1080073 - Lost 10% of my passwords since the conversion to logins.json

Reporter

Description

•

11 years ago

Attached file Bad username JSON prettified — Details

I had 481 passwords in logins.json after an initial conversion but recently I noticed I was missing many passwords that were previously saved but it wasn't all sites. I created a new profile and re-migrated from signons.sqlite and 50 logins (10%) that weren't in my normal profile were in the new conversion. I *think* this problem started sometime after the conversion but I also use Sync so I don't know if we are failing to serialize some logins to disk sometimes or if Sync is losing my passwords. One of the weird things with logins.json is this one login which had 婚 (\u5a5a) repeated 34816 times in the middle of one of the property names and seems to be the result of munging two logins together: {"id":416,"hostname":"https://bug583578.bugzilla.mozilla.org","httpRealm":null,"formSubmitURL":"https://bug583578.bugzilla.mozilla.org","usernameField":"log","passwordField":"pwd","encryptedUsername":"MEoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDLHnHDCN+gDBCBj0TL/fxGliYL1ChE6GD5ZC49RJto/hF8rdpFkgyM7Gg==","encryptedPassword":"MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECP8XQ8SZ0LO+BBCzVGG+EoySFsStEef6HcSn","guid":"{a5346f59-9e09-c545-b03d-87e1a50d2b04}","encType":1,"ti婚婚婚婚婚婚婚婚婚婚婚婚婚婚婚婚婚婚婚婚婚婚婚婚婚婚婚婚婚婚婚婚婚婚婚婚婚婚婚婚婚婚婚婚…婚婚婚婚婚婚婚formSubmitURL":"https://wordpress.com","timeCreated":1398114900272,"timeLastUsed":1398791579777,"timePasswordChanged":1398114900272,"timesUsed":2}, Note the duplicated formSubmitURL property. Yoric, do you know of any OS.File bug which could cause this? The code is in https://mxr.mozilla.org/mozilla-central/source/toolkit/components/passwordmgr/LoginStore.jsm

Flags: needinfo?(dteller)

David Teller [:Yoric] - still alive but not very active

Comment 1

•

11 years ago

Interesting. I do not know of any OS.File bugs that could cause this, but if there is one, I am seriously interested.

Flags: needinfo?(dteller)

David Teller [:Yoric] - still alive but not very active

Comment 2

•

11 years ago

Have you tried reproducing this already, btw?

Matthew N. [:MattN]

Reporter

Comment 3

•

11 years ago

I haven't tried to reproduce. The only ideas I have would be to crash in the middle of writing or something. I didn't look at the code closely. The initial conversion works fine if I copy the sqlite file to a new profile so it may have happened after that during everyday use but I don't know when it happened or what caused it.

David Teller [:Yoric] - still alive but not very active

Comment 4

•

11 years ago

The write takes place as follows: - write (in a single libc call) to a temporary file; - rename the temporary file to its destination. So, a process crash should not be able to corrupt anything, and a OS crash/power outage only has a very small window of opportunity to corrupt anything. Now, I notice in the source code of LoginStore.jsm that the, while the file is always written by OS.File, it may be read by the main thread. I don't know if this can have caused your issue, but it seems a little dangerous to me.

Matthew N. [:MattN]

Reporter

Comment 5

•

11 years ago

OK, so the two issues (婚 [\u5a5a] and the 50 lost passwords) are the same problem. The corrupted login had id=416 and every login after that one was lost so it seems like after the corruption happened, we didn't read the rest of the file.

David Teller [:Yoric] - still alive but not very active

Comment 6

•

11 years ago

Corruption in the middle of the file could be a hardware issue, too, btw.

Matthew N. [:MattN]

Reporter

Comment 7

•

11 years ago

tracking-firefox33: --- → ?

Sylvestre Ledru [:Sylvestre]

Comment 8

•

11 years ago

David, do you see something you could do here? I guess it is too late for 33.1 but we could take a patch for 34. Thanks

status-firefox33: --- → affected

status-firefox34: --- → affected

status-firefox35: --- → affected

status-firefox36: --- → affected

tracking-firefox33: ? → -

tracking-firefox34: --- → +

tracking-firefox35: --- → +

tracking-firefox36: --- → +

Flags: needinfo?(dteller)

David Teller [:Yoric] - still alive but not very active

Comment 9

•

11 years ago

I have spent some more time looking at the code, and I can't see any visible bug. The first possibility is that we have a big problem somewhere in OS.File, TextEncoder, JSON.stringify or mozStorage. Unlikely, but possible. The second possibility is that this is due to an external factor, such as a hardware issue, the OS or an anti-virus. Also unlikely but possible. My third scenario, which I believe is more possible, is the following: - using the old API, a blob of characters was written to the database as a string, but for some reason, this blob of characters is not a valid Unicode string, perhaps due to an encoding issue; - when we import this blob, for some reason, we do not provide the right encoding, so the decoding results in something that is not a proper Unicode string (JS strings can contain non-proper Unicode strings); - finally, when we call JSON.stringify, the result is corrupted. Marco, Paolo, does this seem possible to you? If this third hypothesis is correct, the bad change is probably around bug 853549. I made another pass at understanding what's going on, and I have no clue what caused the error, I'm afraid. The code looks good, so afaict, either we have a big problem somewhere in the implementation of OS.File, TextEncoder or JSON.stringify, or it's an external factor such as hardware issue, an antivirus, etc. Either way, we are not going to have anything in time for 34, unless we find out what's wrong.

