[tor-bugs] #9145 [Tor Browser]: TBB 3.0a1 crashes on startup on Win7 (TorBrowser has stopped working)

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Jan 15 11:52:28 UTC 2016


#9145: TBB 3.0a1 crashes on startup on Win7 (TorBrowser has stopped working)
-----------------------------------------------+---------------------------
 Reporter:  dope457                            |          Owner:  erinn
     Type:  defect                             |         Status:
 Priority:  High                               |  needs_information
Component:  Tor Browser                        |      Milestone:
 Severity:  Normal                             |        Version:
 Keywords:  tbb-3.0, tbb-crash, firefox-crash  |     Resolution:
Parent ID:                                     |  Actual Points:
  Sponsor:                                     |         Points:
-----------------------------------------------+---------------------------

Comment (by cypherpunks):

 Just found:
 Analysis of the call to GetPixelSize from (as an example) [https://mxr.mozilla.org
 /mozilla-esr38/source/gfx/cairo/cairo/src/cairo-d2d-surface.cpp#4254
 _cairo_d2d_getextents]:

 MSVC generates this code:
 {{{
 ; MSVC build of the caller. Two stack arguments reach the virtual call:
 ; `this` and, behind it, a hidden pointer to the 8-byte return value.
 ; The callee cleans up both (no esp adjustment after the call).
 push        ebp                       ; frame setup: ebp = frame base
 mov         ebp,esp
 push        ecx                       ; two pushes reserve 8 bytes at [ebp-8]
 push        ecx                       ; for the returned size (ecx value unused)
 mov         eax,[ebp][8]              ; eax = first arg (d2dsurf in the C line below)
 lea         edx,[ebp][-8]             ; edx = &local 8-byte result slot
 push        esi                       ; save callee-saved esi
 mov         esi,[ebp][00C]            ; esi = second arg (output struct; presumably extents)
 push        edx                       ; arg 2 of the virtual call: hidden return pointer
 and         d,[esi],0                 ; zero the first two dwords of the output struct
 and         d,[esi][4],0
 mov         eax,[eax][000000104]      ; eax = field at +0x104 (presumably d2dsurf->rt)
 push        eax                       ; arg 1 of the virtual call: rt as `this`
 mov         ecx,[eax]                 ; ecx = rt's vtable
 call        d,[ecx][0000000D8]        ; vtable slot +0xD8 (GetPixelSize); callee pops 8 bytes
 mov         eax,[ebp][-8]             ; copy the 8-byte result out of the local slot...
 mov         [esi][8],eax
 mov         eax,[ebp][-4]
 mov         [esi][00C],eax            ; ...into dwords +8 and +0xC of the output struct
 xor         eax,eax
 inc         eax                       ; return 1
 pop         esi
 mov         esp,ebp
 pop         ebp
 retn
 }}}

 G++ (mingw) generated code:
 {{{
 ; mingw/G++ build of the same caller. Only `this` is passed to the virtual
 ; call, and the 8-byte return value is taken from edx:eax rather than through
 ; a hidden pointer -- the opposite of what the MSVC build above does.
 push        ebx                       ; save callee-saved ebx
 sub         esp,018                   ; 0x18 bytes of outgoing-arg/scratch space
 mov         ebx,[esp][024]            ; ebx = second arg (output struct; esp+0x24 after push+sub)
 mov         d,[ebx],0                 ; zero the first two dwords of the output struct
 mov         d,[ebx][4],0
 mov         eax,[esp][020]            ; eax = first arg (d2dsurf in the C line below)
 mov         eax,[eax][000000104]      ; eax = field at +0x104 (presumably d2dsurf->rt)
 mov         edx,[eax]                 ; edx = rt's vtable
 mov         [esp],eax                 ; the ONLY outgoing argument: rt as `this`
 call        d,[edx][0000000D8]        ; vtable slot +0xD8 (GetPixelSize)
 sub         esp,4                     ; compensates for the 4 bytes GCC apparently expects the
                                       ; callee to pop; if the callee pops 8 as in the MSVC
                                       ; build, esp is now 4 bytes off as well -- worth checking
 mov         [ebx][8],eax              ; store edx:eax into dwords +8 and +0xC of the output
 mov         [ebx][00C],edx            ; struct -- this is where the two ABIs disagree
 mov         eax,1                     ; return 1
 add         esp,018
 pop         ebx
 retn
 }}}

 The C-equivalent code for:
 {{{
  D2D1_SIZE_U size = d2dsurf->rt->GetPixelSize();
 }}}
 looks like this after decompilation:

 after MSVC
 {{{
 GetPixelSize(this, &size)
 }}}

 after G++ (mingw)
 {{{
 GetPixelSize(this)
 }}}

 GetPixelSize (d2d1.dll) crashes after dereferencing the non-existent argument.

 Is that correct analysis?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9145#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

