Socket process crashes in Symantec's IPSEng64 / IPSEng32
Categories
(External Software Affecting Firefox :: Other, defect)
Tracking
(firefox108 wontfix, firefox109 fixed)
People
(Reporter: jimm, Assigned: gstoll)
References
Details
Crash Data
Attachments
(3 files)
We tried to address this in bug 1743427, but that doesn't seem to be helping. We're still seeing these crashes in background threads at pretty high volume.
Comment 1•2 years ago
|
||
Bug 1743427, pre-spawn CIG is currently limited to early beta and earlier due to compat risks (bug 1704373).
Comment 2•2 years ago
|
||
The severity field is not set for this bug.
:haik, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 3•2 years ago
|
||
Some of these crashes are showing up on Socorro too.
Updated•2 years ago
|
Comment 4•2 years ago
|
||
Broadcom told us they believe this problem was fixed in version 17.2.7.51 of ipseng64.dll/ipseng32.dll.
Crashstats data support this. At this time, there aren't any instances of socket process crashes with version 17.2.7.51 or later of the 32-bit or 64-bit DLLs in the stack. Some crashes are showing up for other processes (main and content) with the new version.
Over the last two weeks, from module ping telemetry, 17.2.7.51 is the latest and most popular version of the DLL getting loaded by about 4x for each of 64-bit and 32-bit compared to the next most recent. Going back 4 weeks shows the new version being loaded about as often as the next most recent indicating adoption of the newest version is ramping up.
Hence we can expect this problem to go away over time as the later DLL version adoption continues. I'll take more time to look at the crashes in other processes to determine if a new bug should be filed for those.
Comment 5•2 years ago
|
||
The bug is linked to a topcrash signature, which matches the following criterion:
- Top 5 socket and utility process crashes on release
:haik, could you consider increasing the severity of this top-crash bug?
For more information, please visit auto_nag documentation.
Comment 6•2 years ago
|
||
Changing to S2 due to this being a top crasher for the socket process.
Assignee | ||
Comment 7•2 years ago
•
|
||
We can see from this query that more than 99% of these crashes for IPSEng64 are from versions before 17.2.7.51, and similarly for IPSEng32. So it looks like this issue is still fixed in later versions, but for some reason many people still have older versions of this DLL.
I'm not sure why this would be popping up again. I'll work on a query to see the usage of these versions over time; perhaps Symantec pushed out something recently that caused older versions to get installed?
Assignee | ||
Comment 8•2 years ago
|
||
Here's a view of the most common IPSEng64 versions over the last 7 days - looks like around 70% of clients are on version 17.2.7.51 or above. I think this is a good candidate for blocklisting versions before the fix.
Assignee | ||
Comment 9•2 years ago
|
||
Here is the DLL blocklist questionnaire:
-
How were we aware of the problem?
Showed up as a topcrasher for the socket process. -
What is a suspicious product causing the problem?
Symantec Endpoint Protection - Intrusion Detection -
Is the product downloadable? If so, do we have a local repro?
The product does not seem to be downloadable. It was in the past, but we were not able to reproduce the crash (see comment 9 on bug 1743427. Since we believe the issue has been fixed in more recent versions it seems even more unlikely we would be able to reproduce it now. -
Which OS versions does the problem occur on?
According to telemetry this is affecting all versions of Windows, with Windows 10 at around 86% of crashes. -
Which process types does the problem occur on?
This seems to only happen in the socket process. Unfortunately the blocklist does not currently support blocking a module only in the socket process. I plan on adding this functionality and only blocking this module in the socket process. -
What is the maximum version of the module in the crash reports?
Of the ~24K reports, only 2 have a version higher than 17.2.7.51. -
Is the issue fixed by a newer version of the product?
Yes, Broadcom believes this was fixed in version 17.2.7.51, and this is borne out by the crash reports. -
Do we have data about the module in the third-party-module ping?
Yes. -
Do we know how the module is loaded?
(NOTE: I believe this is true, but it would be nice to have confirmation that I'm interpreting this correctly) According to telemetry this is not a dependent module sinceis_dependent
is false. -
Describe your conclusion.
We should block ipseng64.dll and ipseng32.dll versions prior to 17.2.7.51 in the socket process only.
Assignee | ||
Comment 10•2 years ago
|
||
Assignee | ||
Comment 11•2 years ago
|
||
Depends on D160586
Assignee | ||
Updated•2 years ago
|
Comment 12•2 years ago
|
||
Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.
For more information, please visit auto_nag documentation.
Assignee | ||
Comment 13•2 years ago
|
||
There doesn't seem to be a good way to directly test the blocklisting in the socket/utility process, so I manually tested it for the socket process and added these automated tests that things blocklisted in the socket/utility process can load in other processes.
Depends on D160586
Comment 14•2 years ago
|
||
Pushed by gstoll@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c9a2bdc74bb5 part 1: add ability to blocklist DLLs in socket process. r=gerard-majax https://hg.mozilla.org/integration/autoland/rev/6c4278668c2f part 1.5: add tests for blocklists in socket and utility processes. r=handyman
Comment 15•2 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/c9a2bdc74bb5
https://hg.mozilla.org/mozilla-central/rev/6c4278668c2f
Comment 16•2 years ago
|
||
There's a patch attached to this bug that hasn't been landed yet. Is that an oversight? Alternatively, should this bug be left open for now?
Updated•2 years ago
|
Assignee | ||
Comment 17•2 years ago
|
||
Yeah, the ability to blocklist DLLs for just the socket process went in, but actually using that blocklist to block IPSEng64/IPSEng32 has not. Reopening (and thanks!)
Updated•2 years ago
|
Comment 18•1 year ago
|
||
Pushed by gstoll@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/2a1fec837d80 part 2: blocklist DLL in socket process only. r=handyman
Assignee | ||
Comment 19•1 year ago
|
||
After the configuration change, I see very few crashes with newer versions but it's still relatively common with older ones, so I'm going to block just older versions.
Comment 20•1 year ago
|
||
bugherder |
Comment 21•1 year ago
|
||
The patch landed in nightly and beta is affected.
:gstoll, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox108
towontfix
.
For more information, please visit auto_nag documentation.
Assignee | ||
Updated•1 year ago
|
Description
•