Closed Bug 513224 Opened 15 years ago Closed 13 years ago

reproducible crash [@SelectorMatches ] Exploitable - User Mode Write AV starting at gklayout!nsINode::GetFlags

Categories

(Core :: Layout, defect)

x86
Windows XP
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 485941
Tracking Status
blocking1.9.1 --- -
status1.9.1 --- wanted

People

(Reporter: cbook, Unassigned)


Details

(Keywords: crash, testcase, Whiteboard: [sg:dos stack exhaustion])

Crash Data

Attachments

(2 files)

Steps to reproduce:
-> Load http://securityvulns.com/files/FirefoxIEOperaDoSExploit.xml (you might need to wait some seconds)
--> Crash (also http://crash-stats.mozilla.com/report/index/832c42fe-aca6-4774-9604-f4ab92090828?p=1)

Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x30ffc
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Exception Hash (Major/Minor): 0x7e697052.0x411c6343

Stack Trace:
gklayout!nsINode::GetFlags+0xc
gklayout!nsINode::HasFlag+0xf
gklayout!nsBindingManager::GetBinding+0x1a
gklayout!nsBindingManager::ChangeDocumentFor+0x77
gklayout!nsGenericElement::UnbindFromTree+0xc4
gklayout!nsGenericElement::UnbindFromTree+0x1a5
(the gklayout!nsGenericElement::UnbindFromTree+0x1a5 frame repeats for every remaining captured frame of the trace)

Instruction Address: 0x0000000002af437c
Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at gklayout!nsINode::GetFlags+0x000000000000000c (Hash=0x7e697052.0x411c6343)
User mode write access violations that are not near NULL are exploitable.
Flags: blocking1.9.2?
Flags: blocking1.9.0.15?
Related to bug 485941 and/or bug 323394?
We also seem to see this stack and related ones about 100 times a day.

108 total crashes for SelectorMatches on 20090826-crashdata.csv
33 start up crashes inside 3 minutes

SelectorMatches signature breakdown (signature list):
104 SelectorMatches
3 SelectorMatchesTree
1 SelectorMatches(RuleProcessorData&, nsCSSSelector*, int, nsIAtom*, int*)

Distribution of versions where the crash was found on 20090826-crashdata.csv:
59 Firefox 3.5.2
38 Firefox 3.0.13
4 Firefox 3.5.1
2 Firefox 3.0.12
2 Firefox 3.0.10
1 Firefox 3.5
1 Firefox 3.0.3
1 Firefox 3.0.11

Domains of sites:
19 //
18 http://www.facebook.com
3 http://www.youtube.com
3 http://www.google.com
3 about:blank//
3 \N//
2 http://www.msn.com
2 http://www.google.ro
2 http://nasza-klasa.pl
2 http://apps.facebook.com
1 https://cid-bcb5a56dc0014b07.skydrive.live.com
1 http://www1.hilton.com
1 http://www.ustream.tv
1 http://www.t-online.de
1 http://www.searchtempest.com
1 http://www.schuelervz.net
1 http://www.realestate.com.au
and many more...
Summary: Exploitable - User Mode Write AV starting at gklayout!nsINode::GetFlags → reproducible crash [@SelectorMatches ] Exploitable - User Mode Write AV starting at gklayout!nsINode::GetFlags
we might want to expedite the investigation and fixing of this one just in case.
Hmm. I'm confused. The crash on crash-stats is pretty clearly a busted stack. I would expect us to maybe hit infinite-recursion crashes on this testcase (though I don't on Windows). Where's the data in comment 0 coming from? A local debug run?
(In reply to comment #6)
> Hmm. I'm confused. The crash on crash-stats is pretty clearly a busted stack.
> I would expect us to maybe hit infinite-recursion crashes on this testcase
> (though I don't on Windows). Where's the data in comment 0 coming from? A
> local debug run?

Yes, it's the data from a recent (I think 12 hour old) 1.9.1 debug build. The data about the stack etc. is from windbg (in combination with !exploitable).
By the way, it seems that this is a Windows-only crash; it does not crash on Mac so far.
Before blocking I'd want to see if we get a less scary DoS crash in an opt build since on the surface this looks like bug 485941 (and others).
Keywords: testcase
Flags: blocking1.9.0.15? → wanted1.9.0.x+
blocking1.9.1: ? → -
Whiteboard: [sg:dos?]
(In reply to comment #0)
> (also
> http://crash-stats.mozilla.com/report/index/832c42fe-aca6-4774-9604-f4ab92090828?p=1)

The "Crash Reason" is EXCEPTION_STACK_OVERFLOW, but the stack is garbled after frame 3.

(In reply to comment #10)
> note also crash on vista - stack :
> http://crash-stats.mozilla.com/report/index/7d07eb8a-3d95-494d-b09a-76f242090828?p=1

Note that the reason was also EXCEPTION_STACK_OVERFLOW, and the deep recursion is http://hg.mozilla.org/releases/mozilla-1.9.1/annotate/001b77ffc015/content/base/src/nsGenericElement.cpp#l2706 calling itself.
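Editor's note on the mechanism the comments above describe: UnbindFromTree recurses once per nesting level of the document, so a page served with enough nested elements drives the native stack into the guard region. The faulting address in comment 0 (0x30ffc) sits at the bottom of the main thread's stack (comment 13 shows esp at 0x00032eec), and !exploitable's rule that any write AV not near NULL is exploitable turns that stack exhaustion into an EXPLOITABLE label, which is why the triage settled on [sg:dos stack exhaustion] rather than a memory-safety bug. The following program is an added illustration written for this page, not Gecko code: the node layout, the function names and the depths are the editor's assumptions. It builds a chain of nested nodes, tears it down once with a recursive routine shaped like the crashing frame, and once with the same children-first traversal driven by an explicit heap-allocated stack, which is the standard fix pattern when recursion depth is attacker-controlled.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added example, not Gecko code. A minimal element tree with the same
 * first-child / next-sibling shape as a DOM, used to show why a teardown
 * routine that recurses once per nesting level is a stack-exhaustion DoS
 * on attacker-controlled documents, and the iterative shape that is not. */
typedef struct Node {
    struct Node *first_child;
    struct Node *next_sibling;
    int bound;                  /* 1 while bound to a document, 0 once unbound */
} Node;

static void *xalloc(void *p) {
    if (!p) { perror("alloc"); exit(1); }
    return p;
}

/* Build `depth` nested elements (<a><a><a>...</a></a></a>) and return the
 * root. Whoever serves the document chooses this number. */
Node *build_chain(size_t depth) {
    Node *root = NULL, *cur = NULL;
    for (size_t i = 0; i < depth; i++) {
        Node *n = xalloc(calloc(1, sizeof *n));
        n->bound = 1;
        if (cur) cur->first_child = n; else root = n;
        cur = n;
    }
    return root;
}

/* Recursive teardown in the shape of the crashing frame: children are
 * unbound by calling this same function, so native stack depth equals
 * document nesting depth. Returns the number of nodes unbound. Safe only
 * for small depths; a few tens of thousands of levels reaches the guard
 * page, which shows up as a write access violation at a non-NULL address. */
size_t unbind_recursive(Node *n) {
    if (!n) return 0;
    size_t count = 0;
    for (Node *c = n->first_child; c; c = c->next_sibling)
        count += unbind_recursive(c);
    n->bound = 0;               /* children first, then self */
    return count + 1;
}

/* The same children-first traversal with an explicit heap-allocated stack.
 * Each frame records the next child still to visit, which is exactly what
 * the recursive version kept in a native stack frame. Depth is now bounded
 * by heap, so a very deep document is a slow page rather than a crash. */
typedef struct { Node *node; Node *next_child; } Frame;

size_t unbind_iterative(Node *root) {
    if (!root) return 0;
    size_t cap = 64, sp = 0, count = 0;
    Frame *stack = xalloc(malloc(cap * sizeof *stack));
    stack[sp++] = (Frame){ root, root->first_child };
    while (sp) {
        Frame *top = &stack[sp - 1];
        Node *c = top->next_child;
        if (c) {
            top->next_child = c->next_sibling;   /* advance before descending */
            if (sp == cap) {                      /* grow; `top` is not used after this */
                cap *= 2;
                stack = xalloc(realloc(stack, cap * sizeof *stack));
            }
            stack[sp++] = (Frame){ c, c->first_child };
        } else {
            top->node->bound = 0;                 /* all children done: unbind self */
            count++;
            sp--;
        }
    }
    free(stack);
    return count;
}

/* Release the tree without recursion: pre-order with an explicit stack. */
void free_tree(Node *root) {
    if (!root) return;
    size_t cap = 64, sp = 0;
    Node **stack = xalloc(malloc(cap * sizeof *stack));
    stack[sp++] = root;
    while (sp) {
        Node *n = stack[--sp];
        for (Node *c = n->first_child; c; c = c->next_sibling) {
            if (sp == cap) { cap *= 2; stack = xalloc(realloc(stack, cap * sizeof *stack)); }
            stack[sp++] = c;
        }
        free(n);
    }
    free(stack);
}

/* Build a chain of `depth` nodes, tear it down with the chosen variant and
 * return how many nodes were unbound (0 if the root was somehow left bound). */
size_t run_teardown(size_t depth, int recursive) {
    Node *root = build_chain(depth);
    size_t n = recursive ? unbind_recursive(root) : unbind_iterative(root);
    if (root && root->bound) n = 0;
    free_tree(root);
    return n;
}

int main(int argc, char **argv) {
    /* Default: 500000 levels through the iterative path. Pass a depth and
     * any second argument to run the recursive path and watch it overflow. */
    size_t depth = argc > 1 ? strtoull(argv[1], NULL, 10) : 500000;
    printf("unbound %zu nodes\n", run_teardown(depth, argc > 2));
    return 0;
}
```

The check to carry over to other crashes with this shape: if the recursion depth is a function of input the remote party controls (element nesting, JSON or XML depth, nested closures), a stack-overflow signature is a DoS until shown otherwise, and the fix is either a hard depth limit at parse time or an explicit-stack traversal like the one above.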
Yeah, comment 0 is the only non-stack-overflow I see around here.
Flags: blocking1.9.2? → wanted1.9.2+
I see the stack overflow in Firefox 4.0 Windows XP and 7 on the original url as well as http://inside.nike.com/blogs/nikefootball-vi_VN/feeds/posts

Operating system: Windows NT 5.1.2600 Service Pack 3
CPU: x86 GenuineIntel family 6 model 44 stepping 2 1 CPU
Crash reason: EXCEPTION_STACK_OVERFLOW
Crash address: 0x10995443

Thread 0 (crashed)
0 xul.dll!SelectorMatches [nsCSSRuleProcessor.cpp : 1660 + 0x13]
eip = 0x10995443 esp = 0x00032eec ebp = 0x00033270 ebx = 0x00000001
esi = 0x0733ea10 edi = 0x00000000 eax = 0xefcf8228 ecx = 0x073a3ac8
edx = 0x0003364c efl = 0x00010286
Found by: given as instruction pointer in context
Version: 1.9.1 Branch → Trunk
Crash Signature: [@SelectorMatches ]
On Mac I get:
XML Parsing Error: no element found
Location: https://bug513224.bugzilla.mozilla.org/attachment.cgi?id=397268&t=4rBIk584Hj
Line Number 1, Column 228891:

Josh sees a crash on Windows (stack exhaustion).
On Windows 7 with today's trunk nightly build I get an immediate crash: https://crash-stats.mozilla.com/report/index/bp-40f9b21a-030a-4536-abcf-650162120309 Stack exhaustion.
Group: core-security
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dos?] → [sg:dos stack exhaustion]
