crash in _chkstk | nsCookieService::GetEnumerator with OnetToolbar extension

RESOLVED FIXED

Severity: critical
3 years ago
2 years ago

Reporter: philipp
Assignee: Unassigned
Keywords: crash
Version: 44 Branch
Platform: x86, Windows NT
Firefox Tracking Flags: firefox44 affected, firefox47 affected, firefox-esr45 affected
(Reporter)

Description

3 years ago
This bug was filed from the Socorro interface and is report bp-2d4e1860-c7a4-43a3-8f3b-799102160127.
=============================================================
0 	xul.dll 	_chkstk 	f:/dd/vctools/crt/crtw32/startup/i386/chkstk.asm:99
1 	xul.dll 	nsCookieService::GetEnumerator(nsISimpleEnumerator**) 	netwerk/cookie/nsCookieService.cpp
2 	xul.dll 	NS_InvokeByIndex 	xpcom/reflect/xptcall/md/win32/xptcinvoke.cpp
3 	xul.dll 	XPCWrappedNative::GetAttribute(XPCCallContext&) 	js/xpconnect/src/xpcprivate.h
4 	xul.dll 	XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp
5 	xul.dll 	js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
6 	xul.dll 	nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::ShrinkCapacity<nsTArrayInfallibleAllocator>(unsigned int, unsigned int) 	xpcom/glue/nsTArray-inl.h
7 	xul.dll 	mozilla::dom::ElementBinding::setAttribute 	obj-firefox/dom/bindings/ElementBinding.cpp
8 	xul.dll 	XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp
9 	xul.dll 	js::TypeScript::Monitor(JSContext*, JSScript*, unsigned char*, JS::Value const&) 	js/src/vm/TypeInference-inl.h
10 	xul.dll 	nsAString_internal::Assign(wchar_t const*, unsigned int, mozilla::fallible_t const&) 	xpcom/string/nsTSubstring.cpp

this crash signature is noticeably increasing in 44 and due to it crashing at startup 2/3 of the time this is at #10 of the crash score board for 44.0 at the moment.

looking into reports manually (no correlation data available as of yet) they all seem to have the following amo listed addon installed:
OnetToolbar 1.0.23.1-signed https://addons.mozilla.org/firefox/addon/onet/

therefore particularly Polish user agents are affected:
1 	pl 	150 	69.12 %
2 	en-US 	43 	19.82 %
3 	fr 	13 	5.99 %
4 	en-GB 	4 	1.84 %
5 	ru 	3 	1.38 %

on a spot check i couldn't reproduce the issue by installing the addon myself, but it also didn't seem to work at all, based on what i was able to gather about its functionality from its description at amo.
(Reporter)

Comment 1

3 years ago
can we blocklist the extension under these circumstances?
Flags: needinfo?(jorge)
(Reporter)

Comment 2

3 years ago
now the correlation data is in:

  _chkstk | nsCookieService::GetEnumerator|EXCEPTION_STACK_OVERFLOW (64 crashes)
    100% (64/64) vs.   0% (66/30495) toolbar.addon@onet.pl

I sent a message to the developers. The add-on hasn't been updated in a couple of years, so it's possible that it's been abandoned. I'll give them some time to respond before making any decisions about this.
Flags: needinfo?(jorge)

The add-on is now marked as incompatible with Firefox 44 and above, so it should be disabled for anyone who currently has it installed. Please reopen if the crashes persist in the coming weeks.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED

This spiked recently in Firefox 46, it's #53 top crasher.

Manually inspecting some reports reveals that they have `toolbar.addon%40onet.pl:1.0.23.1-signed.1-signed` installed.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(Reporter)

Comment 6

2 years ago
it's a thousand crashes on release last week. it doesn't seem like marking the addon as incompatible helped.
Flags: needinfo?(jorge)

Most likely because we did a repackaging of all add-ons and that bumped up the maxVersion. I have extended the override to cover 1.*. Sorry about that.
Flags: needinfo?(jorge)

Please reopen if the crashes don't diminish.
Status: REOPENED → RESOLVED
Last Resolved: 3 years ago → 2 years ago
Resolution: --- → FIXED

Crash volume for signature '_chkstk | nsCookieService::GetEnumerator':
 - nightly (version 50): 0 crash from 2016-06-06.
 - aurora  (version 49): 0 crash from 2016-06-07.
 - beta    (version 48): 0 crash from 2016-06-06.
 - release (version 47): 2919 crashes from 2016-05-31.
 - esr     (version 45): 155 crashes from 2016-04-07.

Crash volume on the last weeks:
             Week N-1   Week N-2   Week N-3   Week N-4   Week N-5   Week N-6   Week N-7
 - nightly          0          0          0          0          0          0          0
 - aurora           0          0          0          0          0          0          0
 - beta             0          0          0          0          0          0          0
 - release        271        311        247        230        376       1020        386
 - esr             29          5         10         16         13         16         13

Affected platform: Windows
status-firefox47: --- → affected
status-firefox-esr45: --- → affected