849501 - crash in mozilla::safebrowsing::KnockoutSubs with AMD Athlon XP processors

Status: RESOLVED WONTFIX

(Toolkit :: Safe Browsing, defect, P5)

Description

[Scoobidiver (away)]

It's currently #41 browser crasher in the first day of 19.0.2 and first showed up in 19.0.2. It's likely a regression from bug 848644 although 20.0b4, 21.0a2 and 22.0a1 are so far unaffected.

It seems related to viewing videos according to comments.

Signature 	mozilla::safebrowsing::KnockoutSubs<mozilla::safebrowsing::SubComplete, mozilla::safebrowsing::AddComplete> More Reports Search
UUID	b569eded-5e1e-4d76-8c8e-dbe092130309
Date Processed	2013-03-09 06:25:37
Uptime	285
Last Crash	4.8 minutes before submission
Install Age	3.6 hours since version was first installed.
Install Time	2013-03-09 02:49:59
Product	Firefox
Version	19.0.2
Build ID	20130307023931
Release Channel	release
OS	Windows NT
OS Version	5.1.2600 Service Pack 3
Build Architecture	x86
Build Architecture Info	AuthenticAMD family 6 model 10 stepping 0
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x7900000
User Comments	あくしろよ
App Notes 	
AdapterVendorID: 0x1039, AdapterDeviceID: 0x6330, AdapterSubsysID: 125810cf, AdapterDriverVersion: 6.14.10.3570
D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers- 
Processor Notes 	sp-processor01.phx1.mozilla.com_6524:2008
EMCheckCompatibility	True
Adapter Vendor ID	0x1039
Adapter Device ID	0x6330
Total Virtual Memory	2147352576
Available Virtual Memory	1842114560
System Memory Use Percentage	66
Available Page File	1942925312
Available Physical Memory	346341376

Frame 	Module 	Signature 	Source
0 	xul.dll 	mozilla::safebrowsing::KnockoutSubs<mozilla::safebrowsing::SubComplete,mozilla:: 	toolkit/components/url-classifier/HashStore.cpp:881
1 	xul.dll 	mozilla::safebrowsing::HashStore::ProcessSubs 	toolkit/components/url-classifier/HashStore.cpp:999
2 	xul.dll 	mozilla::safebrowsing::HashStore::Rebuild 	toolkit/components/url-classifier/HashStore.cpp:507
3 	xul.dll 	mozilla::safebrowsing::Classifier::ApplyTableUpdates 	toolkit/components/url-classifier/Classifier.cpp:713
4 	xul.dll 	mozilla::safebrowsing::Classifier::ApplyUpdates 	toolkit/components/url-classifier/Classifier.cpp:384
5 	xul.dll 	nsUrlClassifierDBServiceWorker::ApplyUpdate 	toolkit/components/url-classifier/nsUrlClassifierDBService.cpp:638
6 	xul.dll 	nsUrlClassifierDBServiceWorker::FinishUpdate 	toolkit/components/url-classifier/nsUrlClassifierDBService.cpp:612
7 	xul.dll 	nsRunnableMethodImpl<tag_nsresult 	obj-firefox/dist/include/nsThreadUtils.h:367
8 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:627
9 	xul.dll 	nsThread::ThreadFunc 	xpcom/threads/nsThread.cpp:265
10 	nspr4.dll 	_PR_NativeRunThread 	nsprpub/pr/src/threads/combined/pruthr.c:395
11 	nspr4.dll 	pr_root 	nsprpub/pr/src/md/windows/w95thred.c:90
12 	msvcr100.dll 	_callthreadstartex 	f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c:314
13 	msvcr100.dll 	_threadstartex 	f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c:292
14 	kernel32.dll 	BaseThreadStart 	

More reports at:
https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Asafebrowsing%3A%3AKnockoutSubs%3Cmozilla%3A%3Asafebrowsing%3A%3ASubComplete%2C+mozilla%3A%3Asafebrowsing%3A%3AAddComplete%3E

Comment 1

[Scoobidiver (away)]

It seems there are a few crashes in 19.0 and below with a related signature: https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Asafebrowsing%3A%3AKnockoutSubs%3Cmozilla%3A%3Asafebrowsing%3A%3ASubPrefix%2C+mozilla%3A%3Asafebrowsing%3A%3AAddPrefix%3E

Comment 2

[Gian-Carlo Pascutto [:gcp]]

The stacks aren't making any sense. Nor does this suddenly appearing in 19.0.2. Is some plugin pissing on our stack? (Would correlate with showing video...)

