Closed
Bug 680745
Opened 13 years ago
Closed 3 years ago
NULL pointer dereference when running cross_fuzz
Categories
(Core :: DOM: Core & HTML, defect, P5)
Tracking
()
People
(Reporter: sachinshinde11, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase, Whiteboard: [sg:dos?])
Attachments
(5 files)
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0
Build ID: 20110615151330
Steps to reproduce:
Used cross_fuzz with added server side logger.
Firefox version: 5.0
about:buildconfig
Source
Built from http://hg.mozilla.org/releases/mozilla-release/rev/7b56ff900c2a
Build platform
target
i686-pc-mingw32
Build tools
Compiler Version Compiler flags
d;D:\mozilla-build\msys\mozilla-build\python25\python2.5.exe -O e;D:\mozilla-build\msys\builds\moz2_slave\rel-rel-w32-bld\build\build\cl.py cl 14.00.50727.762 -TC -nologo -W3 -Gy -Fdgenerated.pdb -DNDEBUG -DTRIMMED -Zi -Zi -UDEBUG -DNDEBUG -GL -wd4624 -wd4952 -O1
d;D:\mozilla-build\msys\mozilla-build\python25\python2.5.exe -O e;D:\mozilla-build\msys\builds\moz2_slave\rel-rel-w32-bld\build\build\cl.py cl 14.00.50727.762 -GR- -TP -nologo -Zc:wchar_t- -W3 -Gy -Fdgenerated.pdb -wd4800 -DNDEBUG -DTRIMMED -Zi -Zi -UDEBUG -DNDEBUG -GL -wd4624 -wd4952 -O1
Configure arguments
--enable-application=browser --enable-update-channel=release --enable-update-packaging --enable-jemalloc --enable-tests --enable-official-branding
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Build identifier: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
To reproduce use
server/cross_fuzz/cross_fuzz_randomized_20110105_seed.html#-501598811
this will reproduce the bug.I am attachin rar files which contains logs and dump files
steps to reproduce
1> start apache2 server
2>start firefox 5 attach debugger
3>on crash "grep -F firefox access.log >> firefox_crash"
Actual results:
Null pointer deference or USER AFTER FREE in xul.dll
here is the call stack
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0012c254 102b5d42 0a8cffb0 0012c368 00000001 xul!XRE_LockProfileDirectory+0x2291a
0012c268 100b49de 03af3cf0 00000005 00000001 xul!NS_InvokeByIndex_P+0x27
0012c668 00525e90 03ca39e0 00000000 024001c0 xul!gfxPoint::gfxPoint+0x525b
00000000 00000000 00000000 00000000 00000000 mozjs!JS_CompareValues+0x2a60
Reporter | ||
Updated•13 years ago
|
Severity: normal → critical
Comment 1•13 years ago
|
||
> this will reproduce the bug.I am attachin rar files which contains logs and
> dump files
were you going to attach those? If they're too big for attachments here you can mail them to our security address (where they'll also be too big, but the mail address allows hand-moderation to get them in).
Severity: critical → normal
Reporter | ||
Comment 2•13 years ago
|
||
Reporter | ||
Comment 3•13 years ago
|
||
Reporter | ||
Comment 4•13 years ago
|
||
Comment on attachment 555714 [details]
cross_fuzz with server side logger
To use the logger you have to point the SERVER_URL variable to your server address.
Reporter | ||
Updated•13 years ago
|
Severity: normal → critical
Comment 5•13 years ago
|
||
The stack doesn't make sense. I think you need to use the symbol server
for non-debug builds:
https://developer.mozilla.org/en/Using_the_Mozilla_symbol_server
Comment 6•13 years ago
|
||
Here's a stack I got from a mozilla-release (version 7.0) debug build
on WinXP. It aborts in nsRefreshDriver::~nsRefreshDriver() on
119: NS_ABORT_IF_FALSE(ObserverCount() == 0,
120: "observers should have unregistered");
Updated•13 years ago
|
Component: Security → Layout
Product: Firefox → Core
QA Contact: firefox → layout
Comment 7•13 years ago
|
||
Comment 8•13 years ago
|
||
Does this happen in 3.6.x? if not the regression range might give us a pointer to the area of code where the bug lives. Jst says the parent pointer looks bogus, the second crash Mats got looks like an area where Olli recently made a change (though not as early as Fx5)
Assignee: nobody → matspal
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: XUL NULL pointer deference/USER AFTER FREE (Probably Exploitable) → Layout NULL pointer deference/USER AFTER FREE (Probably Exploitable)
Whiteboard: [sg:critical?]
Updated•13 years ago
|
status-firefox10:
--- → affected
status-firefox6:
--- → wontfix
status-firefox7:
--- → wontfix
status-firefox8:
--- → affected
status-firefox9:
--- → affected
tracking-firefox10:
--- → +
tracking-firefox6:
--- → -
tracking-firefox7:
--- → -
tracking-firefox8:
--- → +
tracking-firefox9:
--- → +
Comment 9•13 years ago
|
||
Mats, any updates here?
Comment 10•13 years ago
|
||
I think Olli made some improvements to node ownership recently that might help with
the nsINode::GetNextNode crash. I'm trying to reproduce that or the
~nsRefreshDriver() crash in a trunk (10.0a1) Linux64 build (with patches in
bug 693212 and bug 671484 applied)
My trunk debug build on WinXP doesn't crash with the -501598811 seed, I'm running
3.6.x debug on WinXP (with bug 345094 applied) now...
Comment 11•13 years ago
|
||
1.9.2 Fx debug build on WinXP crashed eventually (after ~2 hours) accessing
'mElement' null-pointer in nsDOMTokenList::AddInternal
Comment 12•13 years ago
|
||
Running cross_fuzz overnight on Linux64 -> no crash. The only crash in Layout
I've seen is the abort-if-false in a Fx7 debug build (comment 6). The rest are DOM-
related null-pointer crashes (also when using other seeds). Re-assigning accordingly.
Assignee: matspal → nobody
Component: Layout → DOM
OS: Windows XP → All
QA Contact: layout → general
Summary: Layout NULL pointer deference/USER AFTER FREE (Probably Exploitable) → NULL pointer dereference when running cross_fuzz
Whiteboard: [sg:critical?] → [sg:dos?]
Updated•13 years ago
|
Comment 13•13 years ago
|
||
Dan, is this still an issue we want to track for FF9? This implies we are going to do something about this. Should we continue to track it?
Comment 14•13 years ago
|
||
Untracking for FF10 since this wasn't a concern for FF9. Please re-nominate if that's not true.
Comment 15•6 years ago
|
||
https://bugzilla.mozilla.org/show_bug.cgi?id=1472046
Move all DOM bugs that haven't been updated in more than 3 years and has no one currently assigned to P5.
If you have questions, please contact :mdaly.
Priority: -- → P5
Assignee | ||
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
Comment 16•3 years ago
|
||
Hey Daniel,
Is this issue still occurring for you or should we close it?
Flags: needinfo?(dveditz)
Comment 17•3 years ago
|
||
That's a better question for the fuzzing team, but I'd expect our current fuzzer to catch whatever cross-fuzz was able to 10 years ago.
Flags: needinfo?(dveditz) → needinfo?(twsmith)
Comment 18•3 years ago
|
||
I had a look and I'm not seeing any results that look like this from the fuzzers. We are still running cross-fuzz and it is not reporting this issue.
Perhaps there is a duplicate logged that I'm not seeing but this is likely no longer an issue.
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(twsmith)
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•