Crash in nsCryptoHash during shutdown of nsUrlClassifierDBService [@ nsUrlClassifierDBService::Shutdown][@ NSSRWLock_LockRead]

VERIFIED FIXED

Status

()

defect
--
major
VERIFIED FIXED
14 years ago
8 years ago

People

(Reporter: darin.moz, Assigned: benjamin)

Tracking

({crash, fixed1.8.1.8, topcrash})

Trunk
Points:
---
Bug Flags:
blocking1.8.1.8 +
wanted1.8.1.x +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [kerh-bra] [need testcase], crash signature)

Attachments

(4 attachments, 1 obsolete attachment)

(Reporter)

Description

14 years ago
Crash if nsCryptoHash is used from xpcom-startup

It crashes inside HASH_Begin, and I'm not sure what is going on exactly since NS_NSS_GENERIC_FACTORY_COSNTRUCTOR ensures that NSS has been initialized before it hands back the nsICryptoHash implementation.

http://lxr.mozilla.org/mozilla/source/security/manager/ssl/src/nsNSSModule.cpp#75
doesn't psm / nss need a profile before it will work correctly?
(Reporter)

Comment 2

14 years ago
Yes, but there is a profile ;-)  Firefox selects a profile before starting XPCOM.
(Assignee)

Comment 3

14 years ago
PSM requires a profile? Why? In profileless situations can't it use the default certs?
Mozilla requires some profile directory.  For nss/psm, they find the secmod, cert, key, db's in this directory.  Of course, you can start NSS in readonly mode.
bug 309877 is about making PSM/NSS work w/o profile
(Reporter)

Comment 6

14 years ago
Stack trace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 4678)]
0x40767c8c in NSSRWLock_LockRead () from /usr/local/fritz/firefox/libnss3.so
(gdb) bt
#0  0x40767c8c in NSSRWLock_LockRead ()
  from /usr/local/fritz/firefox/libnss3.so
#1  0x407458f7 in SECMOD_GetReadLock ()
  from /usr/local/fritz/firefox/libnss3.so
#2  0x407555b8 in PK11_GetAllTokens () from /usr/local/fritz/firefox/libnss3.so
#3  0x407557bf in PK11_GetBestSlotMultiple ()
  from /usr/local/fritz/firefox/libnss3.so
#4  0x4075598d in PK11_GetBestSlot () from /usr/local/fritz/firefox/libnss3.so
#5  0x407441b9 in PK11_CreateDigestContext ()
  from /usr/local/fritz/firefox/libnss3.so
#6  0x40737eaa in CERT_DecodeCRLDistributionPoints ()
  from /usr/local/fritz/firefox/libnss3.so
#7  0x40738159 in HASH_Create () from /usr/local/fritz/firefox/libnss3.so
#8  0x08676160 in nsXPTCVariant::Init ()
#9  0x4012f60b in XPTC_InvokeByIndex ()
  from /usr/local/fritz/firefox/libxpcom_core.so
#10 0x080a14f8 in nsTHashtable<nsBaseHashtableET<nsDepCharHashKey,
nsAutoPtr<nsINIParser::INIValue> > >::~nsTHashtable ()
#11 0x080a6c74 in nsTHashtable<nsBaseHashtableET<nsDepCharHashKey,
nsAutoPtr<nsINIParser::INIValue> > >::~nsTHashtable ()
#12 0x4004f90d in js_Invoke () from /usr/local/fritz/firefox/libmozjs.so
#13 0x4005863b in js_Interpret () from /usr/local/fritz/firefox/libmozjs.so
#14 0x4004f9be in js_Invoke () from /usr/local/fritz/firefox/libmozjs.so
#15 0x40053e5b in js_Interpret () from /usr/local/fritz/firefox/libmozjs.so
#16 0x4004f9be in js_Invoke () from /usr/local/fritz/firefox/libmozjs.so
#17 0x40053e5b in js_Interpret () from /usr/local/fritz/firefox/libmozjs.so
#18 0x4004f9be in js_Invoke () from /usr/local/fritz/firefox/libmozjs.so
#19 0x40053e5b in js_Interpret () from /usr/local/fritz/firefox/libmozjs.so
#20 0x4004f9be in js_Invoke () from /usr/local/fritz/firefox/libmozjs.so
#21 0x40053e5b in js_Interpret () from /usr/local/fritz/firefox/libmozjs.so
#22 0x4004f9be in js_Invoke () from /usr/local/fritz/firefox/libmozjs.so
#23 0x40053e5b in js_Interpret () from /usr/local/fritz/firefox/libmozjs.so
#24 0x4004f9be in js_Invoke () from /usr/local/fritz/firefox/libmozjs.so
#25 0x0809d314 in nsTHashtable<nsBaseHashtableET<nsDepCharHashKey,
nsAutoPtr<nsINIParser::INIValue> > >::~nsTHashtable ()
#26 0x0809b4d4 in nsTHashtable<nsBaseHashtableET<nsDepCharHashKey,
nsAutoPtr<nsINIParser::INIValue> > >::~nsTHashtable ()
#27 0x4012f730 in XPTC_InvokeByIndex ()
  from /usr/local/fritz/firefox/libxpcom_core.so
#28 0x40111efa in NS_CreateServicesFromCategory ()
  from /usr/local/fritz/firefox/libxpcom_core.so
#29 0x400e4e28 in NS_InitXPCOM3_P ()
  from /usr/local/fritz/firefox/libxpcom_core.so
Darin: We saw yesterday, that EnsureNSSInitialized does not return a possible failure, and therefore PSM services might get loaded, even if there is a problem with NSS databases.

Did you verify the call to NSS_InitReadWrite in nsNSSComponent::InitializeNSS succeeds?
(Reporter)

Comment 8

14 years ago
> Did you verify the call to NSS_InitReadWrite in nsNSSComponent::InitializeNSS
> succeeds?

