Closed Bug 989992 Opened 12 years ago Closed 4 years ago

crashes in mozilla::dom::XULDocument::OnScriptCompileComplete or js::frontend::TokenStream::getTokenInternal with jid1-vW9nopuIAJiRHw@jetpack (SmileysWeLove) and tl_r@jetpack (TimeLineRemove) add-ons

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
26 Branch
Platform:
x86
Windows NT
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: kairo, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

Attachments

(3 files)

jid1-vW9nopuIAJiRHw@jetpack.xpi
471.26 KB, application/zip
Details
tl_r@jetpack 1.5.2
247.04 KB, application/x-xpinstall
Details
TimeLineRemoveFF.xpi
99.44 KB, application/x-xpinstall
Details
This bug was filed from the Socorro interface and is report bp-2a145635-0307-4c2e-bd00-5c2c62140331. ============================================================= Both the signatures here were low volume but on 2014-03-29 they started spiking across channels (including 27.0.1 as well as 28.0 release and 29.0 beta, the signatures exist on Aurora 30 and Nightly 31 but are too low volume that a regression/spike can clearly be made out). Correlations are pretty clear on all channels, see 28.0 for example: [@ js::frontend::TokenStream::getTokenInternal(js::frontend::TokenStream::Modifier) ], Firefox 28.0 Windows NT: 97% (268/277) vs. 2% (1000/54830) jid1-vW9nopuIAJiRHw@jetpack [@ mozilla::dom::XULDocument::OnScriptCompileComplete(JSScript*, tag_nsresult) ], Firefox 28.0 Windows NT: 100% (224/225) vs. 2% (1000/54830) jid1-vW9nopuIAJiRHw@jetpack This means that all or almost all of the reports with those signatures have that add-on active while ~2% of the total reports do. Either this add-on is triggering a crash in our code (which is somewhat assume given that it's about scripts) or the add-on code itself is at fault. Even together, those crashes are not in the top 20 signatures on any channel, on 27, 28, and 29, the volume is around 80-100 crashes per 1M ADI for yesterday but significantly higher the day before.
<eviljeff> KaiRo: its addon 416610, fwiw <KaiRo> eviljeff: what does that mean? <eviljeff> the addon id on AMO. I've got more details now... <eviljeff> its called 'SmileysWeLove: use with Facebook, GMail, and more' <eviljeff> its disabled on AMO now <KaiRo> eviljeff: ah, that explains why crash rates are lower yesterday than the day before - why was it disabled? <eviljeff> KaiRo: I can't see it was ever approved on AMO actually. It kept getting rejected due to remote script insertion <eviljeff> https://addons.mozilla.org/en-US/editors/review/smileys-we-love - jorgev - is there any other background? <jorgev> no, it looks like it was an easy rejection <jorgev> about a year ago, and never published on AMO <KaiRo> jorgev: interesting that it caused a crash spike this weekend, then <jorgev> it's likely it's being distributed with some other software
We can blocklist it if it turns out it is being silently installed. Kris, what do the stats say about this?
Flags: needinfo?(kmaglione+bmo)
There's been a sharp rise in usage, all foreign installs, nearly all enabled, so yeah, it looks like this is being silently side-installed on a grand scale.
Flags: needinfo?(kmaglione+bmo)
OK, I managed to find a download link. It does do a silent install from an external installer. It also asks to install a Conduit search-hijacker (https://people.mozilla.org/~kmaglione/images/d1dab73d46869385.png), so it's a pretty strong candidate for killing with fire.
The extension has been blocked, so that should probably eliminate the crashes. Kris, I think it would be a good idea to link to the installer or attach it so the crash can still be studied.
I got the installer from http://smileyswelove.com/Home/Download The actual XPI is attached.
the signature is still around and it appears as it is now in large part caused by the TimeLineRemove.Com 1.5.3 (tl_r@jetpack) extension: https://crash-stats.mozilla.com/report/list?product=Firefox&signature=js%3A%3Afrontend%3A%3ATokenStream%3A%3AgetTokenInternal%28js%3A%3Afrontend%3A%3ATokenStream%3A%3AModifier%29#tab-correlations
A user from the French community board reported same crashes with this signature. TimeLineRemove.Com 1.5.3 true (tl_r@jetpack) is installed in his profile.
Summary: crashes in mozilla::dom::XULDocument::OnScriptCompileComplete or js::frontend::TokenStream::getTokenInternal with jid1-vW9nopuIAJiRHw@jetpack add-on → crashes in mozilla::dom::XULDocument::OnScriptCompileComplete or js::frontend::TokenStream::getTokenInternal with jid1-vW9nopuIAJiRHw@jetpack (SmileysWeLove) and tl_r@jetpack (TimeLineRemove) add-ons
Attached file tl_r@jetpack 1.5.2
xpi sample of tl_r@jetpack version 1.5.2
