Opened 4 years ago

Closed 3 years ago

#17761 closed defect (worksforme)

Tor Browser is crashing while decoding ICO favicons

Reported by: teor
Owned by: tbb-team
Priority: Very High
Milestone: (none)
Component: Applications/Tor Browser
Version: (none)
Severity: Critical
Keywords: tbb-crash, TorBrowserTeam201604, ff45-esr-will-have
Cc: (none)
Actual Points: (none)
Parent ID: (none)
Points: (none)
Reviewer: (none)
Sponsor: None

Description

I am running Tor Browser 5.0.4 on OS X 10.11.1.

Tor Browser crashed when I opened a link from a PDF. I was reading the PDF fullscreen in Preview, clicked to open the link in Tor Browser (it's my default browser), then went to hide Tor Browser and switch back to the PDF. Tor Browser crashed.

I have attached a log of the crash.

The link was http://dud.inf.tu-dresden.de/Anon Terminology.shtml

Child Tickets

Attachments (1)

TBB_504_OSX_Crash.txt (65.9 KB) - added by teor 4 years ago.
Crash Log


Change History (18)

Changed 4 years ago by teor

Attachment: TBB_504_OSX_Crash.txt added

Crash Log

comment:1 Changed 4 years ago by gk

Keywords: tbb-crash TorBrowserTeam201512 added
Priority: Medium → High
Severity: Normal → Major
Status: new → needs_information

Is that reproducible? Do you have a link to the pdf document?

comment:2 in reply to: 1 Changed 4 years ago by teor

Replying to gk:

Is that reproducible? Do you have a link to the pdf document?

I can't reproduce it, but I do have some idea of some things that might have caused it:

  • The actual link contains an underscore, the link in the PDF contains a special character that pastes as a space.
  • I think Tor Browser was hidden before and / or after I clicked the link. I switched back to the PDF quickly.
  • It was the first time I'd accessed the site. (And therefore the first time Tor Browser rendered the favicon, which is the only image on the page.)

The link to the PDF is http://web.cs.ucdavis.edu/~rogaway/papers/moral-fn.pdf
The link I clicked is on Page 30, in footnote 130.

comment:3 Changed 4 years ago by teor

I can reproduce this crash using the following steps:

  1. Close and reopen Tor Browser
  2. Type "http://dud.inf.tu-dresden.de/Anon Terminology.shtml" into the address bar
    • Copy-paste or clicking the link in the PDF also causes the crash.
    • The full link is required. Any shorter links make it reproduce intermittently or not at all.
    • It doesn't matter whether the space is %-encoded or not.
    • It must be the first page you open after launch.
    • It must be the first time you access the 404 page on that site after launch.
  3. Wait for the page to load. Tor Browser crashes about 2-3 seconds after the page loads.
  • If it doesn't crash when you type in the link, try clicking the link in the PDF. It's the most reliable method I've found.

comment:4 Changed 4 years ago by gk

Priority: High → Very High
Severity: Major → Critical
Status: needs_information → assigned

Okay, I can see this on a 5.5a4-hardened build as well. Here is the stacktrace:

#0  0x00007fffeba6405b in mozilla::OffTheBooksMutex::Lock (this=this@entry=0x8)
    at ../../dist/include/mozilla/Mutex.h:69
#1  0x00007fffec94d8f0 in mozilla::Monitor::Lock (this=0x8)
    at ../../dist/include/mozilla/Monitor.h:35
#2  mozilla::MonitorAutoLock::MonitorAutoLock (aMonitor=..., this=0x7fffc9daf110)
    at ../../dist/include/mozilla/Monitor.h:78
#3  mozilla::image::imgFrame::ImageUpdated (this=0x0, aUpdateRect=...)
    at /home/ubuntu/build/tor-browser/image/src/imgFrame.cpp:667
#4  0x00007fffec938bc4 in mozilla::image::Decoder::PostInvalidation (
    this=this@entry=0x6160004aaf80, aRect=..., aRectAtTargetSize=...)
    at /home/ubuntu/build/tor-browser/image/src/Decoder.cpp:645
#5  0x00007fffec96371a in mozilla::image::nsBMPDecoder::WriteInternal (
    this=0x6160004aaf80, aBuffer=<optimized out>, aCount=<optimized out>)
    at /home/ubuntu/build/tor-browser/image/decoders/nsBMPDecoder.cpp:891
#6  0x00007fffec933a1a in mozilla::image::Decoder::Write (this=0x6160004aaf80, 
    aBuffer=<optimized out>, aCount=1152)
    at /home/ubuntu/build/tor-browser/image/src/Decoder.cpp:227
#7  0x00007fffec97323a in mozilla::image::nsICODecoder::WriteToContainedDecoder (
    this=this@entry=0x6140002e8040, aBuffer=aBuffer@entry=0x6210010b1d4e "", 
    aCount=aCount@entry=1152)
    at /home/ubuntu/build/tor-browser/image/decoders/nsICODecoder.cpp:599
#8  0x00007fffec97493c in mozilla::image::nsICODecoder::WriteInternal (
    this=0x6140002e8040, aBuffer=<optimized out>, aCount=<optimized out>)
    at /home/ubuntu/build/tor-browser/image/decoders/nsICODecoder.cpp:508
#9  0x00007fffec933a1a in mozilla::image::Decoder::Write (
    this=this@entry=0x6140002e8040, aBuffer=<optimized out>, aCount=2238)
    at /home/ubuntu/build/tor-browser/image/src/Decoder.cpp:227
#10 0x00007fffec9391e2 in mozilla::image::Decoder::Decode (
    this=this@entry=0x6140002e8040)
    at /home/ubuntu/build/tor-browser/image/src/Decoder.cpp:157
#11 0x00007fffec945962 in mozilla::image::DecodePool::Decode (this=0x60400011bc90, 
    aDecoder=0x6140002e8040)
    at /home/ubuntu/build/tor-browser/image/src/DecodePool.cpp:331
#12 0x00007fffec947d9a in mozilla::image::DecodeWorker::Run (this=<optimized out>)
    at /home/ubuntu/build/tor-browser/image/src/DecodePool.cpp:122
#13 0x00007fffebadc312 in nsThreadPool::Run (this=0x60c0000d2b80)
    at /home/ubuntu/build/tor-browser/xpcom/threads/nsThreadPool.cpp:225
#14 0x00007fffebaddcf2 in nsThread::ProcessNextEvent (this=0x60f00012b6e0, 
    aMayWait=<optimized out>, aResult=0x7fffc9dafbd0)
    at /home/ubuntu/build/tor-browser/xpcom/threads/nsThread.cpp:855
#15 0x00007fffebb13336 in NS_ProcessNextEvent (aThread=0x60f00012b6e0, 
    aMayWait=aMayWait@entry=false)
    at /home/ubuntu/build/tor-browser/xpcom/glue/nsThreadUtils.cpp:265
#16 0x00007fffebf2a1f5 in mozilla::ipc::MessagePumpForNonMainThreads::Run (
    this=0x6060001e8d80, aDelegate=0x61400010fe40)
    at /home/ubuntu/build/tor-browser/ipc/glue/MessagePump.cpp:339
#17 0x00007fffebef0924 in MessageLoop::RunHandler (this=0x61400010fe40)
    at /home/ubuntu/build/tor-browser/ipc/chromium/src/base/message_loop.cc:226
#18 MessageLoop::Run (this=this@entry=0x61400010fe40)
    at /home/ubuntu/build/tor-browser/ipc/chromium/src/base/message_loop.cc:200
#19 0x00007fffebae2a69 in nsThread::ThreadFunc (aArg=0x60f00012b6e0)
    at /home/ubuntu/build/tor-browser/xpcom/threads/nsThread.cpp:356
#20 0x00007ffff7f6d369 in _pt_root (arg=0x6120001204c0)
    at /home/ubuntu/build/tor-browser/nsprpub/pr/src/pthreads/ptthread.c:212
#21 0x00007ffff6c5d0a4 in start_thread (arg=0x7fffc9db0700) at pthread_create.c:309
#22 0x00007ffff5efd06d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

And this seems to be caused by one of our patches as I can't get it to crash on a vanilla ESR 38.4.0.

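The stack trace above shows the ICO decoder (nsICODecoder::WriteToContainedDecoder) feeding the BMP payload of a favicon into a contained nsBMPDecoder, which then dies on a null imgFrame. As an added example, and not code from Tor Browser or Mozilla, the following Python parser walks the ICO container that this decoder path consumes: a 6-byte ICONDIR, 16-byte ICONDIRENTRY records, and per-entry payloads that are either a PNG or a headerless BMP whose BITMAPINFOHEADER height is doubled (XOR bitmap stacked on the AND mask). It checks every entry's byte range against the file and the DIB header against the directory entry before anything would be decoded, which is the triage a practitioner wants when handed a favicon that crashes a browser. The sample ICO is constructed inline; the function names, error messages and the 2x2 dimensions are this example's own choices and say nothing about the root cause of the crash on this ticket.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

# ICO container layout (ICONDIR / ICONDIRENTRY), all fields little-endian.
ICONDIR_FMT = "<HHH"                    # reserved(0), type(1=ICO, 2=CUR), count
ICONDIRENTRY_FMT = "<BBBBHHII"          # width, height, colours, reserved, planes, bpp, bytes, offset
BITMAPINFOHEADER_FMT = "<IiiHHIIiiII"   # 40-byte DIB header of an embedded BMP (no BITMAPFILEHEADER)
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


class IcoError(ValueError):
    """Raised for any directory entry that must not be handed to a decoder."""


@dataclass
class IcoEntry:
    index: int
    width: int
    height: int
    bpp: int
    kind: str      # "bmp" or "png"
    payload: bytes


def parse_ico(data: bytes) -> list[IcoEntry]:
    """Validate the ICO directory and every embedded image before decoding."""
    if len(data) < 6:
        raise IcoError("truncated ICONDIR")
    reserved, ico_type, count = struct.unpack_from(ICONDIR_FMT, data, 0)
    if reserved != 0 or ico_type not in (1, 2):
        raise IcoError("not an ICO/CUR file")
    dir_end = 6 + 16 * count
    if dir_end > len(data):
        raise IcoError(f"directory claims {count} entries, file is {len(data)} bytes")
    entries = []
    for i in range(count):
        w, h, _colours, _rsv, _planes, bpp, size, offset = struct.unpack_from(
            ICONDIRENTRY_FMT, data, 6 + 16 * i)
        w, h = w or 256, h or 256  # a zero in the 8-bit size fields means 256
        # The payload must lie entirely inside the file body, after the directory.
        if offset < dir_end or size == 0 or offset + size > len(data):
            raise IcoError(f"entry {i}: image range [{offset}, {offset + size}) is outside the file")
        payload = data[offset:offset + size]
        if payload.startswith(PNG_MAGIC):
            kind = "png"  # PNG payloads carry their own length-checked chunks
        else:
            kind = "bmp"
            check_embedded_bmp(i, payload, w, h)
        entries.append(IcoEntry(i, w, h, bpp, kind, payload))
    return entries


def check_embedded_bmp(index: int, payload: bytes, dir_w: int, dir_h: int) -> None:
    """Cross-check the DIB header against the directory entry and the payload length."""
    if len(payload) < 40:
        raise IcoError(f"entry {index}: BMP payload shorter than BITMAPINFOHEADER")
    (bi_size, bi_w, bi_h, _planes, bpp, compression, _img_size,
     _xppm, _yppm, clr_used, _clr_imp) = struct.unpack_from(BITMAPINFOHEADER_FMT, payload, 0)
    if bi_size != 40 or compression != 0:  # only uncompressed (BI_RGB) DIBs handled here
        raise IcoError(f"entry {index}: unsupported DIB header")
    # Inside an ICO the DIB height is doubled: XOR colour bitmap plus 1-bpp AND mask.
    if bi_w != dir_w or bi_h != 2 * dir_h:
        raise IcoError(f"entry {index}: DIB {bi_w}x{bi_h} disagrees with directory {dir_w}x{dir_h}")
    if bpp not in (1, 4, 8, 16, 24, 32):
        raise IcoError(f"entry {index}: bad bit depth {bpp}")
    xor_row = ((bi_w * bpp + 31) // 32) * 4  # rows are padded to 4-byte boundaries
    and_row = ((bi_w + 31) // 32) * 4
    palette = (clr_used or (1 << bpp)) * 4 if bpp <= 8 else 0
    need = 40 + palette + (xor_row + and_row) * dir_h
    if len(payload) < need:
        raise IcoError(f"entry {index}: DIB needs {need} bytes, payload has {len(payload)}")


def is_well_formed(data: bytes) -> bool:
    try:
        parse_ico(data)
        return True
    except IcoError:
        return False


def build_sample_ico(width: int = 2, height: int = 2) -> bytes:
    """Constructed sample input: one 24-bpp BMP entry followed by one PNG-magic entry."""
    xor_row = ((width * 24 + 31) // 32) * 4
    and_row = ((width + 31) // 32) * 4
    dib = struct.pack(BITMAPINFOHEADER_FMT, 40, width, 2 * height, 1, 24, 0, 0, 0, 0, 0, 0)
    bmp = dib + bytes(xor_row * height) + bytes(and_row * height)
    png = PNG_MAGIC + bytes(8)  # magic only; enough to be classified as PNG
    dir_end = 6 + 16 * 2
    header = struct.pack(ICONDIR_FMT, 0, 1, 2)
    e_bmp = struct.pack(ICONDIRENTRY_FMT, width, height, 0, 0, 1, 24, len(bmp), dir_end)
    e_png = struct.pack(ICONDIRENTRY_FMT, width, height, 0, 0, 1, 32, len(png), dir_end + len(bmp))
    return header + e_bmp + e_png + bmp + png


def with_bmp_height(data: bytes, new_height: int) -> bytes:
    """Rewrite biHeight of the first entry's DIB, e.g. to drop the ICO doubling."""
    buf = bytearray(data)
    offset = struct.unpack_from(ICONDIRENTRY_FMT, buf, 6)[7]
    struct.pack_into("<i", buf, offset + 8, new_height)
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_ico()
    for e in parse_ico(sample):
        print(e.index, e.kind, f"{e.width}x{e.height}", f"{e.bpp} bpp", len(e.payload), "bytes")
    print("truncated file accepted:", is_well_formed(sample[:-4]))
    print("undoubled DIB height accepted:", is_well_formed(with_bmp_height(sample, 2)))
```

Run it against a real favicon with `parse_ico(open("favicon.ico", "rb").read())`; each IcoError names the entry and the check that failed, which is usually enough to tell a truncated download from a deliberately malformed directory. PNG payloads are only classified, not validated, since PNG chunk checking is a separate job.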
comment:5 Changed 4 years ago by cypherpunks

Isn't https://bugzilla.mozilla.org/show_bug.cgi?id=1155722

And this seems to be caused by one of our patches as I can't get it to crash on a vanilla ESR 38.4.0.

What about Private Browsing mode?

comment:6 in reply to: 5 Changed 4 years ago by gk

Replying to cypherpunks:

Isn't https://bugzilla.mozilla.org/show_bug.cgi?id=1155722

Might be. Especially as I am seeing in my Tor Browser log the fetching of favicons immediately before the crash is happening.

And this seems to be caused by one of our patches as I can't get it to crash on a vanilla ESR 38.4.0.

What about Private Browsing mode?

Does not change things for me.

comment:7 Changed 4 years ago by gk

Keywords: TorBrowserTeam201601 added; TorBrowserTeam201512 removed

Tickets for Jan 2016.

comment:8 Changed 4 years ago by gk

Keywords: TorBrowserTeam201602 added; TorBrowserTeam201601 removed

Putting stuff on the radar for February.

comment:9 Changed 4 years ago by gk

Keywords: TorBrowserTeam201603 added; TorBrowserTeam201602 removed

comment:10 Changed 4 years ago by gk

Thanks to a script linked to by cacahuatl on IRC a while ago I was able to reliably reproduce the crash and look at possible fixes. The good news is Mozilla has fixed this (in two stages):

First in https://bugzilla.mozilla.org/show_bug.cgi?id=1117607 which fixes the crash but still has issues with ICO decoding.

Second in https://bugzilla.mozilla.org/show_bug.cgi?id=1196066 which seems to fix the remaining issues.

So, this will be in ESR 45. Now, the bad news is that these fixes are too big to backport given that we are in full preparation for switching to ESR 45 which binds almost all of our resources.

Not sure yet if there is a smarter way handling this to get at least the crash fixed earlier.

comment:11 Changed 3 years ago by gk

Sponsor: None
Summary: OS X Crash on opening link from fullscreen application → Tor Browser is crashing while decoding ICO favicons

#18577 is a duplicate.

comment:12 Changed 3 years ago by bugzilla

Workaround for #17761, #18577 and #16747:
browser.chrome.site_icons set to false
(and, please, make it default for TBB until these vulnerabilities are fixed.)

comment:13 in reply to: 12 Changed 3 years ago by gk

Replying to bugzilla:

Workaround for #17761, #18577 and #16747:
browser.chrome.site_icons set to false
(and, please, make it default for TBB until these vulnerabilities are fixed.)

That does not help. And, no, setting browser.chrome.favicons to false does not help either.

Last edited 3 years ago by gk

comment:14 in reply to: 13 Changed 3 years ago by bugzilla

Replying to gk:

That does not help. And, no, setting browser.chrome.favicons to false does not help either.

On Win that is a win ;) And works as described by Mozilla: no loading of favicons. So no problems with it.
(browser.chrome.favicons entirely depends on site_icons, so it can't help.)

comment:15 Changed 3 years ago by gk

Keywords: TorBrowserTeam201604 added; TorBrowserTeam201603 removed

comment:16 Changed 3 years ago by gk

Keywords: ff45-esr-will-have added

comment:17 Changed 3 years ago by gk

Resolution: worksforme
Status: assigned → closed

Our nightlies already ship fixes for that and our alphas are about to do so, too. Let's close this ticket then.