Flags: needinfo?(paolo.mozmail)

Flags: needinfo?(mak77)

Flags: needinfo?(dteller)

:Paolo Amadini

Comment 10

•

11 years ago

(In reply to David Rajchenbach-Teller [:Yoric] (use "needinfo") from comment #9) > something that is not a proper Unicode > string (JS strings can contain non-proper Unicode strings); > - finally, when we call JSON.stringify, the result is corrupted. In Matt's case, the corruption crossed the boundary between a property value and another property's name, so it doesn't seem related to the contents of a single string. > The code looks good, so afaict, either we have a big problem somewhere in > the implementation of OS.File, TextEncoder or JSON.stringify, or it's an > external factor such as hardware issue, an antivirus, etc. Seems more likely to me. Also, we have no evidence that the increase in reports about lost passwords is in any way related to Matt's issue described in this bug. A variety of edge cases may happen - and some of them, like the same profile being routinely used with multiple versions of Firefox, are known not to work, and supporting them in the product was a non-goal from the start (there are advanced techniques to recover passwords in these cases).

Flags: needinfo?(paolo.mozmail)

Flags: needinfo?(mak77)

David Teller [:Yoric] - still alive but not very active

Comment 11

•

11 years ago

> In Matt's case, the corruption crossed the boundary between a property value and another property's name, so it doesn't seem related to the contents of a single string. Why? JSON.stringify certainly doesn't check its input, so if it has non-Unicode JS strings, it will happily produce a non-Unicode JS string. I'm pretty sure that TextEncoder assumes that the string is correct, without further checks, so it will output something that is garbled, but which may well be parseable as JSON – except the resulting JSON will not match the original data.

Sylvestre Ledru [:Sylvestre]

Comment 12

•

11 years ago

> Either way, we are not going to have anything in time for 34, unless we find out what's wrong. Ok. I am going to untrack them. Please resubmit for tracking if you have a clue!

status-firefox33: affected → wontfix

status-firefox34: affected → wontfix

Nicolas B. Pierron [:nbp]

Comment 13

•

11 years ago

<nbp> what is 5a5a5a5a <firebot> iirc, 5a5a5a5a is freed memory

Emanuel Hoogeveen [:ehoogeveen]

Comment 14

•

11 years ago

That's a good point - memory poisoning for small allocations was enabled in bug 860254, so perhaps the corruption is caused by a use-after-free that used to be harmless most of the time (simply because the memory was still mapped by jemalloc and not yet overwritten).

Nicolas B. Pierron [:nbp]

Comment 15

•

11 years ago

Note that 0x5a corresponds to "Z", so the fact that it appears as 婚 (\u5a5a) suggests that the string was already encoded in UTF-16 at the time of the corruption. I assume, that such JSON file is more likely to be encoded in ASCII when it is being manipulated by the JS engine. If the corruption happened before the creation of the JSON file, then we should expect that the encoding of the UTF-16 string would be terminated by 0, as the key precisely ends on "fromSubmitURL". Which sounds unlikely, and thus suggests that the corruption happened after the creation of the JSON file content. So, in any case, I think that we successfully produced the result of JSON.stringify. I guess, we should look where the result of JSON.stringify is copied into, and ensure that the buffers in which this text it is copied into cannot be freed before we copy into it. > had 婚 (\u5a5a) repeated 34816 times Side note, this implies that the size of the memory allocation is 0x11000 or smaller.

:Paolo Amadini

Comment 16

•

11 years ago

(In reply to David Rajchenbach-Teller [:Yoric] (use "needinfo") from comment #11) > Why? JSON.stringify certainly doesn't check its input, so if it has > non-Unicode JS strings, it will happily produce a non-Unicode JS string. I'm > pretty sure that TextEncoder assumes that the string is correct, without > further checks, so it will output something that is garbled, but which may > well be parseable as JSON – except the resulting JSON will not match the > original data. Probably we're saying the same thing... what I'm saying is that this doesn't look like an encoding problem (like losing a character because of an unmatched UTF-16 lead surrogate), and also that looking at the start and end points ("ti婚 which would be one of the "time" properties, and 婚formSubmitURL" which is another property) it seems unlikely this happened on the input side of "stringify", so this isn't where I would look first. What you're saying, as I understand it, is that there could be a serious bug in one of TextEncoder or JSON.stringify, maybe triggered by unmatched pairs, which I also deem possible. Regardless of the exact cause, per comments 13 and 14, this may be an allocation bug, and it could be at any point in the code path, including OS.File.

[:philipp]

Comment 17

•

11 years ago

there is now also an unusual amount of users reporting lost passwords after updating to firefox 33 on the SUMO forum - i've filed bug 1091854 for it.

Matthew N. [:MattN]

Reporter

Updated

•

11 years ago

Comment 18

•

10 years ago

We've had no significant volume of input from users about this issue, untracking.

tracking-firefox35: + → -

tracking-firefox36: + → -

Matthew N. [:MattN]

Reporter

Updated

•

10 years ago

Status: NEW → RESOLVED

Closed: 10 years ago

Resolution: --- → WORKSFORME