Closed
Bug 803963
Opened 12 years ago
Closed 12 years ago
crash in nsContentList::ContentAppended with Ask Toolbar bundled with Avira Antivirus
Categories
(Firefox :: Extension Compatibility, defect)
Tracking
()
People
(Reporter: scoobidiver, Unassigned)
Details
(Keywords: crash, reproducible, topcrash, Whiteboard: [fixed in Ask Toolbar 3.17.2])
Crash Data
Attachments
(1 file)
15.71 KB,
text/plain
|
Details |
It's #40 top browser crasher (#28 w/o hangs) in 16.0.1 and #90 in 17.0b1.
It's correlated to Avira and Ask Toolbar embbedded with Avira:
99% (198/200) vs. 3% (3948/122954) toolbar@ask.com
97% (194/200) vs. 2% (2926/122954) avsda.dll
Signature nsContentList::ContentAppended(nsIDocument*, nsIContent*, nsIContent*, int) More Reports Search
UUID 4c497a83-b33d-4fcb-819d-054d52121018
Date Processed 2012-10-18 01:04:07
Uptime 18
Last Crash 23 seconds before submission
Install Age 3.4 days since version was first installed.
Install Time 2012-10-14 15:10:32
Product Firefox
Version 16.0.1
Build ID 20121010144125
Release Channel release
OS Windows NT
OS Version 6.1.7601 Service Pack 1
Build Architecture x86
Build Architecture Info GenuineIntel family 6 model 37 stepping 5
Crash Reason EXCEPTION_ACCESS_VIOLATION_READ
Crash Address 0x1c
User Comments I clicked on a page on Comicbookmovie.com and the site crashed several times.
App Notes
AdapterVendorID: 0x10de, AdapterDeviceID: 0x0a22, AdapterSubsysID: 1141174b, AdapterDriverVersion: 8.17.12.7533
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+
EMCheckCompatibility True
Adapter Vendor ID 0x10de
Adapter Device ID 0x0a22
Total Virtual Memory 4294836224
Available Virtual Memory 3676008448
System Memory Use Percentage 31
Available Page File 10695479296
Available Physical Memory 4419989504
Frame Module Signature Source
0 xul.dll nsContentList::ContentAppended content/base/src/nsContentList.cpp:745
1 xul.dll nsNodeUtils::ContentAppended content/base/src/nsNodeUtils.cpp:120
2 xul.dll nsINode::doInsertChildAt content/base/src/nsINode.cpp:1321
3 xul.dll nsGenericElement::InsertChildAt content/base/src/nsGenericElement.cpp:2626
4 xul.dll nsINode::ReplaceOrInsertBefore content/base/src/nsINode.cpp:1890
5 xul.dll nsINode::AppendChild obj-firefox/dist/include/nsINode.h:504
6 xul.dll nsIDOMNode_AppendChild obj-firefox/js/xpconnect/src/dom_quickstubs.cpp:5401
7 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:344
8 mozjs.dll js::Interpret js/src/jsinterp.cpp:2442
9 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:355
10 mozjs.dll js::Invoke js/src/jsinterp.cpp:387
11 mozjs.dll JS_CallFunctionValue js/src/jsapi.cpp:5604
12 xul.dll nsJSContext::CallEventHandler dom/base/nsJSEnvironment.cpp:1892
13 xul.dll nsGlobalWindow::RunTimeoutHandler dom/base/nsGlobalWindow.cpp:9552
14 xul.dll nsGlobalWindow::RunTimeout dom/base/nsGlobalWindow.cpp:9806
15 xul.dll nsGlobalWindow::TimerCallback dom/base/nsGlobalWindow.cpp:10077
16 xul.dll nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:473
17 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:624
18 xul.dll mozilla::ipc::RPCChannel::DequeueTask::`scalar deleting destructor'
19 nspr4.dll _MD_CURRENT_THREAD nsprpub/pr/src/md/windows/w95thred.c:312
20 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:82
21 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:201
22 xul.dll nsRange::ContentRemoved content/base/src/nsRange.cpp:571
23 xul.dll nsBaseAppShell::Run widget/xpwidgets/nsBaseAppShell.cpp:163
24 xul.dll FindSubstring<wchar_t,char> xpcom/string/src/nsStringObsolete.cpp:680
25 xul.dll nsBlockFrame::GetLineCursor layout/generic/nsBlockFrame.h:369
26 xul.dll nsSupportsArray::GrowArrayBy xpcom/ds/nsSupportsArray.cpp:133
27 xul.dll nsSupportsArray::GrowArrayBy xpcom/ds/nsSupportsArray.cpp:132
28 xul.dll nsBlockFrame::GetLineCursor layout/generic/nsBlockFrame.h:369
More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsContentList%3A%3AContentAppended%28nsIDocument*%2C+nsIContent*%2C+nsIContent*%2C+int%29
Comment 1•12 years ago
|
||
Scoobidiver, thanks for the bug report. I work on the Ask Toolbar, and this is news to me, especially since the toolbar itself injects no binaries into the Firefox code. I'm going to send this up the flagpole and see what I can find.
