Closed
Bug 1348797
Opened 8 years ago
Closed 8 years ago
Crash in <T>::operator() | mozilla::intl::LocaleService::NegotiateLanguages
Categories
(Core :: Internationalization, defect)
Tracking
()
RESOLVED
FIXED
mozilla55
| | Tracking | Status |
|---|---|---|
| firefox-esr45 | --- | unaffected |
| firefox52 | --- | unaffected |
| firefox-esr52 | --- | unaffected |
| firefox53 | --- | unaffected |
| firefox54 | --- | unaffected |
| firefox55 | --- | fixed |
People
(Reporter: marcia, Assigned: zbraniecki)
References
Details
(Keywords: crash)
Crash Data
Attachments
(1 file)
(deleted), patch | jfkthame: review+
This bug was filed from the Socorro interface and is report bp-471a55bc-84a6-4aec-bbd0-022d82170314.
=============================================================
Seen while looking at nightly crash stats. This crash started in 20170308030207: http://bit.ly/2nVEXz2.
Bug 1337694 touched code in this area. ni on gandalf.
Flags: needinfo?(gandalf)
Comment 1 • 8 years ago (Assignee)
Wow.
My first crash!
I'll investigate as I think I know what might be causing it, but...
:marcia, is that normal that we get crashes from functions that are not used by anyone anywhere? Like, those calls have no extensions and there's nothing except of 2 tests in mozilla-central that would call it.
Flags: needinfo?(gandalf) → needinfo?(mozillamarcia.knous)
Comment 2 • 8 years ago (Reporter)
(In reply to Zibi Braniecki [:gandalf][:zibi] from comment #1)
> Wow.
> My first crash!
>
> I'll investigate as I think I know what might be causing it, but...
>
> :marcia, is that normal that we get crashes from functions that are not used
> by anyone anywhere? Like, those calls have no extensions and there's nothing
> except of 2 tests in mozilla-central that would call it.
Not sure about what is "normal" in crash stats. Sometimes you have to look further down in the stack to see what is really going on. In this case, we have 16 crashes total, but only 5 installs have hit it, so not very widespread by any means. I would ask someone in Engineering if you want a better answer, as I cannot really interpret much about what is going on.
Flags: needinfo?(mozillamarcia.knous)
Comment 3 • 8 years ago (Assignee)
> In this case, we have 16 crashes total, but only 5 installs have hit it
From what I can read, none of those crashes have any extensions, and since no code in Gecko calls this method (yet, I just added it!), I'm wondering how is it possible that someone triggered the crash, unless it's someone fuzzing or looking for crashers.
I'd like to NI someone who might know more about how we get crash reports for code that is not called from Gecko, do you know who should I NI?
Flags: needinfo?(mozillamarcia.knous)
Comment 4 • 8 years ago (Assignee)
I'll close this bug for now, because I'm adding STR to crash Firefox. If it doesn't require security flag, feel free to remove it.
STR:
1) Launch Firefox
2) Open browser console
3) Type: `Services.locale.negotiateLanguages([null],[]);` or `Services.locale.negotiateLanguages([undefined],[]);`
AR:
crash
ER:
Exception thrown
Assignee: nobody → gandalf
Group: core-security
Status: NEW → ASSIGNED
Has Regression Range: --- → yes
Has STR: --- → yes
Comment 5 • 8 years ago (Assignee)
This fixes the crash by adding a null-check, but I still would like to use the opportunity to try to understand how is it possible that 16 people triggered an unused method in a very unusual way.
Attachment #8849195 - Flags: review?(jfkthame)
Comment 6 • 8 years ago
This seems... puzzling. Marcia, is it possible that crash reports are getting incorrect buildid information?
NegotiateLanguages was introduced by bug 1337694 in https://hg.mozilla.org/mozilla-central/rev/120c713a857f, which was pushed to autoland in the evening (GMT) of 2017-03-08, and merged to central early on 2017-03-09 (again, GMT).
But the report in bp-471a55bc-84a6-4aec-bbd0-022d82170314 claims to be for buildid 20170308030207, which even allowing for California time vs GMT, should have been created before that patch landed, and so NegotiateLanguages didn't even exist in the codebase. https://archive.mozilla.org/pub/firefox/nightly/2017/03/2017-03-08-03-02-07-mozilla-central/firefox-55.0a1.en-US.win32.txt says it is built from rev 58753259bfeb, which predates the landing of bug 1337694.
The source links in that crash report, however, go to rev c40ca7a1bdd9, which corresponds to the following day's Nightly build (with buildid 20170309030216), according to https://archive.mozilla.org/pub/firefox/nightly/2017/03/2017-03-09-03-02-16-mozilla-central/firefox-55.0a1.en-US.win32.txt.
So AFAICS the buildid in the crash report must be wrong. Or am I just totally confused?
(In reply to Zibi Braniecki [:gandalf][:zibi] from comment #5)
> Created attachment 8849195 [details] [diff] [review]
> nego-crash.diff
>
> This fixes the crash by adding a null-check, but I still would like to use
> the opportunity to try to understand how is it possible that 16 people
> triggered an unused method in a very unusual way.
Nearer 6 than 16 people, I think (perhaps even fewer than that); it looks like there are multiple reports from a few installations, rather than all being independent.
I suspect someone (perhaps even within mozilla? but I don't know...) has fuzzing tools that automatically enumerate the methods available on an object and try calling them with a variety of "random" inputs, so it's not too surprising they'd end up passing [undefined] or similar in various places.
Updated • 8 years ago
Attachment #8849195 - Flags: review?(jfkthame) → review+
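Added example, not part of the bug thread and not the Gecko patch: a JavaScript stand-in for the API that rejects `null`/`undefined` entries with an exception (the ER in comment 4), exercised by the kind of method-enumerating harness comment 6 speculates about, usable as a regression test. The names `localeService`, `EDGE_INPUTS` and `probeMethods` and the simplified matching are assumptions made for illustration.

```javascript
// Stand-in for the locale API; NOT Gecko's implementation (hypothetical object).
const localeService = {
  // Validate every element at the API boundary so that a null or undefined
  // entry raises an exception before any matching logic touches it.
  negotiateLanguages(requested, available) {
    for (const [name, list] of [["requested", requested], ["available", available]]) {
      if (!Array.isArray(list)) {
        throw new TypeError(`${name} must be an array`);
      }
      list.forEach((tag, i) => {
        if (typeof tag !== "string") {
          throw new TypeError(`${name}[${i}] must be a string`);
        }
      });
    }
    // Simplified matching (exact, case-insensitive); real negotiation is richer.
    const have = new Map(available.map((t) => [t.toLowerCase(), t]));
    return requested.map((t) => have.get(t.toLowerCase())).filter((t) => t !== undefined);
  },
};

// Constructed argument lists; the first two are the calls from the STR.
const EDGE_INPUTS = [
  [[null], []],
  [[undefined], []],
  [[{}], ["en-US"]],
  ["en-US", ["en-US"]],
  [["en-us", "fr"], ["en-US", "de"]],
];

// Enumerate every method on `obj` and call it with each argument list,
// recording whether the call returned or threw. A crash would abort the run.
function probeMethods(obj, inputs) {
  const results = [];
  for (const name of Object.keys(obj)) {
    if (typeof obj[name] !== "function") continue;
    for (const args of inputs) {
      try {
        results.push({ name, args, outcome: "returned", value: obj[name](...args) });
      } catch (e) {
        results.push({ name, args, outcome: "threw", error: e.constructor.name });
      }
    }
  }
  return results;
}
```

Calling `probeMethods(localeService, EDGE_INPUTS)` yields one record per method and input; any malformed input that shows `returned` instead of `threw` marks a boundary check that is missing.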
Updated • 8 years ago (Assignee)
Keywords: checkin-needed
Comment 7 • 8 years ago
Blocks: 1337694
status-firefox52: --- → unaffected
status-firefox53: --- → unaffected
status-firefox54: --- → unaffected
status-firefox-esr45: --- → unaffected
status-firefox-esr52: --- → unaffected
Keywords: checkin-needed
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Updated • 8 years ago (Reporter)
Flags: needinfo?(mozillamarcia.knous)
Updated • 8 years ago
Group: core-security → core-security-release
Updated • 8 years ago
Group: core-security-release