26860 2009-06-30 14:20:38 -0700 Heap corruption leading to crashes on Yahoo sites when Yahoo Application State plugin loaded 2009-06-30 15:07:13 -0700 1 1 1 Unclassified WebKit Plug-ins 528+ (Nightly build) PC Windows XP RESOLVED FIXED P2 Normal --- 1 sfalken webkit-unassigned oldest_to_newest 129161 0 sfalken 2009-06-30 14:20:38 -0700 A high volume crash is occuring due to heap corruption. Some output from WinDbg !analyze -v: FAULTING_IP: ntdll!RtlReportCriticalFailure+5b 7747015d eb1c jmp ntdll!RtlReportCriticalFailure+0x6f (7747017b) EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 7747015d (ntdll!RtlReportCriticalFailure+0x0000005b) ExceptionCode: c0000374 ExceptionFlags: 00000001 NumberParameters: 1 Parameter[0]: 7748c030 PROCESS_NAME: Safari.exe ERROR_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted. EXCEPTION_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted. EXCEPTION_PARAMETER1: 7748c030 NTGLOBALFLAG: 0 APPLICATION_VERIFIER_FLAGS: 0 LAST_CONTROL_TRANSFER: from 00000000 to 77430531 FAULTING_THREAD: ffffffff BUGCHECK_STR: APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_DOUBLE_FREE PRIMARY_PROBLEM_CLASS: ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy DEFAULT_BUCKET_ID: ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy STACK_TEXT: 77430531 ntdll!RtlFreeHeap+0x60 7619c56f kernel32!HeapFree+0x14 71c74c39 msvcr80!free+0xcd 67d2cf48 WebKit!_NPN_ReleaseVariantValue+0x68 67e42e0e WebKit!JSC::RuntimeMethod::getOwnPropertySlot+0x1fe FOLLOWUP_IP: WebKit!_NPN_ReleaseVariantValue+68 67d2cf48 c7460c00000000 mov dword ptr [esi+0Ch],0 SYMBOL_STACK_INDEX: 3 SYMBOL_NAME: WebKit!_NPN_ReleaseVariantValue+68 FOLLOWUP_NAME: MachineOwner MODULE_NAME: WebKit IMAGE_NAME: WebKit.dll DEBUG_FLR_IMAGE_TIMESTAMP: 4a28ef44 STACK_COMMAND: dds 7748c068 ; kb FAILURE_BUCKET_ID: ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_c0000374_WebKit.dll!_NPN_ReleaseVariantValue BUCKET_ID: APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_DOUBLE_FREE_WebKit!_NPN_ReleaseVariantValue+68 WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/Safari_exe/4_530_17_0/4a28fedb/ntdll_dll/6_0_6001_18000/4791a7a6/c0000374/000b015d.htm?Retriage=1 Followup: MachineOwner 129163 1 sfalken 2009-06-30 14:22:44 -0700 All instances of the crash show the module npystate.dll loaded, and the executing script in all cases (retrieved via the backtrace) is always from a Yahoo site. Seems to be the same as: https://bugzilla.mozilla.org/show_bug.cgi?id=419127 129164 2 sfalken 2009-06-30 14:23:07 -0700 <rdar://problem/6978781> 129165 3 sfalken 2009-06-30 14:27:20 -0700 Same bug in Chromium (they've also already fixed): http://code.google.com/p/chromium/issues/detail?id=3139 129184 4 32096 sfalken 2009-06-30 14:47:21 -0700 Created attachment 32096 blacklist yahoo plugin 129190 5 sfalken 2009-06-30 15:07:13 -0700 Fixed in r45403. 