Bug 26860

Summary: Heap corruption leading to crashes on Yahoo sites when Yahoo Application State plugin loaded
Product: WebKit
Reporter: Steve Falkenburg <sfalken>
Component: Plug-ins
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: 528+ (Nightly build)
Hardware: PC
OS: Windows XP
Attachments:
Description               Flags
blacklist yahoo plugin    sam: review+

Description Steve Falkenburg 2009-06-30 14:20:38 PDT
A high-volume crash is occurring due to heap corruption.

Some output from WinDbg !analyze -v:

FAULTING_IP: 
ntdll!RtlReportCriticalFailure+5b
7747015d eb1c            jmp     ntdll!RtlReportCriticalFailure+0x6f (7747017b)

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 7747015d (ntdll!RtlReportCriticalFailure+0x0000005b)
   ExceptionCode: c0000374
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 7748c030

PROCESS_NAME:  Safari.exe

ERROR_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted.

EXCEPTION_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted.

EXCEPTION_PARAMETER1:  7748c030

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

LAST_CONTROL_TRANSFER:  from 00000000 to 77430531

FAULTING_THREAD:  ffffffff

BUGCHECK_STR:  APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_DOUBLE_FREE

PRIMARY_PROBLEM_CLASS:  ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy

DEFAULT_BUCKET_ID:  ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy

STACK_TEXT:  
77430531 ntdll!RtlFreeHeap+0x60
7619c56f kernel32!HeapFree+0x14
71c74c39 msvcr80!free+0xcd
67d2cf48 WebKit!_NPN_ReleaseVariantValue+0x68
67e42e0e WebKit!JSC::RuntimeMethod::getOwnPropertySlot+0x1fe


FOLLOWUP_IP: 
WebKit!_NPN_ReleaseVariantValue+68
67d2cf48 c7460c00000000  mov     dword ptr [esi+0Ch],0

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  WebKit!_NPN_ReleaseVariantValue+68

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: WebKit

IMAGE_NAME:  WebKit.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  4a28ef44

STACK_COMMAND:  dds 7748c068 ; kb

FAILURE_BUCKET_ID:  ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_c0000374_WebKit.dll!_NPN_ReleaseVariantValue

BUCKET_ID:  APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_DOUBLE_FREE_WebKit!_NPN_ReleaseVariantValue+68

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/Safari_exe/4_530_17_0/4a28fedb/ntdll_dll/6_0_6001_18000/4791a7a6/c0000374/000b015d.htm?Retriage=1

Followup: MachineOwner
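The bucket string above names a double free reached through WebKit!_NPN_ReleaseVariantValue, that is, a value owned by an NPVariant being handed to free() a second time. The C program below is an added illustration and is not code from WebKit, Safari or the npystate plugin: its Variant and Object types are constructed stand-ins for NPVariant/NPObject, and the field layout, the names and the free counter are assumptions made for this example. It shows the ownership discipline that keeps a release idempotent: free what the variant owns, then reset the variant to Void so a stale second release is a no-op instead of a second free, and refcount objects that several variants share so that the object is freed exactly once.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for NPAPI's NPVariant / NPObject. The layout is
 * illustrative for this example and is not WebKit's or the plugin's. */
typedef enum { VT_VOID, VT_NULL, VT_INT32, VT_STRING, VT_OBJECT } VarType;

typedef struct { int refcount; } Object;

typedef struct {
    VarType type;
    union {
        int32_t intValue;
        struct { char *utf8; uint32_t len; } stringValue;
        Object *objectValue;
    } value;
} Variant;

/* Global free counter (an assumption of the example) so callers can see
 * how many heap blocks a sequence of releases actually freed. */
static int g_frees = 0;
int  total_frees(void)      { return g_frees; }
void reset_free_count(void) { g_frees = 0; }
static void heap_free(void *p) { free(p); g_frees++; }

/* A string variant owns a private copy of its buffer. */
Variant make_string(const char *s) {
    Variant v;
    size_t n = strlen(s);
    v.type = VT_STRING;
    v.value.stringValue.utf8 = malloc(n + 1);
    memcpy(v.value.stringValue.utf8, s, n + 1);
    v.value.stringValue.len = (uint32_t)n;
    return v;
}

Object *create_object(void) {
    Object *o = malloc(sizeof *o);
    o->refcount = 1;              /* the creator holds the first reference */
    return o;
}

Object *retain_object(Object *o) { o->refcount++; return o; }

/* Drops one reference; frees and returns 1 only when the last one goes. */
int release_object(Object *o) {
    if (--o->refcount > 0) return 0;
    heap_free(o);
    return 1;
}

/* An object variant takes its own reference on the shared object. */
Variant make_object_variant(Object *o) {
    Variant v;
    v.type = VT_OBJECT;
    v.value.objectValue = retain_object(o);
    return v;
}

/* Releases whatever the variant owns and resets it to Void, so releasing
 * the same variant again is a no-op rather than a double free.
 * Returns the number of heap blocks freed (0 or 1). */
int release_variant(Variant *v) {
    int freed = 0;
    switch (v->type) {
    case VT_STRING:
        if (v->value.stringValue.utf8) { heap_free(v->value.stringValue.utf8); freed = 1; }
        break;
    case VT_OBJECT:
        if (v->value.objectValue) freed = release_object(v->value.objectValue);
        break;
    default:
        break;                    /* scalars own no heap memory */
    }
    v->type = VT_VOID;            /* the step that makes a repeat release safe */
    memset(&v->value, 0, sizeof v->value);
    return freed;
}

/* Two releases of one string variant free exactly one block. */
int releases_are_idempotent(void) {
    reset_free_count();
    Variant v = make_string("constructed sample string");
    release_variant(&v);
    release_variant(&v);          /* stale second release: no-op */
    return total_frees();
}

/* Two variants sharing one object: the object is freed once, on the last
 * outstanding reference, whatever order the releases arrive in. */
int shared_object_freed_once(void) {
    reset_free_count();
    Object *o = create_object();
    Variant a = make_object_variant(o);
    Variant b = make_object_variant(o);
    release_object(o);            /* creator drops its own reference */
    release_variant(&a);
    release_variant(&b);          /* last reference: the one real free */
    release_variant(&a);          /* already Void: no-op */
    return total_frees();
}

int main(void) {
    printf("string released twice      -> %d free(s)\n", releases_are_idempotent());
    printf("shared object, 4 releases  -> %d free(s)\n", shared_object_freed_once());
    return 0;
}
```

Both sequence functions return 1, the single free a well-behaved release sequence should produce; a release routine that frees but leaves the type and pointer in place would instead hand the same block to free() twice, which is the block_not_busy condition the heap reports above.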

Comment 1 Steve Falkenburg 2009-06-30 14:22:44 PDT
All instances of the crash show the module npystate.dll loaded, and the executing script in all cases (retrieved via the backtrace) is always from a Yahoo site.

Seems to be the same as:
https://bugzilla.mozilla.org/show_bug.cgi?id=419127

Comment 2 Steve Falkenburg 2009-06-30 14:23:07 PDT
<rdar://problem/6978781>

Comment 3 Steve Falkenburg 2009-06-30 14:27:20 PDT
Same bug in Chromium (they've also already fixed it): http://code.google.com/p/chromium/issues/detail?id=3139

Comment 4 Steve Falkenburg 2009-06-30 14:47:21 PDT
Created attachment 32096 [details]
blacklist yahoo plugin

Comment 5 Steve Falkenburg 2009-06-30 15:07:13 PDT
Fixed in r45403.