Closed
Bug 787089
Opened 12 years ago
Closed 12 years ago
Crash [@ nsStyleContext::GetRuleNode()] with deleted this
Categories
(Core :: Layout, defect)
Tracking
()
RESOLVED
FIXED
mozilla18
People
(Reporter: bc, Assigned: roc)
References
()
Details
(Keywords: crash, reproducible, sec-critical, Whiteboard: [adv-track-main17+][adv-track-esr17-])
Crash Data
Attachments
(1 file)
|
15.59 KB,
patch
|
MatsPalmgren_bugz
:
review+
lsblakk
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
1. http://altfoto.com/2012/08/el-sucio-sucio-secreto-de-las-grandes-marcas-y-sus-sensores-defectuosos
2. Crash nsStyleContext::GetRuleNode() nsIFrame::PresContext() nsRootPresContext::RequestUpdatePluginGeometry(nsIFrame*) PresShell::DoReflow(nsIFrame*, bool) PresShell::ProcessReflowCommands(bool)
Nightly Linux 32bit and Windows 7 64bit
See bug 781279 comment 15
crash address in Windows when you don't get a Flash related crash is 0xffffffffddddddf9 while in Linux it is 0xdadadaf6
On Linux I see nsStyleContext::GetRuleNode (this=0xdadadada) at ../../dist/include/nsStyleContext.h:190
bp-e7968d4a-42bb-4df7-98ef-920df2120830
Not very reproducible in opt build but pretty much so in debug.
|
||
Comment 1•12 years ago
|
||
This looks like a crash in nsRootPresContext::RequestUpdatePluginGeometry
doing mUpdatePluginGeometryForFrame->PresContext() on a deleted frame.
If so, I think it's mitigated by frame-poisoning.
It could be the same underlying problem as top-crash bug 785808.
Whiteboard: [mitigated by frame-poisoning]
|
||
Comment 2•12 years ago
|
||
On 32-bit Nightly: bp-69bfff59-550b-46bc-82d6-0cae32120902.
On 64-bit Nightly: bp-0200cf0c-f76c-4e8f-b271-0e4d82120902.
Blocks: 785808
Crash Signature: [@ nsStyleContext::GetRuleNode()]
[@ nsRootPresContext::RequestUpdatePluginGeometry] → [@ nsStyleContext::GetRuleNode()]
[@ nsRootPresContext::RequestUpdatePluginGeometry]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | nsIFrame::GetOffsetToCrossDoc(nsIFrame const* int)]
[@ mozalloc_abort(char const* const) | NS_DebugBreak_P | n…
Keywords: reproducible
|
Assignee | |
Comment 3•12 years ago
|
||
I cannot reproduce this.
|
||
Comment 4•12 years ago
|
||
Nor I, on Linux x64 or Windows 7 x64, and not on WinXP in VirtualBox.
|
|
Assignee | |
Comment 5•12 years ago
|
||
I don't think this is worth having.
Assignee: nobody → roc
Attachment #657970 -
Flags: review?(matspal)
|
|
Assignee | |
Comment 6•12 years ago
|
||
bclary, if you can reproduce this, it would be helpful if you can determine whether the above patch fixes it. Thanks!
|
|
||
Comment 7•12 years ago
|
||
I can't reproduce in a debug or asan build. After a lot a stress testing --
opening the URL in 30 or so tabs, reload-all-tabs, closing/reloading tabs,
all while resizing the window, I finally got one crash in a Nightly Linux64:
bp-e2ef7c12-29f6-44da-b6d9-e9d952120904
|
|
||
Updated•12 years ago
|
Attachment #657970 -
Flags: review?(matspal) → review+
|
Reporter | |
Comment 8•12 years ago
|
||
(In reply to Robert O'Callahan (:roc) (Mozilla Corporation) from comment #6)
> bclary, if you can reproduce this, it would be helpful if you can determine
> whether the above patch fixes it. Thanks!
I applied it to Linux Nightly and was no longer able to reproduce it there on any of the 182 urls where was originally detected. The unpatched Windows 7 builds on Nightly and Aurora and the unpatched builds on Linux Aurora were able to reproduce the original crash on a few of the urls. This crash has a very low reproducibility rate, but given the data I have I agree this patch fixes the issue at hand.
|
|
Assignee | |
Comment 9•12 years ago
|
||
|
||
Comment 10•12 years ago
|
||
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
|
||
Comment 11•12 years ago
|
||
(In reply to Mats Palmgren [:mats] from comment #1)
> If so, I think it's mitigated by frame-poisoning.
The addresses in comment 0 don't look very mitigated, those are deleted memory pointers. Frame-poisoned addresses are in a different range. changing to sec-critical unless I'm missing something.
