Bug 26860

Summary: Heap corruption leading to crashes on Yahoo sites when Yahoo Application State plugin loaded
Product: WebKit Reporter: Steve Falkenburg <sfalken>
Component: Plug-insAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal    
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Windows XP   
Attachments:
Description Flags
blacklist yahoo plugin sam: review+

Steve Falkenburg
Reported 2009-06-30 14:20:38 PDT
A high volume crash is occuring due to heap corruption. Some output from WinDbg !analyze -v: FAULTING_IP: ntdll!RtlReportCriticalFailure+5b 7747015d eb1c jmp ntdll!RtlReportCriticalFailure+0x6f (7747017b) EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 7747015d (ntdll!RtlReportCriticalFailure+0x0000005b) ExceptionCode: c0000374 ExceptionFlags: 00000001 NumberParameters: 1 Parameter[0]: 7748c030 PROCESS_NAME: Safari.exe ERROR_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted. EXCEPTION_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted. EXCEPTION_PARAMETER1: 7748c030 NTGLOBALFLAG: 0 APPLICATION_VERIFIER_FLAGS: 0 LAST_CONTROL_TRANSFER: from 00000000 to 77430531 FAULTING_THREAD: ffffffff BUGCHECK_STR: APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_DOUBLE_FREE PRIMARY_PROBLEM_CLASS: ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy DEFAULT_BUCKET_ID: ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy STACK_TEXT: 77430531 ntdll!RtlFreeHeap+0x60 7619c56f kernel32!HeapFree+0x14 71c74c39 msvcr80!free+0xcd 67d2cf48 WebKit!_NPN_ReleaseVariantValue+0x68 67e42e0e WebKit!JSC::RuntimeMethod::getOwnPropertySlot+0x1fe FOLLOWUP_IP: WebKit!_NPN_ReleaseVariantValue+68 67d2cf48 c7460c00000000 mov dword ptr [esi+0Ch],0 SYMBOL_STACK_INDEX: 3 SYMBOL_NAME: WebKit!_NPN_ReleaseVariantValue+68 FOLLOWUP_NAME: MachineOwner MODULE_NAME: WebKit IMAGE_NAME: WebKit.dll DEBUG_FLR_IMAGE_TIMESTAMP: 4a28ef44 STACK_COMMAND: dds 7748c068 ; kb FAILURE_BUCKET_ID: ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_c0000374_WebKit.dll!_NPN_ReleaseVariantValue BUCKET_ID: APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_DOUBLE_FREE_WebKit!_NPN_ReleaseVariantValue+68 WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/Safari_exe/4_530_17_0/4a28fedb/ntdll_dll/6_0_6001_18000/4791a7a6/c0000374/000b015d.htm?Retriage=1 Followup: MachineOwner
Attachments
blacklist yahoo plugin (1.60 KB, patch)
2009-06-30 14:47 PDT, Steve Falkenburg 		sam: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Steve Falkenburg
Comment 1 2009-06-30 14:22:44 PDT
All instances of the crash show the module npystate.dll loaded, and the executing script in all cases (retrieved via the backtrace) is always from a Yahoo site. Seems to be the same as: https://bugzilla.mozilla.org/show_bug.cgi?id=419127
Steve Falkenburg
Comment 2 2009-06-30 14:23:07 PDT
<rdar://problem/6978781>
Steve Falkenburg
Comment 3 2009-06-30 14:27:20 PDT
Same bug in Chromium (they've also already fixed): http://code.google.com/p/chromium/issues/detail?id=3139
Steve Falkenburg
Comment 4 2009-06-30 14:47:21 PDT
Created attachment 32096 [details] blacklist yahoo plugin
Steve Falkenburg
Comment 5 2009-06-30 15:07:13 PDT
Fixed in r45403.
Note You need to log in before you can comment on or make changes to this bug.