713386 - Crash [@ mozilla::net::CallOnStop::Run] at address 0xffffffffdddddddd on shutdown

Status: RESOLVED DUPLICATE of bug 712572

(Core :: Networking: WebSockets, defect)

Description

[Bob Clary [:bc] (inactive)]

Attachment: crash report from automation

1. http://www.bilibili.tv/video/bangumi.html and many others on this site.
2. CPU pegs, consumes RAM until OOM crash but this bug is *not* about the OOM. To reproduce you need to exit the browser some time after the cpu pegs and the ram begins to increase but before the OOM abort. I've had best luck starting the browser under WinDBG.

Reproducible on Windows/Linux Aurora/11, Nightly/12.

Nightly on Windows XP with WinDBG and !exploitable says

eax=feeefeee ebx=7ffdf000 ecx=080c1b5c edx=feeefeee esi=00398490 edi=0094f558
eip=017785f0 esp=0012f1e8 ebp=0012f1f8 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210206
xul!mozilla::net::CallOnStop::Run+0x40:
017785f0 8b08            mov     ecx,dword ptr [eax]  ds:0023:feeefeee=????????
0:000> !load winext/msec.dll
0:000> !exploitable
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll - 
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at xul!mozilla::net::CallOnStop::Run+0x0000000000000040 (Hash=0x7618023a.0x3a133d0b)

The data from the faulting address is later used as the target for a branch.

Comment 1

[Josh Aas]

Jason, can you look into this?

Comment 2

[Patrick McManus [:mcmanus]]

this is essentially a dup of 712572

Comment 3

[Jason Duell]

> Jason, can you look into this?

Yes.

> this is essentially a dup of 712572

Does look that way.  Do we want to make that bug secure too?  Not sure this issue needs to be hidden.