Closed Bug 805013 Opened 12 years ago Closed 12 years ago

crash in mozilla::image::Image::SizeOfData

Categories

(Core :: Graphics: ImageLib, defect)

19 Branch
All
Windows 7
defect
Not set
critical

Tracking

RESOLVED WORKSFORME
mozilla19
Tracking Status
firefox17 --- unaffected
firefox18 --- unaffected
firefox19 + unaffected
firefox20 --- unaffected
firefox-esr10 --- unaffected

People

(Reporter: scoobidiver, Assigned: jdm)

References

Details

(Keywords: crash, regression, sec-critical, Whiteboard: [leave open] fix-range-wanted)

Crash Data

Attachments

(1 file, 1 obsolete file)

It was wrongly classified as bug 801453, but it's apparently not, because there are still crashes after the patch of bug 802485 landed. Thus, it was the #7 top crasher in yesterday's build.
So it first appeared in 19.0a1/20121014 with the following regression range:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=90857937b601&tochange=57304bbf9c0e

Signature 	mozilla::image::Image::SizeOfData()
UUID	2df44912-a546-40cb-ace4-1acc12121024
Date Processed	2012-10-24 14:25:17
Uptime	384
Last Crash	6.6 minutes before submission
Install Age	28.9 minutes since version was first installed.
Install Time	2012-10-24 13:56:11
Product	Firefox
Version	19.0a1
Build ID	20121024030643
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7601 Service Pack 1
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 42 stepping 7
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x6c
App Notes 	
AdapterVendorID: 0x10de, AdapterDeviceID: 0x0e3a, AdapterSubsysID: 14a41028, AdapterDriverVersion: 8.17.12.9635
Has dual GPUs. GPU #2: AdapterVendorID2: 0x8086, AdapterDeviceID2: 0x0126, AdapterSubsysID2: 04a41028, AdapterDriverVersion2: 8.15.10.2418D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 
EMCheckCompatibility	True
Adapter Vendor ID	0x10de
Adapter Device ID	0x0e3a
Total Virtual Memory	4294836224
Available Virtual Memory	3746594816
System Memory Use Percentage	39
Available Page File	13145284608
Available Physical Memory	5153431552

Frame 	Module 	Signature 	Source
0 	xul.dll 	mozilla::image::Image::SizeOfData 	image/src/Image.cpp:40
1 	xul.dll 	imgRequest::UpdateCacheEntrySize 	image/src/imgRequest.cpp:360
2 	xul.dll 	imgStatusTrackerObserver::OnDiscard 	image/src/imgStatusTracker.cpp:201
3 	xul.dll 	mozilla::image::RasterImage::Discard 	image/src/RasterImage.cpp:2424
4 	xul.dll 	mozilla::image::DiscardTracker::DiscardNow 	image/src/DiscardTracker.cpp:268
5 	xul.dll 	nsTimerImpl::Fire 	xpcom/threads/nsTimerImpl.cpp:472
6 	winmm.dll 	timeGetTime 	
7 	xul.dll 	nsTimerEvent::Run 	xpcom/threads/nsTimerImpl.cpp:555
8 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:620
9 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:82
10 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:208
11 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:182
12 	xul.dll 	nsBaseAppShell::Run 	widget/xpwidgets/nsBaseAppShell.cpp:163
13 	xul.dll 	nsAppShell::Run 	widget/windows/nsAppShell.cpp:232
14 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/nsAppStartup.cpp:290
15 	xul.dll 	XREMain::XRE_mainRun 	toolkit/xre/nsAppRunner.cpp:3799
16 	xul.dll 	XREMain::XRE_main 	toolkit/xre/nsAppRunner.cpp:3866
17 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3941
18 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:105
19 	firefox.exe 	__tmainCRTStartup 	crtexe.c:552
20 	kernel32.dll 	BaseThreadInitThunk 	
21 	ntdll.dll 	__RtlUserThreadStart 	
22 	ntdll.dll 	_RtlUserThreadStart

More reports at:
https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Aimage%3A%3AImage%3A%3ASizeOfData%28%29
More reports also at:
https://crash-stats.mozilla.com/report/list?signature=imgRequest%3A%3AUpdateCacheEntrySize%28%29
Crash Signature: [@ mozilla::image::Image::SizeOfData()] [@ @0x0 | mozilla::image::Image::SizeOfData()] → [@ mozilla::image::Image::SizeOfData()] [@ @0x0 | mozilla::image::Image::SizeOfData()] [@ imgRequest::UpdateCacheEntrySize()]
One comment says "I was on flickr, I pressed backspace to go to the previous page."

URLs:

4 	http://www.facebook.com/
2 	https://www.edx.org/courses/MITx/3.091x/2012_Fall/book/0/
2 	http://10.0.0.1/phone.html
2 	https://www.google.com/search?q=Stiefvater,+Maggie+ballad+cover&oe=utf-8&aq=t&rl
2 	about:newtab
2 	http://nfs.mobile.bg/pcgi/photos.cgi
1 	https://www.google.com/search?q=diablo+3+custom+banner+online&oe=utf-8&aq=t&rls=
1 	http://www.flickr.com/photos/rmellway/6232367305/in/photostream/lightbox/
1 	http://www.google.com.pa/search?hl=es&cp=16&gs_id=98&xhr=t&q=historia+del+calcul
1 	http://omgpost.com/yesterday-you-said-tomorrow-just-do-it.html
1 	http://www.google.com.ec/imgres?q=do%C3%B1a+b%C3%A1rbara+r%C3%B3mulo+gallegos&nu
1 	http://i.imgur.com/315Mx.jpg
1 	http://www.mangahere.com/manga/fujoshi_kanojo/v03/c010/34.html
1 	https://groupees.com/uploads/bonus_products/240/cover/D7_cover2_text.jpg
1 	http://comicsbook.ru/?p=2
1 	http://www.notebooksbilliger.de/lenovo+thinkpad+edge+e530+nzq7cge/incrpc/topprod
1 	http://www.oup.cz/slovniky/
1 	http://www.shamchat.c.la/
1 	http://freehqwallpapers.blogspot.in/2012/05/chota-bheem.html
1 	http://www.google.com/imgres?hl=en&client=firefox-nightly&rls=org.mozilla:en-US:
1 	http://lindaikeji.blogspot.ca/search?updated-max=2012-10-22T15:22:00%2B01:00&max
1 	https://www.youtube.com/watch?v=ccpho8b5Vlw
1 	http://www.skelbiu.lt/skelbimai/drabuziai-avalyne/moterims/sukneles/35?&category
1 	http://tieba.baidu.com/f?kw=firefox
1 	http://slipperyonion.com/content/hardcore-cum-mouth
Correlations from 2012-10-30:

mozilla::image::Image::SizeOfData()|EXCEPTION_ACCESS_VIOLATION_READ (53 crashes)
     19% (10/53) vs.   3% (56/1624) {8620c15f-30dc-4dba-a131-7c5d20cf4a29} (Nightly Tester Tools, https://addons.mozilla.org/addon/6543)
     19% (10/53) vs.   5% (83/1624) firebug@software.joehewitt.com (Firebug, https://addons.mozilla.org/addon/1843)
     17% (9/53) vs.   5% (75/1624) elemhidehelper@adblockplus.org (Adblock Plus: Element Hiding Helper, https://addons.mozilla.org/addon/4364)
     13% (7/53) vs.   4% (66/1624) {1018e4d6-728f-4b20-ad56-37578a4de76b} (Flagfox, https://addons.mozilla.org/addon/5791)
      9% (5/53) vs.   0% (5/1624) 5055f6331c615@5055f6331c63f.com
      9% (5/53) vs.   0% (5/1624) pagehacker@webalx.com
      9% (5/53) vs.   0% (5/1624) info@cssUpdater.com
      9% (5/53) vs.   0% (6/1624) firefile@strebitzer.at
     11% (6/53) vs.   3% (43/1624) {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} (WOT, https://addons.mozilla.org/addon/3456)
     11% (6/53) vs.   3% (46/1624) wrc@avast.com
    100% (53/53) vs.  94% (1523/1624) {972ce4c6-7e08-4474-a285-3208198ce6fd} (Default, https://addons.mozilla.org/addon/8150)
     13% (7/53) vs.   8% (126/1624) {e4a8a97b-f2ed-450b-b12d-ee082ba24781} (Greasemonkey, https://addons.mozilla.org/addon/748)
     30% (16/53) vs.  25% (406/1624) {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} (Adblock Plus, https://addons.mozilla.org/addon/1865)
I saw at least two different crashes. One is a READ access violation at
http://hg.mozilla.org/mozilla-central/annotate/0947e291578a/image/src/Image.cpp#l31

--> it appears to be reading mError which probably means the image is a deleted object (that is, a use-after-free).

Another is an EXEC access violation at http://hg.mozilla.org/mozilla-central/annotate/f9acc2e4d4e3/image/src/Image.cpp#l40

--> appears to have called a virtual function pointing off into space, again most likely means the Image is being used after having been freed.

These are exploitable.

In that regression range the most relevant/likely fix is jdm's bug 505385, an 18-part patch for "Refactor Imagelib notifications".
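The diagnosis above (a timer-driven DiscardTracker::DiscardNow walking into RasterImage::Discard and then Image::SizeOfData on an object that has already been freed) and the "bandaid" patch that followed (ensure every RasterImage is removed from the discard tracker) are easiest to see with a small model of that ownership relationship. The following C++ is an added illustration, not Mozilla's code and not the patch from this bug: the class names DiscardTracker and RasterImage are borrowed from the stack trace, but their bodies, the Register/Unregister/TrackedCount methods and the RunDiscardScenario/SecondDiscardReleases helpers are assumptions made for the example. The tracker holds raw pointers and discards from a callback, exactly the shape in which a missing deregistration turns into a use-after-free read of mError; here the destructor always deregisters, so the callback only ever visits live objects.

```cpp
// Added example (not Mozilla code): a toy DiscardTracker/RasterImage pair
// modelling the invariant the diagnostic patch enforces. The tracker keeps raw
// pointers and discards from a timer-style callback, so an image destroyed
// without deregistering would leave a dangling pointer that the next
// DiscardNow() would dereference. Deregistering in the destructor closes that gap.
#include <algorithm>
#include <cstddef>
#include <vector>

class RasterImage;

class DiscardTracker {
public:
  void Register(RasterImage* aImg) { mImages.push_back(aImg); }
  void Unregister(RasterImage* aImg) {
    mImages.erase(std::remove(mImages.begin(), mImages.end(), aImg), mImages.end());
  }
  std::size_t TrackedCount() const { return mImages.size(); }
  // Stand-in for the timer callback: discards the decoded data of every tracked
  // image and returns the number of bytes released.
  std::size_t DiscardNow();
private:
  std::vector<RasterImage*> mImages;  // non-owning, must never dangle
};

class RasterImage {
public:
  RasterImage(DiscardTracker& aTracker, std::size_t aDecodedBytes)
    : mTracker(aTracker), mDecodedBytes(aDecodedBytes) {
    mTracker.Register(this);
  }
  // The invariant: once the image is gone, the tracker holds no pointer to it.
  ~RasterImage() { mTracker.Unregister(this); }
  // Reads mError; on a freed object this is the access violation from the bug.
  std::size_t SizeOfData() const { return mError ? 0 : mDecodedBytes; }
  void Discard() { mDecodedBytes = 0; }
private:
  DiscardTracker& mTracker;
  std::size_t mDecodedBytes;
  bool mError = false;
};

std::size_t DiscardTracker::DiscardNow() {
  std::size_t released = 0;
  for (RasterImage* img : mImages) {
    released += img->SizeOfData();  // safe only because every entry is live
    img->Discard();
  }
  return released;
}

// Constructed scenario: three images register; one is destroyed before the
// timer fires. Returns the bytes released by the first DiscardNow(): the
// destroyed image's 200 bytes are neither counted nor touched.
std::size_t RunDiscardScenario() {
  DiscardTracker tracker;
  RasterImage a(tracker, 100);
  RasterImage* b = new RasterImage(tracker, 200);
  RasterImage c(tracker, 300);
  delete b;                                // destructor deregisters b
  if (tracker.TrackedCount() != 2) return 0;
  return tracker.DiscardNow();             // 400: only a and c are visited
}

// A second timer tick finds nothing left to release.
std::size_t SecondDiscardReleases() {
  DiscardTracker tracker;
  RasterImage a(tracker, 64);
  tracker.DiscardNow();
  return tracker.DiscardNow();             // 0
}
```

The detection angle is the same one the patch took: if the tracker's list can be checked at destruction time, a stale entry can be asserted on (or logged) at the point the object goes away, rather than surfacing later as an unexplained read at a small address such as the 0x6c in this report.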
Group: core-security
Assignee: nobody → josh
We're planning to land this bandaid and see whether crash stats are affected. The results should clarify the nature of the problem, which is a bit mysterious right now.
Whiteboard: [leave open]
Comment on attachment 678902 [details] [diff] [review]
Diagnostic bandaid to ensure that all RasterImages are removed from the discard tracker.

more patch please
Attachment #678902 - Flags: review?(joe) → review-
Attachment #678902 - Attachment is obsolete: true
Comment on attachment 679167 [details] [diff] [review]
Diagnostic bandaid to ensure that all RasterImages are removed from the discard tracker.

Review of attachment 679167 [details] [diff] [review]:
-----------------------------------------------------------------

this has precisely enough patch
Attachment #679167 - Flags: review?(joe) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/a0df3314bee0 for a followup to stop intermittent browser-chrome oranges.
(In reply to Josh Matthews [:jdm] from comment #11)
> https://hg.mozilla.org/integration/mozilla-inbound/rev/a0df3314bee0 for a
> followup to stop intermittent browser-chrome oranges.

https://hg.mozilla.org/mozilla-central/rev/a0df3314bee0
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
The tag to leave this bug open is still present.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Ok, the diagnostic patch did not seem to have an effect. That's a shame.
Judging by a bunch of the crash stacks, the fix for bug 803125 might help here. However, ones like https://crash-stats.mozilla.com/report/index/2a782af8-de6e-4c86-ad28-fe5132121112 still have me completely baffled.
Looking at crash stats, this signature is limited to 19.0a1 users 100%. Something else must have fixed it. Dunno if 30-ish crashes makes this a topcrash in 19; if so we should figure out the fix range and think about uplift. If it's not a topcrash, maybe just forget about it.
Flags: needinfo?(scoobidiver)
Whiteboard: [leave open] → [leave open] fix-range-wanted
mozilla::image::Image::SizeOfData crashes stopped after 19.0a1/20121120. The working range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=bc69705c162d&tochange=4f19e7fd8bea

imgRequest::UpdateCacheEntrySize crashes almost stopped (one crash in 19.0a1/20121124) after 19.0a1/20121118. The working range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b959971b8219&tochange=4fddb9923ef0
Those ones are likely fixed by bug 803125.
Status: REOPENED → RESOLVED
Closed: 12 years ago
Flags: needinfo?(scoobidiver)
Keywords: topcrash
Resolution: --- → WORKSFORME
Group: core-security → core-security-release
Group: core-security-release