528.37 KB, application/octet-stream
160.50 KB, application/octet-stream
2.89 KB, text/plain
3.65 KB, text/plain
4.03 KB, text/plain
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 Build ID: 20110615151330 Steps to reproduce: Used cross_fuzz with added server side logger. Firefox version: 5.0 about:buildconfig Source Built from http://hg.mozilla.org/releases/mozilla-release/rev/7b56ff900c2a Build platform target i686-pc-mingw32 Build tools Compiler Version Compiler flags d;D:\mozilla-build\msys\mozilla-build\python25\python2.5.exe -O e;D:\mozilla-build\msys\builds\moz2_slave\rel-rel-w32-bld\build\build\cl.py cl 14.00.50727.762 -TC -nologo -W3 -Gy -Fdgenerated.pdb -DNDEBUG -DTRIMMED -Zi -Zi -UDEBUG -DNDEBUG -GL -wd4624 -wd4952 -O1 d;D:\mozilla-build\msys\mozilla-build\python25\python2.5.exe -O e;D:\mozilla-build\msys\builds\moz2_slave\rel-rel-w32-bld\build\build\cl.py cl 14.00.50727.762 -GR- -TP -nologo -Zc:wchar_t- -W3 -Gy -Fdgenerated.pdb -wd4800 -DNDEBUG -DTRIMMED -Zi -Zi -UDEBUG -DNDEBUG -GL -wd4624 -wd4952 -O1 Configure arguments --enable-application=browser --enable-update-channel=release --enable-update-packaging --enable-jemalloc --enable-tests --enable-official-branding >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Build identifier: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> To reproduce use server/cross_fuzz/cross_fuzz_randomized_20110105_seed.html#-501598811 this will reproduce the bug.I am attachin rar files which contains logs and dump files steps to reproduce 1> start apache2 server 2>start firefox 5 attach debugger 3>on crash "grep -F firefox access.log >> firefox_crash" Actual results: Null pointer deference or USER AFTER FREE in xul.dll here is the call stack STACK_TEXT: WARNING: Stack unwind information not available. Following frames may be wrong. 0012c254 102b5d42 0a8cffb0 0012c368 00000001 xul!XRE_LockProfileDirectory+0x2291a 0012c268 100b49de 03af3cf0 00000005 00000001 xul!NS_InvokeByIndex_P+0x27 0012c668 00525e90 03ca39e0 00000000 024001c0 xul!gfxPoint::gfxPoint+0x525b 00000000 00000000 00000000 00000000 00000000 mozjs!JS_CompareValues+0x2a60
> this will reproduce the bug.I am attachin rar files which contains logs and > dump files were you going to attach those? If they're too big for attachments here you can mail them to our security address (where they'll also be too big, but the mail address allows hand-moderation to get them in).
Severity: critical → normal
Comment on attachment 555714 [details] cross_fuzz with server side logger To use the logger you have to point the SERVER_URL variable to your server address.
The stack doesn't make sense. I think you need to use the symbol server for non-debug builds: https://developer.mozilla.org/en/Using_the_Mozilla_symbol_server
Created attachment 561967 [details] stack nsRefreshDriver::~nsRefreshDriver() Here's a stack I got from a mozilla-release (version 7.0) debug build on WinXP. It aborts in nsRefreshDriver::~nsRefreshDriver() on 119: NS_ABORT_IF_FALSE(ObserverCount() == 0, 120: "observers should have unregistered");
Component: Security → Layout
Product: Firefox → Core
QA Contact: firefox → layout
Does this happen in 3.6.x? if not the regression range might give us a pointer to the area of code where the bug lives. Jst says the parent pointer looks bogus, the second crash Mats got looks like an area where Olli recently made a change (though not as early as Fx5)
Assignee: nobody → matspal
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: XUL NULL pointer deference/USER AFTER FREE (Probably Exploitable) → Layout NULL pointer deference/USER AFTER FREE (Probably Exploitable)
status-firefox10: --- → affected
status-firefox6: --- → wontfix
status-firefox7: --- → wontfix
status-firefox8: --- → affected
status-firefox9: --- → affected
tracking-firefox10: --- → +
tracking-firefox6: --- → -
tracking-firefox7: --- → -
tracking-firefox8: --- → +
tracking-firefox9: --- → +
Mats, any updates here?
I think Olli made some improvements to node ownership recently that might help with the nsINode::GetNextNode crash. I'm trying to reproduce that or the ~nsRefreshDriver() crash in a trunk (10.0a1) Linux64 build (with patches in bug 693212 and bug 671484 applied) My trunk debug build on WinXP doesn't crash with the -501598811 seed, I'm running 3.6.x debug on WinXP (with bug 345094 applied) now...
Created attachment 566270 [details] 1.9.2 null-pointer crash in nsDOMTokenList::AddInternal 1.9.2 Fx debug build on WinXP crashed eventually (after ~2 hours) accessing 'mElement' null-pointer in nsDOMTokenList::AddInternal
Running cross_fuzz overnight on Linux64 -> no crash. The only crash in Layout I've seen is the abort-if-false in a Fx7 debug build (comment 6). The rest are DOM- related null-pointer crashes (also when using other seeds). Re-assigning accordingly.
Assignee: matspal → nobody
Component: Layout → DOM
OS: Windows XP → All
QA Contact: layout → general
Summary: Layout NULL pointer deference/USER AFTER FREE (Probably Exploitable) → NULL pointer dereference when running cross_fuzz
Whiteboard: [sg:critical?] → [sg:dos?]
status1.9.2: --- → wontfix
Keywords: crash, testcase
Dan, is this still an issue we want to track for FF9? This implies we are going to do something about this. Should we continue to track it?
Untracking for FF10 since this wasn't a concern for FF9. Please re-nominate if that's not true.
tracking-firefox10: + → -
You need to log in before you can comment on or make changes to this bug.