 0x20752520
Assertion: Unknown assertion type 0x00000000

Thread 8 (crashed)
 0  0x20752520
    eip = 0x20752520   esp = 0x044df97c   ebp = 0x044df9e8   ebx = 0x00000000
    esi = 0x03968000   edi = 0x039683b0   eax = 0x20752520   ecx = 0x03968000
    edx = 0x711d4fc8   efl = 0x00010202
    Found by: given as instruction pointer in context
 1  NPSWF32.dll + 0x1abc8d
    eip = 0x70e1bc8e   esp = 0x044df9f0   ebp = 0x044dfa5c
    Found by: previous frame's frame pointer
 2  NPSWF32.dll + 0x1abd0c
    eip = 0x70e1bd0d   esp = 0x044dfa64   ebp = 0x044dfa7c
    Found by: previous frame's frame pointer
 3  ntdll.dll + 0x39ed1
    eip = 0x77da9ed2   esp = 0x044dfa84   ebp = 0x044dfabc
    Found by: previous frame's frame pointer
 4  ntdll.dll + 0x39ea4
    eip = 0x77da9ea5   esp = 0x044dfac4   ebp = 0x044dfad4
    Found by: previous frame's frame pointer

breakpad's exploitable tool rates this as high.
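Why the exploitable tool rates this crash high can be read straight off the stackwalk text above: the fault is an instruction fetch (EXCEPTION_ACCESS_VIOLATION_EXEC), the crashed thread's frame 0 is in no loaded module, and eip equals the faulting address, so an indirect call or return transferred control to 0x20752520. That value, and the 0x20646e75 crash address reported for a later URL in this bug, are printable ASCII when read as little-endian bytes (" %u " and "und "), which is what a function pointer or vtable slot looks like after string data has been written over it. The script below is an added example, not Breakpad's code; it re-parses the report quoted from the attachment and applies a rough version of those checks (the rating thresholds are my own simplification of the exploitable tool's Windows rules).

```python
"""Triage helper for minidump_stackwalk output (added example, not Breakpad code)."""
import re

# Crash report text quoted from the attachment above (minidump_stackwalk output,
# cut down to the fields the helper reads).
REPORT = """\
Crash reason:  EXCEPTION_ACCESS_VIOLATION_EXEC
Crash address: 0x20752520

Thread 8 (crashed)
 0  0x20752520
    eip = 0x20752520   esp = 0x044df97c   ebp = 0x044df9e8   ebx = 0x00000000
    esi = 0x03968000   edi = 0x039683b0   eax = 0x20752520   ecx = 0x03968000
    edx = 0x711d4fc8   efl = 0x00010202
    Found by: given as instruction pointer in context
 1  NPSWF32.dll + 0x1abc8d
    eip = 0x70e1bc8e   esp = 0x044df9f0   ebp = 0x044dfa5c
    Found by: previous frame's frame pointer
 2  NPSWF32.dll + 0x1abd0c
    eip = 0x70e1bd0d   esp = 0x044dfa64   ebp = 0x044dfa7c
    Found by: previous frame's frame pointer
 3  ntdll.dll + 0x39ed1
    eip = 0x77da9ed2   esp = 0x044dfa84   ebp = 0x044dfabc
    Found by: previous frame's frame pointer
"""

# A frame header is either "N  module + 0xoffset" or "N  0xaddress" (no module).
FRAME_RE = re.compile(
    r"^\s*(?P<n>\d+)\s+(?:(?P<module>\S+) \+ (?P<off>0x[0-9a-f]+)|(?P<raw>0x[0-9a-f]+))\s*$",
    re.I,
)
EIP_RE = re.compile(r"\beip = (0x[0-9a-f]+)", re.I)


def parse_report(text):
    """Return crash reason, crash address and the crashed thread's frames.

    For a frame inside a module, "address" is the module-relative offset;
    for a frame in no module it is the absolute pc.
    """
    reason = re.search(r"Crash reason:\s+(\S+)", text).group(1)
    address = int(re.search(r"Crash address:\s+(0x[0-9a-f]+)", text, re.I).group(1), 16)
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append({
                "module": m.group("module"),  # None when the pc is in no known module
                "address": int(m.group("off") or m.group("raw"), 16),
                "eip": None,
            })
            continue
        m = EIP_RE.search(line)
        if m and frames and frames[-1]["eip"] is None:
            frames[-1]["eip"] = int(m.group(1), 16)
    return {"reason": reason, "address": address, "frames": frames}


def as_ascii(value, width=4):
    """Decode a 32-bit value as the little-endian bytes it occupies in memory.

    A pointer that spells printable text almost always came from string data
    that overwrote a function pointer, vtable slot or saved return address.
    """
    raw = value.to_bytes(width, "little")
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def triage(report):
    """Loosely modelled on the checks Breakpad's exploitable tool makes on
    Windows (assumption: this simplification is mine, not the tool's code)."""
    reasons = []
    reason = report["reason"]
    if reason.endswith(("_EXEC", "_WRITE")):
        rating = "high"
        reasons.append("%s: fetch or write at an attacker-influenced address" % reason)
    elif reason.startswith("EXCEPTION_ACCESS_VIOLATION"):
        rating = "medium"
        reasons.append("%s: read fault, needs a closer look" % reason)
    else:
        rating = "low"
    frames = report["frames"]
    if frames and frames[0]["module"] is None:
        reasons.append("pc 0x%x is outside every loaded module" % frames[0]["address"])
    if frames and frames[0]["eip"] == report["address"]:
        reasons.append("pc equals the faulting address: an indirect call or return "
                       "went to 0x%x" % report["address"])
    text = as_ascii(report["address"])
    if text is not None:
        reasons.append("faulting address is the ASCII bytes %r: a pointer was "
                       "overwritten by string data" % text)
    return {"rating": rating, "reasons": reasons}


if __name__ == "__main__":
    result = triage(parse_report(REPORT))
    print(result["rating"])
    for r in result["reasons"]:
        print(" -", r)
```

The ASCII check is the one worth keeping in any triage script: it separates "jumped through a dangling or corrupted pointer" (high value for an attacker, since the bytes came from somewhere they may control) from a plain null dereference, and it is why the later comment's 0xdadadada (a poison fill pattern, not text) points at freed memory rather than string data.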
Can you submit a crash-stats version of this so we can get real Flash backtraces?
bc: alternately, you can grab the Flash PDB files from \\fs2\Public\flash-symbols on the intranet. (I don't think I uploaded the Breakpad .sym files, so you'll have to either load the minidump in a debugger or run dump_syms on them yourself to use minidump_stackwalk.)
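For anyone following the dump_syms route described in the comment above: minidump_stackwalk only finds a .sym file if it sits at symbols/<debug file>/<debug id>/<name>.sym, where both values come from the MODULE line dump_syms writes, and it resolves an offset like NPSWF32.dll + 0x1abc8d by locating the FUNC record that contains it (falling back to the nearest preceding PUBLIC). The script below is an added example, not Breakpad's code. Its SYM_TEXT is a constructed stand-in for the real NPSWF32 symbol file: the MODULE id, the FUNC sizes and the PUBLIC address are made up; the first two function names and their start offsets are back-computed from the "+0x21e" and "+0x7a" frames in the debugger stack posted further down in this bug.

```python
"""Breakpad .sym placement and lookup (added example, not Breakpad's own code)."""

# Constructed stand-in for `dump_syms NPSWF32.pdb > NPSWF32.sym`.
# Assumptions: the 33-hex-digit debug id, the FUNC sizes (0x223, 0x90) and the
# PUBLIC address are invented; function starts 0x1aba6f and 0x1abc92 were derived
# from the frames NPSWF32.dll+0x1abc8d (+0x21e) and +0x1abd0c (+0x7a) in this bug.
SYM_TEXT = """\
MODULE windows x86 0123456789ABCDEF0123456789ABCDEF1 NPSWF32.pdb
FUNC 1aba6f 223 0 F241528326__________
FUNC 1abc92 90 0 F1632682690___________
PUBLIC 1abe00 0 F_1598865676____
"""


def sym_store_path(root, sym_text):
    """Path minidump_stackwalk expects for this .sym file, built from its
    MODULE line: <root>/<debug_file>/<debug_id>/<debug_file with .pdb -> .sym>."""
    header = sym_text.splitlines()[0].split()
    if header[0] != "MODULE":
        raise ValueError("not a Breakpad symbol file")
    debug_id, debug_file = header[3], header[4]
    base = debug_file[:-4] if debug_file.lower().endswith(".pdb") else debug_file
    return "/".join([root, debug_file, debug_id, base + ".sym"])


def load_symbols(sym_text):
    """Collect FUNC and PUBLIC records (classic format, without the 'm' flag).

    FUNC   <address> <size> <parameter_size> <name>
    PUBLIC <address> <parameter_size> <name>
    Addresses are module-relative hex, matching the "module + 0x..." offsets
    that minidump_stackwalk prints when it has no symbols.
    """
    funcs, publics = [], []
    for line in sym_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "FUNC":
            funcs.append((int(parts[1], 16), int(parts[2], 16), " ".join(parts[4:])))
        elif parts[0] == "PUBLIC":
            publics.append((int(parts[1], 16), " ".join(parts[3:])))
    return funcs, sorted(publics)


def symbolize(symbols, offset):
    """Map a module-relative offset to name+0xdelta; unknown offsets stay hex."""
    funcs, publics = symbols
    for start, size, name in funcs:
        if start <= offset < start + size:
            return "%s+0x%x" % (name, offset - start)
    best = None
    for start, name in publics:  # sorted ascending: keep the last one at or below offset
        if start <= offset:
            best = (start, name)
    if best is not None:
        return "%s+0x%x" % (best[1], offset - best[0])
    return "0x%x" % offset


def symbolize_frame(symbols, module, offset):
    """Render a frame in the module!symbol+offset style the debugger uses."""
    return "%s!%s" % (module.rsplit(".", 1)[0], symbolize(symbols, offset))


if __name__ == "__main__":
    syms = load_symbols(SYM_TEXT)
    print(sym_store_path("symbols", SYM_TEXT))
    for off in (0x1abc8d, 0x1abd0c):
        print(symbolize_frame(syms, "NPSWF32.dll", off))
```

With the file in place, `minidump_stackwalk crash.dmp symbols/` replaces the raw offsets with names. A .sym produced from the PDB also carries STACK WIN records, which is what lets the walker get past frames it otherwise has to recover by frame pointer ("Found by: previous frame's frame pointer" above): that is one reason the debugger in the next comment sees four NPSWF32 frames where the symbol-less stackwalk saw two.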
No guarantee this isn't BS.

0x20752520
NPSWF32!F241528326__________+0x21e
NPSWF32!F1632682690___________+0x7a
NPSWF32!F_1598865676____+0x9
NPSWF32!F_956477585________________+0xc
kernel32+0x133ca
ntdll+0x39ed2
ntdll+0x39ea5
I haven't had a chance to look at this yet because of URL restrictions. When IT allows my request, I'll take a look then...
Sal, thanks. I haven't been able to reproduce it unfortunately even on one of the automation's win7 vms. I'll submit it to the automation again later this evening.
Tested in automation using Windows XP, Windows 7, Fedora 14 32bit, Fedora 14 64bit for 2.0.0, beta, aurora, nightly.

I couldn't reproduce this crash. :-( Linux crashes due to Java and Mac 10.5 does not crash at all.
It's possible the site you're testing changed.

Might or might not be fixed in the recent flash update?
Keywords: testcase-wanted
Whiteboard: [sg:vector (flash)]
I submitted this url along with the other flash urls to automation. Windows XP and Windows 7 completed and did not crash with this particular url though they did with http://www.tumejortv.com/.

I attempted to investigate closer by manually loading the urls in my local Windows XP instance with VC's debugger attached to plugin-container. It isn't completely reliable, but with yesterday's nightly on winxp I got the corrupt heap error again (bug 657588) after manually loading the following urls while VC was attached to plugin-container

http://desporto.pt.msn.com/porto/article.aspx?cp-documentid=156735269
http://fortland.ru/index.html?action=catalog2%2526id=13%2526pid=109%2526pid2=109
http://www.flashgsm.ro/index.php?action=vezi_tot%252526id_brand=8&id=5376&nume_model=Vertu%20Ascent%20X
http://wawa-mania.biz/dvdrip-salt/
http://www.tumejortv.com/

A recurring theme of these sites is the Download Now, Play Now stuff and the same advertisements for avatars and free ipads.

With the ever changing advertisements, I think we need to get a handle on this corrupted heap before we can tell what is happening.
@bob are you seeing more of the issue on XP? I haven't been able to reproduce the issue so far on either XP or Win7, but it would be better to focus on one if this is the case. Also, which version of Firefox are we talking about? I've been using FF4.0.
Sal, I'm in the middle of retesting all of my flash urls and am seeing significant improvement in the automation results. Windows XP has completed and Windows 7 should complete in a few hours. Unfortunately Linux and Mac will take several days to complete due to the low number of test machines I have available. I am also rebuilding all of my branches locally on Windows XP, Linux and Mac so that I can test them with up to date builds.

It may be that bug 658741 is the root of many of my recent problems but I won't know for sure until I complete my local builds and retest the urls manually.

Note that in order to test the debug heap assertions you need to be using a debug build of Firefox. The corrupted heap may not result in a crash each time, so it is important to test with debug builds.

I'll have an update for you shortly.
(In reply to comment #8)

I could not manually reproduce flash related crashes on Windows XP or Linux on any of these urls with recent builds.

In the following, anything prior to 2011-06-06 would be with Flash 10.3.181.14 and anything on/after would be with Flash 10.3.181.22.

> http://desporto.pt.msn.com/porto/article.aspx?cp-documentid=156735269

Last reproducible automation flash related crash on Firefox 4.x on Linux on 2011-05-26 at address 0xdadadada and stack libexpat.so.1.5.2@0x2ad9 libflashplayer.so@0x351fff libgio-2.0.so.0.2600.0@0xb6b9f libfreetype.so.6.6.0@0x66fff libgio-2.0.so.0.2600.0@0xa9073

> http://fortland.ru/index.html?action=catalog2%2526id=13%2526pid=109%2526pid2=109

Last reproducible automation flash related crash on Aurora on Linux 2011-05-26 at address 0x3d033b00 and stack SplitElementTxn::DoTransaction mai_key_snooper libfreetype.so.6.6.0@0x7703d libc-2.13.so@0x3aff libflashplayer.so@0xaa200e

> http://www.flashgsm.ro/index.php?action=vezi_tot%252526id_brand=8&id=5376&nume_model=Vertu%20Ascent%20X

Last reproducible automation flash related crash on Nightly on Linux 2011-06-10 at address 0x20646e75 stack ViewportFrame::InvalidateInternal BCPaintBorderIterator::First nsMouseWheelTransaction::OnFailToScrollTarget libflashplayer.so@0x50f134 libgtk-x11-2.0.so.0.2200.0@0x4b700

> http://wawa-mania.biz/dvdrip-salt/

Last reproducible automation flash related crash on Firefox 4.x on Windows 7 2011-05-30 at address 0x20752520 stack NPSWF32.dll@0x1abc8d NPSWF32.dll@0x1abd0c ntdll.dll@0x39ed1 ntdll.dll@0x39ea4

> http://www.tumejortv.com/

Last reproducible automation flash related crash on Aurora on Windows 7 at address 0x0 stack NPSWF32.dll@0x18fc8f NPSWF32.dll@0x11f70e NPSWF32.dll@0x49ee77 NPSWF32.dll@0x10b2e1 NPSWF32.dll@0x11f8e2

Sal, this *may* be only Windows 7 or it may have been fixed in Flash 10.3.181.22 or it may be transient crash caused by the particular ads that are served. I'll leave it open and security sensitive for now.
Crash Signature: [@ NPSWF32.dll@0x1abc8d]
Not reproducible in Beta/11, Aurora/12, Nightly/13 with Flash 11.1.102.62 -> FIXED.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
(In reply to Bob Clary [:bc:] from comment #12)
> Not reproducible in Beta/11, Aurora/12, Nightly/13 with Flash 11.1.102.62 ->
> FIXED.

Does this reproduce on FF10? We're trying to figure out whether or not the ESR is affected. Thanks!
I don't know. In comment 12 I tested using the crash automation using all of the urls in this bug for Mac, Linux, Windows XP and Windows 7 for all three branches but I didn't test using Firefox 10 or 10esr. This was either a bug in the Flash plugin or an instance of the Plugin heap corruption bug 657588.
Group: core-security → core-security-release
Version and milestone values are being reset to defaults as part of product refactoring.
Version: 10.3 → unspecified
Group: core-security-release
Product: External Software Affecting Firefox → External Software Affecting Firefox Graveyard
