Closed
Bug 1373601
Opened 7 years ago
Closed 3 years ago
Crash in nsINode::GetParent with Avira Browser Safety extension
Categories
(Core :: Layout, defect, P3)
Tracking
()
RESOLVED
WORKSFORME
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox54 | + | wontfix |
firefox55 | --- | wontfix |
firefox56 | --- | wontfix |
firefox57 | --- | fix-optional |
People
(Reporter: philipp, Unassigned)
References
Details
(4 keywords)
Crash Data
This bug was filed from the Socorro interface and is report bp-1eb9f2ae-96ab-4350-a143-559540170616. ============================================================= Crashing Thread (0) Frame Module Signature Source 0 xul.dll nsINode::GetParent() obj-firefox/dist/include/nsINode.h:919 1 xul.dll InvalidateCanvasIfNeeded layout/base/nsCSSFrameConstructor.cpp:8697 2 xul.dll nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsIContent*, nsILayoutHistoryState*, bool, TreeMatchContext*) layout/base/nsCSSFrameConstructor.cpp:8183 3 xul.dll nsCSSFrameConstructor::ContentInserted(nsIContent*, nsIContent*, nsILayoutHistoryState*, bool) layout/base/nsCSSFrameConstructor.cpp:7722 4 xul.dll nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, bool, nsCSSFrameConstructor::RemoveFlags, nsIContent**) layout/base/nsCSSFrameConstructor.cpp:9829 5 xul.dll mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) layout/base/RestyleManager.cpp:1516 6 xul.dll mozilla::GeckoRestyleManager::ComputeAndProcessStyleChange(nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) layout/base/GeckoRestyleManager.cpp:3486 7 xul.dll nsTArray_Impl<unsigned int, nsTArrayInfallibleAllocator>::AppendElement<unsigned int, nsTArrayInfallibleAllocator>(unsigned int&&) obj-firefox/dist/include/nsTArray.h:2128 8 xul.dll nsCSSFrameConstructor::MaybeRecreateFramesForElement(mozilla::dom::Element*) layout/base/nsCSSFrameConstructor.cpp:9434 crash reports with this signature are spiking up in the last couple of days: https://crash-stats.mozilla.com/signature/?product=Firefox&signature=nsINode%3A%3AGetParent&date=>%3D2016-12-16T09%3A34%3A59.000Z#graphs these are all from 32bit versions on windows with the Avira Browser Safety addon (abs@avira.com, 2.4.1.16401) installed. it's a product from a german company so de builds are unproportionally affected. Correlations for Firefox Release (100.0% in signature vs 00.58% overall) address = 0x18 (100.0% in signature vs 01.12% overall) Addon "Avira Browser Safety" = true (89.19% in signature vs 08.61% overall) useragent_locale = de [100.0% vs 06.66% if process_type = null] at this point i'm unsure if it's something in 54 that triggered this spike or an update of the addon. if it's something on our part, timing-wise it would have most likely been a patch landing between 54.0b12 and b13: https://hg.mozilla.org/releases/mozilla-beta/pushloghtml?fromchange=FIREFOX_54_0b12_RELEASE&tochange=FIREFOX_54_0b13_RELEASE
Updated•7 years ago
|
Component: Untriaged → Layout
Comment 1•7 years ago
|
||
For now, this is #15 top crasher in Firefox 54. Could you take a look?
Comment 2•7 years ago
|
||
Hmm, aEndChild is not a sibling of aStartChild? That seems weird. I guess we could wallpaper this with a null-check if needed to stop the crashes. It'd be nice to figure out why this is happening though...
Comment 3•7 years ago
|
||
I opened up the addon.xpi [1] from avira.com and found that it was last updated on June 1. I think it's more likely that a change in the addon is interacting with Firefox in a weird way (likely still our bug though.) Note the latest version online at avira.com is is 2.4.0.16391, not 2.4.1.16401 as listed here. I'm not sure if the vendor rolled back to an earlier version? [1] http://package.avira.com/package/abs/firefox/abs-webext.xpi
Comment 4•7 years ago
|
||
(In reply to Jet Villegas (:jet) from comment #3) > Note the latest version online at avira.com is is 2.4.0.16391, not > 2.4.1.16401 as listed here. Correction: the manifest inside the XPI does identify itself as 2.4.1.16401
Comment 5•7 years ago
|
||
> Hmm, aEndChild is not a sibling of aStartChild? That seems weird. Indeed. Specifically, we are coming from nsCSSFrameConstructor::ContentInserted which passes aChild and aChild->GetNextSibling() respectively to ContentRangeInserted. See https://hg.mozilla.org/releases/mozilla-release/annotate/e832ed037a3c/layout/base/nsCSSFrameConstructor.cpp#l7722 linked from the stack there. So the most likely explanation is that something between when ContentRangeInserted was called and the line where we call InvalidateCanvasIfNeeded mutated the DOM. That's not supposed to happen. We do dispatch all sorts of internal notifications here, and if this extensions involves binary code it could be doing something like that. But I thought we no longer allowed binary code in extensions? Has anyone tried reproducing this locally so far?