Reporter | ||
Comment 2•12 years ago
|
||
(In reply to Alex Vincent [:WeirdAl] from comment #1)
> since the toolbar itself injects no binaries into the Firefox code.
Ask Toolbar is not only bundled with Avira so correlations suggest the problem comes from Avira or an interaction between Avira and Ask Toolbar but not Ask Toolbar alone.
Reporter | ||
Comment 3•12 years ago
|
||
It started across all versions at the beginning of October.
Correlations per version confirm it's caused by the latest version of Avira:
99% (198/200) vs. 3% (3948/122954) toolbar@ask.com
1% (1/200) vs. 0% (1/122954) 3.12.2.100009
1% (1/200) vs. 1% (1094/122954) 3.15.4.100013
10% (20/200) vs. 0% (33/122954) 3.15.5.100015
1% (1/200) vs. 0% (1/122954) 3.15.8.29403
88% (175/200) vs. 0% (335/122954) 3.15.8.100015
97% (194/200) vs. 2% (2926/122954) avsda.dll
97% (194/200) vs. 1% (671/122954) 13.4.2.163
Comment 4•12 years ago
|
||
Oops - I forgot that for Avira we do have a plugin DLL, but that should be running inside the plugin container. A crash there should be self-contained, and shouldn't result in this stack trace.
Comment 5•12 years ago
|
||
I have this in my debugger now. JS stack trace:
0 anonymous() ["http://g2.gumgum.com/javascripts/ggv2.js":8]
this = [object Object]
1 anonymous() ["http://g2.gumgum.com/javascripts/ggv2.js":8]
this = [object Window]
2 <TOP LEVEL> ["<unknown>":0]
<failed to get 'this' value>
Comment 6•12 years ago
|
||
crash dump at https://alexvincent.us/temp/firefox-bug803963.7z
Comment 7•12 years ago
|
||
I'm able to exonerate Avira code from this crash: I generated the above crash with only the Ask toolbar (customized for Avira) in place - that is, without the Avira antivirus program installed. Also, the Ask toolbar doesn't tell gumgum scripts to load: that's coming directly from the webpage itself.
Reporter | ||
Comment 8•12 years ago
|
||
It's #29 top browser crasher w/o hangs in 17.0 and #59 in 18.0b1 so no longer a top crasher (arbitrary restricted to the top 20).
Keywords: topcrash
Reporter | ||
Comment 9•12 years ago
|
||
It's #12 top browser crasher in 18.0.1 and #17 in 19.0b2.
Same correlations as previously:
99% (694/701) vs. 3% (5855/171315) toolbar@ask.com
7% (52/701) vs. 0% (82/171315) 3.15.10.100015
9% (61/701) vs. 0% (150/171315) 3.15.11.100015
81% (568/701) vs. 1% (1143/171315) 3.15.13.100015
1% (4/701) vs. 0% (17/171315) 3.15.13.33021
1% (5/701) vs. 0% (17/171315) 3.15.5.100015
1% (4/701) vs. 0% (16/171315) 3.15.8.100015
96% (673/701) vs. 2% (4204/171315) avsda.dll
0% (1/701) vs. 0% (226/171315) 10.0.0.17
1% (5/701) vs. 0% (67/171315) 13.4.2.163
95% (667/701) vs. 1% (2284/171315) 13.4.2.360
status-firefox18:
--- → affected
status-firefox19:
--- → affected
status-firefox20:
--- → affected
status-firefox21:
--- → affected
tracking-firefox19:
--- → ?
tracking-firefox20:
--- → ?
Keywords: topcrash
Version: 16 Branch → Trunk
Comment 10•12 years ago
|
||
With that many crashes, there have to be some other websites where this is happening... preferably with code that isn't obfuscated like gumgum's was. I'll take a look at this on Tuesday, when we're back at work.
Comment 11•12 years ago
|
||
Hmm, the URLs make me believe that some mostly German ads might be involved.
