[Webkit-unassigned] [Bug 26860] New: Heap corruption leading to crashes on Yahoo sites when Yahoo Application State plugin loaded

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jun 30 14:20:39 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=26860

           Summary: Heap corruption leading to crashes on Yahoo sites when
                    Yahoo Application State plugin loaded
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Plug-ins
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: sfalken at apple.com


A high volume crash is occurring due to heap corruption.

Some output from WinDbg !analyze -v:

FAULTING_IP: 
ntdll!RtlReportCriticalFailure+5b
7747015d eb1c            jmp     ntdll!RtlReportCriticalFailure+0x6f (7747017b)

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 7747015d (ntdll!RtlReportCriticalFailure+0x0000005b)
   ExceptionCode: c0000374
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 7748c030

PROCESS_NAME:  Safari.exe

ERROR_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted.

EXCEPTION_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted.

EXCEPTION_PARAMETER1:  7748c030

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

LAST_CONTROL_TRANSFER:  from 00000000 to 77430531

FAULTING_THREAD:  ffffffff

BUGCHECK_STR: 
APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_DOUBLE_FREE

PRIMARY_PROBLEM_CLASS:  ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy

DEFAULT_BUCKET_ID:  ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy

STACK_TEXT:  
77430531 ntdll!RtlFreeHeap+0x60
7619c56f kernel32!HeapFree+0x14
71c74c39 msvcr80!free+0xcd
67d2cf48 WebKit!_NPN_ReleaseVariantValue+0x68
67e42e0e WebKit!JSC::RuntimeMethod::getOwnPropertySlot+0x1fe


FOLLOWUP_IP: 
WebKit!_NPN_ReleaseVariantValue+68
67d2cf48 c7460c00000000  mov     dword ptr [esi+0Ch],0

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  WebKit!_NPN_ReleaseVariantValue+68

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: WebKit

IMAGE_NAME:  WebKit.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  4a28ef44

STACK_COMMAND:  dds 7748c068 ; kb

FAILURE_BUCKET_ID: 
ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_c0000374_WebKit.dll!_NPN_ReleaseVariantValue

BUCKET_ID: 
APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_DOUBLE_FREE_WebKit!_NPN_ReleaseVariantValue+68

WATSON_STAGEONE_URL: 
http://watson.microsoft.com/StageOne/Safari_exe/4_530_17_0/4a28fedb/ntdll_dll/6_0_6001_18000/4791a7a6/c0000374/000b015d.htm?Retriage=1

Followup: MachineOwner


-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
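The WinDbg bucket above names the failure class (heap_failure_block_not_busy, DOUBLE_FREE) and the frame doing the free (_NPN_ReleaseVariantValue, which frees the payload an NPVariant owns and then marks the variant void). The report does not say how the plugin path reached a second free, so the following is an added illustration, not WebKit code and not the root cause of this bug: a simplified, self-contained model of NPVariant release semantics that shows why the "mark void after release" guard makes a repeated release of the same struct safe, why a shallow struct copy of a variant defeats that guard and produces exactly a double free, and the ownership-preserving copy that avoids it. The `variant` type, the bookkeeping allocator and the `scenario_*` functions are hypothetical demo helpers; the tracked allocator exists only so the double free is reported as a count instead of corrupting the real heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for NPVariant: a tagged union whose string member owns a
   heap buffer. Simplified model for this example, not the NPAPI headers. */
typedef enum { VT_VOID, VT_INT32, VT_STRING } variant_type;

typedef struct {
    variant_type type;
    union {
        int32_t int_value;
        struct { char *chars; size_t len; } str;
    } value;
} variant;

/* Bookkeeping allocator (hypothetical helper): records live heap blocks so a
   second free of the same pointer is counted rather than handed to free(). */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_frees;

static void *tracked_alloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; i < MAX_LIVE; i++) if (!live[i]) { live[i] = p; return p; }
    abort();                              /* demo table full */
}

/* Returns 0 on a valid free, 1 if p is not a live block (a double free). */
static int tracked_free(void *p) {
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) { live[i] = NULL; free(p); return 0; }
    }
    double_frees++;
    return 1;
}

static int live_count(void) {
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++) if (live[i]) n++;
    return n;
}

static void make_string_variant(variant *v, const char *s) {
    size_t len = strlen(s);
    v->type = VT_STRING;
    v->value.str.chars = tracked_alloc(len + 1);
    memcpy(v->value.str.chars, s, len + 1);
    v->value.str.len = len;
}

/* Release semantics modelled on NPN_ReleaseVariantValue: free the owned
   buffer, then mark the variant void so releasing the SAME struct again
   is a harmless no-op. */
static void release_variant(variant *v) {
    if (v->type == VT_STRING) tracked_free(v->value.str.chars);
    v->type = VT_VOID;
    memset(&v->value, 0, sizeof v->value);
}

/* Giving a second owner its own copy: the buffer is duplicated, not aliased. */
static void copy_variant(variant *dst, const variant *src) {
    if (src->type == VT_STRING) make_string_variant(dst, src->value.str.chars);
    else *dst = *src;
}

static void reset_demo(void) { memset(live, 0, sizeof live); double_frees = 0; }

/* Releasing one struct twice: the void marker protects the second call. */
int scenario_release_twice(void) {
    reset_demo();
    variant a; make_string_variant(&a, "yahoo");
    release_variant(&a);
    release_variant(&a);
    return double_frees;                  /* 0 */
}

/* Shallow struct copy: both structs point at one buffer, and the void marker
   written into `a` is invisible to `b`, so the second release frees again. */
int scenario_shallow_copy(void) {
    reset_demo();
    variant a, b; make_string_variant(&a, "yahoo");
    b = a;                                /* aliasing, not ownership transfer */
    release_variant(&a);
    release_variant(&b);
    return double_frees;                  /* 1 */
}

/* Deep copy: each owner releases its own buffer exactly once, nothing leaks. */
int scenario_owned_copy(void) {
    reset_demo();
    variant a, b; make_string_variant(&a, "yahoo");
    copy_variant(&b, &a);
    release_variant(&a);
    release_variant(&b);
    return double_frees + live_count();   /* 0 */
}

int main(void) {
    printf("release twice: %d double frees\n", scenario_release_twice());
    printf("shallow copy : %d double frees\n", scenario_shallow_copy());
    printf("owned copy   : %d double frees or leaks\n", scenario_owned_copy());
    return 0;
}
```

The point for triage: the void marker only guards the struct it is written into, so a double free through _NPN_ReleaseVariantValue means two live NPVariant structs (or two callers) believed they owned the same payload, and the debugger output alone cannot tell which copy was the extra one. With a real heap the second free in the shallow-copy case is what produces the `heap_failure_block_not_busy` report; turning on page heap (`gflags /p /enable Safari.exe /full`) or Application Verifier makes the first bad free fault at the offending call site rather than at the later RtlFreeHeap consistency check.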