Comment 3

[Scoobidiver (away)]

Comments about videos are from the same user. Other comments mention Facebook, restoring tabs or nothing specifically.

Correlations are broken but a manual check of a few crash reports shows no correlation to some extensions or DLLs.

Comment 4

[Scoobidiver (away)]

It's now #34 top browser crasher in 19.0.2.

Correlations are now available and it's not correlated to something.

Comment 5

[Gian-Carlo Pascutto [:gcp]]

The stacks are completely bogus. We're supposed to be crashing here:
http://hg.mozilla.org/releases/mozilla-release/annotate/6ffe3e9da8a8/toolkit/components/url-classifier/HashStore.cpp#l887

 ++addIter;

this is defined as:

 TAdd* addIter = aAdds->Elements();

So, it's crashing when incrementing a pointer on the stack. I don't think that's possible.

89% of the crashes are on Windows XP. 96% even for the other signature.

Comment 6

[Robert Kaiser]

A few URLs:

10 	http://www.facebook.com/
10 	about:blank
8 	https://www.facebook.com/
6 	about:sessionrestore
6 	http://www.globalresearch.ca/the-legacy-of-hugo-chavez-the-revolution-within-the-revolution-will-continue/5325652
6 	http://play.cultures-online.de/co/bin/index.php
5 	http://www.youtube.com/watch?v=7FGWyyQoG38
4 	http://apps.facebook.com/farmville-two//index.php
4 	https://www.facebook.com/home.php
6 	http://espn.go.com/espnradio/
3 	http://www.gewinnspiele-info.de/


Scoobidiver, please don't randomly request URLs, this should only be done when QA or devs are actively working on reproducing and think they need it. It takes already-busy people multiple minutes to gather URLs because we need to look through them and sanitize them, and a bugs that cuts off longs URLs makes things even harder.

Comment 7

[Gian-Carlo Pascutto [:gcp]]

I also did a random sample on the reports and *all* of them were old AMD machines running Windows XP. Seriously, I think this signature are people with broken hardware.

Comment 8

[Scoobidiver (away)]

Not all have an AMD GPU, some have a VIA, S3 Graphics, SIS, NVIDIA or an unknown GPU, but all have Direct3D10 disabled via the graphics blocklist feature

Comment 9

[Gian-Carlo Pascutto [:gcp]]

I doubt this has anything to do with graphics. As I said, they're all old machines (which is likely why D10 is disabled) with old AMD *CPUs*. Not that I think the CPUs itself are broken, but my best guess is that these are all so-so quality mainboards with so-so quality chipsets and so-so quality RAM :P

I don't know why they would bomb out in this piece of code specifically, but one aspect of SafeBrowsing is that it regularly runs in the background even if the machine is idle otherwise.

Comment 10

[Scoobidiver (away)]

It happens only on two kinds of processor:
* AuthenticAMD family 6 model 8 stepping 1: AMD Athlon XP
* AuthenticAMD family 6 model 10 stepping 0: AMD Athlon XP

Comment 11

[Alex Keybl [:akeybl]]

+bsmedberg since this may point to another hardware/build-specific crash
+ehsan in case he can imagine any correlation between bug 848644 and this crash (I sincerely doubt it)

Since this isn't a top crash, I'm not even sure we'll have the time to get our hands on the devices in comment 10. No current plans to track for upcoming releases.

Comment 12

[Benjamin Smedberg]

This bug appears to occur also only on graphics adapter vendor 0x1106 (VIA) and 0x1039 (SIS).

It's interesting because it has the some of the characteristics of "the AMD crasher" but doesn't occur with the AMD graphics cards, but does occur with the AMD processors.

It's really hard to correlate against CPUs because of the populations sizes and variability, but I can try to run a report to see whether there are clear non-independence markers.

I'll pull a minidump tomorrow to look for the markers of 2-byte memory corruption we've seen in the past.

Comment 13

[(no longer active)]

I own private browsing, not safebrowsing, so I'm not sure if I can help a lot here.

Comment 14

[Scoobidiver (away)]

It spiked in 21.0b3.

Comment 15

[François Marier [:francois]]

Marking as WONTFIX since it's an old crash and appears to be specific to some old hardware we don't have.