If it is sec-critical we should fix on older branches, especially if live web-content is triggering this crash which might increase the odds of discovery.
status-firefox-esr10:
--- → affected
status-firefox16:
--- → affected
status-firefox17:
--- → affected
status-firefox18:
--- → fixed
tracking-firefox-esr10:
--- → 16+
tracking-firefox16:
--- → +
tracking-firefox17:
--- → +
tracking-firefox18:
--- → +
Keywords: sec-other → sec-critical
Whiteboard: [mitigated by frame-poisoning]
|
|
Assignee | |
Comment 12•12 years ago
|
||
I think most of these crashes are regression from bug 775965, which is only in FF17 and up. So I'll go for Aurora but not other branches at this time.
|
|
Assignee | |
Comment 13•12 years ago
|
||
Comment on attachment 657970 [details] [diff] [review]
rip out mUpdatePluginGeometryForFrame optimization
Review of attachment 657970 [details] [diff] [review]:
-----------------------------------------------------------------
Removes fragile optimization, so should be safe.
Attachment #657970 -
Flags: approval-mozilla-aurora?
|
||
Comment 14•12 years ago
|
||
Comment on attachment 657970 [details] [diff] [review]
rip out mUpdatePluginGeometryForFrame optimization
Approving for Aurora - does this mean that we should untrack/mark unaffected for 16?
Attachment #657970 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
Assignee | |
Comment 15•12 years ago
|
||
(In reply to Lukas Blakk [:lsblakk] from comment #14)
> Approving for Aurora - does this mean that we should untrack/mark unaffected
> for 16?
Probably, but you might want to confirm my guess that this bug doesn't happen (or happens at much lower rate) on 16.
|
|
||
Comment 16•12 years ago
|
||
(In reply to Robert O'Callahan (:roc) (Mozilla Corporation) from comment #15)
> Probably, but you might want to confirm my guess that this bug doesn't
> happen (or happens at much lower rate) on 16.
This crash signature is #13 top browser crasher in 16.0b2 (partially tracked by bug 754380) but I don't know if it's related to this bug.
|
||
Comment 17•12 years ago
|
||
(In reply to Robert O'Callahan (:roc) (Mozilla Corporation) from comment #13)
> Comment on attachment 657970 [details] [diff] [review]
> rip out mUpdatePluginGeometryForFrame optimization
>
> Review of attachment 657970 [details] [diff] [review]:
> -----------------------------------------------------------------
>
> Removes fragile optimization, so should be safe.
Do we know what the regressing bug was here?
|
|
||
Comment 18•12 years ago
|
||
I see comment 12 now. Sounds like this wouldn't help bug 754380 in that case, unless we find other related regressing bugs.
|
|
Assignee | |
Comment 19•12 years ago
|
||
|
|
||
Updated•12 years ago
|
|
|
||
Comment 20•12 years ago
|
||
(In reply to Scoobidiver from comment #16)
> (In reply to Robert O'Callahan (:roc) (Mozilla Corporation) from comment #15)
> > Probably, but you might want to confirm my guess that this bug doesn't
> > happen (or happens at much lower rate) on 16.
> This crash signature is #13 top browser crasher in 16.0b2 (partially tracked
> by bug 754380) but I don't know if it's related to this bug.
I'm not seeing the crash signatures here, or the one listed in bug 754380, at high volume in b3. I don't believe we need to track for that version any longer. Please renominate if you disagree.
QA Contact: jbecerra
|
|
||
Comment 21•12 years ago
|
||
Please prepare a patch for the mozilla-esr10 branch the next opportunity you get. Thanks!
|
||
Comment 22•12 years ago
|
||
Any update on an ESR patch for this? It has been weeks and this is a sec-critical.
|
|
Assignee | |
Comment 23•12 years ago
|
||
Sorry, I lost track of the request in comment #21 for some reason.
I don't think this needs to be fixed on esr10 because the crashes were primarily caused by bug 775965 which never landed on esr10.
|
|
||
Comment 24•12 years ago
|
||
(In reply to Robert O'Callahan (:roc) (Mozilla Corporation) from comment #23)
> Sorry, I lost track of the request in comment #21 for some reason.
>
> I don't think this needs to be fixed on esr10 because the crashes were
> primarily caused by bug 775965 which never landed on esr10.
Thanks roc, marking as unaffected on ESR10 given that.
|
|
||
Updated•12 years ago
|
Whiteboard: [adv-track-main17+]
|
|
||
Updated•12 years ago
|
tracking-firefox-esr10:
17+ → ---
Whiteboard: [adv-track-main17+] → [adv-track-main17+][adv-track-esr17-]
|
||
Updated•12 years ago
|
Summary: Crash [@ nsStyleContext::GetRuleNode()} with deleted this → Crash [@ nsStyleContext::GetRuleNode()] with deleted this
|
|
||
Updated•12 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•