Bug 693053
Opened 13 years ago
Closed 13 years ago
crash with destroyed nsPluginArray instance when running cross_fuzz
Categories
(Core Graveyard :: Plug-ins, defect)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: MatsPalmgren_bugz, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, Whiteboard: [sg:critical?])
Attachments
(3 files)
STEPS TO REPRODUCE
1. download cross-fuzz from: http://lcamtuf.coredump.cx/cross_fuzz/
2. turn off popup blocking, turn off slow script warnings, turn off
the pref "Open new windows in a new tab instead"
3. load
file:///c:/cross_fuzz/cross_fuzz_randomized_2011010c5_seed.html#-501598811
ACTUAL RESULT
nsPluginArray::AllowPlugins
nsPluginArray::GetLength
nsMimeTypeArray::GetMimeTypes
nsNavigator::JavaEnabled
NS_InvokeByIndex_P
...
ADDITIONAL INFORMATION
Bug occurs in a local mozilla-central (10.0a1) DEBUG build on Windows XP.
https://crash-stats.mozilla.com/ has 5 reported crashes in the past 4 weeks.
Example: bp-01b9cf5d-c450-44db-af7d-2ba172111005
(Fx 4.0.1, 5.0 and 6.0.2)
Comment 1•13 years ago
CC'ing Jesse in case he wants to look into differences between original cross-fuzz and cross-fuzz-like functionality incorporated into his fuzzers that led to this being missed (doesn't seem to be a dupe).
Keywords: testcase-wanted
Comment 2•13 years ago
Bobby, can you look into this? Might be fixable by code inspection, even.
Assignee: nobody → bobbyholley+bmo
status-firefox10: --- → affected
status-firefox7: --- → wontfix
status-firefox8: --- → affected
status-firefox9: --- → affected
tracking-firefox10: --- → +
tracking-firefox7: --- → -
tracking-firefox8: --- → +
tracking-firefox9: --- → +
Comment 3•13 years ago
(In reply to Johnny Stenback (:jst, jst@mozilla.com) from comment #2)
> Bobby, can you look into this? Might be fixable by code inspection, even.
sure thing.
Comment 4•13 years ago
Added some guesses to my DOM fuzzer in rev 99a9fca5c37f. Let me know if you make a testcase.
Comment 5•13 years ago
I'm able to quickly reproduce bug 671484 with the fuzzer. But after I comment out that assertion and run it for 5 minutes or so, I still don't see this crash. :\
I'm running on macos rather than windows, which may have something to do with it. But I'm also curious as to why the filename seems to be different than the one mats posted in the bug. I've been trying with http://lcamtuf.coredump.cx/cross_fuzz/cross_fuzz_randomized_20110105_seed.html#-501598811
mats, can you confirm that this is reproducible with that url?
Code inspection doesn't seem all that helpful here, unfortunately, since the code seems relatively innocuous. We've got this function:
http://mxr.mozilla.org/mozilla-central/source/dom/base/nsPluginArray.cpp#102
Which calls into:
http://mxr.mozilla.org/mozilla-central/source/docshell/base/nsDocShell.cpp#1923
If we believe the stack, then the only explanation is that mDocShell is garbage, which seems unlikely. The stack appears to be PGO-ed though, so it might be a few methods deeper than it appears.
Comment 6•13 years ago
Hmm, I gave this a try on a windows box too and after setting assertions to warn only and commenting out the modal dialog opening code in nsGlobalWindow::Find(), I've had it running for an hour so far and got no crashes. It's still running, and I can leave it go, but so far nothing...
Comment 7•13 years ago
Ok, my bad, I had *not* set the pref to open new windows as windows instead of tabs, with that changed, I started seeing crashes in SVG code, but not this one yet.
Comment 8•13 years ago
(In reply to Johnny Stenback (:jst, jst@mozilla.com) from comment #7)
> Ok, my bad, I had *not* set the pref to open new windows as windows instead
> of tabs, with that changed, I started seeing crashes in SVG code, but not
> this one yet.
Yeah, that matches my experience. I commented out the NS_ABORT_IF_FALSE.
