Closed
Bug 1225678
Opened 10 years ago
Closed 9 years ago
startup crash in nsGlobalWindow::SetDocShell
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: u279076, Unassigned)
Details
(Keywords: crash, topcrash-win, Whiteboard: [malware?])
Crash Data
Attachments
(1 file)
|
33.60 KB,
image/png
|
Details |
Crash Curve Visualization
This bug was filed from the Socorro interface and is
report bp-630afc12-4496-4b50-93d0-674f22151116.
=============================================================
0 xul.dll nsGlobalWindow::SetDocShell(nsIDocShell*) dom/base/nsGlobalWindow.cpp
Ø 1 {9a887e1c-4078-4827-9a31-aafc133f05ec}.xpi {9a887e1c-4078-4827-9a31-aafc133f05ec}.xpi@0x2a93
2 xul.dll nsObserverList::NotifyObservers(nsISupports*, char const*, wchar_t const*) xpcom/ds/nsObserverList.cpp
3 xul.dll nsObserverService::NotifyObservers(nsISupports*, char const*, wchar_t const*) xpcom/ds/nsObserverService.cpp
4 xul.dll nsContentSink::NotifyDocElementCreated(nsIDocument*) dom/base/nsContentSink.cpp
5 xul.dll nsDocElementCreatedNotificationRunner::Run() dom/base/nsDocElementCreatedNotificationRunner.h
6 xul.dll nsHTMLDocument::EndUpdate(unsigned int) dom/html/nsHTMLDocument.cpp
7 xul.dll nsHtml5DocumentBuilder::EndDocUpdate() parser/html/nsHtml5DocumentBuilder.h
8 xul.dll nsHtml5TreeOpExecutor::StartLayout() parser/html/nsHtml5TreeOpExecutor.cpp
9 xul.dll nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) parser/html/nsHtml5TreeOperation.cpp
10 xul.dll nsHtml5TreeOpExecutor::RunFlushLoop() parser/html/nsHtml5TreeOpExecutor.cpp
11 xul.dll nsHtml5ExecutorFlusher::Run() parser/html/nsHtml5StreamParser.cpp
12 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp
13 xul.dll mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp
14 xul.dll MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc
15 xul.dll nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) xpcom/threads/nsThreadManager.cpp
16 xul.dll nsAppShell::Run() widget/windows/nsAppShell.cpp
17 xul.dll XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp
18 xul.dll XREMain::XRE_main(int, char** const, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp
19 xul.dll XRE_main toolkit/xre/nsAppRunner.cpp
20 windows.storage.dll FileExplorerTelemetry::DefView_Group::StopActivity()
=============================================================
https://crash-stats.mozilla.com/report/list?product=Firefox&signature=nsGlobalWindow%3A%3ASetDocShell
This is a startup crash that appears to be spiking with Firefox Aurora 44.0a2. 10% of the reports correlate to the firefox@zenmate.com addon but most the reports have an xpi with different UUIDs in the second frame of the crashing thread.
Hiding the bug for now since all reports show high exploitibility.
[Tracking Requested - why for this release]: nominating to track since this is the #4 topcrash in Aurora.
status-firefox44:
--- → affected
tracking-firefox44:
--- → ?
Based on the data this starts with Firefox 44.0a1 20151028030432:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9a8f2342fb3116d23989087e026448d38a3768c5&tochange=fc706d376f0658e560a59c3dd520437b18e8c4a4
|
||
Comment 3•10 years ago
|
||
baku, khuey: any thoughts here? (I'm starting with you mostly randomly based on blame)
Flags: needinfo?(khuey)
Flags: needinfo?(amarchesini)
|
||
Comment 4•10 years ago
|
||
It seems that that window is not valid anymore. Could it be that a previous observer deleted the document?
Flags: needinfo?(amarchesini)
Why does the stack have a .xpi in it?
Flags: needinfo?(khuey) → needinfo?(ted)
|
|
||
Comment 6•10 years ago
|
||
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #5)
> Why does the stack have a .xpi in it?
Looking around it seems that often we see the XPI UUID of the default FF theme.
