Block old versions of RoboForm Toolbar for Firefox (pre 7.9.21)

RESOLVED FIXED

Status

()

Toolkit
Blocklisting
RESOLVED FIXED
a year ago
a year ago

People

(Reporter: marco, Unassigned)

Tracking

Trunk
Points:
---

Firefox Tracking Flags

(firefox51 affected)

Details

Attachments

(1 attachment)

(Reporter)

Description

a year ago
Extension name: RoboForm Toolbar for Firefox
Extension UUID: {22119944-ED35-4ab1-910B-E619EA06A115}
Extension versions to block: <= 7.9.18
Applications, versions, and platforms affected: Firefox 48 and later on Windows
Block severity: tbd

Homepage, AMO listing, other references and contact info: vm@roboform.com

Reasons: old versions of RoboForm Toolbar for Firefox cause an increase in crashes with the signature JS::Heap<T>::~Heap<T> (currently #34)

RoboForm agreed to be blocklisted, in bug 1261015.
The last version signed for {22119944-ED35-4ab1-910B-E619EA06A115} is 7.9.18 so we'd be blocking all versions - there is no 7.9.20 under {22119944-ED35-4ab1-910B-E619EA06A115}.  I'll ask in bug 1261015
Is it still worth blocking this?  From bug 1261015 it seems the issue is in the dll so blocking arbitrary versions of the addon won't help.  If we are still to proceed, please clarify what max version to block - 7.9.18 would block all versions.
(Reporter)

Comment 3

a year ago
The answers from the developer are a bit misleading, he said we could block versions <= 7.9.18, but didn't say that 7.9.20 hadn't been published yet...
he said that, but he was talking about versions of the dll, not the add-on in https://bugzilla.mozilla.org/show_bug.cgi?id=1261015#c21.
(Reporter)

Comment 5

a year ago
Looks like 7.9.21 contains a fix for the crash. Was it signed?
Flags: needinfo?(awilliamson)
Summary: Block old versions of RoboForm Toolbar for Firefox (pre 7.9.18) → Block old versions of RoboForm Toolbar for Firefox (pre 7.9.21)
Yes. I see versions 7.9.21 and 7.9.21.1, both signed.
Flags: needinfo?(awilliamson)
(Reporter)

Comment 7

a year ago
(In reply to Jorge Villalobos [:jorgev] from comment #6)
> Yes. I see versions 7.9.21 and 7.9.21.1, both signed.

OK, then given bug 1261015 comment 31 and following, I think we can assume that the crash is fixed in 7.9.21 and we can block the extension if the version is < 7.9.21.

Let's wait a few more days for confirmation. Needinfoing me to check this again in a few days (this URL is useful https://crash-analysis.mozilla.com/rkaiser/datil/searchcompare/?common=product%3DFirefox&p1=addons%3D%7E7.9.18&p2=addons%3D%7E7.9.21).

For future reference, is there a way for me to check whether an extension is signed without nagging you?
Flags: needinfo?(mcastelluccio)
(Reporter)

Comment 8

a year ago
Interesting as well, the crashes with addon version 7.9.21 (there are too few crashes for now to tell that the JS::Heap one is totally gone): https://crash-stats.mozilla.com/search/?product=Firefox&addons=~7.9.21&_sort=-date&_facets=signature&_facets=addons&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-signature.
(In reply to Marco Castelluccio [:marco] from comment #7)
> For future reference, is there a way for me to check whether an extension is
> signed without nagging you?

No, at the moment it's a bit of a hassle to find unlisted add-ons, even when you're an admin. When we have a better admin dashboard it may be possible to give more people access.
(Reporter)

Comment 10

a year ago
We have more reports now, and there are no crashes with the signature from bug 1261015, so I think the bug is actually fixed in 7.9.21.

Can we block < 7.9.21?
Flags: needinfo?(mcastelluccio) → needinfo?(awilliamson)
blocked 
https://addons.mozilla.org/en-US/firefox/blocked/i1267
Flags: needinfo?(awilliamson)
Had to re-use https://addons.mozilla.org/en-US/admin/models/blocklist/blocklistdetail/45/ instead
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → FIXED

Comment 13

a year ago
I am confused about this add-on block (https://addons.mozilla.org/en-US/firefox/blocked/i45). Have any of you actually tested Roboform 7.9.21 with Firefox 48.0.2? I ask because I recently had to reinstall the previous version of Roboform in order to regain usability with Firefox.

I have tried Roboform 7.9.21 and Firefox 48.0.2 on three different Windows PC’s (Win7 & 8.1) and even created a new, vanilla Win7x64 VM with only Firefox 48.0.2 and Roboform 7.9.21. The RF add-on does not work on any of those installs. The RF toolbar and all buttons are visible but nothing happens when you click on any of the buttons.

After encountering this issue, I re-installed the previous version of RF and all was working fine for a few days until this morning. This morning I get the warning that all versions of RF prior to 7.9.21 are blocked!

So I’m confused as to why all previous versions are blocked when they do in fact work (I’ve never encountered a crash) and version 7.9.21 is not blocked even though it does not work, at all.
(Reporter)

Comment 14

a year ago
Created attachment 8787923 [details]
JS::Heap<T>::~Heap<T> crash reports graph

(In reply to Jeff from comment #13)
> So I’m confused as to why all previous versions are blocked when they do in
> fact work (I’ve never encountered a crash) and version 7.9.21 is not blocked
> even though it does not work, at all.

The Roboform developers have fixed a crash in 7.9.21. Most crashes are not reproducible
by *everyone*, this would explain why you have never encountered it, but the crash
was indeed there (otherwise we wouldn't have so many people, more than 200 per day,
reporting it!).
If you're curious, here's the graph of the crash reports for one of the crashes caused by
Roboform (there are more than one fixed in 7.9.21). You can clearly see how the number of
reported crashes was reduced drastically after the deployment of the block.

As to why 7.9.21 doesn't work for you, I'm not sure. We haven't tested it directly because
it's Roboform who develops it, but we do have reports of users successfully using it.
You can use the Roboform support system to report your issue (https://www.roboform.com/php/rtss/main/).
You need to log in before you can comment on or make changes to this bug.