Closed Bug 1348797 Opened 7 years ago Closed 7 years ago

Crash in <T>::operator() | mozilla::intl::LocaleService::NegotiateLanguages

Categories: Core :: Internationalization, defect
Platform: Unspecified / Windows 10
Priority: Not set
Severity: critical

Tracking

Status: RESOLVED FIXED
Target Milestone: mozilla55
Tracking Status
firefox-esr45 --- unaffected
firefox52 --- unaffected
firefox-esr52 --- unaffected
firefox53 --- unaffected
firefox54 --- unaffected
firefox55 --- fixed

People

Reporter: marcia, Assigned: zbraniecki

Details

Keywords: crash

Attachments (1 file)

This bug was filed from the Socorro interface and is report bp-471a55bc-84a6-4aec-bbd0-022d82170314.
=============================================================

Seen while looking at nightly crash stats. This crash started in 20170308030207: http://bit.ly/2nVEXz2.

Bug 1337694 touched code in this area. ni on gandalf.
Flags: needinfo?(gandalf)
Wow.
My first crash!

I'll investigate as I think I know what might be causing it, but...

:marcia, is it normal that we get crashes from functions that are not used by anyone anywhere? Like, those calls have no extensions and there's nothing except for 2 tests in mozilla-central that would call it.
Flags: needinfo?(gandalf) → needinfo?(mozillamarcia.knous)
(In reply to Zibi Braniecki [:gandalf][:zibi] from comment #1)
> Wow.
> My first crash!
> 
> I'll investigate as I think I know what might be causing it, but...
> 
> :marcia, is it normal that we get crashes from functions that are not used
> by anyone anywhere? Like, those calls have no extensions and there's nothing
> except for 2 tests in mozilla-central that would call it.

Not sure about what is "normal" in crash stats. Sometimes you have to look further down in the stack to see what is really going on. In this case, we have 16 crashes total, but only 5 installs have hit it, so not very widespread by any means. I would ask someone in Engineering if you want a better answer, as I cannot really interpret much about what is going on.
Flags: needinfo?(mozillamarcia.knous)
> In this case, we have 16 crashes total, but only 5 installs have hit it

From what I can read, none of those crashes have any extensions, and since no code in Gecko calls this method (yet, I just added it!), I'm wondering how it is possible that someone triggered the crash, unless it's someone fuzzing or looking for crashers.

I'd like to NI someone who might know more about how we get crash reports for code that is not called from Gecko. Do you know who I should NI?
Flags: needinfo?(mozillamarcia.knous)
I'll close this bug for now, because I'm adding STR to crash Firefox. If it doesn't require a security flag, feel free to remove it.

STR:

1) Launch Firefox
2) Open browser console
3) Type: `Services.locale.negotiateLanguages([null],[]);` or `Services.locale.negotiateLanguages([undefined],[]);`

AR:
crash

ER:
Exception thrown
Assignee: nobody → gandalf
Group: core-security
Status: NEW → ASSIGNED
Has Regression Range: --- → yes
Has STR: --- → yes
Attached patch nego-crash.diff (Splinter Review)
This fixes the crash by adding a null-check, but I still would like to use the opportunity to try to understand how it is possible that 16 people triggered an unused method in a very unusual way.
Attachment #8849195 - Flags: review?(jfkthame)
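The STR above pass `[null]` or `[undefined]` as the requested-locale list, which reaches the native negotiation code as a null entry. The following is an added example, not the attached patch or Gecko's own LocaleService code: a simplified, exact-match negotiation in the shape of NegotiateLanguages, where a null element in either list is rejected up front (surfacing to JS as a thrown exception, the expected result) instead of being dereferenced inside the matching lambda. `NegotiationStatus`, `NegotiationResult` and `negotiateLanguages` are hypothetical names.

```cpp
// Added example (not the patch from this bug): a simplified locale negotiation
// mirroring the shape of LocaleService::NegotiateLanguages, with the input
// validation that turns a null entry into an error instead of a crash.
// NegotiationStatus, NegotiationResult and negotiateLanguages are hypothetical.
#include <algorithm>
#include <cstring>
#include <string>
#include <vector>

enum class NegotiationStatus { Ok, InvalidArg };

struct NegotiationResult {
    NegotiationStatus status;
    std::vector<std::string> matched;
};

// Requested/available arrive as arrays of C strings, the way a native caller
// hands them over; a JS caller passing [null] yields a nullptr entry.
NegotiationResult negotiateLanguages(const std::vector<const char*>& requested,
                                     const std::vector<const char*>& available) {
    NegotiationResult result{NegotiationStatus::Ok, {}};

    // The null-check: reject any null element before matching starts. Without
    // it, the lambda below would call strcmp on a null pointer and crash
    // (the "<T>::operator()" frame in the crash signature).
    auto hasNull = [](const std::vector<const char*>& v) {
        return std::any_of(v.begin(), v.end(),
                           [](const char* s) { return s == nullptr; });
    };
    if (hasNull(requested) || hasNull(available)) {
        result.status = NegotiationStatus::InvalidArg;  // becomes a JS exception
        return result;
    }

    // Exact-match negotiation: keep each requested locale that is available,
    // in the caller's preference order, without duplicates.
    for (const char* req : requested) {
        auto match = [req](const char* avail) { return std::strcmp(req, avail) == 0; };
        bool isAvailable = std::any_of(available.begin(), available.end(), match);
        bool alreadyTaken = std::find(result.matched.begin(), result.matched.end(),
                                      std::string(req)) != result.matched.end();
        if (isAvailable && !alreadyTaken) {
            result.matched.emplace_back(req);
        }
    }
    return result;
}
```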
This seems... puzzling. Marcia, is it possible that crash reports are getting incorrect buildid information?

NegotiateLanguages was introduced by bug 1337694 in https://hg.mozilla.org/mozilla-central/rev/120c713a857f, which was pushed to autoland in the evening (GMT) of 2017-03-08, and merged to central early on 2017-03-09 (again, GMT).

But the report in bp-471a55bc-84a6-4aec-bbd0-022d82170314 claims to be for buildid 20170308030207, which even allowing for California time vs GMT, should have been created before that patch landed, and so NegotiateLanguages didn't even exist in the codebase. https://archive.mozilla.org/pub/firefox/nightly/2017/03/2017-03-08-03-02-07-mozilla-central/firefox-55.0a1.en-US.win32.txt says it is built from rev 58753259bfeb, which predates the landing of bug 1337694.

The source links in that crash report, however, go to rev c40ca7a1bdd9, which corresponds to the following day's Nightly build (with buildid 20170309030216), according to https://archive.mozilla.org/pub/firefox/nightly/2017/03/2017-03-09-03-02-16-mozilla-central/firefox-55.0a1.en-US.win32.txt.

So AFAICS the buildid in the crash report must be wrong. Or am I just totally confused?

(In reply to Zibi Braniecki [:gandalf][:zibi] from comment #5)
> Created attachment 8849195 [details] [diff] [review]
> nego-crash.diff
> 
> This fixes the crash by adding a null-check, but I still would like to use
> the opportunity to try to understand how it is possible that 16 people
> triggered an unused method in a very unusual way.

Nearer 6 than 16 people, I think (perhaps even fewer than that); it looks like there are multiple reports from a few installations, rather than all being independent.

I suspect someone (perhaps even within mozilla? but I don't know...) has fuzzing tools that automatically enumerate the methods available on an object and try calling them with a variety of "random" inputs, so it's not too surprising they'd end up passing [undefined] or similar in various places.
Attachment #8849195 - Flags: review?(jfkthame) → review+
Target Milestone: --- → mozilla55
Flags: needinfo?(mozillamarcia.knous)
Group: core-security → core-security-release
Group: core-security-release