Bug 705347 - Crash [@ nsCOMPtr<imgIDecoderObserver>::nsCOMPtr<imgIDecoderObserver>]
Status: RESOLVED WORKSFORME
Whiteboard: [sg:critical] fixed by bug 432391
Keywords: crash, verified1.9.2
Product: Core
Classification: Components
Component: ImageLib
Version: 9 Branch
Platform: x86 All
Importance: -- normal
Target Milestone: mozilla10
Assigned To: Joe Drew (not getting mail)
Triage Owner: Milan Sreckovic [:milan]
Mentors:
URL: http://nizhnegorsk.at.ua/index/veb_ka...
Depends on: 432391
Blocks: 532972
Reported: 2011-11-25 11:37 PST by Bob Clary [:bc:]
Modified: 2015-10-16 11:50 PDT
CC: 15 users
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
Attachments
video.html (57 bytes, text/html), 2011-11-25 11:46 PST, Bob Clary [:bc:], no flags
transplant 81665fc485dd from mozilla-central (2.30 KB, patch), 2012-01-12 15:13 PST, Joe Drew (not getting mail), jmuizelaar: review+
updated for review comments (2.61 KB, patch), 2012-01-16 13:23 PST, Joe Drew (not getting mail), joe: review+
updated for review comments (2.61 KB, patch), 2012-01-16 13:25 PST, Joe Drew (not getting mail), joe: review+, dveditz: approval1.9.2.26+

Description Bob Clary [:bc:] 2011-11-25 11:37:46 PST
+++ This bug was initially created as a clone of Bug #587720 +++

1. http://nizhnegorsk.at.ua/index/veb_kamery_nizhnegorska/0-13
2. Crash ?

Beta/9 Windows XP/7 (I couldn't reproduce this locally)

Operating system: Windows NT
                  5.1.2600 Service Pack 3
CPU: x86
     GenuineIntel family 6 model 44 stepping 2
     1 CPU

Crash reason:  EXCEPTION_ACCESS_VIOLATION_READ
Crash address: 0xffffffffdddddde1

Thread 0 (crashed)
 0  xul.dll!nsCOMPtr<imgIDecoderObserver>::nsCOMPtr<imgIDecoderObserver>(imgIDecoderObserver *) [nsCOMPtr.h : 600 + 0xd]
    eip = 0x01819694   esp = 0x0012d228   ebp = 0x0012d230   ebx = 0x00000001
    esi = 0x00902848   edi = 0x00000000   eax = 0x06db8e10   ecx = 0xdddddddd
    edx = 0x0012d260   efl = 0x00210202
    Found by: given as instruction pointer in context
 1  xul.dll!imgRequestProxy::OnStopRequest(int) [imgRequestProxy.cpp : 737 + 0x11]
    eip = 0x01818f0a   esp = 0x0012d238   ebp = 0x0012d2c4
    Found by: call frame info
 2  xul.dll!imgStatusTracker::EmulateRequestFinished(imgRequestProxy *,unsigned int,int) [imgStatusTracker.cpp : 291 + 0x9]
    eip = 0x0181b633   esp = 0x0012d2cc   ebp = 0x0012d2d8
    Found by: call frame info
 3  xul.dll!imgRequest::RemoveProxy(imgRequestProxy *,unsigned int,int) [imgRequest.cpp : 320 + 0x19]
    eip = 0x01812891   esp = 0x0012d2e0   ebp = 0x0012d410
    Found by: call frame info
 4  xul.dll!imgRequestProxy::DoCancel(unsigned int) [imgRequestProxy.cpp : 294 + 0x1b]
    eip = 0x01817e82   esp = 0x0012d418   ebp = 0x0012d428
    Found by: call frame info
 5  xul.dll!imgRequestProxy::imgCancelRunnable::Run() [imgRequestProxy.h : 157 + 0x18]
    eip = 0x01817dec   esp = 0x0012d430   ebp = 0x0012d434
    Found by: call frame info

Beta/9 Mac OS X

1. http://nizhnegorsk.at.ua/index/veb_kamery_nizhnegorska/0-13
2. Shutdown
3. Crash. I can reproduce this locally on Mac OS X.

Operating system: Mac OS X
                  10.6.8 10K549
CPU: amd64
     family 6 model 23 stepping 10
     2 CPUs

Crash reason:  EXC_BAD_ACCESS / 0x0000000d
Crash address: 0x0

Thread 0 (crashed)
 0  XUL!nsCOMPtr<imgIDecoderObserver>::nsCOMPtr [nsCOMPtr.h : 600 + 0xe]
    rbx = 0x0000000118a29b28   r12 = 0x0000000102a268c8
    r13 = 0x0000000100119150   r14 = 0x0000000100118c30
    r15 = 0x0000000000000000   rip = 0x00000001015471c3
    rsp = 0x00007fff5fbf9400   rbp = 0x00007fff5fbf9410
    Found by: given as instruction pointer in context
 1  XUL!imgRequestProxy::OnStopRequest [imgRequestProxy.cpp : 737 + 0x16]
    rbx = 0x0000000118a29b28   r12 = 0x0000000102a268c8
    r13 = 0x0000000100119150   r14 = 0x0000000100118c30
    r15 = 0x0000000000000000   rip = 0x00000001015446af
    rsp = 0x00007fff5fbf9420   rbp = 0x00007fff5fbf9500
    Found by: call frame info
 2  XUL!imgStatusTracker::EmulateRequestFinished [imgStatusTracker.cpp : 291 + 0xd]
    rbx = 0x0000000118a36280   r12 = 0x0000000102a268c8
    r13 = 0x0000000100119150   r14 = 0x0000000100118c30
    r15 = 0x0000000000000000   rip = 0x000000010154935c
    rsp = 0x00007fff5fbf9510   rbp = 0x00007fff5fbf9540
    Found by: call frame info
 3  XUL!imgRequest::RemoveProxy [imgRequest.cpp : 320 + 0x25]
    rbx = 0x0000000118a36280   r12 = 0x0000000102a268c8
    r13 = 0x0000000100119150   r14 = 0x0000000100118c30
    r15 = 0x0000000000000000   rip = 0x000000010153f1bb
    rsp = 0x00007fff5fbf9550   rbp = 0x00007fff5fbf96d0
    Found by: call frame info

Running under gdb with scribble malloc enabled I get

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x55555559
0x05339067 in nsCOMPtr<imgIDecoderObserver>::nsCOMPtr (this=0xbfffcc08, aRawPtr=0x2888f240) at nsCOMPtr.h:600
600	            NSCAP_ADDREF(this, mRawPtr);
(gdb) bt
#0  0x05339067 in nsCOMPtr<imgIDecoderObserver>::nsCOMPtr (this=0xbfffcc08, aRawPtr=0x2888f240) at nsCOMPtr.h:600
#1  0x05336732 in imgRequestProxy::OnStopRequest (this=0x2888f1a0, lastPart=0) at /work/mozilla/builds/beta/mozilla/modules/libpr0n/src/imgRequestProxy.cpp:737
#2  0x0533aab1 in imgStatusTracker::SendStopRequest (this=0x2557d8f0, aProxy=0x2888f1a0, aLastPart=0, aStatus=0) at /work/mozilla/builds/beta/mozilla/modules/libpr0n/src/imgStatusTracker.cpp:522
#3  0x053309ec in imgRequest::OnStopRequest (this=0x255149b0, aRequest=0x28783380, ctxt=0x0, status=0) at /work/mozilla/builds/beta/mozilla/modules/libpr0n/src/imgRequest.cpp:948
#4  0x05154b67 in nsPartChannel::SendOnStopRequest (this=0x28783380, aContext=0x0, aStatus=0) at /work/mozilla/builds/beta/mozilla/netwerk/streamconv/converters/nsMultiMixedConv.cpp:120
#5  0x05154bd9 in nsMultiMixedConv::SendStop (this=0x287b78a0, aStatus=0) at /work/mozilla/builds/beta/mozilla/netwerk/streamconv/converters/nsMultiMixedConv.cpp:857

(gdb) info registers
eax            0x55555559	1431655769
ecx            0x0	0
edx            0xbfffcc08	-1073755128
ebx            0x5336644	87254596
esp            0xbfffcb70	0xbfffcb70
ebp            0xbfffcb88	0xbfffcb88
esi            0x288b09f8	680200696
edi            0x5320cf8	87166200
eip            0x5339067	0x5339067 <nsCOMPtr<imgIDecoderObserver>::nsCOMPtr(imgIDecoderObserver*)+33>
eflags         0x210206	2163206
cs             0x17	23
ss             0x1f	31
ds             0x1f	31
es             0x1f	31
fs             0x0	0
gs             0x37	55

I can reproduce on Mac with a saved version. Reducing now.
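Both contexts above have the same shape: the faulting address is a debug allocator's freed-memory fill pattern plus 4 (0xdddddddd + 4 on the Windows debug CRT, 0x55555555 + 4 under MallocScribble), consistent with NSCAP_ADDREF loading a vtable pointer out of an already freed listener and then reading the AddRef slot through it. Below is an added triage helper for recognizing that shape in a crash record; it is not from this bug or from Gecko. It assumes the fill-byte meanings documented for the MSVC debug CRT and macOS MallocScribble, and names vtable slots by the nsISupports declaration order.

```python
# Added triage helper (not from the bug or from Gecko). Fill-byte meanings are the
# documented debug behaviour of the MSVC debug CRT and macOS MallocScribble; slot
# names assume the nsISupports vtable order (QueryInterface, AddRef, Release).
POISON_BYTES = {
    0xDD: "MSVC debug CRT: freed heap memory",
    0xCD: "MSVC debug CRT: uninitialised heap memory",
    0x55: "macOS MallocScribble: freed memory",
    0xAA: "macOS MallocScribble: newly allocated memory",
}
NSISUPPORTS_SLOTS = {0: "QueryInterface", 1: "AddRef", 2: "Release"}

def poison_match(value, ptr_size):
    """Return (fill_byte, offset) if value is a repeated-fill-byte address plus a
    small positive offset, else None. Masks to ptr_size because x86 minidumps
    sign-extend a 32-bit fault address (0xdddddde1 -> 0xffffffffdddddde1)."""
    value &= (1 << (8 * ptr_size)) - 1
    for fill in POISON_BYTES:
        offset = value - int.from_bytes(bytes([fill]) * ptr_size, "little")
        if 0 <= offset < 8 * ptr_size:
            return fill, offset
    return None

def triage(crash_address, ptr_size, registers):
    """Classify a fault from its address and register context ({name: value}).
    'poison_regs' lists registers holding the bare fill pattern, i.e. the value
    that was loaded out of freed memory and then dereferenced."""
    result = {"fill_byte": None, "offset": None, "slot": None,
              "poison_regs": [], "verdict": "unclassified"}
    if crash_address & ((1 << (8 * ptr_size)) - 1) == 0:
        result["verdict"] = "null dereference"
        return result
    hit = poison_match(crash_address, ptr_size)
    if hit is None:
        return result
    fill, offset = hit
    result["fill_byte"], result["offset"] = fill, offset
    result["poison_regs"] = sorted(
        name for name, val in registers.items()
        if poison_match(val, ptr_size) == (fill, 0))
    if offset % ptr_size == 0:          # offset is a whole vtable slot
        slot = offset // ptr_size
        result["slot"] = NSISUPPORTS_SLOTS.get(slot, "slot %d" % slot)
    result["verdict"] = "likely use-after-free: pointer read from %s" % POISON_BYTES[fill]
    return result

# Constructed from the two contexts in comment 0: the Windows XP minidump and the
# 32-bit Mac gdb session run with MallocScribble.
WINDOWS = triage(0xFFFFFFFFDDDDDDE1, 4, {"eax": 0x06DB8E10, "ecx": 0xDDDDDDDD, "edi": 0})
MAC_GDB = triage(0x55555559, 4, {"eax": 0x55555559, "ecx": 0x0, "edx": 0xBFFFCC08})
```

For the Windows context the helper also points at ecx as the register carrying the bare 0xdddddddd pattern, which is the vtable pointer that was read from the freed object.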
Comment 1 Bob Clary [:bc:] 2011-11-25 11:46:55 PST
Created attachment 576978 [details]
video.html

<video poster="http://konica.strace.net:7890/">
</video>

The contents of the url is an unbounded? jpeg?

Content-Type: image/jpeg
Content-Length: 6067
Comment 2 Joe Drew (not getting mail) 2011-11-25 20:35:41 PST
Seems like konica.strace.net:7890 isn't responding right now; unsurprisingly, I can't reproduce.
Comment 3 Bob Clary [:bc:] 2011-11-29 18:07:51 PST
It is up right now. I just crashed on shutdown with pure virtual method called.
Comment 4 Johnny Stenback (:jst, jst@mozilla.com) 2012-01-05 13:39:40 PST
Joe, ping?
Comment 5 Joe Drew (not getting mail) 2012-01-05 13:43:59 PST
It is likely that we will give George trial-by-fire on this bug. :)
Comment 6 Joe Drew (not getting mail) 2012-01-11 19:36:31 PST
George will be looking for something new to do in the near future, and this is going to be it. :)
Comment 7 Joe Drew (not getting mail) 2012-01-12 12:59:11 PST
This still crashes in 9.0.1, but the latest 10 beta has apparently fixed that crash. We should probably get a fix window, but for now let's just call this WFM.
Comment 8 Daniel Veditz [:dveditz] 2012-01-12 13:47:46 PST
Yes, we need a fix window because the still-supported 1.9.2 branch has this bug, too.
Comment 9 Joe Drew (not getting mail) 2012-01-12 14:33:47 PST
Fix window: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9fa62f76f1cf&tochange=311fdb9b38b7

From that, I suspect https://hg.mozilla.org/mozilla-central/rev/81665fc485dd

Going to work on a 1.9.2 build to figure out if that is indeed the fix.
Comment 10 Joe Drew (not getting mail) 2012-01-12 15:10:30 PST
Boris' patch does fix this bug. I've transplanted it to 1.9.2, but the code had drifted a little, so it was not strictly a trivial merge. Thus, I'm going to get review on it.
Comment 11 Joe Drew (not getting mail) 2012-01-12 15:13:21 PST
Created attachment 588205 [details] [diff] [review]
transplant 81665fc485dd from mozilla-central

The main difference here between the patch committed to mozilla-central (https://hg.mozilla.org/mozilla-central/rev/81665fc485dd) and this patch is the addition of !mOwner in the early exit in imgRequestProxy::CancelAndForgetObserver. This is due to bug 572520, part 6, which Jeff reviewed. Thus, I'm going to get him to review this patch.
Comment 12 Jeff Muizelaar [:jrmuizel] 2012-01-16 12:35:11 PST
Comment on attachment 588205 [details] [diff] [review]
transplant 81665fc485dd from mozilla-central

Split the if to make it more clear. If you can make a test in a reasonable amount of time, that would be nice too.
Comment 13 Joe Drew (not getting mail) 2012-01-16 13:23:01 PST
Created attachment 588987 [details] [diff] [review]
updated for review comments

Unfortunately, creating a reliable testcase is non-trivial. We'll just go with this for now.
Comment 14 Joe Drew (not getting mail) 2012-01-16 13:23:53 PST
Comment on attachment 588987 [details] [diff] [review]
updated for review comments

Wrong version of the patch.
Comment 15 Joe Drew (not getting mail) 2012-01-16 13:25:19 PST
Created attachment 588989 [details] [diff] [review]
updated for review comments
Comment 16 Daniel Veditz [:dveditz] 2012-01-23 09:36:25 PST
For security bugs a branch status of "fixed" is better than "unaffected" for tracking purposes. Especially when the fix was identified to the point of being able to backport it :-)
Comment 17 Daniel Veditz [:dveditz] 2012-01-23 16:12:59 PST
Comment on attachment 588989 [details] [diff] [review]
updated for review comments

approved for 1.9.2.26, a=dveditz
Comment 18 Daniel Veditz [:dveditz] 2012-01-23 18:28:35 PST
https://hg.mozilla.org/releases/mozilla-1.9.2/rev/173bc943fe0d
Comment 19 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-01-24 14:15:32 PST
Verified fixed for Firefox 3.6.26 comparing the testcase in comment 0 with mozilla-1.9.2-debug from 2012-01-11 and 2012-01-24.
Comment 20 Huzaifa Sidhpurwala 2012-01-31 00:48:51 PST
Is there a CVE for this issue yet?