#8981 closed defect (fixed)

Segfault after extended use in imgCacheValidator::OnStartRequest (mRequest is null when channelURI is non-null)

When I use the Tor Browser Bundle (2.3.25-8, based on Portable Apps's Firefox ESR 17.0.6, Vidalia 0.2.21, and Tor) on Windows, it crashes ("tbb-browser.exe has stopped working") after about a whole day of use on a particular discussion site with many other tabs open (maybe 15-20). The regular Firefox stable (now on version 22) almost never crashes for me, with typically double the number of tabs open, plugins, etc.

The second time it crashed, OllyDbg was unable to attach to the crashed process, so I restarted TBB and attached OllyDbg to tbb-browser.exe and waited. After about 6-8 hours, it finally crashed:

Access violation when reading [0x00000028] in CPU - main thread at xul+0xE271B (xul.66B6271B) - Application was unable to process exception.

When this happened, ollydbg.exe and tbb-browser.exe together had a total of 260MB allocated, which is next to nothing (I have another 1GB of free memory).

The crash occurs here:

CPU Disasm
Address   Hex dump          Command                                  Comments
66B62704  |.  8B0F          MOV ECX,DWORD PTR DS:[EDI]
66B62706  |.  50            PUSH EAX
66B62707  |.  57            PUSH EDI
66B62708  |.  FF51 3C       CALL DWORD PTR DS:[ECX+3C]
66B6270B  |.  8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
66B6270E  |.  3BC3          CMP EAX,EBX
66B62710  |.- 74 13         JE SHORT 66B62725
66B62712  |.  8B08          MOV ECX,DWORD PTR DS:[EAX]
66B62714  |.  8D55 13       LEA EDX,[EBP+13]
66B62717  |.  52            PUSH EDX
66B62718  |.  8B56 24       MOV EDX,DWORD PTR DS:[ESI+24]
66B6271B  |.  FF72 28       PUSH DWORD PTR DS:[EDX+28]               ; Crash
66B6271E  |.  50            PUSH EAX
66B6271F  |.  FF51 58       CALL DWORD PTR DS:[ECX+58]
66B62722  |.  8B45 08       MOV EAX,DWORD PTR SS:[EBP+8]
66B62725  |>  385D 12       CMP BYTE PTR SS:[EBP+12],BL

The registers are:

ECX 673BDCB8 xul.673BDCB8
EDX 00000000
EBX 00000000
ESP 0042D1C4
EBP 0042D214
ESI 1D7606E0
EDI 1741DBB0
EIP 66B6271B xul.66B6271B

As this was with the precompiled TBB binary which lacks debugging symbols, a string referenced further down in the function helped me identify that the crash occurred in imgCacheValidator::OnStartRequest(), implemented in mozilla-esr17/image/src/imgLoader.cpp.

The disassembly given above corresponds to the following code (line 2086 of imgLoader.cpp):

    if (channelURI)
      channelURI->Equals(mRequest->mCurrentURI, &sameURI);

For whatever reason, mRequest was null at this instance when channelURI was non-null. This error is, as far as everything seems, perfectly recoverable (TBB will resume working) if you return when mRequest is null. (Similar segfaults will occur at xul+0xE2CC3 (xul.66B62CC3), xul+0xE2818 (xul.66B62818), and so on, which is why you must actually leave imgCacheValidator::OnStartRequest.)

I'm attaching a partial stack dump and the memory of the relevant objects. As to whether the bug was introduced by Mozilla, Portable Apps, or Tor, I'm not certain, so I'm just reporting it to all three.

tor-browser-2.3.25-8-dump.txt (10.9 KB) - added by Superfluous 6 years ago.
imgLoader.cpp.patch (532 bytes) - added by Superfluous 6 years ago.

Notes for history purposes: Superfluous sent this bug to Bugzilla. It's Bug 876568, alas "This bug does not meet the ESR landing criteria" and it was marked as unconfirmed.

Anyway, it was addressed later by Bug 1148640:

Bail if OnStartRequest is delivered more than once to imgCacheValidator

It was for Target Milestone: mozilla39, and it seems to be fixed for ESR-38 as well.

This ticket should be resolved as fixed.
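To make the failure mode and the later upstream fix concrete, here is an added, self-contained C++ model (not Mozilla's code, and the Uri/Request types are constructed stand-ins): the vulnerable shape dereferences mRequest whenever channelURI is set, matching the trace above where [ESI+24] (mRequest) is 0 and the load of [EDX+28] faults at address 0x28, while the hardened shape bails when the validator has no request left, in the spirit of Bug 1148640. It assumes the validator clears mRequest once the first OnStartRequest hands the request off, so a second delivery finds it null.

```cpp
#include <cstdint>
#include <string>

// Constructed stand-ins (not Mozilla's types): an nsIURI with only Equals(),
// and the imgRequest the validator holds while the channel is revalidated.
struct Uri {
  std::string spec;
  bool Equals(const Uri& other) const { return spec == other.spec; }
};
struct Request { Uri mCurrentURI; };

using nsresult = uint32_t;
const nsresult NS_OK = 0;
const nsresult NS_ERROR_FAILURE = 0x80004005;  // same numeric value Gecko uses

// Assumption: mRequest is cleared once the first OnStartRequest hands it off.
struct Validator { Request* mRequest; };

// Shape of the crash on the page: [ESI+24] (mRequest) is 0, so the load of
// [EDX+28] (mRequest->mCurrentURI) faults reading address 0x28.
nsresult OnStartRequestVulnerable(Validator& v, const Uri* channelURI, bool* sameURI) {
  *sameURI = false;
  if (channelURI)
    *sameURI = channelURI->Equals(v.mRequest->mCurrentURI);  // null deref on a 2nd delivery
  v.mRequest = nullptr;  // request handed off after the first delivery (assumed)
  return NS_OK;
}

// Hardened form in the spirit of Bug 1148640: a validator with no request
// left has already seen OnStartRequest, so bail instead of dereferencing.
nsresult OnStartRequestHardened(Validator& v, const Uri* channelURI, bool* sameURI) {
  *sameURI = false;
  if (!v.mRequest) return NS_ERROR_FAILURE;  // duplicate delivery: bail out
  if (channelURI)
    *sameURI = channelURI->Equals(v.mRequest->mCurrentURI);
  v.mRequest = nullptr;
  return NS_OK;
}

// Delivers OnStartRequest twice to the hardened validator and returns the
// second call's status; the same sequence through the vulnerable variant
// would fault exactly like the trace on the page.
nsresult DuplicateDeliveryStatus(bool* firstMatched) {
  Request req{{"https://example.invalid/img.png"}};  // constructed sample
  Uri channel{"https://example.invalid/img.png"};
  Validator v{&req};
  bool same = false;
  nsresult first = OnStartRequestHardened(v, &channel, &same);
  *firstMatched = (first == NS_OK && same);
  return OnStartRequestHardened(v, &channel, &same);
}
```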

Thanks for pointing this out, done.

