Last Comment Bug 321024 - Crash in nsCryptoHash during shutdown of nsUrlClassifierDBService [@ nsUrlClassifierDBService::Shutdown][@ NSSRWLock_LockRead]
: Crash in nsCryptoHash during shutdown of nsUrlClassifierDBService [@ nsUrlCla...
[kerh-bra] [need testcase]
: crash, fixed1.8.1.8, topcrash
Product: Core
Classification: Components
Component: Security: PSM (show other bugs)
: Trunk
: All All
: -- major (vote)
: ---
Assigned To: Benjamin Smedberg [:bsmedberg]
: David Keeler [:keeler] (use needinfo?)
: 366528 376709 (view as bug list)
Depends on:
Blocks: 376709
  Show dependency treegraph
Reported: 2005-12-20 16:38 PST by Darin Fisher
Modified: 2011-06-13 10:01 PDT (History)
24 users (show)
dveditz: blocking1.8.1.8+
dveditz: wanted1.8.1.x+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

JS stack from shutdown crash (3.63 KB, text/plain)
2007-02-23 14:23 PST, Robert Sayre
no flags Details
v1: no js callbacks during shutdown (4.33 KB, patch)
2007-04-07 19:11 PDT, Tony Chang (Google)
no flags Details | Diff | Splinter Review
v2: no js callbacks during shutdown (4.40 KB, patch)
2007-04-09 11:43 PDT, Tony Chang (Google)
darin.moz: review+
Details | Diff | Splinter Review
We should observe a much earlier topic, rev. 1 (2.18 KB, patch)
2007-07-11 09:38 PDT, Benjamin Smedberg [:bsmedberg]
tony: review+
Details | Diff | Splinter Review
Branch rollup patch (6.37 KB, patch)
2007-07-12 09:21 PDT, Benjamin Smedberg [:bsmedberg]
dveditz: approval1.8.1.8+
Details | Diff | Splinter Review

Description Darin Fisher 2005-12-20 16:38:37 PST
Crash if nsCryptoHash is used from xpcom-startup

It crashes inside HASH_Begin, and I'm not sure what is going on exactly since NS_NSS_GENERIC_FACTORY_COSNTRUCTOR ensures that NSS has been initialized before it hands back the nsICryptoHash implementation.
Comment 1 Doug Turner (:dougt) 2005-12-20 17:44:17 PST
doesn't psm / nss need a profile before it will work correctly?
Comment 2 Darin Fisher 2005-12-20 17:50:06 PST
Yes, but there is a profile ;-)  Firefox selects a profile before starting XPCOM.
Comment 3 Benjamin Smedberg [:bsmedberg] 2005-12-20 17:51:34 PST
PSM requires a profile? Why? In profileless situations can't it use the default certs?
Comment 4 Doug Turner (:dougt) 2005-12-20 18:25:46 PST
Mozilla requires some profile directory.  For nss/psm, they find the secmod, cert, key, db's in this directory.  Of course, you can start NSS in readonly mode.
Comment 5 Christian :Biesinger (don't email me, ping me on IRC) 2005-12-21 04:39:56 PST
bug 309877 is about making PSM/NSS work w/o profile
Comment 6 Darin Fisher 2005-12-21 08:40:48 PST
Stack trace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 4678)]
0x40767c8c in NSSRWLock_LockRead () from /usr/local/fritz/firefox/
(gdb) bt
#0  0x40767c8c in NSSRWLock_LockRead ()
  from /usr/local/fritz/firefox/
#1  0x407458f7 in SECMOD_GetReadLock ()
  from /usr/local/fritz/firefox/
#2  0x407555b8 in PK11_GetAllTokens () from /usr/local/fritz/firefox/
#3  0x407557bf in PK11_GetBestSlotMultiple ()
  from /usr/local/fritz/firefox/
#4  0x4075598d in PK11_GetBestSlot () from /usr/local/fritz/firefox/
#5  0x407441b9 in PK11_CreateDigestContext ()
  from /usr/local/fritz/firefox/
#6  0x40737eaa in CERT_DecodeCRLDistributionPoints ()
  from /usr/local/fritz/firefox/
#7  0x40738159 in HASH_Create () from /usr/local/fritz/firefox/
#8  0x08676160 in nsXPTCVariant::Init ()
#9  0x4012f60b in XPTC_InvokeByIndex ()
  from /usr/local/fritz/firefox/
#10 0x080a14f8 in nsTHashtable<nsBaseHashtableET<nsDepCharHashKey,
nsAutoPtr<nsINIParser::INIValue> > >::~nsTHashtable ()
#11 0x080a6c74 in nsTHashtable<nsBaseHashtableET<nsDepCharHashKey,
nsAutoPtr<nsINIParser::INIValue> > >::~nsTHashtable ()
#12 0x4004f90d in js_Invoke () from /usr/local/fritz/firefox/
#13 0x4005863b in js_Interpret () from /usr/local/fritz/firefox/
#14 0x4004f9be in js_Invoke () from /usr/local/fritz/firefox/
#15 0x40053e5b in js_Interpret () from /usr/local/fritz/firefox/
#16 0x4004f9be in js_Invoke () from /usr/local/fritz/firefox/
#17 0x40053e5b in js_Interpret () from /usr/local/fritz/firefox/
#18 0x4004f9be in js_Invoke () from /usr/local/fritz/firefox/
#19 0x40053e5b in js_Interpret () from /usr/local/fritz/firefox/
#20 0x4004f9be in js_Invoke () from /usr/local/fritz/firefox/
#21 0x40053e5b in js_Interpret () from /usr/local/fritz/firefox/
#22 0x4004f9be in js_Invoke () from /usr/local/fritz/firefox/
#23 0x40053e5b in js_Interpret () from /usr/local/fritz/firefox/
#24 0x4004f9be in js_Invoke () from /usr/local/fritz/firefox/
#25 0x0809d314 in nsTHashtable<nsBaseHashtableET<nsDepCharHashKey,
nsAutoPtr<nsINIParser::INIValue> > >::~nsTHashtable ()
#26 0x0809b4d4 in nsTHashtable<nsBaseHashtableET<nsDepCharHashKey,
nsAutoPtr<nsINIParser::INIValue> > >::~nsTHashtable ()
#27 0x4012f730 in XPTC_InvokeByIndex ()
  from /usr/local/fritz/firefox/
#28 0x40111efa in NS_CreateServicesFromCategory ()
  from /usr/local/fritz/firefox/
#29 0x400e4e28 in NS_InitXPCOM3_P ()
  from /usr/local/fritz/firefox/
Comment 7 Kai Engert (:kaie) 2005-12-21 09:07:49 PST
Darin: We saw yesterday, that EnsureNSSInitialized does not return a possible failure, and therefore PSM services might get loaded, even if there is a problem with NSS databases.

