731565 - Startup crash in nsSSLIOLayerHelpers::Init

Status: RESOLVED WORKSFORME

(Core :: Security, defect)

Description

[Marcia Knous [:marcia]]

This bug was filed from the Socorro interface and is 
report bp-137a7d0d-aa5d-4442-9f14-4bcef2120228 .
============================================================= 

Seen while looking at the explosive report. Crash present in 10.0.2 but also in other versions such as 11.0b4. https://crash-stats.mozilla.com/report/list?signature=PR_NewPollableEvent.

No real helpful comments but one user mentions Firefox crashes all the time and won't open.

There is another similar signature [@ je_calloc | je_malloc | PR_NewPollableEvent ] that might be related, but the stack in that is a bit different than this crash and has many comments in Russian.

Frame 	Module 	Signature [Expand] 	Source
0 		@0xad050290 	
1 	nspr4.dll 	PR_NewPollableEvent 	nsprpub/pr/src/io/prpolevt.c:178
2 	xul.dll 	nsSSLIOLayerHelpers::Init 	security/manager/ssl/src/nsNSSIOLayer.cpp:2120
3 	xul.dll 	nsNSSComponent::Init 	security/manager/ssl/src/nsNSSComponent.cpp:1980
4 	xul.dll 	nsNSSComponentConstructor 	security/manager/ssl/src/nsNSSModule.cpp:211
5 	xul.dll 	mozilla::GenericFactory::CreateInstance 	obj-firefox/xpcom/build/GenericFactory.cpp:48
6 	xul.dll 	nsComponentManagerImpl::CreateInstanceByContractID 	xpcom/components/nsComponentManager.cpp:1299
7 	xul.dll 	nsComponentManagerImpl::GetServiceByContractID 	xpcom/components/nsComponentManager.cpp:1701
8 	xul.dll 	nsCOMPtr_base::assign_from_gs_contractid 	obj-firefox/xpcom/build/nsCOMPtr.cpp:132
9 	xul.dll 	nsCOMPtr<nsINSSComponent>::nsCOMPtr<nsINSSComponent> 	obj-firefox/dist/include/nsCOMPtr.h:657
10 	xul.dll 	EnsureNSSInitialized 	security/manager/ssl/src/nsNSSComponent.cpp:344
11 	xul.dll 	nsSecretDecoderRingConstructor 	security/manager/ssl/src/nsNSSModule.cpp:221
12 	xul.dll 	mozilla::GenericFactory::CreateInstance 	obj-firefox/xpcom/build/GenericFactory.cpp:48
13 	xul.dll 	nsComponentManagerImpl::CreateInstance 	xpcom/components/nsComponentManager.cpp:1212
14 	xul.dll 	nsComponentManagerImpl::GetService 	xpcom/components/nsComponentManager.cpp:1505
15 	xul.dll 	nsJSCID::GetService 	js/xpconnect/src/XPCJSID.cpp:821
16 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102
17 	xul.dll 	XPC_WN_CallMethod 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1554
18 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:629
19 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:3948
20 	xul.dll 	xul.dll@0xc9159b 	
21 	mozjs.dll 	js::ContextStack::pushInvokeFrame 	js/src/vm/Stack.cpp:691
22 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:647
23 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5199
24 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/xpconnect/src/XPCWrappedJSClass.cpp:1530
25 		@0x72b21c4 	
26 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:3491
27 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:584
28 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:647
29 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:679
30 	mozjs.dll 	js::InvokeGetterOrSetter 	js/src/jsinterp.cpp:716
31 	mozjs.dll 	js::Shape::set 	js/src/jsscopeinlines.h:303
32 	mozjs.dll 	js_SetPropertyHelper 	js/src/jsobj.cpp:6193
33 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:3741
34 	mozjs.dll 	js::ContextStack::pushInvokeFrame 	js/src/vm/Stack.cpp:691
35 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:647
36 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5199
37 	xul.dll 	nsXPCWrappedJSClass::CallMethod 	js/xpconnect/src/XPCWrappedJSClass.cpp:1530

Comment 1

[Marcia Knous [:marcia]]

Some manual correlations for 10.0.2:

PR_NewPollableEvent|EXCEPTION_ACCESS_VIOLATION_READ (64 crashes)
    100% (64/64) vs.   1% (1088/73258) mfc42.dll
    100% (64/64) vs.   6% (4293/73258) msvcp60.dll
     94% (60/64) vs.   1% (443/73258) mfc42loc.dll
     95% (61/64) vs.  55% (39997/73258) iphlpapi.dll
     95% (61/64) vs.  55% (40046/73258) hnetcfg.dll
     95% (61/64) vs.  55% (40505/73258) wshtcpip.dll
     95% (61/64) vs.  56% (40841/73258) comres.dll
     39% (25/64) vs.   0% (318/73258) ISWUL.dll
     39% (25/64) vs.   0% (318/73258) ISWFWMON.dll
     39% (25/64) vs.   0% (318/73258) ISWDMP.dll
     39% (25/64) vs.   0% (360/73258) ISWSHEX.dll
     95% (61/64) vs.  57% (42053/73258) ws2help.dll
     92% (59/64) vs.  70% (51252/73258) secur32.dll
     28% (18/64) vs.  19% (13929/73258) msctfime.ime
     30% (19/64) vs.  22% (16358/73258) MSCTFIME.IME
    100% (64/64) vs.  93% (68224/73258) crypt32.dll
    100% (64/64) vs.  93% (68231/73258) msasn1.dll
     42% (27/64) vs.  36% (26322/73258) samlib.dll
      9% (6/64) vs.   3% (2322/73258) serwvdrv.dll
      9% (6/64) vs.   3% (2322/73258) umdmxfrm.dll
    100% (64/64) vs.  95% (69349/73258) softokn3.dll
    100% (64/64) vs.  95% (69391/73258) firefox.exe
    100% (64/64) vs.  95% (69418/73258) xpcom.dll
      6% (4/64) vs.   1% (798/73258) Syncor11.dll
    100% (64/64) vs.  95% (69520/73258) dbghelp.dll

Comment 2

[Honza Bambas (:mayhemer)]

Just for info, this code has changed in bug 674147.  There is no longer any call to PR_NewPollableEvent from nsNSSComponent.

We do another call to PR_NewPollableEvent in socket transport service, AFAIK, that call was always happening before call of PR_NewPollableEvent from nsNSSComponent.

So, the second call to it may be the cause here.  But on m-c there is now just a single one.  If the presumption is wrong we may start crashing on a different place.

My guess is we crash some AV software.  On windows this function creates a local loopback connection.  Some AV software disallows that and may interfere with this crash potentially.

Comment 3

[Virtual_ManPL [:Virtual] 🇵🇱 - (please needinfo? me - so I will see your comment/reply/question/etc.)]

I'm marking this bug as WORKSFORME as bug crashlog signature didn't appear from a long time (over half year) in Firefox.