Flags: needinfo?(bzbarsky)
Comment 6•7 years ago
|
||
Interestingly a lot of reports have both Avira Browser Safety and AdBlock Plus: (98.44% in signature vs 01.39% overall) Addon "Avira Browser Safety" = true (95.31% in signature vs 19.53% overall) Addon "Adblock Plus" = true
Comment 8•7 years ago
|
||
Hi Florin, Do you think QE can help reproduce the issue?
Flags: needinfo?(florin.mezei)
Comment 9•7 years ago
|
||
I'll add this to the list of bugs to investigate. We'll see who has bandwidth to look into this. Keeping the needinfo until we have an answer.
Comment 10•7 years ago
|
||
I tried to reproduce the crash on Win 10 x32 using Fx 54.0 Build ID: 20170608105825 with "Avira Browser Safety Add-on" enabled with no luck. Unable to reproduce the issue with multiple add-on installed including AdBlock Plus or by following the users steps from the crash report comments section.
Updated•7 years ago
|
Flags: needinfo?(florin.mezei)
Comment 11•7 years ago
|
||
One of comments in a crash report says:
> Cada vez que abro esta pagina web (www.pordede.es) da estos problemas.
(Every time I open this web page I get this problem: www.pordede.es (but that site doesn't seem to exist... :/)
Comment 12•7 years ago
|
||
Marco, do we have contacts at Avira? Have you contacted them around this problem? Gabi, what version of the addon were you using? We're not sure if perhaps Avira has rolled out a new version of the addon that doesn't trigger this problem. We also have one crash in 55, so marking as such.
Comment 13•7 years ago
|
||
(In reply to Nathan Froyd [:froydnj] from comment #12) > Marco, do we have contacts at Avira? Have you contacted them around this > problem? Yes, I've sent them an email last week, but they haven't replied yet.
Flags: needinfo?(mcastelluccio)
Comment 14•7 years ago
|
||
Hi there I'm Markus from the Avira extensions team. We released version 2.4.1.16401 on June 6th. I also tried to reproduce this issue with 54.0 (32-bit) but no luck so far. Is there more information about the context this would happen in?
Comment 15•7 years ago
|
||
(In reply to Nathan Froyd [:froydnj] from comment #12) > Marco, do we have contacts at Avira? Have you contacted them around this > problem? > > Gabi, what version of the addon were you using? We're not sure if perhaps > Avira has rolled out a new version of the addon that doesn't trigger this > problem. > > We also have one crash in 55, so marking as such. Nathan, Avira Browser Safety 2.4.1.16401: https://www.avira.com/en/avira-browser-safety
Updated•7 years ago
|
Flags: needinfo?(gasofie)
Comment 16•7 years ago
|
||
Doesn't sound like we can reproduce this (yet). Philipp tried for a couple of hours (with de locale set). If the crash rate gets much worse, we can try to investigate again.
Comment 17•7 years ago
|
||
Markus, have you tried installing AdBlock Plus alongside your extension? It seems like most users that are crashing have both extensions installed. I also noticed a lot of users are crashing on video-playing websites. Other than the "usual ones", I see a lot of vivo.sx URLs (e.g. https://vivo.sx/f353008d3c), a lot of filmpalast.to (e.g. http://filmpalast.to/movies/view/transformers-5-the-last-knight).
Flags: needinfo?(markus.hartung)
Comment 18•7 years ago
|
||
We did try this, we also tried two tested two extensions which redirect the same request to two different data urls, so far we haven't been able to reproduce any crashes. I also tested specifically the pages you mentioned.
Flags: needinfo?(markus.hartung)
Reporter | ||
Comment 19•7 years ago
|
||
the crash signature [@ nsIFrame::SetStyleContext] has a fairly striking correlation to avira & adblock and is rising with firefox 54 too.
See Also: → 1343287
Comment 20•7 years ago
|
||
Is where a way to determine which API calls might be causing this, is it more likely to relate to the webRequest API or more like have something to do with content scripts injecting elements or styles?
Comment 21•7 years ago
|
||
Several users are mentioning opening a new tab with Ctrl+Click and containers (https://testpilot.firefox.com/experiments/containers/). (In reply to Markus Hartung from comment #20) > Is where a way to determine which API calls might be causing this, is it > more likely to relate to the webRequest API or more like have something to > do with content scripts injecting elements or styles? I think it's more likely to have something to do with injected elements/styles.
Comment 22•7 years ago
|
||
Are there similar issues experienced with the Adguard extension?
Comment 24•7 years ago
|
||
(In reply to Markus Hartung from comment #22) > Are there similar issues experienced with the Adguard extension? I don't see anything similar for users with the Adguard extension: https://crash-stats.mozilla.com/search/?addons=~adguardadblocker%40adguard.com&product=Firefox&date=%3E%3D2017-07-13T22%3A03%3A00.000Z&date=%3C2017-07-20T22%3A03%3A00.000Z&_sort=-date&_facets=signature&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-signature
Crash Signature: [@ nsINode::GetParent] → [@ nsINode::GetParent]
[@ nsIFrame::SetStyleContext]
Comment 25•7 years ago
|
||
Marking 'fix-optional' for 57. The few crash reports I saw on Firefox 57 appear to use the Gecko (not Stylo) style system.
Updated•7 years ago
|
Priority: -- → P3
Updated•7 years ago
|
Comment 26•3 years ago
|
||
Closing because no crashes reported for 12 weeks.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•