Bug 429969 - Crash [@ IsPercentageAware] with :first-letter, rtl
Status: VERIFIED FIXED
Whiteboard: [sg:critical] Fixed by bug 429968, po...
Keywords: crash, testcase, verified1.9.0.11
Product: Core
Classification: Components
Component: Layout
Version: Trunk
Platform: x86 Mac OS X
Importance: -- critical
Target Milestone: ---
Assigned To: Robert O'Callahan (:roc) (Mozilla Corporation)
QA Contact: layout
Depends on: 429968 493652
Blocks: 331889 493402
 
Reported: 2008-04-20 18:03 PDT by Jesse Ruderman
Modified: 2009-06-13 13:02 PDT
CC: 10 users
dveditz: blocking1.9.0.11+
dveditz: wanted1.9.0.x+
dveditz: wanted1.8.1.x-
jruderman: in-testsuite+
See Also:
Crash Signature:
[@ IsPercentageAware]


Attachments
testcase (crashes Firefox when loaded) (363 bytes, text/html)
2008-04-20 18:03 PDT, Jesse Ruderman


Description Jesse Ruderman 2008-04-20 18:03:28 PDT
Created attachment 316745
testcase (crashes Firefox when loaded)

Loading the testcase triggers:

###!!! ASSERTION: unexpected flow: 'mFrames.ContainsFrame(nextInFlow)', file /Users/jruderman/trunk/mozilla/layout/generic/nsInlineFrame.cpp, line 469

###!!! ASSERTION: StealFrame failure: 'NS_SUCCEEDED(rv)', file /Users/jruderman/trunk/mozilla/layout/generic/nsContainerFrame.cpp, line 1116

Crash [@ IsPercentageAware].

Security-sensitive because the testcase is very similar to the testcase for bug 429968.
Comment 1 Boris Zbarsky (:bz) 2008-07-24 17:36:45 PDT
This is the same issue as bug 429968, I think.  We're violating assumptions that inline frames make in initial reflow, and that causes bad things to happen.
Comment 2 Jesse Ruderman 2009-01-07 22:18:06 PST
Now I only get

###!!! ASSERTION: unexpected flow: 'mFrames.ContainsFrame(nextInFlow)', file /Users/jruderman/central/layout/generic/nsInlineFrame.cpp, line 467

and no crash.
Comment 3 Daniel Veditz 2009-04-02 23:26:23 PDT
This is definitely exploitable-looking on the 1.9.0 branch. If it's not crashing on mozilla-central (comment 2) maybe we can backport the fix.

(43c.afc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=035ae74c ebx=035aef14 ecx=035aef14 edx=0012dcbc esi=03236a94 edi=0012dcbc
eip=035ae860 esp=0012d86c ebp=0012d890 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
035ae860 74b2            je      035ae814                                [br=0]
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Mozilla Firefox 3.0\xul.dll - 
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x35ae860
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Data Execution Protection (DEP) Violation

Exception Hash (Major/Minor): 0x327f0d69.0x5b522b03

Stack Trace:
Unknown
xul!gfxWindowsPlatform::InitBadUnderlineList+0x1379
xul!gfxTextRun::SetSpaceGlyph+0x22d2
xul!gfxWindowsNativeDrawing::PaintToContext+0x2b24c
xul!gfxWindowsNativeDrawing::PaintToContext+0x2b53d
xul!gfxWindowsNativeDrawing::PaintToContext+0x2b7ff
xul!gfxTextRun::SetSpaceGlyph+0x246e
xul!gfxWindowsPlatform::InitBadUnderlineList+0x4cf4
xul!NS_UTF16ToCString_P+0x3cbe
xul!NS_StringCopy_P+0x6293
xul!gfxPlatform::IsCMSEnabled+0x55fc
xul!gfxPlatform::IsCMSEnabled+0x534c
xul!gfxPlatform::IsCMSEnabled+0x12fe1
xul!gfxPlatform::IsCMSEnabled+0x13022
xul!gfxWindowsFontGroup::GetFontAt+0x7a22
xul!gfxWindowsPlatform::InitBadUnderlineList+0x49bc
xul!gfxPlatform::IsCMSEnabled+0x5ad2
xul!gfxPlatform::IsCMSEnabled+0x5669
xul!gfxPlatform::IsCMSEnabled+0x534c
xul!gfxPlatform::IsCMSEnabled+0x12fe1
xul!gfxPlatform::IsCMSEnabled+0x13022
xul!gfxWindowsFontGroup::GetFontAt+0x7a22
xul!gfxWindowsPlatform::InitBadUnderlineList+0x49bc
xul!gfxPlatform::IsCMSEnabled+0x5ad2
xul!gfxPlatform::IsCMSEnabled+0x5669
xul!gfxPlatform::IsCMSEnabled+0x534c
xul!gfxPlatform::IsCMSEnabled+0x12fe1
xul!gfxPlatform::IsCMSEnabled+0x13022
xul!gfxWindowsFontGroup::GetFontAt+0x7a22
xul!gfxWindowsPlatform::InitBadUnderlineList+0x49bc
xul!gfxPlatform::IsCMSEnabled+0x5ad2
xul!gfxPlatform::IsCMSEnabled+0x5669
xul!gfxPlatform::IsCMSEnabled+0x534c
xul!gfxPlatform::IsCMSEnabled+0x12fe1
xul!gfxPlatform::IsCMSEnabled+0x13022
xul!gfxWindowsFontGroup::GetFontAt+0x7a22
xul!gfxWindowsFontGroup::GetFontAt+0x96c6
xul!gfxPlatform::IsCMSEnabled+0x1127
xul!gfxWindowsFontGroup::GetFontAt+0x96c6
xul!gfxWindowsPlatform::ResolveFontName+0x7f4a
xul!gfxPlatform::IsCMSEnabled+0xe570
xul!gfxTextRun::GetAdvanceWidth+0x29b7
xul!gfxWindowsFontGroup::GetFontAt+0x96c6
xul!gfxWindowsFontGroup::GetFontAt+0x981c
xul!gfxWindowsFontGroup::GetFontAt+0x935
xul!gfxASurface::AddRef+0x293c
xul!gfxWindowsPlatform::UpdateFontList+0x3fcb
xul!NS_CycleCollectorForget_P+0x140db
xul!NS_NewLocalFile_P+0x17458
xul!NS_CycleCollectorForget_P+0xe128
xul!gfxWindowsPlatform::FontEnumProc+0x4f7a
xul!gfxFont::SanitizeMetrics+0xa0e
xul!XRE_main+0xdb7
Unknown
Unknown
Instruction Address: 0x35ae860

Description: Data Execution Prevention Violation
Short Description: DEPViolation
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Data Execution Prevention Violation starting at Unknown Symbol @ 0x23521280092e190 (Hash=0x327f0d69.0x5b522b03)

User mode DEP access violations are exploitable.
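The triage step in comment 3 is to run the MSEC `!exploitable` extension and read off the exception type, the Major/Minor hash and the exploitability classification. When a fuzzer produces many crashes, that reading is done by a script that buckets reports by hash and routes anything rated EXPLOITABLE or PROBABLY_EXPLOITABLE to the security queue. The following parser is an added example, not code from this bug or from Mozilla; its sample input is a trimmed copy of the `!exploitable -v` output quoted in comment 3, and the field names and severity ordering are this example's own choices.

```python
"""Parse the summary fields of a WinDbg !exploitable report.

Added example; not part of the bug report above. It extracts the
"Exception Type / Sub-Type / Hash / Exploitability Classification"
lines that the MSEC !exploitable extension prints so that a fuzzing
triage script can bucket crashes by hash and prioritise EXPLOITABLE
ones. The sample report is trimmed from comment 3 of this bug.
"""
import re

# Trimmed copy of the !exploitable output quoted in comment 3.
SAMPLE_REPORT = """\
0:000> !exploitable -v
Executing Processor Architecture is x86
Event Type: Exception
Exception Faulting Address: 0x35ae860
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Data Execution Protection (DEP) Violation

Exception Hash (Major/Minor): 0x327f0d69.0x5b522b03

Stack Trace:
Unknown
xul!gfxWindowsPlatform::InitBadUnderlineList+0x1379
xul!gfxTextRun::SetSpaceGlyph+0x22d2
Instruction Address: 0x35ae860

Description: Data Execution Prevention Violation
Short Description: DEPViolation
Exploitability Classification: EXPLOITABLE
"""

# Severity ordering used for routing (example's own choice; the
# extension itself prints only the classification string).
SEVERITY = {
    "EXPLOITABLE": 3,
    "PROBABLY_EXPLOITABLE": 2,
    "UNKNOWN": 1,
    "PROBABLY_NOT_EXPLOITABLE": 0,
}

# One anchored regex per summary field of interest.
_FIELDS = {
    "faulting_address": r"^Exception Faulting Address:\s*(0x[0-9a-fA-F]+)",
    "exception_type": r"^First Chance Exception Type:\s*(\S+)",
    "sub_type": r"^Exception Sub-Type:\s*(.+?)\s*$",
    "hash": r"^Exception Hash \(Major/Minor\):\s*(0x[0-9a-fA-F]+\.0x[0-9a-fA-F]+)",
    "short_description": r"^Short Description:\s*(\S+)",
    "classification": r"^Exploitability Classification:\s*(\S+)",
}


def parse_exploitable(report: str) -> dict:
    """Return the key fields of one !exploitable report as a dict.

    Missing fields come back as None rather than raising, because
    truncated or symbol-less reports are common in crash buckets.
    """
    out = {name: None for name in _FIELDS}
    frames = []
    in_stack = False
    for line in report.splitlines():
        if line.startswith("Stack Trace:"):
            in_stack = True
            continue
        if in_stack:
            # The frame list ends at a blank line or the next field.
            if not line.strip() or line.startswith("Instruction Address:"):
                in_stack = False
            else:
                frames.append(line.strip())
        for name, pattern in _FIELDS.items():
            m = re.match(pattern, line)
            if m:
                out[name] = m.group(1)
    if out["hash"]:
        out["major_hash"], out["minor_hash"] = out["hash"].split(".")
    else:
        out["major_hash"] = out["minor_hash"] = None
    out["frames"] = frames
    return out


def top_symbolic_frame(frames):
    """First frame that is not 'Unknown'; a useful bucket label next to
    the major hash when export-only symbols make frames unreliable."""
    for frame in frames:
        if frame != "Unknown":
            return frame
    return None


def needs_security_review(parsed: dict) -> bool:
    """Routing rule: EXPLOITABLE or PROBABLY_EXPLOITABLE goes to the
    security queue, as happened with this bug in comment 3."""
    return SEVERITY.get(parsed["classification"] or "UNKNOWN", 1) >= 2


if __name__ == "__main__":
    parsed = parse_exploitable(SAMPLE_REPORT)
    print(parsed["classification"], parsed["major_hash"],
          top_symbolic_frame(parsed["frames"]))
```

The Major hash is the one to bucket on: it is computed from the symbolic frames and stays stable across runs, whereas the Minor hash and raw addresses vary with ASLR and symbol availability. Note that the stack in comment 3 is resolved against export symbols only (the "Symbol file could not be found" warning above), so the frame names are the nearest exported symbol, not the true function; bucket labels built from them should be treated as approximate until proper symbols are loaded.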
Comment 4 Gary Kwong [:nth10sd] 2009-04-16 08:14:34 PDT
(In reply to comment #3)
> This is definitely exploitable-looking on the 1.9.0 branch. If it's not
> crashing on mozilla-central (comment 2) maybe we can backport the fix.

Nominating blocking1.9.0.10? due to comment #3.
Comment 5 Daniel Veditz 2009-04-17 10:14:31 PDT
qawanted: if this is truly fixed by bug 429969 this should be fixed on trunk and 1.9.1 -- can we get that verified please?
Comment 6 Clint Talbert ( :ctalbert ) calendar-drivers 2009-04-17 17:32:41 PDT
(In reply to comment #5)
> qawanted: if this is truly fixed by bug 429969 this should be fixed on trunk
> and 1.9.1 -- can we get that verified please?

It doesn't crash on mac or windows with either build, but running in debug I am seeing an assertion on both 1.9.1 and 1.9.2.  However, on 1.9.1 the assertion is accompanied by a SQLite warning, which I find odd.  Every time I reload the test on 1.9.1 I get the SQLite warning. Here is what I get on 1.9.1 (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4pre) Gecko/20090417 Shiretoko/3.5b4pre):

WARNING: 1 sort operation has occurred for the SQL statement 'SELECT b.id FROM moz_bookmarks b JOIN ( SELECT id FROM moz_places_temp WHERE url = ?1 UNION ALL SELECT id FROM moz_places WHERE url = ?1 AND +id NOT IN (SELECT id FROM moz_places_temp) ) AS h ON b.fk = h.id WHERE b.type = ?2 ORDER BY MAX(IFNULL(b.lastModified, 0), b.dateAdded) DESC, b.id DESC'.  This may indicate an opportunity to improve performance through the careful use of indexes.: file /Users/clint/code/moz1.9.1/src/storage/src/mozStoragePrivateHelpers.cpp, line 105
###!!! ASSERTION: unexpected flow: 'mFrames.ContainsFrame(nextInFlow)', file /Users/clint/code/moz1.9.1/src/layout/generic/nsInlineFrame.cpp, line 472

And on 1.9.2 (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090417 Minefield/3.6a1pre) I don't get the SQLite warning:
###!!! ASSERTION: unexpected flow: 'mFrames.ContainsFrame(nextInFlow)', file /Users/clint/code/mozcentral/src/layout/generic/nsInlineFrame.cpp, line 460

Hopefully that's what you needed, if not let us know. Removing qaWanted.
Comment 7 Martijn Wargers [:mw22] (QA - IRC nick: mw22) 2009-05-05 12:55:08 PDT
I just filed bug 491547, which has a similar stacktrace, but seems like a regression. But perhaps still related to this?
Comment 8 Simon Montagu 2009-05-14 03:36:58 PDT
(In reply to comment #7)
> I just filed bug 491547, which has a similar stacktrace, but seems like a
> regression. But perhaps still related to this?

I think it's more like bug 460389
Comment 9 Daniel Veditz 2009-05-15 08:10:14 PDT
The 1.9.0 patch in bug 429968 fixes this crash on that branch. I still see the "unexpected flow" assertion, but no crash.
Comment 10 Daniel Veditz 2009-05-16 12:16:27 PDT
This crash does not happen on Firefox 2.0.0.20
Comment 11 Daniel Veditz 2009-05-16 12:44:57 PDT
Checked bug 429969, fixing this for the 1.9.0.11 release.

As far as the "sg:critical" crash goes this bug is now fixed, so I think the remaining assertion can go into another bug. There was bug 402380, but that was fixed a while ago.
Comment 12 Al Billings [:abillings] 2009-05-18 12:03:43 PDT
Verified for 1.9.0.11 using testcase with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.11pre) Gecko/2009051804 GranParadiso/3.0.11pre. Crashes in 1.9.0.10.
Comment 13 Al Billings [:abillings] 2009-05-18 12:05:48 PDT
Verified for trunk with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090517 Minefield/3.6a1pre.
Comment 14 Jesse Ruderman 2009-06-13 13:02:34 PDT
Crashtest added:

http://hg.mozilla.org/mozilla-central/rev/bf3a4f5dd798