799091 - Intermittent crash in browser_visibleTabs.js ("###!!! ABORT: PresArena: poison overwritten; wanted 7ffffffff0dea7ff found 5ffffffff0dea7ff errors in bits 2000000000000000: 'val == ARENA_POISON', file ../../../layout/base/nsPresArena.cpp, line 333")

Status: RESOLVED INVALID

(Core :: CSS Parsing and Computation, defect)

Description

[Ed Morley [:emorley]]

Rev4 MacOSX Lion 10.7 mozilla-central debug test mochitest-other on 2012-10-08 02:43:06 PDT for push d3113617c43a

slave: talos-r4-lion-025

https://tbpl.mozilla.org/php/getParsedLog.php?id=15917362&tree=Firefox

{
TEST-PASS | chrome://mochitests/content/browser/browser/base/content/test/browser_visibleTabs.js | it's the original tab
TEST-PASS | chrome://mochitests/content/browser/browser/base/content/test/browser_visibleTabs.js | still have 2 open tabs
WARNING: NS_ENSURE_TRUE(mMutable) failed: file ../../../../netwerk/base/src/nsSimpleURI.cpp, line 273
###!!! ABORT: PresArena: poison overwritten; wanted 7ffffffff0dea7ff found 5ffffffff0dea7ff errors in bits 2000000000000000: 'val == ARENA_POISON', file ../../../layout/base/nsPresArena.cpp, line 333
imgLoader::SupportImageWithMimeType(char const*)+0x002C5828 [/Users/cltbld/talos-slave/test/build/FirefoxNightlyDebug.app/Contents/MacOS/XUL +0x00561EF8]
imgLoader::SupportImageWithMimeType(char const*)+0x0029A2D2 [/Users/cltbld/talos-slave/test/build/FirefoxNightlyDebug.app/Contents/MacOS/XUL +0x005369A2]
imgLoader::SupportImageWithMimeType(char const*)+0x00289A5E [/Users/cltbld/talos-slave/test/build/FirefoxNightlyDebug.app/Contents/MacOS/XUL +0x0052612E]
imgLoader::SupportImageWithMimeType(char const*)+0x002A837A [/Users/cltbld/talos-slave/test/build/FirefoxNightlyDebug.app/Contents/MacOS/XUL +0x00544A4A]
imgLoader::SupportImageWithMimeType(char const*)+0x002BD06E [/Users/cltbld/talos-slave/test/build/FirefoxNightlyDebug.app/Contents/MacOS/XUL +0x0055973E]
imgLoader::SupportImageWithMimeType(char const*)+0x000B82D3 [/Users/cltbld/talos-slave/test/build/FirefoxNightlyDebug.app/Contents/MacOS/XUL +0x003549A3]
imgLoader::SupportImageWithMimeType(char const*)+0x000B72DE [/Users/cltbld/talos-slave/test/build/FirefoxNightlyDebug.app/Contents/MacOS/XUL +0x003539AE]
imgLoader::SupportImageWithMimeType(char const*)+0x000B7F27 [/Users/cltbld/talos-slave/test/build/FirefoxNightlyDebug.app/Contents/MacOS/XUL +0x003545F7]
imgLoader::SupportImageWithMimeType(char const*)+0x000B7F27 [/Users/cltbld/talos-slave/test/build/FirefoxNightlyDebug.app/Contents/MacOS/XUL +0x003545F7]
imgLoader::SupportImageWithMimeType(char const*)+0x000B7F27 [/Users/cltbld/talos-slave/test/build/FirefoxNightlyDebug.app/Contents/MacOS/XUL +0x003545F7]
imgLoader::SupportImageWithMimeType(char const*)+0x000B7F27 [/Users/cltbld/talos-slave/test/build/FirefoxNightlyDebug.app/Contents/MacOS/XUL +0x003545F7]
imgLoader::SupportImageWithMimeType(char const*)+0x000B8540 [/Users/cltbld/talos-slave/test/build/FirefoxNightlyDebug.app/Contents/MacOS/XUL +0x00354C10]
imgLoader::SupportImageWithMimeType(char const*)+0x00067457 [/Users/cltbld/talos-slave/test/build/FirefoxNightlyDebug.app/Contents/MacOS/XUL +0x00303B27]
