519461 - Adding the Facebook app "Discover Your Friend Facts" crashes Firefox (flash)

Status: RESOLVED INCOMPLETE

(External Software Affecting Firefox Graveyard :: Flash (Adobe), defect)

Description

[reid]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Build Identifier: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3

I added the Facebook app "Discover Your Friend Facts" by clicking on a news story posted in a friend's feed. The app behaved a little strangely - Facebook confirmation boxes being auto-clicked, mostly - and when I got to the stage where it asked to post the result on my feed, I got an X error, system load climbed to 8-10, and then Firefox crashed with a core dump.

Reproducible: Always

Steps to Reproduce:
1. Log into Facebook.

2. Find a friend who's used the Discover Your Friend Facts app and posted the news story to his/her feed, and click on the Discover Your Friend Facts link in that story, -or-, perhaps just going to http://topzy.com/friendfacts/?ref=feed&ref=nf while logged into Facebook is sufficient.

3. Work through the app's wizard.

4. At the last step, when a feed story is offered, type in some stuff. I typed in: "While the graphs are pretty interesting, this app smells pretty sleazy, so I would not recommend it.\n\nI'm particularly amused by the political breakdown."

5. Click back in the text to edit it (I wanted to remove the first "pretty").

6. App auto-posts to your feed (this is against Facebook TOS btw).
Actual Results:  
Firefox prints on the conesole the following text and locks up:

The program 'firefox-bin' received an X Window System error.
This probably reflects a bug in the program.
The error was 'BadIDChoice (invalid resource ID chosen for this connection)'.
  (Details: serial 87290960 error_code 14 request_code 55 minor_code 0)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the --sync command line
   option to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)

System load goes pretty high (say 6-10) for several seconds, and then Firefox dumps core.

Expected Results:  
No X error, no excessive CPU use, no crash.

I have a core dump; it's 1.4GB. I'm leery of sending in such a large dump since that's my browsing history for the past N days.

I checked the "security" box. This may be wrong, but I figured that it would be better to check it and be wrong than vice versa.

Comment 1

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

Maybe duplicate of bug 458092, which is a bug in libxcb?  What distro are you using?

Comment 2

[reid]

Hmm, the backtrace is way different from bug 458092.

Furthermore, it seems to have crashed inside the Flash Player, which is odd since I have Flashblock installed and there's only two whitelisted sites, neither of which have anything to do with Facebook.

I suppose this is a good lesson in not clicking on questionable Facebook apps.... sigh.

Given the backtrace, is this still a FF bug?

Thanks for your help.

#0  0xf7f5f9a0 in pthread_mutex_lock () from /lib/i686/cmov/libpthread.so.0
(gdb) bt
#0  0xf7f5f9a0 in pthread_mutex_lock () from /lib/i686/cmov/libpthread.so.0
#1  0xb3a387f8 in ?? ()
   from /usr/local/src/flash_player_10_linux_dev_10.0.32.18/plugin/debugger/libflashplayer.so
#2  0xb3a38a82 in ?? ()
   from /usr/local/src/flash_player_10_linux_dev_10.0.32.18/plugin/debugger/libflashplayer.so
#3  0xb3a38b11 in ?? ()
   from /usr/local/src/flash_player_10_linux_dev_10.0.32.18/plugin/debugger/libflashplayer.so
#4  0xb38b071d in ?? ()
   from /usr/local/src/flash_player_10_linux_dev_10.0.32.18/plugin/debugger/libflashplayer.so
#5  0xf7f5e4c0 in start_thread () from /lib/i686/cmov/libpthread.so.0
#6  0xf67886de in clone () from /lib/i686/cmov/libc.so.6

Comment 3

[Daniel Veditz [:dveditz]]

From the stack this does not appear to be a Firefox bug. Don't know if it's a potential security problem or not so we can leave the bug hidden.

Charles: is this a known Flash issue?

Comment 4

[Charles]

don't know anything about this but lets keep it hidden and see if more information comes in.

Comment 5

[chris hofmann]

seems like there might be two things to explore to get more data.

try to make the crash happen with a breakpad enabled build so we can see what the signature looks like to compare to others.

and

get some discussion going on the facebook crash finding group(s) to see if other see the problem.

Comment 6

[chris hofmann]

there is a signature and bug for pthread_mutex_lock crashes but that is all mac and the stacks in that case seem all over the place.  some times with flash on the stack and sometimes not.

http://crash-stats.mozilla.com/report/list?product=Firefox&query_search=signature&query_type=contains&query=pthread_mutex_lock&date=&range_value=1&range_unit=weeks&do_query=1&signature=pthread_mutex_lock

Signature  	        # 	Win  	Mac  	Lin  	Bugzilla Ids
pthread_mutex_lock 	166 	0 	166 	0 	bug 452318 ,More

Comment 7

[Charles]

I ran a quick test and I am not even sure this is a Flash Application.  I was UTR during my testing and not once detected a SWF.

Comment 8

[Daniel Veditz [:dveditz]]

I don't think this bug is going anywhere useful as a Mozilla security bug. I'll leave it hidden though until Adobe says it's not revealing any risks to their users.

Comment 9

[BMO Automation]

Version and milestone values are being reset to defaults as part of product refactoring.