I'm curious if the seed mats provided is still valid...
Comment 9•13 years ago
Ok, even with the right prefs set and asserts disabled and the NS_ABORT_IF_FALSE that bholley pointed out commented out, I still have been unable to reproduce this crash.
Comment 10 (Reporter)•13 years ago
Re-running the test with an up-to-date build resulted in a different crash.
(with the wallpaper in bug 671484 applied)
This is with the same seed as before:
file://.../cross_fuzz_randomized_20110105_seed.html#-501598811
I'll restart it again and see if I can trigger the original crash...
Comment 11 (Reporter)•13 years ago
(In reply to Bobby Holley (:bholley) from comment #5)
> But I'm also curious as to why the filename seems to be different
> than the one mats posted in the bug.
Sorry, the URL in comment 0 has a copy-paste error or something...
the URL I use is:
file://path-to-cross_fuzz/cross_fuzz_randomized_20110105_seed.html#-501598811
> I've been trying with
> http://lcamtuf.coredump.cx/cross_fuzz/cross_fuzz_randomized_20110105_seed.
> html#-501598811
I think you get different results if you download it and load it using
a file:// URL.
Comment 12•13 years ago
(In reply to Mats Palmgren [:mats] from comment #11)
> I think you get different results if you download it and load it using
> a file:// URL.
Oh, I did (mirrored the whole thing using httrack). I was just pointing to the file to avoid any ambiguity.
Comment 13 (Reporter)•13 years ago
Comment 14 (Reporter)•13 years ago
I can't reproduce the crash @nsPluginArray::AllowPlugins after running
the test for a few days with the -501598811 seed (trunk debug on XP).
I got the crashes in comment 10 and comment 13, but only once.
(using wallpapers for the SVG abort in bug 671484 and JS abort in bug 693212)
Summary: crash [@ nsPluginArray::AllowPlugins() ] → crash when running cross_fuzz
Comment 15•13 years ago
Seems we have nothing to go on here, w/o a testcase that reproduces this problem I find it hard to believe that we'll make much progress here :(
Not tracking for 8 any more.
Comment 16•13 years ago
I checked crash stats for this signature. There are 6 crashes in the last few weeks. All of them seem to be foreign language sites.
http://www.seznam.cz/
http://www.adiglobal.cz/iiWWW/cz/produkty110.nsf/w?Readform&c2=11001&c3=1100104
http://zalukaj.tv/
http://yandex.ru/yandsearch?text=%D0%BC%D0%B5%D1%84%D0%BE%D0%B4%D0%B8%D0%B9+%D0%B1%D1%83%D1%81%D0%BB%D0%B0%D0%B5%D0%B2+%D1%81%D0%B2%D0%B5%D1%82%D0%BB%D1%8B%D0%B5+%D0%BA%D1%80%D1%8B%D0%BB%D1%8C%D1%8F+%D0%B4%D0%BB%D1%8F+%D1%82%D0%B5%D0%BC%D0%BD%D0%BE%D0%B3%&lr=84
I tried testing them in a Windows XP VM but I did not have any luck reproducing any crashes.
Comment 18•13 years ago
This is looking like WORKSFORME-ville -- any objections to opening it up? Possible this got fixed along the way since Jesse's fuzzers also include cross-fuzz-like functionality.
Summary: crash when running cross_fuzz → crash with destroyed nsPluginArray instance when running cross_fuzz
Comment 19•13 years ago
WORKSFORME, but leaving this closed in case this is reproducible on older versions that are still shipping.
Status: NEW → RESOLVED
Closed: 13 years ago
status-firefox10: affected → ---
status-firefox7: wontfix → ---
status-firefox8: wontfix → ---
status-firefox9: affected → ---
tracking-firefox10: + → ---
tracking-firefox7: - → ---
tracking-firefox8: - → ---
tracking-firefox9: + → ---
Resolution: --- → WORKSFORME
Updated•9 years ago
Group: core-security → core-security-release
Updated•9 years ago
Keywords: testcase-wanted
Updated•9 years ago
Group: core-security-release
Updated•2 years ago
Product: Core → Core Graveyard