[tor-bugs] #16495 [Tor Browser]: Tor Browser 5.0a3 crashes on nytimes.com with security level set to "High"
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Jul 9 20:33:42 UTC 2015
#16495: Tor Browser 5.0a3 crashes on nytimes.com with security level set to "High"
-------------------------+-------------------------------------------------
Reporter: gk             | Owner: mcs
Type: defect             | Status: assigned
Priority: critical       | Milestone:
Component: Tor Browser   | Version:
Resolution:              | Keywords: tbb-crash, tbb-5.0a, TorBrowserTeam201507
Actual Points:           | Parent ID:
Points:                  |
-------------------------+-------------------------------------------------

Comment (by mcs):

I think the GitHub user page crash has the same root cause, but I am not
100% sure. Near the top of the backtrace,
layout/style/nsCSSRuleProcessor.cpp:3725 appears and the code there is
using a value returned by aElement->GetClasses(), which is the same call
that causes trouble in the NYT test case.

With my 32-bit debug build, I actually encounter an assertion failure
inside JS::AutoAssertOnGC::VerifyIsSafeToGC() before I reach the point of
crashing due to SVG (even with SVG enabled). I am not sure why that is,
but if I comment that out (living dangerously), I can reproduce the
SVG-related crash when loading a GitHub user page. But my stack actually
looks more like the one from comment:4.

Unfortunately, Kathy and I are running out of time to work on this for
now, but I will post an in-progress patch and link to it here so those who
are interested can take an early look. I believe it avoids crashes for
both test cases mentioned in this ticket, but with static_cast thrown
about in the code it is difficult to know if we fixed all possible cases
that would lead to a crash :(

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16495#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online