Closed
Bug 1272955
Opened 8 years ago
Closed 2 years ago
Crash in pl_Def* with Browsec VPN addon
Categories
(NSPR :: NSPR, defect)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: lovemetal_vgf, Unassigned, NeedInfo)
Details
Crash Data
Can you help me with this annoying crash please? This bug was filed from the Socorro interface and is report bp-722c5678-da14-43a3-be5a-61d6a2160515. ============================================================= Thank you.
Do you have steps to reproduce? Did you test in safe mode and with a fresh profile?
Flags: needinfo?(lovemetal_vgf)
Comment 2•8 years ago
|
||
I see about 550 null deref crashes in the past 7 days in the following pl_Def* functions: pl_DefSend, pl_DefGetsocketoption, pl_DefGetsockname: https://crash-stats.mozilla.com/search/?signature=~pl_Def&address=%3D0x0&_facets=signature&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-signature They occur in versions between FF29 and FF49. I took a look at the minidump for one report (https://crash-stats.mozilla.com/report/index/d1dfbe93-3007-4f95-8c67-313912160522). It said that |fd->lower| was nullptr, which is not supposed to happen -- there is a |PR_ASSERT(fd->lower != NULL);| immediately before the crash point.
Crash Signature: [@ pl_DefSend] → [@ pl_DefSend]
[@ pl_DefGetsocketoption ]
[@ pl_DefGetsockname ]
Product: Firefox → Core
Summary: Crash in pl_DefSend → Crash in pl_Def*
Updated•8 years ago
|
Assignee: nobody → nobody
Component: General → Libraries
Product: Core → NSS
Version: 46 Branch → trunk
Reporter | ||
Comment 4•8 years ago
|
||
UPDATE: I deactivated the add-on Browsec and no more crashes.
Comment 5•8 years ago
|
||
(In reply to Nicholas Nethercote [:njn] from comment #2) > I see about 550 null deref crashes in the past 7 days in the following > pl_Def* functions: pl_DefSend, pl_DefGetsocketoption, pl_DefGetsockname: > > It said that |fd->lower| was nullptr, which is not supposed > to happen -- there is a |PR_ASSERT(fd->lower != NULL);| immediately before > the crash point. PR_ASSERT has no effect in opt builds. All those functions (pl_Def*) have to check the arguments they're using for nullptr.
Updated•8 years ago
|
Assignee: nobody → nobody
Component: Libraries → NSPR
Product: NSS → NSPR
Version: trunk → 4.12
Comment 6•8 years ago
|
||
> PR_ASSERT has no effect in opt builds. All those functions (pl_Def*) have to
> check the arguments they're using for nullptr.
The PR_ASSERT suggests that a null fd->lower is expected to be impossible, which suggests that there's a bug elsewhere. So the fix is, to me, unclear. We could just skip the call if fd->lower is null and return something (not sure what), but maybe that's no better than crashing?
Comment 7•8 years ago
|
||
(In reply to Nicholas Nethercote [:njn] from comment #2) > I took a look at the minidump for one report > (https://crash-stats.mozilla.com/report/index/d1dfbe93-3007-4f95-8c67- > 313912160522). It said that |fd->lower| was nullptr, For my education, where on that page do you see that fd->lower was NULL ?
Flags: needinfo?(kaie)
Updated•8 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 8•8 years ago
|
||
(In reply to Nicholas Nethercote [:njn] from comment #6) > We could just skip the call if fd->lower is null and return something (not > sure what), but maybe that's no better than crashing? I think we shouldn't crash in this scenario. If fd->lower is null, I think we're already in a corrupted state and shouldn't proceed further. If fd->lower is null, we have: - either memory corruption - or some sort of race, where a socket has already been closed/destroyed, but another thread is still operating on it.
Comment 9•8 years ago
|
||
> > I took a look at the minidump for one report > > (https://crash-stats.mozilla.com/report/index/d1dfbe93-3007-4f95-8c67- > > 313912160522). It said that |fd->lower| was nullptr, > > For my education, where on that page do you see that fd->lower was NULL ? It's not on that page. You have to download the minidump -- which requires minidump access privileges, which not everybody has -- and open it in MSVC. See https://developer.mozilla.org/en-US/docs/Mozilla/Debugging/Debugging_a_minidump for more details.
Comment 10•8 years ago
|
||
(100.0% in signature vs 00.30% overall) Addon "Browsec VPN" = true
Summary: Crash in pl_Def* → Crash in pl_Def* with Browsec VPN addon
Updated•6 years ago
|
Crash Signature: [@ pl_DefSend]
[@ pl_DefGetsocketoption ]
[@ pl_DefGetsockname ] → [@ pl_DefSend]
[@ pl_DefGetsocketoption ]
[@ pl_DefGetsockname ]
[@ static PRStatus pl_DefGetsockname]
Comment 11•2 years ago
|
||
Closing because no crashes reported for 12 weeks.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•