Bug 26860 - Heap corruption leading to crashes on Yahoo sites when Yahoo Application State plugin loaded
Summary: Heap corruption leading to crashes on Yahoo sites when Yahoo Application Stat...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Plug-ins (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC Windows XP
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-06-30 14:20 PDT by Steve Falkenburg
Modified: 2009-06-30 15:07 PDT (History)
0 users

See Also:


Attachments
blacklist yahoo plugin (1.60 KB, patch)
2009-06-30 14:47 PDT, Steve Falkenburg
sam: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Steve Falkenburg 2009-06-30 14:20:38 PDT
A high volume crash is occuring due to heap corruption.

Some output from WinDbg !analyze -v:

FAULTING_IP: 
ntdll!RtlReportCriticalFailure+5b
7747015d eb1c            jmp     ntdll!RtlReportCriticalFailure+0x6f (7747017b)

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 7747015d (ntdll!RtlReportCriticalFailure+0x0000005b)
   ExceptionCode: c0000374
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 7748c030

PROCESS_NAME:  Safari.exe

ERROR_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted.

EXCEPTION_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted.

EXCEPTION_PARAMETER1:  7748c030

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

LAST_CONTROL_TRANSFER:  from 00000000 to 77430531

FAULTING_THREAD:  ffffffff

BUGCHECK_STR:  APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_DOUBLE_FREE

PRIMARY_PROBLEM_CLASS:  ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy

DEFAULT_BUCKET_ID:  ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy

STACK_TEXT:  
77430531 ntdll!RtlFreeHeap+0x60
7619c56f kernel32!HeapFree+0x14
71c74c39 msvcr80!free+0xcd
67d2cf48 WebKit!_NPN_ReleaseVariantValue+0x68
67e42e0e WebKit!JSC::RuntimeMethod::getOwnPropertySlot+0x1fe


FOLLOWUP_IP: 
WebKit!_NPN_ReleaseVariantValue+68
67d2cf48 c7460c00000000  mov     dword ptr [esi+0Ch],0

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  WebKit!_NPN_ReleaseVariantValue+68

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: WebKit

IMAGE_NAME:  WebKit.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  4a28ef44

STACK_COMMAND:  dds 7748c068 ; kb

FAILURE_BUCKET_ID:  ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_c0000374_WebKit.dll!_NPN_ReleaseVariantValue

BUCKET_ID:  APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_DOUBLE_FREE_WebKit!_NPN_ReleaseVariantValue+68

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/Safari_exe/4_530_17_0/4a28fedb/ntdll_dll/6_0_6001_18000/4791a7a6/c0000374/000b015d.htm?Retriage=1

Followup: MachineOwner
Comment 1 Steve Falkenburg 2009-06-30 14:22:44 PDT
All instances of the crash show the module npystate.dll loaded, and the executing script in all cases (retrieved via the backtrace) is always from a Yahoo site.

Seems to be the same as:
https://bugzilla.mozilla.org/show_bug.cgi?id=419127
Comment 2 Steve Falkenburg 2009-06-30 14:23:07 PDT
<rdar://problem/6978781>
Comment 3 Steve Falkenburg 2009-06-30 14:27:20 PDT
Same bug in Chromium (they've also already fixed): http://code.google.com/p/chromium/issues/detail?id=3139
Comment 4 Steve Falkenburg 2009-06-30 14:47:21 PDT
Created attachment 32096 [details]
blacklist yahoo plugin
Comment 5 Steve Falkenburg 2009-06-30 15:07:13 PDT
Fixed in r45403.