Did you verify the call to NSS_InitReadWrite in nsNSSComponent::InitializeNSS succeeds?
Comment 8 Darin Fisher 2005-12-21 09:17:54 PST
> Did you verify the call to NSS_InitReadWrite in nsNSSComponent::InitializeNSS
> succeeds?

Nope, I have not.  That would be a good thing to test when I have a chance.
Comment 9 :Gavin Sharp [email:] 2007-01-10 11:33:47 PST
*** Bug 366528 has been marked as a duplicate of this bug. ***
Comment 10 Jesse Ruderman 2007-02-21 20:29:29 PST
On Mac, this happens to several out of every thousand Firefox instances (see bug 366528).  I think that makes it a topcrash.
Comment 11 Robert Sayre 2007-02-23 14:23:35 PST
Created attachment 256217 [details]
JS stack from shutdown crash
Comment 12 Tony Chang (Google) 2007-02-23 15:26:53 PST
It sounds like this happens if NSS hits shutdown before nsUrlClassifierDBService (anti-phishing thread).  During xpcom-shutdown, nsUrlClassifierDBService processes pending events, which may include using nsCryptoHash.

I think the fix is to turn all pending events into NOOPs during nsUrlClassifierDBService shutdown.  I'll see if I can repro and get a patch.
Comment 13 Tony Chang (Google) 2007-04-07 19:11:05 PDT
Created attachment 260933 [details] [diff] [review]
v1: no js callbacks during shutdown

I wasn't able to repro, but this patch cancels all calls into JS code once the urlclassifier shutdown has started.  Maybe someone who can repro can check to see if this fixes the shutdown crash.
Comment 14 Darin Fisher 2007-04-09 08:47:05 PDT
Comment on attachment 260933 [details] [diff] [review]
v1: no js callbacks during shutdown

It seems like some of these methods should return errors since they are not going to generate callbacks.  How about NS_ERROR_NOT_INITIALIZED?  Or, NS_ERROR_UNEXPECTED?