Top URLs (I pulled all with over 20 hits):
269 about:blank
82 http://www.pl**boy.de/stars-stories/stars/claudelle-deckert-titel-022013
42 http://wetter.msn.com/
40 http://unterhaltung.de.msn.com/
36 https://www.facebook.com/
36 http://www.terra.com.br/
29 http://www.pl**boy.de/playmate/girldestages/1
27 http://www.facebook.com/
26 http://news.de.msn.com/
25 http://www.stylebook.de/
25 http://www.terra.com.br/portal/
23 http://wetter.msn.com/local.aspx?wealocations=wc:GMXX0007&q=Berlin%2c+BE&src=Windows7
21 http://elex_p_img337-f.akamaihd.net/static/log/adproxy.html?gKey=farmmeinvz&uid=www.vz.net:bgMT-iG-qOc_k00MLZOzUQ
21 http://de.smeet.com/
21 http://sport.de.msn.com/
20 http://www.europeantour.com/europeantour/season=2013/tournamentid=2013005/leaderboard/index.html
20 http://www.iefimerida.gr/
The pl**boy.de is of course not the correct domain name, but as it contains mildly adult content I prefer to not post a direct link here. I guess most people know well enough how to spell that correctly if they really want to call it up. ;-)
Comment 12•12 years ago
|
||
Now that we have URLs maybe qa can try to reproduce and see if we can get more to go on here.
Updated•12 years ago
|
QA Contact: virgil.dicu
Comment 13•12 years ago
|
||
Steps to reproduce:
1. Download Avira Antivirus from http://www.avira.com/en/avira-free-antivirus
2. Install the antivirus (make sure Avira SearchFree Toolbar and Avira SearchFree options are checked on install)
3. Start Firefox and check "Allow this installation" to the Avira SearchFree Toolbar plus Web Protection 3.15.13.
4. Click "Continue" and restart Firefox
5. With Avira Toolbar installed open: http://wetter.msn.com/ or any other URL from comment 11.
Result:
https://crash-stats.mozilla.com/report/index/bp-4e76962c-59ff-47ac-a700-4e0372130125
Not a regression, same result with Latest Nightly, Latest Aurora, Firefox 19.0 beta 3, 18.0.1 and 4.0.1.
Keywords: qawanted
Comment 14•12 years ago
|
||
Used Windows 7 x86
Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0
Reporter | ||
Updated•12 years ago
|
Keywords: reproducible
Comment 15•12 years ago
|
||
Virgil, does that mean that Ask Toolbar is not involved at all? If so, we should remove it from the summary of this bug.
Comment 16•12 years ago
|
||
Looking into this: I get a ton of assertions, and then the crash:
###!!! ASSERTION: nsHTMLDocument::Close(): Trying to remove nonexistent wyciwyg channel!: 'mWyciwygChannel', file c:/ff18/mozilla/content/html/document/src/nsHTMLDocument.cpp, line 1643
###!!! ASSERTION: This is unsafe! Fix the caller! Userdata callback disabled.: 'Error', file c:/ff18/mozilla/content/base/src/nsNodeUtils.cpp, line 305
###!!! ASSERTION: This is unsafe! Fix the caller!: 'Error', file c:/ff18/mozilla/content/events/src/nsEventDispatcher.cpp, line 513
###!!! ASSERTION: Want to fire DOMNodeRemoved event, but it's not safe: '(aChild->IsNodeOfType(nsINode::eCONTENT) && static_cast<nsIContent*>(aChild)-> IsInNativeAnonymousSubtree()) || IsSafeToRunScript() || sDOMNodeRemovedSuppressCount', file c:/ff18/mozilla/content/base/src/nsContentUtils.cpp, line 3921
###!!! ASSERTION: Did we run script inappropriately?: 'aKid->GetNodeParent() == this', file c:/ff18/mozilla/content/base/src/nsINode.cpp, line 1313
###!!! ASSERTION: aRoot not an ancestor of |this|?: 'cur', file c:\ff18\fx-debug\dist\include\nsINode.h, line 1199
xul.dll!nsINode::GetNextSibling() Line 1150 + 0xa bytes C++
xul.dll!nsINode::GetNextNodeImpl(const nsINode * aRoot=0x15897c38, const bool aSkipChildren=false) Line 1213 + 0x8 bytes C++
xul.dll!nsINode::GetNextNode(const nsINode * aRoot=0x15897c38) Line 1163 C++
xul.dll!nsContentList::ContentAppended(nsIDocument * aDocument=0x10dd9168, nsIContent * aContainer=0x15897c38, nsIContent * aFirstNewContent=0x14d15068, int aNewIndexInContainer=47) Line 848 + 0xc bytes C++
xul.dll!nsNodeUtils::ContentAppended(nsIContent * aContainer=0x15897c38, nsIContent * aFirstNewContent=0x14d15068, int aNewIndexInContainer=47) Line 129 + 0xe6 bytes C++
0 anonymous() ["http://db3.stj.s-msn.com/br/csl/js/1/jquery-1.3.2.min.js":19]
this = function (E,F){return new o.fn.init(E,F)}
1 anonymous() ["http://db3.stj.s-msn.com/br/csl/js/1/jquery-1.3.2.min.js":19]
this = function (E,F){return new o.fn.init(E,F)}
2 anonymous() ["http://db3.stj.s-msn.com/br/csl/js/1/jquery-1.3.2.min.js":19]
this = function (E,F){return new o.fn.init(E,F)}
3 anonymous() ["http://wetter.msn.com/":101]
this = [object Window @ 0x11a92cd0 (native @ 0x14de1348)]
Comment 17•12 years ago
|
||
Near the top of this assertion we have:
xul.dll!nsINode::RemoveChild(nsINode * aOldChild=0x0abe39e8) Line 442 + 0x16 bytes C++
this 0x143977e0 nsINode * const
In that frame we have this as a HEAD element, and aOldChild is a SCRIPT element with src "http://platform.twitter.com/widgets.js".