imgLoader::SupportImageWithMimeType(char const*)+0x0004DD0B [/Users/cltbld/talos-slave/test/build/FirefoxNightlyDebug.app/Contents/MacOS/XUL +0x002EA3DB]
imgLoader::SupportImageWithMimeType(char const*)+0x0004D1B6 [/Users/cltbld/talos-slave/test/build/FirefoxNightlyDebug.app/Contents/MacOS/XUL +0x002E9886]
imgLoader::SupportImageWithMimeType(char const*)+0x0006C537 [/Users/cltbld/talos-slave/test/build/FirefoxNightlyDebug.app/Contents/MacOS/XUL +0x00308C07]
imgLoader::SupportImageWithMimeType(char const*)+0x000E3923 [/Users/cltbld/talos-slave/test/build/FirefoxNightlyDebug.app/Contents/MacOS/XUL +0x0037FFF3]
imgLoader::SupportImageWithMimeType(char const*)+0x003263C6 [/Users/cltbld/talos-slave/test/build/FirefoxNightlyDebug.app/Contents/MacOS/XUL +0x005C2A96]
imgLoader::SupportImageWithMimeType(char const*)+0x003249BB [/Users/cltbld/talos-slave/test/build/FirefoxNightlyDebug.app/Contents/MacOS/XUL +0x005C108B]
imgLoader::SupportImageWithMimeType(char const*)+0x00324A8D [/Users/cltbld/talos-slave/test/build/FirefoxNightlyDebug.app/Contents/MacOS/XUL +0x005C115D]
NS_InvokeByIndex_P+0x0000021D [/Users/cltbld/talos-slave/test/build/FirefoxNightlyDebug.app/Contents/MacOS/XUL +0x0181C68D]
xpc_LocalizeContext(JSContext*)+0x00019EE6 [/Users/cltbld/talos-slave/test/build/FirefoxNightlyDebug.app/Contents/MacOS/XUL +0x00FDBA06]
xpc_LocalizeContext(JSContext*)+0x00017C12 [/Users/cltbld/talos-slave/test/build/FirefoxNightlyDebug.app/Contents/MacOS/XUL +0x00FD9732]
xpc_LocalizeContext(JSContext*)+0x00022041 [/Users/cltbld/talos-slave/test/build/FirefoxNightlyDebug.app/Contents/MacOS/XUL +0x00FE3B61]
###!!! ABORT: PresArena: poison overwritten; wanted 7ffffffff0dea7ff found 5ffffffff0dea7ff errors in bits 2000000000000000: 'val == ARENA_POISON', file ../../../layout/base/nsPresArena.cpp, line 333
WARNING: shutting down early because of crash!: file ../../../../dom/plugins/ipc/PluginModuleChild.cpp, line 704
WARNING: plugin process _exit()ing: file ../../../../dom/plugins/ipc/PluginModuleChild.cpp, line 669
WARNING: shutting down early because of crash!: file ../../../../dom/plugins/ipc/PluginModuleChild.cpp, line 704
WARNING: plugin process _exit()ing: file ../../../../dom/plugins/ipc/PluginModuleChild.cpp, line 669
TEST-UNEXPECTED-FAIL | chrome://mochitests/content/browser/browser/base/content/test/browser_visibleTabs.js | Exited with code 1 during test run
INFO | automation.py | Application ran for: 0:05:48.271323
INFO | automation.py | Reading PID log: /var/folders/qd/srwd5f710sj0fcl9z464lkj00000gn/T/tmppAk5hVpidlog
Downloading symbols from: http://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-macosx64-debug/1349686534/firefox-18.0a1.en-US.mac64.crashreporter-symbols.zip
PROCESS-CRASH | chrome://mochitests/content/browser/browser/base/content/test/browser_visibleTabs.js | application crashed (minidump found)
Crash dump filename: /var/folders/qd/srwd5f710sj0fcl9z464lkj00000gn/T/tmpjuedeg/minidumps/B8EEDB3F-54A6-4390-BC55-4AF6085B0ECE.dmp
Operating system: Mac OS X
                  10.7.2 11C74
CPU: amd64
     family 6 model 23 stepping 10
     2 CPUs

Crash reason:  EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Crash address: 0x0