Comment 15 Tony Chang (Google) 2007-04-09 11:43:47 PDT
Created attachment 261031 [details] [diff] [review]
v2: no js callbacks during shutdown

Updated to return NS_ERROR_NOT_INITIALIZED instead.
Comment 16 Robert Sayre 2007-04-24 10:42:39 PDT
We seem to be this bug pretty frequently on the tinderbox page, so I checked this in.

Checking in src/nsUrlClassifierDBService.cpp;
/cvsroot/mozilla/toolkit/components/url-classifier/src/nsUrlClassifierDBService.cpp,v  <--  nsUrlClassifierDBService.cpp
new revision: 1.21; previous revision: 1.20
Comment 17 Jean-Michel Reghem 2007-04-25 00:45:38 PDT
(In reply to comment #16)

Do you know if this fix could be solve bug 376709 ?

Comment 18 Jesse Ruderman 2007-04-27 10:25:26 PDT
I hit this crash three times last night (Mac trunk debug), despite my build being up-to-date.  (That's three crashes out of about 1360 shutdowns.)
Comment 19 Rob Campbell [:rc] (:robcee) 2007-07-11 09:28:56 PDT
Happening much more frequently now on the Firefox tinderbox page, on Mac qm-xserve01. I've copied a crashreport to:
Comment 20 Benjamin Smedberg [:bsmedberg] 2007-07-11 09:38:57 PDT
Created attachment 271852 [details] [diff] [review]
We should observe a much earlier topic, rev. 1

We should be observing a much earlier observer topic in any case. This will shutdown database activity at profile-before-change, as well as xpcom-shutdown-threads.

The comment in ::Shutdown says that it joins the thread, but I don't think it actually does. Unless I am misreading, we should definitely join that thread properly during shutdown. You aren't allowed to have threads persist past the xpcom-shutdown-threads observer topic.
Comment 21 Benjamin Smedberg [:bsmedberg] 2007-07-11 10:16:41 PDT
I committed this patch a=robcee to get the tinderbox green, but I'd still like ex-post-facto review. Does this affect the branches at all, or just trunk?
Comment 22 Adam Guthrie 2007-07-11 10:22:18 PDT
Looks like it affects branch, yes. NSSRWLock_LockRead is the #22 topcrash for Firefox
Comment 23 Tony Chang (Google) 2007-07-11 11:06:41 PDT
It's also the #7 crasher in Thunderbird:
Comment 24 Daniel Veditz [:dveditz] 2007-07-11 20:02:51 PDT
What in the world is Thunderbird 2 doing with the URLClassifier? I can confirm that Thunderbird has a filehandle open to urlclassifier2.sqlite, (which is empty, of course).

filed bug 387840 to use --disable-safe-browsing in tbird
Comment 25 Tony Chang (Google) 2007-07-11 20:23:01 PDT
Thunderbird 2 has phishing detection.  We want to keep it enabled.
Comment 26 Benjamin Smedberg [:bsmedberg] 2007-07-12 09:21:35 PDT
Created attachment 272029 [details] [diff] [review]
Branch rollup patch

Here's a rollup patch for the 1.8 branch.
Comment 27 Daniel Veditz [:dveditz] 2007-07-12 10:12:06 PDT
Comment on attachment 272029 [details] [diff] [review]
Branch rollup patch

too late for
Comment 29 Daniel Veditz [:dveditz] 2007-08-28 10:38:00 PDT
Comment on attachment 272029 [details] [diff] [review]
Branch rollup patch

approved for, a=dveditz for release-drivers
Comment 30 Benjamin Smedberg [:bsmedberg] 2007-09-14 06:27:17 PDT
Fixed on MOZILLA_1_8_BRANCH for what is now I think
Comment 31 Pavel Penaz 2007-09-22 08:00:29 PDT
I believe the string "fixed1.8.1.8" should be moved from "URL" to "Keywords" in the bug status summary.
Comment 32 Tony Chung [:tchung] 2007-10-05 03:33:56 PDT
Can someone provide a STR or testcase?   Trying to verify on branch, but need steps.
Comment 33 Benjamin Smedberg [:bsmedberg] 2007-10-05 06:13:57 PDT
Because this is a thread race there really aren't steps to reproduce. The best way to verify would be to check whether the crashes disappeared in talkback.
Comment 34 Daniel Veditz [:dveditz] 2007-10-23 17:53:42 PDT
This patch did not appear to help the NSSRWLock_LockRead crash. According to talkback that's hovering around 1.4% of all crashes in both FF2.0.0.7 and FF2.0.0.8
Comment 35 Henrik Skupin (:whimboo) 2008-03-21 02:04:02 PDT
*** Bug 376709 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.