But deeper in the stack, we have:
> xul.dll!nsINode::AppendChild(nsINode * aNewChild=0x0abe39e8, tag_nsresult * aReturn=0x003bbf28) Line 505 C++
this 0x143977e0 nsINode * const
So there's some code telling us to remove the script element we are in the process of adding.
What is the content policy on the stack?
Comment 19•12 years ago
|
||
Yeah, someone is modifying DOM during content policy call. That is strictly prohibited
http://mxr.mozilla.org/mozilla-central/source/content/base/public/nsIContentPolicy.idl#232
Can we blocklist the addons?
Reporter | ||
Comment 20•12 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #19)
> Can we blocklist the addons?
Which add-on?
Comment 21•12 years ago
|
||
Avira and Ask toolbars (if those cause these crashes). Or if those are just .dll files, block those
libraries?
Reporter | ||
Comment 22•12 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #21)
> Avira and Ask toolbars (if those cause these crashes).
Both are widespread so we need to know which ones. Disable one of them to see if the problem still occurs.
Comment 23•12 years ago
|
||
Ask is in discussion of being blocked due to other reasons anyhow (they are violating the add-on policies), but comment #13 sounds like this might be the Avira stuff alone, and that's a DLL that's being injected. If they are violating things that are prohibited, we should still first contact them before even discussing a block.
Comment 24•12 years ago
|
||
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #15)
> Virgil, does that mean that Ask Toolbar is not involved at all? If so, we
> should remove it from the summary of this bug.
Ask.com becomes the default search engine after installing the Avira Toolbar. It seems like Ask Toolbar is not involved in this.
With a clean profile I tried to install separately the Ask Toolbar from http://sp.ask.com/toolbar/install/apnasktoolbar/download.php
but it looks like this is only for Internet Explorer so I could not use this in Firefox to obtain a crash.
Comment 25•12 years ago
|
||
(In reply to Virgil Dicu [:virgil] [QA] from comment #24)
> Ask.com becomes the default search engine after installing the Avira
> Toolbar. It seems like Ask Toolbar is not involved in this.
Ah, that explains a lot (though it also points to a reason why blocking Ask is in discussion anyhow).
In any case, given this seems to be Avira and it's not an add-on but a DLL apparently, the dynamic downloadable blocklist approach wouldn't work anyhow. In any case, we should try to get a contact with them so they know and we can work with them to find a solution.
I sincerely hope it's not once again the missing UUID bump of nsIPrefBranch that causes this.
Summary: crash in nsContentList::ContentAppended with Avira and Ask Toolbar → crash in nsContentList::ContentAppended with Avira Antivirus (avsda.dll)
Comment 26•12 years ago
|
||
Reading the tealeaves, I don't think that nsIPrefBranch is related to this crash.
Comment 27•12 years ago
|
||
Hello again from Ask. On Friday we conclusively identified the file causing the crash. It is not the Avira DLL mentioned in this ticket. It is instead a content policy written as a JavaScript component. We have a potential fix which we are currently reviewing to make sure it's correct in all regards.
We understand precisely how urgent this is to fix immediately, and we'll provide more information as soon as we can.
Reporter | ||
Updated•12 years ago
|
Summary: crash in nsContentList::ContentAppended with Avira Antivirus (avsda.dll) → crash in nsContentList::ContentAppended with Ask Toolbar bundled with Avira Antivirus
Comment 28•12 years ago
|
||
FYI, our team has pushed the fix out to our Production servers. The fix itself will take some time to propagate, but after a few days, the crash numbers should start dropping rapidly.
Reporter | ||
Comment 29•12 years ago
|
||
It's #571 browser crasher in 18.0.1 and #298 in 19.0b4 over the last three days.
Status: NEW → RESOLVED
Closed: 12 years ago
Component: DOM → Extension Compatibility
Product: Core → Firefox
Resolution: --- → FIXED
Whiteboard: [fixed in Ask Toolbar 3.17.2]
Comment 30•12 years ago
|
||
Verified the fix and no crashes found for Firefox 18.0.2, Firefox 19.0 beta 4, Latest Aurora and Latest Nightly using the steps to reproduce from comment 13 and the URLs from comment 11 for Windows 7 x86.
Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0
Build ID: 20130201065344
You need to log in
before you can comment on or make changes to this bug.
Description
•