Thread 0 (crashed)
 0  libmozalloc.dylib!mozalloc_abort [mozalloc_abort.cpp : 23 + 0x0]
    rbx = 0x00007fff7605a630   r12 = 0x000000010334d5d7
    r13 = 0x0000000138b78768   r14 = 0x00007fff5fbf5c00
    r15 = 0x00007fff7605a630   rip = 0x00000001000cab64
    rsp = 0x00007fff5fbf5bb0   rbp = 0x00007fff5fbf5bc0
    Found by: given as instruction pointer in context
 1  XUL!Abort [nsDebugImpl.cpp : 423 + 0x4]
    rbx = 0x00007fff5fbf5bf0   r12 = 0x000000010334d5d7
    r13 = 0x0000000138b78768   r14 = 0x00007fff5fbf5c00
    r15 = 0x00007fff7605a630   rip = 0x0000000102809a19
    rsp = 0x00007fff5fbf5bd0   rbp = 0x00007fff5fbf5bd0
    Found by: call frame info
 2  XUL!NS_DebugBreak_P [nsDebugImpl.cpp : 380 + 0x7]
    rbx = 0x00007fff5fbf5bf0   r12 = 0x000000010334d5d7
    r13 = 0x0000000138b78768   r14 = 0x00007fff5fbf5c00
    r15 = 0x00007fff7605a630   rip = 0x00000001028097b9
    rsp = 0x00007fff5fbf5be0   rbp = 0x00007fff5fbf6020
    Found by: call frame info
 3  XUL!nsPresArena::State::Allocate [nsPresArena.cpp : 325 + 0x10]
    rbx = 0x00007fff5fbf6040   r12 = 0x0000000100cdcb78
    r13 = 0x000000010334d486   r14 = 0x0000000100cdcb48
    r15 = 0x000000010334d5d7   rip = 0x000000010136a180
    rsp = 0x00007fff5fbf6030   rbp = 0x00007fff5fbf60a0
    Found by: call frame info
 4  XUL!nsStyleMargin::operator new [nsIPresShell.h : 261 + 0xb]
    rbx = 0x0000000116002c50   r12 = 0x000000013e965d01
    r13 = 0x00007fff5fbf62e0   r14 = 0x0000000000000040
    r15 = 0x0000000000000000   rip = 0x0000000101561ef8
    rsp = 0x00007fff5fbf60b0   rbp = 0x00007fff5fbf60d0
    Found by: call frame info
 5  XUL!nsRuleNode::ComputeMarginData [nsRuleNode.cpp : 5662 + 0xc]
    rbx = 0x0000000116002c50   r12 = 0x000000013e965d01
    r13 = 0x00007fff5fbf62e0   r14 = 0x00000001052d32a0
    r15 = 0x000000013e90f9d8   rip = 0x00000001015369a2
    rsp = 0x00007fff5fbf60e0   rbp = 0x00007fff5fbf61c0
    Found by: call frame info
 6  XUL!nsRuleNode::WalkRuleTree [nsStyleStructList.h : 106 + 0x17]
    rbx = 0x0000000000000001   r12 = 0x000000013e965d90
    r13 = 0x0000000000010000   r14 = 0x0000000000000010
}

Comment 1

[Daniel Veditz [:dveditz]]

Normally a frame poisoned crash would be non-exploitable, but I'm not sureif the "PresArena: poison overwritten;" assertion means something worse.

Comment 2

[Zack Weinberg (:zwol)]

That assertion happens when nsPresArena goes to recycle memory from one of its free lists and discovers that something has modified that memory after it was freed.  We don't know exactly when that happened, and it's debug-only.  In a release build this could potentially mean a stale pointer now points to a new object.  The object we're trying to allocate is not a frame, so it's coming from one of the by-size pools, so that stale pointer could potentially have the wrong type for the new object.

So, yeah, potentially exploitable.

Comment 3

[Zack Weinberg (:zwol)]

Having said that, it's a single-bit error way up high in a 64-bit word, which makes me wonder about RAM errors.

Comment 4

[Ed Morley [:emorley]]

(In reply to Zack Weinberg (:zwol) from comment #3)
> Having said that, it's a single-bit error way up high in a 64-bit word,
> which makes me wonder about RAM errors.

In case it helps:
https://bugzilla.mozilla.org/show_bug.cgi?id=talos-r4-lion-025
https://secure.pub.build.mozilla.org/buildapi/recent/talos-r4-lion-025

Comment 5

[Mats Palmgren (inactive)]

Looking at the log in bug 789803 comment 4 using reftest-analyzer -- it's a
single-pixel error at the exact same coordinate in two different reftests where
it's supposed to be only white background.  I think that corroborates the
RAM error theory.

Resolving as hardware error on talos-r4-lion-025.