Closed Bug 521748 Opened 11 years ago Closed 7 years ago

threadsafety problems in RelevantKnowledge ("*xg.dll") extension causing Firefox 3.5.* crashes

Categories

(Toolkit :: Blocklist Policy Requests, defect, P2)

x86
Windows XP
defect

RESOLVED WONTFIX

People

(Reporter: dbaron, Unassigned)

Details

(Keywords: crash, Whiteboard: [crashkill][crashkill-thirdparty])

Attachments

(1 file)

The RelevantKnowledge extension is a user tracking (spyware?) extension that is causing crashes in Firefox 3.5.*; I'm filing this bug to track the problems with this extension.

Their homepage is http://www.relevantknowledge.com/ . I found some additional information at http://www.truste.com/blog/?p=36 (which says it's affiliated with comScore) and http://www.ghacks.net/2009/05/18/about-relevant-knowledge/ and I found a download containing it at http://www.kcsoftwares.com/index.php?download .


This extension appears to be responsible for a portion of the Firefox topcrashes at the following signatures:

  nsCycleCollectingAutoRefCnt::decr(nsISupports*)
  nsGlobalWindow::cycleCollection::UnmarkPurple(nsISupports*)
  nsEventListenerManager::Release()
  KiFastSystemCallRet (pure virtual function call)
  nsPresContext::Release()
  nsGlobalChromeWindow::Release()
  nsHTMLDocument::Release()
  nsJSContext::Release()
  nsCOMPtr_base::assign_from_qi(nsQueryInterface, nsID const&)
  nsGlobalWindow::Release()
  nsDOMEvent::Release()
  nsArray::Release()
  nsXULDocument::Release()
  nsTextNode::Release()
  JS_ResumeRequest
  nsCycleCollectingAutoRefCnt::unmarkPurple()
  nsNodeInfo::Release()
  etc.


The problem with the extension is that it accesses main-thread-only objects on other threads.  This is easy for the developers of the extension to detect if they compile a debug build of Firefox and test the extension in that debug build:  then they will see assertion dialogs whenever they violate the threadsafety invariants (with an option to drop into the debugger).  We should contact them somehow so they can fix the extension; we may also want to consider blocklisting.
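
The kind of owning-thread check comment 0 refers to, as an added example that is not part of the bug report and is not Mozilla code: an object remembers the thread that created it and flags AddRef/Release calls made from any other thread. The names MainThreadOnly and CountViolations are hypothetical, and the violation is counted instead of raising an assertion dialog.

```cpp
// Added illustration; MainThreadOnly and CountViolations are hypothetical
// names, not Mozilla code.
#include <atomic>
#include <cstdio>
#include <thread>

class MainThreadOnly {
public:
    MainThreadOnly() : mOwner(std::this_thread::get_id()) {}

    int AddRef()  { CheckOwningThread("AddRef");  return ++mRefCnt; }
    int Release() { CheckOwningThread("Release"); return --mRefCnt; }
    int Violations() const { return mViolations.load(); }

private:
    // A debug build would stop with an assertion here; this example counts
    // the violation so the caller can inspect the result.
    void CheckOwningThread(const char* method) {
        if (std::this_thread::get_id() != mOwner) {
            ++mViolations;
            std::fprintf(stderr, "ASSERTION: %s called off the owning thread\n", method);
        }
    }

    const std::thread::id mOwner;     // thread that constructed the object
    int mRefCnt = 0;                  // non-atomic: only safe on the owning thread
    std::atomic<int> mViolations{0};
};

// Runs `pairs` AddRef/Release pairs, on a second thread when offThread is true,
// and returns how many calls broke the owning-thread invariant.
int CountViolations(bool offThread, int pairs) {
    MainThreadOnly obj;
    auto use = [&obj, pairs] {
        for (int i = 0; i < pairs; ++i) { obj.AddRef(); obj.Release(); }
    };
    if (offThread) {
        std::thread worker(use);
        worker.join();
    } else {
        use();
    }
    return obj.Violations();
}

int main() {
    std::printf("owning thread: %d violations\n", CountViolations(false, 3));
    std::printf("other thread:  %d violations\n", CountViolations(true, 3));
    return 0;
}
```
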
(In reply to comment #0)
> The problem with the extension is that it accesses main-thread-only objects on
> other threads.  This is easy for the developers of the extension to detect if
> they compile a debug build of Firefox and test the extension in that debug
> build:  then they will see assertion dialogs whenever they violate the
> threadsafety invariants (with an option to drop into the debugger).  We should
> contact them somehow so they can fix the extension; we may also want to
> consider blocklisting.

Instructions for doing this are at:
https://developer.mozilla.org/En/Simple_Firefox_build
https://developer.mozilla.org/en/Windows_Build_Prerequisites
They probably want to do a build from the 1.9.1 release branch (which
corresponds to Firefox 3.5); that's pulled from the hg repository at
http://hg.mozilla.org/releases/mozilla-1.9.1/

The key is that they want to do a build with --enable-debug and
--disable-optimize, which means adding these two lines:
ac_add_options --disable-optimize
ac_add_options --enable-debug
when creating the "mozconfig" file as instructed in the first link above.
Depends on: 525974
we should probably work on changing the service manager to rely on classinfo before it gives out objects on non main threads. i could look into doing this in a few weeks (we're @tpac right now and have other things to do...). although this shouldn't really be done in a bug where i presume your goal is blocking an evil library,
Just talked with Yvonne Bigbee at comScore.  Their engineering team is investigating and they indicated it was a top priority for them.
Whiteboard: [crashkill][crashkill-thirdparty]
In the correlation data RelevantKnowledge is showing up in a large number of crash signatures. I tried installing it and on first try my debug build crashed on shutdown in NSPR socket code. rlls.dll was on the stack, a number of sites mark it as a spyware dll related to RelevantKnowledge.
I think I actually didn't have an addon installed, just the general RelevantKnowledge applications/dlls (which I got through http://www.kcsoftwares.com/index.php?download). Not really sure where we could get the addon itself.
I have the addon too now, it comes from PermissionResearch (www.permissionresearch.com, but also ComScore). There's a ton of threadsafety assertions (accessing nsWindowMediator, nsDocument, nsGlobalWindow, ... from a non-main thread). Also crashes my trunk Firefox on shutdown in one of their dlls (prxg.dll) accessing a null pointer. They also seem to use accessibility APIs and LSPs.
(In reply to comment #3)
> we should probably work on changing the service manager to rely on classinfo
> before it gives out objects on non main threads.

I tried that, but it doesn't actually help in this case. The first service they get is the windows mediator which doesn't have classinfo. From there they get all the DOM objects. We could maybe also add classinfo to windows mediator.
(In reply to comment #4)
> Just talked with Yvonne Bigbee at comScore.  Their engineering team is
> investigating and they indicated it was a top priority for them.

Damon, did we hear anything back?

I tried fixing this on our side by refusing to hand out the windows mediator when not on the main thread; that crashes in their dll, probably because they don't even null-check the value they get back. I think we should consider blocklisting this addon.
I'm going to turn this into a blocklisting bug. We've reached out to ComScore and sent them technical details of all the problems we were seeing with the extension. They were going to look into fixing it, but that was two months ago and this is still correlated to a number of crashes on 3.0, 3.5 and 3.6 (for example two top-10 crashes on 3.6 correlated to this extension).

Here's the info from the extension's install.rdf:

  <em:id>{6E19037A-12E3-4295-8915-ED48BC341614}</em:id>
  <em:version>1.3</em:version>

The crash reports only contain that one version (1.3), not sure if there are others.
Assignee: dbaron → nobody
Component: Extension Compatibility → Blocklisting
Product: Firefox → addons.mozilla.org
QA Contact: extension.compatibility → blocklisting
Version: 3.5 Branch → unspecified
(In reply to comment #10)
>           <em:id>{6E19037A-12E3-4295-8915-ED48BC341614}</em:id>
>           <em:version>1.3</em:version>

I agree that this looks sufficient.  From adding up numbers in the modules and addons correlation reports, it looks like this extension ID and version covers both rlxg.dll and pmxg.dll, which is what we want.
ComScore is deploying a new version, we'll have to see if it fixes the problems. However, it looks like they didn't update the addon's version so we'll probably have to resort to module blocklisting to block the older versions.
Can we blocklist now that there's a new version?  This is a not-infrequent cause of user crashes (even if the crash reporter doesn't link to this bug)
This is a mass change. Every comment has "assigned-to-new" in it.

I didn't look through the bugs, so I'm sorry if I change a bug which shouldn't be changed. But I guess these bugs are just bugs that were once assigned and people forgot to change the Status back when unassigning.
Status: ASSIGNED → NEW
Keywords: topcrash
RelevantKnowledge is a research software installed with the user's permission. RelevantKnowledge is part of an online market research community with over 2 million members worldwide. By participating in periodic surveys, users can receive free select software sponsored by RelevantKnowledge. If a user decides to uninstall the program for any reason, they can do so through control panel. We provide instruction for uninstalling RelevantKnowledge in the FAQ section of our website: http://www.relevantknowledge.com/faq.aspx. If you have any questions, feel free to contact us at https://www.relevantknowledge.com/supportform.aspx Thank you, Relevant Knowledge Support Team
Closing old blocklist bugs. Please reopen if the problem still exists.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
Product: addons.mozilla.org → Toolkit