Tracked for FF44 since it's a top crash.
|
||
Updated•10 years ago
|
Group: core-security → dom-core-security
|
||
Comment 8•10 years ago
|
||
This is certainly puzzling! The full path to that file is C:\Users\wawa\AppData\Local\Temp\{9A887E1C-4078-4827-9A31-AAFC133F05EC}.xpi . I noticed it has a version number specified, so it can't be an actual XPI file (or it wouldn't have valid version information). Googling that version number (1.0.5798.16892) only pulled up 5 results, all of which are malware listings:
https://www.reasoncoresecurity.com/plugin.exe-2d6ae36b7b42f66c359d4273c505ddc0e182821d.aspx
Dollars to donuts this is some variant of that malware.
Flags: needinfo?(ted)
Andrew, is there any chance we might get a dev to investigate this some more? On 44.0b, this is data for last 28 days:
Product Version Percentage Number Of Crashes
Firefox 44.0a2 86.05% 870
Firefox 44.0b1 8.31% 84
Flags: needinfo?(overholt)
|
|
||
Comment 10•10 years ago
|
||
Given comment 8 I'm not sure who'd be best to look into this more. Benjamin, in the past I would have guessed dmajor; any suggestions?
Flags: needinfo?(overholt) → needinfo?(benjamin)
|
|
||
Comment 11•10 years ago
|
||
(In reply to Ted Mielczarek [:ted.mielczarek] from comment #8)
> This is certainly puzzling! The full path to that file is
> C:\Users\wawa\AppData\Local\Temp\{9A887E1C-4078-4827-9A31-AAFC133F05EC}.xpi
Wondering if we can have this XPI.
|
|
||
Comment 12•10 years ago
|
||
FWIW, it's not really an XPI, it's a DLL file disguised as an XPI. Apparently the malware that distributes this file also sometimes calls it "plugin.exe" or "plugin-container.exe". The page I linked in comment 8 says the software is called "Nugget Find", but I could not find anywhere to download an installer. Various pages claim that it's installed as a drive-by packaged in other software's installers.
|
||
Comment 13•10 years ago
|
||
I don't see why this bug needs to be marked s-s.
If this weren't a topcrash, I'd recommend WONTFIX.
As a topcrash, we would take a DLL blocklist or an addon blocklist fix if that could be effective. If this is a random DLL name, though, we don't have enough for a blocklist.
Best bet might be to reach out and try to get this added to Windows Defender; I think Kev may have contacts for that. Mostly useful if there is an actual sample of the malware, though.
Flags: needinfo?(benjamin)
|
||
Updated•10 years ago
|
Group: dom-core-security
Whiteboard: [malware?]
|
|
||
Comment 14•10 years ago
|
||
(In reply to Benjamin Smedberg [:bsmedberg] from comment #13)
> Best bet might be to reach out and try to get this added to Windows
> Defender; I think Kev may have contacts for that. Mostly useful if there is
> an actual sample of the malware, though.
Kev, what say you?
Flags: needinfo?(kev)
|
|
||
Comment 15•9 years ago
|
||
This doesn't look like a top crasher anymore (but I could be mis-reading crash-stats). Ritu, should we continue to track it?
Flags: needinfo?(rkothari)
|
Reporter | |
Comment 16•9 years ago
|
||
Actually, I think this can be closed. Volume has basically dropped apart from a handful of crashes (3 in Beta over the last week). Attached is a visualization showing the curve for this crash over the last six months.
|
|
Reporter | |
Comment 17•9 years ago
|
||
I'm going to go ahead and close this as per my previous comment. Feel free to reopen if you think this bug needs further action.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME
(In reply to Andrew Overholt [:overholt] from comment #15)
> This doesn't look like a top crasher anymore (but I could be mis-reading
> crash-stats). Ritu, should we continue to track it?
Hi Andrew, yup, this crash is basically very low volume now. We hit it only 11 times in the past week and not on late 44 beta builds at all. With that I am willing to mark this as fixed.
Flags: needinfo?(rkothari)
|
||
Updated•9 years ago
|
Flags: needinfo?(kev)
|
Assignee | |
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•