1507141 - Crash in mozilla::net::nsSocketTransportService::Run

Status: RESOLVED INCOMPLETE

(Core :: Networking, defect, P2)

Description

[Marcia Knous [:marcia]]

This bug was filed from the Socorro interface and is
report bp-c31f7861-a9a5-459a-a805-38eaa0181025.
=============================================================

Seen while looking at nightly crash stats https://bit.ly/2PSL1tR. Mac crashes on nightly go back to at least 20181023100120. 11 crashes/5 installs in the last 2 weeks. There are a few instances of this crash signature in other branches, but it is much more noticeable in nightly.

Top 10 frames of crashing thread:

0  @0x8010a77bced 
1 XUL mozilla::net::nsSocketTransportService::Run netwerk/base/nsSocketTransportService2.cpp:579
2 XUL non-virtual thunk to mozilla::net::nsSocketTransportService::Run netwerk/base/nsSocketTransportService2.cpp
3 XUL nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1245
4 XUL NS_ProcessNextEvent xpcom/threads/nsThreadUtils.cpp:530
5 XUL mozilla::ipc::MessagePumpForNonMainThreads::Run ipc/glue/MessagePump.cpp:334
6 XUL nsThread::ThreadFunc ipc/chromium/src/base/message_loop.cc:325
7 libnss3.dylib _pt_root nsprpub/pr/src/pthreads/ptthread.c:201
8 libsystem_pthread.dylib _pthread_body 
9 libsystem_pthread.dylib _pthread_start 

=============================================================

Comment 1

[Julien Cristau [:jcristau]]

Not a new regression, volume is not too high.

Comment 2

[Valentin Gosu [:valentin] (he/him)]

What stands out from the crash reports is that this is a content process crash.

Comment 3

[Honza Bambas (:mayhemer)]

P3 based on comment 1.  This is also hard to act on.

Comment 4

[Honza Bambas (:mayhemer)]

(In reply to Valentin Gosu [:valentin] from comment #2)
> What stands out from the crash reports is that this is a content process
> crash.

Can you show how you determine that?

Comment 5

[Valentin Gosu [:valentin] (he/him)]

(In reply to Honza Bambas (:mayhemer) from comment #4)
> (In reply to Valentin Gosu [:valentin] from comment #2)
> > What stands out from the crash reports is that this is a content process
> > crash.
> 
> Can you show how you determine that?

I was looking at the more reports dashboard.
In fact they are not all content process crashes, just a few of them. At it seems they are crashing in different places in the method, not in PR_Poll.

Comment 6

[Liz Henry (:lizzard) (relman/hg->git project)]

Marking fix-optional for 65 and 66 since it is already triaged and has a priority set. We can still take a patch in nightly.

Comment 7

[Marcia Knous [:marcia]]

Adding 67 as affected. Still fairly low volume. In 66.0b4 this is flagged as a startup crash, but there are relatively few crashes.

Comment 8

[Marcia Knous [:marcia]]

Adding another signature seen in nightly crash triage.

Comment 9

[Marcia Knous [:marcia]]

Adding another signature. There are a number of comments in these various signatures that reference Twitter, and the URLs in the Mac crashes are almost exclusively Twitter:

*https://twitter.com/home

Perhaps this is a dupe of one of the other bugs such as Bug 1521922? Adding Adam for his thoughts.

Comment 10

[Adam Stevenson [:adamopenweb]]

Without steps to reproduce I don't think Twitter will be able to help much here unfortunately. I reached out about #1521922 but nothing came of it.

Comment 11

[Marcia Knous [:marcia]]

I took a look at the correlations for the signature that is the highest volume. Here is what it shows on Nightly:

(84.62% in signature vs 03.21% overall) Addon "React Developer Tools" = true
(76.92% in signature vs 06.08% overall) reason = EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
(76.92% in signature vs 10.18% overall) Addon "Firefox Multi-Account Containers" = true
(61.54% in signature vs 01.81% overall) Addon "onepassword4@agilebits.com" = true
(61.54% in signature vs 04.01% overall) Module "SpotlightIndex" = true
(61.54% in signature vs 04.45% overall) Module "CloudDocs" = true
(53.85% in signature vs 00.55% overall) Addon "Cetus" = true
(53.85% in signature vs 00.71% overall) Addon "{b1f2a5fa-600c-4a9a-bb5d-ec3849f1bbe7}" = true
(53.85% in signature vs 00.89% overall) Addon "zotero@chnm.gmu.edu" = true
(53.85% in signature vs 01.28% overall) Addon "https-everywhere-eff@eff.org" = true
(53.85% in signature vs 01.63% overall) Addon "Refined GitHub" = true
(53.85% in signature vs 01.73% overall) Addon "jid1-MnnxcxisBPnSXQ-eff@jetpack" = true
(53.85% in signature vs 01.99% overall) Addon "Firefox Pioneer" = true
(53.85% in signature vs 04.07% overall) Addon "Greasemonkey" = true

Several of the other signature appear to have a password manager installed, such as support@lastpass.com. So that seems to be the one common denominator I have seen in the reports so far.