32096 2009-06-30 14:47:21 -0700 2009-06-30 15:03:56 -0700 blacklist yahoo plugin diff.txt text/plain 1634 sfalken SW5kZXg6IENoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBDaGFuZ2VMb2cJKHJldmlzaW9uIDQ1NDAw KQorKysgQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTUgQEAKKzIwMDktMDYt MzAgIFN0ZXZlIEZhbGtlbmJ1cmcgIDxzZmFsa2VuQGFwcGxlLmNvbT4KKworICAgICAgICBodHRw czovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MjY4NjAKKworICAgICAgICBSZXZp ZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBCbGFja2xpc3QgWWFob28gQXBwbGlj YXRpb24gU3RhdGUgcGx1Zy1pbiBmb3IgdmVyc2lvbnMgcHJpb3IgdG8gMS4wLjAuNi4KKyAgICAg ICAgRWFybGllciB2ZXJzaW9ucyBjYXVzZSBjb3JydXB0aW9uIGNyYXNoZXMuCisKKyAgICAgICAg KiBwbHVnaW5zL3dpbi9QbHVnaW5QYWNrYWdlV2luLmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OlBs dWdpblBhY2thZ2U6OmlzUGx1Z2luQmxhY2tsaXN0ZWQpOgorCiAyMDA5LTA2LTMwICBEYXZpZCBI eWF0dCAgPGh5YXR0QGFwcGxlLmNvbT4KIAogICAgICAgICBSZXZpZXdlZCBieSBCZXRoIERha2lu LgpJbmRleDogcGx1Z2lucy93aW4vUGx1Z2luUGFja2FnZVdpbi5jcHAKPT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0g cGx1Z2lucy93aW4vUGx1Z2luUGFja2FnZVdpbi5jcHAJKHJldmlzaW9uIDQ1MzgwKQorKysgcGx1 Z2lucy93aW4vUGx1Z2luUGFja2FnZVdpbi5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTgxLDkgKzgx LDE2IEBAIGJvb2wgUGx1Z2luUGFja2FnZTo6aXNQbHVnaW5CbGFja2xpc3RlZCgKIAogICAgICAg ICBpZiAoY29tcGFyZUZpbGVWZXJzaW9uKHNsUGx1Z2luTWluUmVxdWlyZWQpIDwgMCkKICAgICAg ICAgICAgIHJldHVybiB0cnVlOwotICAgIH0gZWxzZSBpZiAoZmlsZU5hbWUoKSA9PSAibnBtb3ph eC5kbGwiKQorICAgIH0gZWxzZSBpZiAoZmlsZU5hbWUoKSA9PSAibnBtb3pheC5kbGwiKSB7CiAg ICAgICAgIC8vIEJ1ZyAxNTIxNzogTW96aWxsYSBBY3RpdmVYIGNvbnRyb2wgY29tcGxhaW5zIGFi b3V0IG1pc3NpbmcgeHBjb21fY29yZS5kbGwKICAgICAgICAgcmV0dXJuIHRydWU7CisgICAgfSBl bHNlIGlmIChuYW1lKCkgPT0gIllhaG9vIEFwcGxpY2F0aW9uIFN0YXRlIFBsdWdpbiIpIHsKKyAg ICAgICAgLy8gaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTI2ODYwCisg ICAgICAgIC8vIEJ1ZyBpbiBZYWhvbyBBcHBsaWNhdGlvbiBTdGF0ZSBwbHVnLWluIGVhcmxpZXIg dGhhbiAxLjAuMC42IGxlYWRzIHRvIGhlYXAgY29ycnVwdGlvbi4gCisgICAgICAgIHN0YXRpYyBj b25zdCBQbGF0Zm9ybU1vZHVsZVZlcnNpb24geWFob29BcHBTdGF0ZVBsdWdpbk1pblJlcXVpcmVk KDB4MDAwMDAwMDYsIDB4MDAwMTAwMDApOworICAgICAgICBpZiAoY29tcGFyZUZpbGVWZXJzaW9u KHlhaG9vQXBwU3RhdGVQbHVnaW5NaW5SZXF1aXJlZCkgPCAwKQorICAgICAgICAgICAgcmV0dXJu IHRydWU7CisgICAgfQogCiAgICAgcmV0dXJuIGZhbHNlOwogfQo=