This is not 100% of those crashes, but a good part: js::frontend::TokenStream::getTokenInternal(js::frontend::TokenStream::Modifier)|EXCEPTION_ACCESS_VIOLATION_READ (362 crashes) 88% (318/362) vs. 1% (513/84435) tl_r@jetpack 20% (74/362) vs. 1% (1153/84435) {e4a8a97b-f2ed-450b-b12d-ee082ba24781} (Greasemonkey, https://addons.mozilla.org/addon/748) 27% (97/362) vs. 15% (12984/84435) {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} (Adblock Plus, https://addons.mozilla.org/addon/1865) 10% (35/362) vs. 0% (75/84435) mwaddonclient@mwaddon.com It sounds to me like different add-ons seem to hit on this. Are we sure it's not an actual bug in our code?
would this be a candidate for blocklisting again?
Flags: needinfo?(jorge)
Attached file TimeLineRemoveFF.xpi
Kris, can you look into this new ID? The XPI can be downloaded from timelineremove.com, but I'm also attaching it in case it's useful.
Flags: needinfo?(jorge) → needinfo?(kmaglione+bmo)
This looks like it's either one or two platform bugs to me. I'm not convinced that the two crash signatures here are at all related, though, and I wonder if we shouldn't separate the bugs. Anyway, the stack traces from comment 8 are all truncated oddly, perhaps due to the JIT; can you pull one or a few and let us know more or all of the stack?
Flags: needinfo?(dmajor)
mozjs!js::frontend::TokenStream::getTokenInternal mozjs!js::frontend::Parser<js::frontend::FullParseHandler>::functionArguments mozjs!js::frontend::Parser<js::frontend::FullParseHandler>::functionArgsAndBodyGeneric mozjs!js::frontend::Parser<js::frontend::FullParseHandler>::standaloneLazyFunction mozjs!js::frontend::CompileLazyFunction mozjs!JSFunction::createScriptForLazilyInterpretedFunction mozjs!JSFunction::getOrCreateScript mozjs!js::LazyScript::functionDelazifying mozjs!JSFunction::createScriptForLazilyInterpretedFunction mozjs!JSFunction::getOrCreateScript mozjs!js::Invoke mozjs!js::Invoke mozjs!JS::Call xul!mozilla::dom::Function::Call xul!mozilla::dom::Function::Call<nsCOMPtr<nsISupports> > xul!nsGlobalWindow::RunTimeoutHandler xul!nsGlobalWindow::RunTimeout xul!nsGlobalWindow::TimerCallback xul!nsTimerImpl::Fire xul!nsTimerEvent::Run xul!nsThread::ProcessNextEvent xul!NS_ProcessNextEvent xul!mozilla::ipc::MessagePump::Run xul!MessageLoop::RunHandler xul!MessageLoop::Run xul!nsBaseAppShell::Run xul!nsAppShell::Run xul!XREMain::XRE_mainRun xul!XREMain::XRE_main xul!XRE_main firefox!do_main firefox!NS_internal_main firefox!wmain firefox!__tmainCRTStartup kernel32!BaseThreadInitThunk ntdll!__RtlUserThreadStart ntdll!_RtlUserThreadStart The other one is cut off even in my debugger. I assume the rest is just "the usual stuff below ProcessNextEvent". Could try to pull out more if you really want. xul!mozilla::dom::XULDocument::OnScriptCompileComplete xul!NotifyOffThreadScriptCompletedRunnable::Run xul!nsThread::ProcessNextEvent
Flags: needinfo?(dmajor)
ok looking at bp-7f6d6243-3df6-4fd3-9ff2-1b1ab2140911: crash is at http://hg.mozilla.org/releases/mozilla-release/annotate/44234f451065/js/src/frontend/TokenStream.cpp#l1080 crash address is 0xffffffffffa12b7a njn, is this likely to be an actual parser error, or some sort of GC/UAF error? Are there any interesting patterns of JS in the extension which might help provide clues to who might own this from an engineering perspective?
Flags: needinfo?(n.nethercote)
I looked at this the other day. I don't really have anything significant to add. It has about 25K users and seems to be legitimate. The privileged code is pretty trivial, and not anything I'd expect to cause a crash. The page mod code is obfuscated, and a few thousand lines. It does seem to cause my deminifier a fair amount of trouble, but I can't say much beyond that.
Flags: needinfo?(kmaglione+bmo)
> njn, is this likely to be an actual parser error, or some sort of GC/UAF > error? Are there any interesting patterns of JS in the extension which might > help provide clues to who might own this from an engineering perspective? GC is unlikely to be involved. This is just tokenizing code. The crash occurs when we try to read a char, which happens only after checking that we haven't reached the end of the buffer. I tried reproducing on the JS code within the TimeLineRemoveFF.xpi file, but failed. One of the files contains 573,765 chars of JS on a single line which is reasonable big but shouldn't really cause any problems. If it really is a bug in the tokenizer then I'm a reasonable choice of owner. Steps to reproduce would be awfully helpful, of course.
Flags: needinfo?(n.nethercote)
I tried reproducing with the other two attached files, without success.
Crash Signature: [@ mozilla::dom::XULDocument::OnScriptCompileComplete(JSScript*, tag_nsresult)] [@ js::frontend::TokenStream::getTokenInternal(js::frontend::TokenStream::Modifier)] → [@ mozilla::dom::XULDocument::OnScriptCompileComplete(JSScript*, tag_nsresult)] [@ js::frontend::TokenStream::getTokenInternal(js::frontend::TokenStream::Modifier)] [@ mozilla::dom::XULDocument::OnScriptCompileComplete] [@ js::frontend::TokenStream::ge…
QA Whiteboard: qa-not-actionable

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: