Open Bug 680745 Opened 9 years ago Updated 2 years ago

NULL pointer dereference when running cross_fuzz


(Core :: DOM: Core & HTML, defect, P5)

5 Branch



Tracking Status
firefox6 - wontfix
firefox7 - wontfix
firefox8 + affected
firefox9 + affected
firefox10 - affected
status1.9.2 --- wontfix


(Reporter: sachinshinde11, Unassigned)


(Keywords: crash, testcase, Whiteboard: [sg:dos?])


(5 files)

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0
Build ID: 20110615151330

Steps to reproduce:

Used cross_fuzz with added server side logger.

Firefox version: 5.0 

Built from
Build platform
Build tools
Compiler 	Version 	Compiler flags
d;D:\mozilla-build\msys\mozilla-build\python25\python2.5.exe -O e;D:\mozilla-build\msys\builds\moz2_slave\rel-rel-w32-bld\build\build\ cl 	14.00.50727.762 	-TC -nologo -W3 -Gy -Fdgenerated.pdb -DNDEBUG -DTRIMMED -Zi -Zi -UDEBUG -DNDEBUG -GL -wd4624 -wd4952 -O1
d;D:\mozilla-build\msys\mozilla-build\python25\python2.5.exe -O e;D:\mozilla-build\msys\builds\moz2_slave\rel-rel-w32-bld\build\build\ cl 	14.00.50727.762 	-GR- -TP -nologo -Zc:wchar_t- -W3 -Gy -Fdgenerated.pdb -wd4800 -DNDEBUG -DTRIMMED -Zi -Zi -UDEBUG -DNDEBUG -GL -wd4624 -wd4952 -O1
Configure arguments

--enable-application=browser --enable-update-channel=release --enable-update-packaging --enable-jemalloc --enable-tests --enable-official-branding


Build identifier: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0


To reproduce use 


this will reproduce the bug.I am attachin rar files which contains logs and dump files

steps to reproduce
1> start apache2 server
2>start firefox 5 attach debugger
3>on crash "grep -F firefox access.log >> firefox_crash"

Actual results:

Null pointer deference or USER AFTER FREE in xul.dll 
here is the call stack

WARNING: Stack unwind information not available. Following frames may be wrong.
0012c254 102b5d42 0a8cffb0 0012c368 00000001 xul!XRE_LockProfileDirectory+0x2291a
0012c268 100b49de 03af3cf0 00000005 00000001 xul!NS_InvokeByIndex_P+0x27
0012c668 00525e90 03ca39e0 00000000 024001c0 xul!gfxPoint::gfxPoint+0x525b
00000000 00000000 00000000 00000000 00000000 mozjs!JS_CompareValues+0x2a60
Severity: normal → critical
> this will reproduce the bug.I am attachin rar files which contains logs and
> dump files

were you going to attach those? If they're too big for attachments here you can mail them to our security address (where they'll also be too big, but the mail address allows hand-moderation to get them in).
Severity: critical → normal
Comment on attachment 555714 [details]
cross_fuzz with server side logger

To use the logger you have to point the SERVER_URL variable to your server address.
Severity: normal → critical
The stack doesn't make sense.  I think you need to use the symbol server
for non-debug builds:
Here's a stack I got from a mozilla-release (version 7.0) debug build
on WinXP.  It aborts in nsRefreshDriver::~nsRefreshDriver() on

119:  NS_ABORT_IF_FALSE(ObserverCount() == 0,
120:                    "observers should have unregistered");
Component: Security → Layout
Product: Firefox → Core
QA Contact: firefox → layout
Does this happen in 3.6.x? if not the regression range might give us a pointer to the area of code where the bug lives. Jst says the parent pointer looks bogus, the second crash Mats got looks like an area where Olli recently made a change (though not as early as Fx5)
Assignee: nobody → matspal
Ever confirmed: true
Summary: XUL NULL pointer deference/USER AFTER FREE (Probably Exploitable) → Layout NULL pointer deference/USER AFTER FREE (Probably Exploitable)
Whiteboard: [sg:critical?]
Mats, any updates here?
I think Olli made some improvements to node ownership recently that might help with
the nsINode::GetNextNode crash.  I'm trying to reproduce that or the
~nsRefreshDriver() crash in a trunk (10.0a1) Linux64 build (with patches in
bug 693212 and bug 671484 applied)
My trunk debug build on WinXP doesn't crash with the -501598811 seed, I'm running
3.6.x debug on WinXP (with bug 345094 applied) now...
1.9.2 Fx debug build on WinXP crashed eventually (after ~2 hours) accessing
'mElement' null-pointer in nsDOMTokenList::AddInternal
Running cross_fuzz overnight on Linux64 -> no crash.  The only crash in Layout
I've seen is the abort-if-false in a Fx7 debug build (comment 6).  The rest are DOM-
related null-pointer crashes (also when using other seeds). Re-assigning accordingly.
Assignee: matspal → nobody
Component: Layout → DOM
OS: Windows XP → All
QA Contact: layout → general
Summary: Layout NULL pointer deference/USER AFTER FREE (Probably Exploitable) → NULL pointer dereference when running cross_fuzz
Whiteboard: [sg:critical?] → [sg:dos?]
Group: core-security
Keywords: crash, testcase
Dan, is this still an issue we want to track for FF9? This implies we are going to do something about this. Should we continue to track it?
Untracking for FF10 since this wasn't a concern for FF9. Please re-nominate if that's not true.

Move all DOM bugs that haven't been updated in more than 3 years and has no one currently assigned to P5.

If you have questions, please contact :mdaly.
Priority: -- → P5
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.