Closed Bug 637600 Opened 14 years ago Closed 11 years ago

Crash with several add-on names of the same toolbar, mainly Smiley Central 1.1

Categories

(Toolkit :: Blocklist Policy Requests, defect)

x86
Windows 7
defect
Not set
critical

RESOLVED WONTFIX

People

(Reporter: scoobidiver, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

It is #67 top crasher in 4.0b12 and #70 top crasher in 3.6.13.

Correlations by add-ons give:
1vbar.dll@0x3ab27|EXCEPTION_STACK_OVERFLOW (37 crashes)
    100% (37/37) vs. 0% (66/19440) 1vffxtbr@SmileyCentral_1v.com (1.1)

Its website is: http://smiley.smileycentral.com/download/index.jhtml

Signature 1vbar.dll@0x3ab27
UUID 53143182-15e1-4921-be7d-f03ed2110301
Time 2011-03-01 00:56:41.245658
Uptime 55
Last Crash 62 seconds before submission
Install Age 48730 seconds (13.5 hours) since version was first installed.
Product Firefox
Version 4.0b12
Build ID 20110222210221
Branch 2.0
OS Windows NT
OS Version 6.1.7600
CPU x86
CPU Info GenuineIntel family 6 model 23 stepping 10
Crash Reason EXCEPTION_STACK_OVERFLOW
Crash Address 0x585ab27
App Notes AdapterVendorID: 8086, AdapterDeviceID: 2a42, AdapterDriverVersion: 8.15.10.1883

Frame Module Signature Source
0 1vbar.dll 1vbar.dll@0x3ab27
1 1vbar.dll 1vbar.dll@0x558b
2 1vPlugin.dll 1vPlugin.dll@0x34f5
3 1vPlugin.dll 1vPlugin.dll@0x381d
4 xul.dll CallNPMethodInternal modules/plugin/base/src/nsJSNPRuntime.cpp:1489
5 xul.dll CallNPMethod modules/plugin/base/src/nsJSNPRuntime.cpp:1542
6 xul.dll NPObjWrapper_Call modules/plugin/base/src/nsJSNPRuntime.cpp:1717
7 mozjs.dll js::RunScript js/src/jsinterp.cpp:653
8 mozjs.dll js::Invoke js/src/jsinterp.cpp:733
9 mozjs.dll js_fun_apply js/src/jsfun.cpp:2206
10 mozjs.dll js::Interpret js/src/jsinterp.cpp:4766
11 mozjs.dll js::RunScript js/src/jsinterp.cpp:653
12 mozjs.dll js::Invoke js/src/jsinterp.cpp:733
13 mozjs.dll js::InvokeSessionGuard::invoke js/src/jsinterpinlines.h:596
14 mozjs.dll array_extra js/src/jsarray.cpp:2857
15 mozjs.dll array_forEach js/src/jsarray.cpp:2914
16 mozjs.dll js::Interpret js/src/jsinterp.cpp:4766
17 mozjs.dll js::RunScript js/src/jsinterp.cpp:653
18 mozjs.dll js::Invoke js/src/jsinterp.cpp:733
19 mozjs.dll js_fun_apply js/src/jsfun.cpp:2206
20 mozjs.dll js::Interpret js/src/jsinterp.cpp:4766
21 mozjs.dll js::RunScript js/src/jsinterp.cpp:653
22 mozjs.dll js::Invoke js/src/jsinterp.cpp:733
23 mozjs.dll js::ExternalInvoke js/src/jsinterp.cpp:849
24 mozjs.dll JS_CallFunctionValue js/src/jsapi.cpp:5173
25 xul.dll nsXPCWrappedJSClass::CallMethod js/src/xpconnect/src/xpcwrappedjsclass.cpp:1672
26 xul.dll nsXPCWrappedJS::CallMethod js/src/xpconnect/src/xpcwrappedjs.cpp:588
27 xul.dll PrepareAndDispatch xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:114
28 xul.dll SharedStub xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp:141
29 xul.dll nsBrowserStatusFilter::OnStateChange toolkit/components/statusfilter/nsBrowserStatusFilter.cpp:183
30 xul.dll nsDocLoader::FireOnStateChange uriloader/base/nsDocLoader.cpp:1334
31 xul.dll nsDocLoader::FireOnStateChange uriloader/base/nsDocLoader.cpp:1341
32 xul.dll nsDocLoader::doStopURLLoad uriloader/base/nsDocLoader.cpp:907
33 xul.dll nsDocLoader::OnStopRequest uriloader/base/nsDocLoader.cpp:691
34 xul.dll nsLoadGroup::RemoveRequest netwerk/base/src/nsLoadGroup.cpp:680
35 xul.dll xul.dll@0xb38dd3
36 xul.dll imgRequestProxy::RemoveFromLoadGroup
37 xul.dll imgRequestProxy::OnStopRequest modules/libpr0n/src/imgRequestProxy.cpp:726
38 xul.dll imgRequest::OnStopRequest modules/libpr0n/src/imgRequest.cpp:956
39 xul.dll ProxyListener::OnStopRequest modules/libpr0n/src/imgLoader.cpp:2008
40 xul.dll nsBaseChannel::OnStopRequest netwerk/base/src/nsBaseChannel.cpp:727
41 xul.dll nsInputStreamPump::OnStateStop netwerk/base/src/nsInputStreamPump.cpp:578
42 xul.dll nsInputStreamPump::OnInputStreamReady netwerk/base/src/nsInputStreamPump.cpp:403
43 xul.dll nsInputStreamReadyEvent::Run xpcom/io/nsStreamUtils.cpp:112
44 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:633
45 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:110
46 xul.dll xul.dll@0xb2f7a7
47 xul.dll MessageLoop::RunInternal ipc/chromium/src/base/message_loop.cc:219
48 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:202
49 mozcrt19.dll _VEC_memzero
50 xul.dll xul.dll@0x359b4d
51 firefox.exe firefox.exe@0x1bb7
52 ntdll.dll WinSqmSetIfMaxDWORD
53 ntdll.dll _RtlUserThreadStart
54 firefox.exe firefox.exe@0x186f
55 firefox.exe firefox.exe@0x186f

More reports at: https://crash-stats.mozilla.com/report/list?range_value=4&range_unit=weeks&signature=1vbar.dll%400x3ab27
Searching for signatures across all versions and branches that contain "bar.dll@0x3ab27" you'll find that there's a whole family of those crashes around, and for me, this sounds very much like malware given the randomized first two letters of the name. Chris, do we know this one?
> Chris, do we know this one?

I haven't seen this one before, but it's interesting. Looks like it's about 1500-1700 crashes per day against all versions of Firefox. I wonder if there is some wildcard blocklisting mechanism we could employ here like /^..bar.dll/ without hitting too many false positives? I wonder if it's worth filing a bug to add that as a blocklisting feature.

There also seems to be a concentration around a few names, and the crash address spans a variety of variations on the .dll name. The most popular for Mar 2 being these combos with more than 10 crashes per day. Also note that the version number seems to have strong correlation to the crash address.

138 1vbar.dll@0x3ab27 3.6.13
74 1vbar.dll@0x3ab27 3.6.14
68 1vbar.dll@0x3ab27 4.0b12 - 100% of these might be version 2.3.72.6
42 7dbar.dll@0x3ab27 3.6.13
29 7dbar.dll@0x3ab27 4.0b12
25 7dbar.dll@0x3ab27 3.6.14 - 100% of these might be version 2.3.72.6
33 79bar.dll@0x3ab27 3.6.13 - 100% of these might be version 2.3.72.6
32 64bar.dll@0x3ab27 3.6.13
31 9ubar.dll@0x3ab27 3.6.13
24 9ubar.dll@0x3ab27 3.6.14
24 2zbar.dll@0x3b3c7 4.0b12 -- 100% = 2.3.77.10
22 64bar.dll@0x3ab27 4.0b12
22 2zbar.dll@0x3b3c7 3.6.13
22 1vbar.dll@0x1b787 3.6.13
20 79bar.dll@0x3ab27 3.6.14
17 64bar.dll@0x3ab27 3.6.14
15 jfbar.dll@0x3ab27 3.6.14
15 2zbar.dll@0x3b3c7 3.6.14
13 79bar.dll@0x3ab27 4.0b12
12 u4bar.dll@0x3b317 3.6.13
12 pabar.dll@0x3b317 4.0b12
12 2vbar.dll@0x3ad37 3.6.14
12 27bar.dll@0x3ab27 3.6.13
11 u4bar.dll@0x3b317 4.0b12
11 pabar.dll@0x3ab27 3.6.13
11 2vbar.dll@0x3ad37 3.6.13
10 pabar.dll@0x3b317 3.6.13
10 1vbar.dll@0x38237 3.6.13
...

It's also interesting that there are *zero* e-mail addresses associated with any of the reports for all of Feb. and March.
With combined signatures, it is #42 top crasher in 4.0b12 and #41 in 3.6.13. It is not several dlls that are generated by one add-on, each dll matches one different add-on name. For instance:
1vbar.dll@0x3ab27|EXCEPTION_STACK_OVERFLOW (68 crashes)
    99% (67/68) vs. 0% (175/62143) 1vffxtbr@SmileyCentral_1v.com (1.1)
7dbar.dll@0x3ab27|EXCEPTION_STACK_OVERFLOW (28 crashes)
    89% (25/28) vs. 0% (121/62143) 7dffxtbr@Webfetti.com (1.1)
2zbar.dll@0x3b3c7|EXCEPTION_STACK_OVERFLOW (24 crashes)
    100% (24/24) vs. 0% (51/62143) 2zffxtbr@Retrogamer_2z.com (1.1)
64bar.dll@0x3ab27|EXCEPTION_STACK_OVERFLOW (22 crashes)
    100% (22/22) vs. 0% (103/62143) 64ffxtbr@TelevisionFanatic.com (1.1)
79bar.dll@0x3ab27|EXCEPTION_STACK_OVERFLOW (15 crashes)
    100% (15/15) vs. 0% (72/62143) 79ffxtbr@MyFunCardsbar.com (1.1)
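
Added example, not part of the bug's comments and not Firefox blocklist code: a standalone check of the `/^..bar.dll/` wildcard floated above against the signature/add-on pairs quoted in this bug, showing where a name-only pattern over-matches and how requiring the matching `<prefix>ffxtbr@` add-on ID narrows it. The `STRICT` pattern, the function names and the `PROBES` entries are assumptions constructed for illustration.

```python
import re

LOOSE = re.compile(r"^..bar.dll")                # pattern as floated in the comment
STRICT = re.compile(r"^([0-9a-z]{2})bar\.dll$")  # assumption: escaped dot, end anchor

# Crash signature -> correlated add-on ID, as quoted in the comments above.
REPORTED = {
    "1vbar.dll@0x3ab27": "1vffxtbr@SmileyCentral_1v.com",
    "7dbar.dll@0x3ab27": "7dffxtbr@Webfetti.com",
    "2zbar.dll@0x3b3c7": "2zffxtbr@Retrogamer_2z.com",
    "64bar.dll@0x3ab27": "64ffxtbr@TelevisionFanatic.com",
    "79bar.dll@0x3ab27": "79ffxtbr@MyFunCardsbar.com",
}
# Constructed probes, not taken from crash data.
PROBES = {
    "mybar-dll.exe@0x10": "helper@example.invalid",
    "mybar.dll@0x10": "helper@example.invalid",
    "toolbar.dll@0x10": "helper@example.invalid",
}

def module_of(signature):
    """Module name from a 'module@offset' crash signature."""
    return signature.split("@", 1)[0].lower()

def family_prefix(signature):
    """Two-character prefix if the module fits the strict pattern, else None."""
    m = STRICT.match(module_of(signature))
    return m.group(1) if m else None

def is_family(signature, addon_id):
    """Module name fits AND the add-on ID carries the same prefix before 'ffxtbr@'."""
    prefix = family_prefix(signature)
    return prefix is not None and addon_id.lower().startswith(prefix + "ffxtbr@")

def evaluate(samples):
    """Per signature: (loose match, strict match, strict + add-on ID match)."""
    return {
        sig: (bool(LOOSE.match(module_of(sig))),
              family_prefix(sig) is not None,
              is_family(sig, addon))
        for sig, addon in samples.items()
    }

if __name__ == "__main__":
    for sig, v in evaluate({**REPORTED, **PROBES}).items():
        print(f"{sig:22} loose={v[0]!s:5} strict={v[1]!s:5} family={v[2]}")
```

The unescaped, unanchored pattern also accepts `mybar-dll.exe`; the strict pattern still accepts any unrelated two-character `??bar.dll`, which only the add-on ID pairing rules out.
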
Summary: Crash [@ 1vbar.dll@0x3ab27 ] with Smiley Central 1.1 → Crash [@ 1vbar.dll@0x3ab27 ][@ 7dbar.dll@0x3ab27 ][@ 2zbar.dll@0x3b3c7 ][@ 64bar.dll@0x3ab27][@ 79bar.dll@0x3ab27 ][@ pabar.dll@0x3b317 ][@ u4bar.dll@0x3b317 ] with several add-on names of the same toolbar, mainly Smiley Central 1.1
kev, can you find a contact at smileycentral? It's hard to say if something legitimate is going on here or if it's malware/adware attacks on firefox or smiley, or both. But it is clear that it's causing a pretty significant volume of crashes just in these two signatures and possibly more.
Crash Signature: [@ 1vbar.dll@0x3ab27 ] [@ 7dbar.dll@0x3ab27 ] [@ 2zbar.dll@0x3b3c7 ] [@ 64bar.dll@0x3ab27] [@ 79bar.dll@0x3ab27 ] [@ pabar.dll@0x3b317 ] [@ u4bar.dll@0x3b317 ]
It's now a low volume crash. I don't think the blocklisting is still required.
Crash Signature: [@ 1vbar.dll@0x3ab27 ] [@ 7dbar.dll@0x3ab27 ] [@ 2zbar.dll@0x3b3c7 ] [@ 64bar.dll@0x3ab27] [@ 79bar.dll@0x3ab27 ] [@ pabar.dll@0x3b317 ] [@ u4bar.dll@0x3b317 ] → [@ 1vbar.dll@0x3ab27 ] [@ 7dbar.dll@0x3ab27 ] [@ 2zbar.dll@0x3b3c7 ] [@ 64bar.dll@0x3ab27] [@ 79bar.dll@0x3ab27 ] [@ pabar.dll@0x3b317 ] [@ u4bar.dll@0x3b317 ] [@ 3vbar.dll@0x3b317 ]
Summary: Crash [@ 1vbar.dll@0x3ab27 ][@ 7dbar.dll@0x3ab27 ][@ 2zbar.dll@0x3b3c7 ][@ 64bar.dll@0x3ab27][@ 79bar.dll@0x3ab27 ][@ pabar.dll@0x3b317 ][@ u4bar.dll@0x3b317 ] with several add-on names of the same toolbar, mainly Smiley Central 1.1 → Crash with several add-on names of the same toolbar, mainly Smiley Central 1.1
Closing old blocklist bugs. Please reopen if the problem still exists.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
Product: addons.mozilla.org → Toolkit