[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #9145 [Tor Browser]: TBB 3.0a1 crashes on startup on Win7 (TorBrowser has stopped working)

#9145: TBB 3.0a1 crashes on startup on Win7 (TorBrowser has stopped working)
-----------------------------------------------+---------------------------
 Reporter:  dope457                            |          Owner:  erinn
     Type:  defect                             |         Status:
 Priority:  High                               |  needs_information
Component:  Tor Browser                        |      Milestone:
 Severity:  Normal                             |        Version:
 Keywords:  tbb-3.0, tbb-crash, firefox-crash  |     Resolution:
Parent ID:                                     |  Actual Points:
  Sponsor:                                     |         Points:
-----------------------------------------------+---------------------------

Comment (by cypherpunks):

 Just found:
 Analysis for call of GetPixelSize by (as example) [https://mxr.mozilla.org
 /mozilla-esr38/source/gfx/cairo/cairo/src/cairo-d2d-surface.cpp#4254
 _cairo_d2d_getextents]

 MSVC generate code:
 {{{
  push        ebp
  mov         ebp,esp
  push        ecx
  push        ecx
  mov         eax,[ebp][8]
  lea         edx,[ebp][-8]
  push        esi
  mov         esi,[ebp][00C]
  push        edx
  and         d,[esi],0
  and         d,[esi][4],0
  mov         eax,[eax][000000104]
  push        eax
  mov         ecx,[eax]
  call        d,[ecx][0000000D8]
  mov         eax,[ebp][-8]
  mov         [esi][8],eax
  mov         eax,[ebp][-4]
  mov         [esi][00C],eax
  xor         eax,eax
  inc         eax
  pop         esi
  mov         esp,ebp
  pop         ebp
  retn
 }}}

 G++ (mingw) generated code:
 {{{
  push        ebx
  sub         esp,018
  mov         ebx,[esp][024]
  mov         d,[ebx],0
  mov         d,[ebx][4],0
  mov         eax,[esp][020]
  mov         eax,[eax][000000104]
  mov         edx,[eax]
  mov         [esp],eax
  call        d,[edx][0000000D8]
  sub         esp,4
  mov         [ebx][8],eax
  mov         [ebx][00C],edx
  mov         eax,1
  add         esp,018
  pop         ebx
  retn
 }}}

 C equivalent code for:
 {{{
  D2D1_SIZE_U size = d2dsurf->rt->GetPixelSize();
 }}}
 after decompile is looking like:

 after MSVC
 {{{
 GetPixelSize(this, &size)
 }}}

 after G++ (mingw)
 {{{
 GetPixelSize(this)
 }}}

 GetPixelSize (d2d1.dll) crashing after dereferencing non exist argument.

 Is that correct analysis?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9145#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs