User Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Ubuntu/11.04 Chromium/12.0.742.112 Chrome/12.0.742.112 Safari/534.30 Steps to reproduce: Hi, I was playing with a fuzzer on firefox 5 (firefox 5.0+build1+nobinonly-0ubuntu0.11.04.2), and got the crash below: Program received signal SIGSEGV, Segmentation fault. 0xb777fb06 in PrepareAndDispatch (methodIndex=<value optimized out>, self=0xa2ae7650, args=0xbfffe564) at /build/buildd/firefox-5.0+build1+nobinonly/build-tree/mozilla/xpcom/reflect/xptcall/src/md/unix/xptcstubs_gcc_x86_unix.cpp:189 due to the nature of the fuzzer it will be hard to get a test case, but i can reproduce it if needed. Regards, David Maciejak Fortinet's FortiGuard Global Security Research Team Actual results: firefox crashed, so i run it in gdb, find the full trace enclosed Expected results: no crash

We would definitely need more details than you have provided here: at least a backtrace, and probably a reproducible testcase. With our internal fuzzers we work pretty hard to make sure that they at least log their actions to try and make bugs reproducible.

Oh, the backtrace is in the attachment. There's still not enough details to evaluate this: we're operating on a dead object pointer. With a testcase, a valgrind log would probably produce the most useful information.

I would like to provide a testcase too, but it's not easy to identify from the fuzzer which is based on cross_fuzz. I will try to do a smaller fuzz file and i will generate a valgrind log too.

Benjamin, pls tell me which valgrind option you want, seems firefox -g -d valgrind -a "-v --leak-check=full" is not giving much info

https://developer.mozilla.org/en/Debugging_Mozilla_with_valgrind has the details.

i have to rebuild firefox ? :S

i uploaded a smaller version of the fuzzer, running the cli command below with root is reproducing the issue in my lab after about 30s #firefox -g -private-toggle file:///fuzzcase/cross_fuzz_seed_ftnt.html#864324348

Peter, this looks like it might be a bogus nsINode pointer making it into the DOM code, maybe something not working right in the offset table magic we do when unwrapping, or somesuch? Can you have a look?

We ran out of time to take a fix for 6 safely here, but we're tracking this for 7 and beyond. Peter, if you happen to get a fix for this and it's trivial and really safe, we could consider this for 6, but we're pushing the limits there IMO.

How different is your version of cross_fuzz from upstream cross_fuzz?

In fact, for the version i sent the core is not changed, i just played with different document types, adding for example svg samples, webgl and more.

fyi i can't reproduce it in ff 6.0

It's quite possible one of the many engine changes in Firefox 6 fixed this bug, but there's no way to say for sure. If you can no longer reproduce it we need to move on to other bugs. If the bug recurs please reopen the bug with the additional information (or send mail to security at mozilla.org and we'll do it).

I tried reproducing this on trunk but couldn't either. I also looked at the code, didn't see anything obviously wrong.