Closed
Bug 805013
Opened 12 years ago
Closed 12 years ago
crash in mozilla::image::Image::SizeOfData
Categories
(Core :: Graphics: ImageLib, defect)
Tracking
RESOLVED
WORKSFORME
mozilla19
Flag | Tracking | Status
---|---|---
firefox17 | --- | unaffected
firefox18 | --- | unaffected
firefox19 | + | unaffected
firefox20 | --- | unaffected
firefox-esr10 | --- | unaffected
People
(Reporter: scoobidiver, Assigned: jdm)
Details
(Keywords: crash, regression, sec-critical, Whiteboard: [leave open] fix-range-wanted)
Attachments (1 file, 1 obsolete file)
It was wrongly classified as bug 801453 but it's apparently not because there are still crashes after the patch of bug 802485 landed. Thus, it was #7 top crasher in yesterday's build.
So it first appeared in 19.0a1/20121014 with the following regression range:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=90857937b601&tochange=57304bbf9c0e
Signature mozilla::image::Image::SizeOfData()
UUID 2df44912-a546-40cb-ace4-1acc12121024
Date Processed 2012-10-24 14:25:17
Uptime 384
Last Crash 6.6 minutes before submission
Install Age 28.9 minutes since version was first installed.
Install Time 2012-10-24 13:56:11
Product Firefox
Version 19.0a1
Build ID 20121024030643
Release Channel nightly
OS Windows NT
OS Version 6.1.7601 Service Pack 1
Build Architecture x86
Build Architecture Info GenuineIntel family 6 model 42 stepping 7
Crash Reason EXCEPTION_ACCESS_VIOLATION_READ
Crash Address 0x6c
App Notes
AdapterVendorID: 0x10de, AdapterDeviceID: 0x0e3a, AdapterSubsysID: 14a41028, AdapterDriverVersion: 8.17.12.9635
Has dual GPUs. GPU #2: AdapterVendorID2: 0x8086, AdapterDeviceID2: 0x0126, AdapterSubsysID2: 04a41028, AdapterDriverVersion2: 8.15.10.2418D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+
EMCheckCompatibility True
Adapter Vendor ID 0x10de
Adapter Device ID 0x0e3a
Total Virtual Memory 4294836224
Available Virtual Memory 3746594816
System Memory Use Percentage 39
Available Page File 13145284608
Available Physical Memory 5153431552
Frame Module Signature Source
0 xul.dll mozilla::image::Image::SizeOfData image/src/Image.cpp:40
1 xul.dll imgRequest::UpdateCacheEntrySize image/src/imgRequest.cpp:360
2 xul.dll imgStatusTrackerObserver::OnDiscard image/src/imgStatusTracker.cpp:201
3 xul.dll mozilla::image::RasterImage::Discard image/src/RasterImage.cpp:2424
4 xul.dll mozilla::image::DiscardTracker::DiscardNow image/src/DiscardTracker.cpp:268
5 xul.dll nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:472
6 winmm.dll timeGetTime
7 xul.dll nsTimerEvent::Run xpcom/threads/nsTimerImpl.cpp:555
8 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:620
9 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:82
10 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:208
11 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:182
12 xul.dll nsBaseAppShell::Run widget/xpwidgets/nsBaseAppShell.cpp:163
13 xul.dll nsAppShell::Run widget/windows/nsAppShell.cpp:232
14 xul.dll nsAppStartup::Run toolkit/components/startup/nsAppStartup.cpp:290
15 xul.dll XREMain::XRE_mainRun toolkit/xre/nsAppRunner.cpp:3799
16 xul.dll XREMain::XRE_main toolkit/xre/nsAppRunner.cpp:3866
17 xul.dll XRE_main toolkit/xre/nsAppRunner.cpp:3941
18 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp:105
19 firefox.exe __tmainCRTStartup crtexe.c:552
20 kernel32.dll BaseThreadInitThunk
21 ntdll.dll __RtlUserThreadStart
22 ntdll.dll _RtlUserThreadStart
More reports at:
https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Aimage%3A%3AImage%3A%3ASizeOfData%28%29
Reporter
Comment 1•12 years ago
More reports also at:
https://crash-stats.mozilla.com/report/list?signature=imgRequest%3A%3AUpdateCacheEntrySize%28%29
Crash Signature: [@ mozilla::image::Image::SizeOfData()]
[@ @0x0 | mozilla::image::Image::SizeOfData()] → [@ mozilla::image::Image::SizeOfData()]
[@ @0x0 | mozilla::image::Image::SizeOfData()]
[@ imgRequest::UpdateCacheEntrySize()]
Comment 2•12 years ago
One Comment says "I was on flickr, I pressed backspace to go to the previous page."
URLs:
Comment 3•12 years ago
Correlations from 2012-10-30:
mozilla::image::Image::SizeOfData()|EXCEPTION_ACCESS_VIOLATION_READ (53 crashes)
19% (10/53) vs. 3% (56/1624) {8620c15f-30dc-4dba-a131-7c5d20cf4a29} (Nightly Tester Tools, https://addons.mozilla.org/addon/6543)
19% (10/53) vs. 5% (83/1624) firebug@software.joehewitt.com (Firebug, https://addons.mozilla.org/addon/1843)
17% (9/53) vs. 5% (75/1624) elemhidehelper@adblockplus.org (Adblock Plus: Element Hiding Helper, https://addons.mozilla.org/addon/4364)
13% (7/53) vs. 4% (66/1624) {1018e4d6-728f-4b20-ad56-37578a4de76b} (Flagfox, https://addons.mozilla.org/addon/5791)
9% (5/53) vs. 0% (5/1624) 5055f6331c615@5055f6331c63f.com
9% (5/53) vs. 0% (5/1624) pagehacker@webalx.com
9% (5/53) vs. 0% (5/1624) info@cssUpdater.com
9% (5/53) vs. 0% (6/1624) firefile@strebitzer.at
11% (6/53) vs. 3% (43/1624) {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} (WOT, https://addons.mozilla.org/addon/3456)
11% (6/53) vs. 3% (46/1624) wrc@avast.com
100% (53/53) vs. 94% (1523/1624) {972ce4c6-7e08-4474-a285-3208198ce6fd} (Default, https://addons.mozilla.org/addon/8150)
13% (7/53) vs. 8% (126/1624) {e4a8a97b-f2ed-450b-b12d-ee082ba24781} (Greasemonkey, https://addons.mozilla.org/addon/748)
30% (16/53) vs. 25% (406/1624) {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} (Adblock Plus, https://addons.mozilla.org/addon/1865)
Comment 4•12 years ago
I saw at least two different crashes. One is a READ access violation at
http://hg.mozilla.org/mozilla-central/annotate/0947e291578a/image/src/Image.cpp#l31
--> it appears to be reading mError which probably means the image is a deleted object (that is, a use-after-free).
Another is an EXEC access violation at http://hg.mozilla.org/mozilla-central/annotate/f9acc2e4d4e3/image/src/Image.cpp#l40
--> appears to have called a virtual function pointing off into space, again most likely means the Image is being used after having been freed.
These are exploitable.
In that regression range the most relevant/likely fix is jdm's bug 505385, an 18-part patch for "Refactor Imagelib notifications"
Group: core-security
Keywords: sec-critical, testcase-wanted
Updated•12 years ago
status-firefox-esr10: --- → unaffected
Assignee
Updated•12 years ago
Assignee: nobody → josh
Assignee
Comment 5•12 years ago
Attachment #678902 - Flags: review?(joe)
Assignee
Comment 6•12 years ago
We're planning to land this bandaid and see whether crash stats are affected. The results should clarify the nature of the problem, which is a bit mysterious right now.
Whiteboard: [leave open]
Comment 7•12 years ago
Comment on attachment 678902 [details] [diff] [review]
Diagnostic bandaid to ensure that all RasterImages are removed from the discard tracker.
more patch please
Attachment #678902 - Flags: review?(joe) → review-
Assignee
Comment 8•12 years ago
Now with 100% more patch.
Attachment #679167 - Flags: review?(joe)
Assignee
Updated•12 years ago
Attachment #678902 - Attachment is obsolete: true
Comment 9•12 years ago
Comment on attachment 679167 [details] [diff] [review]
Diagnostic bandaid to ensure that all RasterImages are removed from the discard tracker.
Review of attachment 679167 [details] [diff] [review]:
this has precisely enough patch
Attachment #679167 - Flags: review?(joe) → review+
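As an added example (not code from the Mozilla tree and not the attached patch), a toy C++ model of the invariant the bandaid is described as enforcing: a tracker holds non-owning pointers to images, its timer callback walks them and calls SizeOfData on each, and every image unregisters itself in its destructor so the timer never reaches a freed object. The names DiscardTracker, RasterImage and DiscardNow mirror the stack frames in the report, but the implementation here is assumed, not ImageLib's.

```cpp
// Added illustration (not Mozilla code): a toy DiscardTracker that holds non-owning
// image pointers and discards their decoded data from a timer. The invariant modelled
// is that every image unregisters itself in its destructor, so the timer never
// reaches a freed object (the hazard behind the SizeOfData crash above).
#include <cassert>
#include <cstddef>
#include <list>
struct DiscardTracker;
struct RasterImage {
    RasterImage(DiscardTracker& tracker, std::size_t decodedBytes);
    ~RasterImage();
    std::size_t SizeOfData() const { return mDecodedBytes; }
    void Discard() { mDecodedBytes = 0; }          // drop the decoded frames
private:
    DiscardTracker& mTracker;
    std::size_t mDecodedBytes;
};
struct DiscardTracker {
    std::list<RasterImage*> mImages;               // non-owning, like the real tracker
    void Track(RasterImage* img) { mImages.push_back(img); }
    void Remove(RasterImage* img) { mImages.remove(img); }
    std::size_t TrackedCount() const { return mImages.size(); }
    // Timer callback: every pointer reached here must still be live. Returns bytes discarded.
    std::size_t DiscardNow() {
        std::size_t freed = 0;
        for (RasterImage* img : mImages) {
            freed += img->SizeOfData();            // the frame that crashed in the report
            img->Discard();
        }
        return freed;
    }
};
RasterImage::RasterImage(DiscardTracker& tracker, std::size_t decodedBytes)
    : mTracker(tracker), mDecodedBytes(decodedBytes) { mTracker.Track(this); }
// Unregister on destruction so the timer can never dereference a freed image.
RasterImage::~RasterImage() { mTracker.Remove(this); }

// Scenario from the report: one image is destroyed before the discard timer fires.
std::size_t DiscardAfterOneImageFreed() {
    DiscardTracker tracker;
    RasterImage* gone = new RasterImage(tracker, 1000);
    RasterImage* kept = new RasterImage(tracker, 500);
    delete gone;                                   // destructor removes it from the tracker
    assert(tracker.TrackedCount() == 1);
    std::size_t freed = tracker.DiscardNow();      // visits only `kept`
    delete kept;
    assert(tracker.TrackedCount() == 0);
    return freed;                                  // 500
}
```

Without the destructor hook the list would still hold `gone` when DiscardNow runs, which is exactly the read of a freed object's fields seen in the crash stack.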
Assignee
Comment 10•12 years ago
Assignee
Comment 11•12 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/a0df3314bee0 for a followup to stop intermittent browser-chrome oranges.
Comment 12•12 years ago
Comment 13•12 years ago
(In reply to Josh Matthews [:jdm] from comment #11)
> https://hg.mozilla.org/integration/mozilla-inbound/rev/a0df3314bee0 for a
> followup to stop intermittent browser-chrome oranges.
https://hg.mozilla.org/mozilla-central/rev/a0df3314bee0
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
Assignee
Comment 14•12 years ago
The tag to leave this bug open is still present.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Updated•12 years ago
status-firefox17: --- → unaffected
Assignee
Comment 15•12 years ago
Ok, the diagnostic patch did not seem to have an effect. That's a shame.
Assignee
Comment 16•12 years ago
Judging by a bunch of the crash stacks, the fix for bug 803125 might help here. However, ones like https://crash-stats.mozilla.com/report/index/2a782af8-de6e-4c86-ad28-fe5132121112 still have me completely baffled.
Reporter
Updated•12 years ago
Updated•12 years ago
Comment 17•12 years ago
Looking at crash stats, this signature is limited to 19.0a1 users 100%. Something else must have fixed it. Dunno if 30-ish crashes makes this a topcrash in 19; if so we should figure out the fix range and think about uplift. If it's not a topcrash maybe just forget about it.
tracking-firefox20: + → ---
Flags: needinfo?(scoobidiver)
Whiteboard: [leave open] → [leave open] fix-range-wanted
Reporter
Comment 18•12 years ago
mozilla::image::Image::SizeOfData crashes stopped after 19.0a1/20121120. The working range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=bc69705c162d&tochange=4f19e7fd8bea
imgRequest::UpdateCacheEntrySize crashes almost stopped (one crash in 19.0a1/20121124) after 19.0a1/20121118. The working range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b959971b8219&tochange=4fddb9923ef0
Those ones are likely fixed by bug 803125.
Status: REOPENED → RESOLVED
Closed: 12 years ago → 12 years ago
Flags: needinfo?(scoobidiver)
Keywords: topcrash
Resolution: --- → WORKSFORME
Updated•9 years ago
Group: core-security → core-security-release
Updated•9 years ago
Keywords: testcase-wanted
Updated•7 years ago
Group: core-security-release