Comment 12

[Marcia Knous [:marcia]]

Bug 1528756 has a user that is hitting this regularly, and he does have a password manager installed.

Comment 13

[Marcia Knous [:marcia]]

Adding another nightly Mac signature seen during triage. One of the 2 URLs is https://twitter.com/home. I also pinged the reporter in the Bug in Comment 12 to see if they have STR.

Comment 14

[Pascal Chevrel:pascalc]

6 to 10 crashes per beta in 67, the bug is not currently assigned and we are past the beta cycle midpoint, so wontfix for 67.

There are crashes on Windows and Android as well, updating flags accordingly.

Comment 15

[Patricia Lawless]

Bulk change of P3 carryover bugs to wontfix for 68.

Comment 16

[Marcia Knous [:marcia]]

This is low enough volume now that we might consider just closing this one out.

Comment 17

[:Atoll]

I encountered this crash while Nightly 2022-04-24 was idle overnight. Same stack trace as usual, with stack smashing protections terminating the process. I have no about:crashes recorded since 2021-06 so I have no idea if Socorro receives this. needinfo? if more information is necessary.

Thread 5 Crashed:: Socket Thread
0 libsystem_kernel.dylib 0x7ff80991e00e __pthread_kill + 10
1 libsystem_pthread.dylib 0x7ff8099541ff pthread_kill + 263
2 libsystem_c.dylib 0x7ff80989fdbe __abort + 139
3 libsystem_c.dylib 0x7ff80988bb8c __stack_chk_fail + 100
4 libnss3.dylib 0x108c8b322 poll + 626
5 libnss3.dylib 0x108c9196b PR_Poll + 651
6 XUL 0x126b8d583 mozilla::net::nsSocketTransportService::Run() + 2067
7 XUL 0x126b8efad non-virtual thunk to mozilla::net::nsSocketTransportService::Run() + 13
8 XUL 0x126ad7372 nsThread::ProcessNextEvent(bool, bool*) + 6434
9 XUL 0x126d4e368 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) + 216
10 XUL 0x126d0ad20 MessageLoop::Run() + 80
11 XUL 0x126acc8c0 nsThread::ThreadFunc(void*) + 240
12 libnss3.dylib 0x108c95186 _pt_root + 310
13 libsystem_pthread.dylib 0x7ff8099544e1 _pthread_start + 125
14 libsystem_pthread.dylib 0x7ff80994ff6b thread_start + 15

Comment 18

[Randell Jesup [:jesup] (needinfo me)]

Many of these crashes are wildptr crashes. A single clear UAF (5e5e) in ~400 crashes, so I'm not marking this bug as UAF currently.

Comment 19

[Randell Jesup [:jesup] (needinfo me)]

Only signatures seen in the last 6 months are:
mozilla::net::nsSocketTransportService::Run
PR_Poll | mozilla::net::nsSocketTransportService::Run

Comment 20

[Randell Jesup [:jesup] (needinfo me)]

Oddly I see multiple crashes with Crash Address 0x0000000100000000, and others that are very close to that. Interesting pattern...

Comment 21

[BugBot [:suhaib / :marco/ :calixte]]

The severity field for this bug is set to S3. However, the bug is flagged with the sec-high keyword.
:valentin, could you consider increasing the severity of this security bug?

For more information, please visit auto_nag documentation.

Comment 22

[Tom Ritter [:tjr]]

Only PR_Poll | mozilla::net::nsSocketTransportService::Run and mozilla::net::nsSocketTransportService::Run are still active signatures, PR_Poll just barely. There are a small number of crashes on recent versions, a variety of reasons, platforms, and arches. A minority percent on uaf addresses, a minority percent on nullish addresses... This seems to be a real splattering of different issues. We're trying to close unactionable bugs and right now this seems like it would need a close triage to separate out a single category of issue to track.

Comment 23

[BugBot (nomail) [:suhaib / :marco/ :calixte]]

Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit BugBot documentation.