Closed Bug 429969 Opened 17 years ago Closed 16 years ago

Crash [@ IsPercentageAware] with :first-letter, rtl

Categories

(Core :: Layout, defect)

x86
macOS
defect
Not set
critical

Tracking

VERIFIED FIXED

People

(Reporter: jruderman, Assigned: roc)

References

Details

(Keywords: crash, testcase, verified1.9.0.11, Whiteboard: [sg:critical] Fixed by bug 429968, post 1.8-branch)

Crash Data

Attachments

(1 file)

Loading the testcase triggers:

###!!! ASSERTION: unexpected flow: 'mFrames.ContainsFrame(nextInFlow)', file /Users/jruderman/trunk/mozilla/layout/generic/nsInlineFrame.cpp, line 469
###!!! ASSERTION: StealFrame failure: 'NS_SUCCEEDED(rv)', file /Users/jruderman/trunk/mozilla/layout/generic/nsContainerFrame.cpp, line 1116

Crash [@ IsPercentageAware].

Security-sensitive because the testcase is very similar to the testcase for bug 429968.
This is the same issue as bug 429968, I think. We're violating assumptions that inline frames make in initial reflow, and that causes bad things to happen.
Blocks: 429968
Whiteboard: [sg:investigate]
Now I only get

###!!! ASSERTION: unexpected flow: 'mFrames.ContainsFrame(nextInFlow)', file /Users/jruderman/central/layout/generic/nsInlineFrame.cpp, line 467

and no crash.
This is definitely exploitable-looking on the 1.9.0 branch. If it's not crashing on mozilla-central (comment 2) maybe we can backport the fix.

(43c.afc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=035ae74c ebx=035aef14 ecx=035aef14 edx=0012dcbc esi=03236a94 edi=0012dcbc
eip=035ae860 esp=0012d86c ebp=0012d890 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216
035ae860 74b2 je 035ae814 [br=0]
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Mozilla Firefox 3.0\xul.dll -
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x35ae860
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Data Execution Protection (DEP) Violation
Exception Hash (Major/Minor): 0x327f0d69.0x5b522b03
Stack Trace:
Unknown
xul!gfxWindowsPlatform::InitBadUnderlineList+0x1379
xul!gfxTextRun::SetSpaceGlyph+0x22d2
xul!gfxWindowsNativeDrawing::PaintToContext+0x2b24c
xul!gfxWindowsNativeDrawing::PaintToContext+0x2b53d
xul!gfxWindowsNativeDrawing::PaintToContext+0x2b7ff
xul!gfxTextRun::SetSpaceGlyph+0x246e
xul!gfxWindowsPlatform::InitBadUnderlineList+0x4cf4
xul!NS_UTF16ToCString_P+0x3cbe
xul!NS_StringCopy_P+0x6293
xul!gfxPlatform::IsCMSEnabled+0x55fc
xul!gfxPlatform::IsCMSEnabled+0x534c
xul!gfxPlatform::IsCMSEnabled+0x12fe1
xul!gfxPlatform::IsCMSEnabled+0x13022
xul!gfxWindowsFontGroup::GetFontAt+0x7a22
xul!gfxWindowsPlatform::InitBadUnderlineList+0x49bc
xul!gfxPlatform::IsCMSEnabled+0x5ad2
xul!gfxPlatform::IsCMSEnabled+0x5669
xul!gfxPlatform::IsCMSEnabled+0x534c
xul!gfxPlatform::IsCMSEnabled+0x12fe1
xul!gfxPlatform::IsCMSEnabled+0x13022
xul!gfxWindowsFontGroup::GetFontAt+0x7a22
xul!gfxWindowsPlatform::InitBadUnderlineList+0x49bc
xul!gfxPlatform::IsCMSEnabled+0x5ad2
xul!gfxPlatform::IsCMSEnabled+0x5669
xul!gfxPlatform::IsCMSEnabled+0x534c
xul!gfxPlatform::IsCMSEnabled+0x12fe1
xul!gfxPlatform::IsCMSEnabled+0x13022
xul!gfxWindowsFontGroup::GetFontAt+0x7a22
xul!gfxWindowsPlatform::InitBadUnderlineList+0x49bc
xul!gfxPlatform::IsCMSEnabled+0x5ad2
xul!gfxPlatform::IsCMSEnabled+0x5669
xul!gfxPlatform::IsCMSEnabled+0x534c
xul!gfxPlatform::IsCMSEnabled+0x12fe1
xul!gfxPlatform::IsCMSEnabled+0x13022
xul!gfxWindowsFontGroup::GetFontAt+0x7a22
xul!gfxWindowsFontGroup::GetFontAt+0x96c6
xul!gfxPlatform::IsCMSEnabled+0x1127
xul!gfxWindowsFontGroup::GetFontAt+0x96c6
xul!gfxWindowsPlatform::ResolveFontName+0x7f4a
xul!gfxPlatform::IsCMSEnabled+0xe570
xul!gfxTextRun::GetAdvanceWidth+0x29b7
xul!gfxWindowsFontGroup::GetFontAt+0x96c6
xul!gfxWindowsFontGroup::GetFontAt+0x981c
xul!gfxWindowsFontGroup::GetFontAt+0x935
xul!gfxASurface::AddRef+0x293c
xul!gfxWindowsPlatform::UpdateFontList+0x3fcb
xul!NS_CycleCollectorForget_P+0x140db
xul!NS_NewLocalFile_P+0x17458
xul!NS_CycleCollectorForget_P+0xe128
xul!gfxWindowsPlatform::FontEnumProc+0x4f7a
xul!gfxFont::SanitizeMetrics+0xa0e
xul!XRE_main+0xdb7
Unknown
Unknown
Instruction Address: 0x35ae860
Description: Data Execution Prevention Violation
Short Description: DEPViolation
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Data Execution Prevention Violation starting at Unknown Symbol @ 0x23521280092e190 (Hash=0x327f0d69.0x5b522b03)
User mode DEP access violations are exploitable.
Flags: wanted1.9.0.x+
Whiteboard: [sg:investigate] → [sg:critical]
(In reply to comment #3)
> This is definitely exploitable-looking on the 1.9.0 branch. If it's not
> crashing on mozilla-central (comment 2) maybe we can backport the fix.

Nominating blocking1.9.0.10? due to comment #3.
Flags: blocking1.9.0.10?
qawanted: if this is truly fixed by bug 429969 this should be fixed on trunk and 1.9.1 -- can we get that verified please?
No longer blocks: 429968
Depends on: 429968
Flags: blocking1.9.0.10? → blocking1.9.0.10+
Keywords: qawanted
Whiteboard: [sg:critical] → [sg:critical] Fixed by bug 429968
(In reply to comment #5)
> qawanted: if this is truly fixed by bug 429969 this should be fixed on trunk
> and 1.9.1 -- can we get that verified please?

It doesn't crash on Mac or Windows with either build, but running in debug I am seeing an assertion on both 1.9.1 and 1.9.2. However, on 1.9.1 the assertion is accompanied by a SQLite warning, which I find odd. Every time I reload the test on 1.9.1 I get the SQLite warning.

Here is what I get on 1.9.1 (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4pre) Gecko/20090417 Shiretoko/3.5b4pre):

WARNING: 1 sort operation has occurred for the SQL statement 'SELECT b.id FROM moz_bookmarks b JOIN ( SELECT id FROM moz_places_temp WHERE url = ?1 UNION ALL SELECT id FROM moz_places WHERE url = ?1 AND +id NOT IN (SELECT id FROM moz_places_temp) ) AS h ON b.fk = h.id WHERE b.type = ?2 ORDER BY MAX(IFNULL(b.lastModified, 0), b.dateAdded) DESC, b.id DESC'. This may indicate an opportunity to improve performance through the careful use of indexes.: file /Users/clint/code/moz1.9.1/src/storage/src/mozStoragePrivateHelpers.cpp, line 105
###!!! ASSERTION: unexpected flow: 'mFrames.ContainsFrame(nextInFlow)', file /Users/clint/code/moz1.9.1/src/layout/generic/nsInlineFrame.cpp, line 472

And on 1.9.2 (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090417 Minefield/3.6a1pre) I don't get the SQLite warning:

###!!! ASSERTION: unexpected flow: 'mFrames.ContainsFrame(nextInFlow)', file /Users/clint/code/mozcentral/src/layout/generic/nsInlineFrame.cpp, line 460

Hopefully that's what you needed; if not, let us know. Removing qaWanted.
Keywords: qawanted
Assignee: nobody → roc
I just filed bug 491547, which has a similar stacktrace, but seems like a regression. But perhaps still related to this?
(In reply to comment #7)
> I just filed bug 491547, which has a similar stacktrace, but seems like a
> regression. But perhaps still related to this?

I think it's more like bug 460389.
The 1.9.0 patch in bug 429968 fixes this crash on that branch. I still see the "unexpected flow" assertion, but no crash.
This crash does not happen on Firefox 2.0.0.20
Flags: wanted1.8.1.x-
Checked bug 429969, fixing this for the 1.9.0.11 release. As far as the "sg:critical" crash goes this bug is now fixed, so I think the remaining assertion can go into another bug. There was bug 402380, but that was fixed a while ago.
Status: NEW → RESOLVED
Closed: 16 years ago
Keywords: fixed1.9.0.11
Resolution: --- → FIXED
Blocks: 493402
Verified for 1.9.0.11 using testcase with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.11pre) Gecko/2009051804 GranParadiso/3.0.11pre. Crashes in 1.9.0.10.
Verified for trunk with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090517 Minefield/3.6a1pre.
Status: RESOLVED → VERIFIED
Depends on: 493652
Whiteboard: [sg:critical] Fixed by bug 429968 → [sg:critical] Fixed by bug 429968, post 1.8-branch
Group: core-security
Flags: in-testsuite+
Crash Signature: [@ IsPercentageAware]