Nope, I have not.  That would be a good thing to test when I have a chance.
Duplicate of this bug: 366528

Comment 10

12 years ago
On Mac, this happens to several out of every thousand Firefox instances (see bug 366528).  I think that makes it a topcrash.
Flags: blocking1.9?
Keywords: topcrash
It sounds like this happens if NSS hits shutdown before nsUrlClassifierDBService (anti-phishing thread).  During xpcom-shutdown, nsUrlClassifierDBService processes pending events, which may include using nsCryptoHash.

I think the fix is to turn all pending events into NOOPs during nsUrlClassifierDBService shutdown.  I'll see if I can repro and get a patch.

Updated

12 years ago
Whiteboard: [kerh-bra]
I wasn't able to repro, but this patch cancels all calls into JS code once the urlclassifier shutdown has started.  Maybe someone who can repro can check to see if this fixes the shutdown crash.
Assignee: kengert → tony
Status: NEW → ASSIGNED
Attachment #260933 - Flags: review?(darin.moz)

Updated

12 years ago
Summary: Crash if nsCryptoHash is used from xpcom-startup → Crash in nsCryptoHash during shutdown of nsUrlClassifierDBService

Updated

12 years ago
Blocks: 376709
(Reporter)

Comment 14

12 years ago
Comment on attachment 260933 [details] [diff] [review]
v1: no js callbacks during shutdown

It seems like some of these methods should return errors since they are not going to generate callbacks.  How about NS_ERROR_NOT_INITIALIZED?  Or, NS_ERROR_UNEXPECTED?

-Darin
Updated to return NS_ERROR_NOT_INITIALIZED instead.
Attachment #260933 - Attachment is obsolete: true
Attachment #261031 - Flags: review?(darin.moz)
Attachment #260933 - Flags: review?(darin.moz)

Updated

12 years ago
Summary: Crash in nsCryptoHash during shutdown of nsUrlClassifierDBService → Crash in nsCryptoHash during shutdown of nsUrlClassifierDBService [@ nsUrlClassifierDBService::Shutdown][@ NSSRWLock_LockRead]
QA Contact: psm

Updated

12 years ago
Attachment #261031 - Attachment is patch: true
Attachment #261031 - Attachment mime type: application/octet-stream → text/plain
(Reporter)

Updated

12 years ago
Attachment #261031 - Flags: review?(darin.moz) → review+

Comment 16

12 years ago
We seem to be this bug pretty frequently on the tinderbox page, so I checked this in.

Checking in src/nsUrlClassifierDBService.cpp;
/cvsroot/mozilla/toolkit/components/url-classifier/src/nsUrlClassifierDBService.cpp,v  <--  nsUrlClassifierDBService.cpp
new revision: 1.21; previous revision: 1.20
done
(In reply to comment #16)

Do you know if this fix could be solve bug 376709 ?

Comment 18

12 years ago
I hit this crash three times last night (Mac trunk debug), despite my build being up-to-date.  (That's three crashes out of about 1360 shutdowns.)
Happening much more frequently now on the Firefox tinderbox page, on Mac qm-xserve01. I've copied a crashreport to:

http://pastebin.mozilla.org/127724
(Assignee)

Comment 20

12 years ago
We should be observing a much earlier observer topic in any case. This will shutdown database activity at profile-before-change, as well as xpcom-shutdown-threads.

The comment in ::Shutdown says that it joins the thread, but I don't think it actually does. Unless I am misreading, we should definitely join that thread properly during shutdown. You aren't allowed to have threads persist past the xpcom-shutdown-threads observer topic.
Attachment #271852 - Flags: review?(tony)
(Assignee)

Comment 21

12 years ago
I committed this patch a=robcee to get the tinderbox green, but I'd still like ex-post-facto review. Does this affect the branches at all, or just trunk?

Comment 22

12 years ago
Looks like it affects branch, yes. NSSRWLock_LockRead is the #22 topcrash for Firefox 2.0.0.4. http://talkback-public.mozilla.org/reports/firefox/FF2004/FF2004-topcrashers.html
OS: Linux → All
Hardware: PC → All

Updated

12 years ago
Attachment #271852 - Flags: review?(tony) → review+
What in the world is Thunderbird 2 doing with the URLClassifier? I can confirm that Thunderbird has a filehandle open to urlclassifier2.sqlite, (which is empty, of course).

filed bug 387840 to use --disable-safe-browsing in tbird
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.6?
Thunderbird 2 has phishing detection.  We want to keep it enabled.
http://mxr.mozilla.org/seamonkey/source/mail/components/phishing/
(Assignee)

Comment 26

12 years ago
Here's a rollup patch for the 1.8 branch.
Assignee: tony → benjamin
Attachment #272029 - Flags: approval1.8.1.5?
Comment on attachment 272029 [details] [diff] [review]
Branch rollup patch

too late for 1.8.1.5
Attachment #272029 - Flags: approval1.8.1.5? → approval1.8.1.6?
(Assignee)

Updated

12 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Flags: blocking1.9?
Resolution: --- → FIXED
Flags: blocking1.8.1.7? → blocking1.8.1.7+
Comment on attachment 272029 [details] [diff] [review]
Branch rollup patch

approved for 1.8.1.7, a=dveditz for release-drivers
Attachment #272029 - Flags: approval1.8.1.7? → approval1.8.1.7+
(Assignee)

Comment 30

12 years ago
Fixed on MOZILLA_1_8_BRANCH for what is now I think 1.8.1.8

Comment 31

12 years ago
I believe the string "fixed1.8.1.8" should be moved from "URL" to "Keywords" in the bug status summary.

Updated

12 years ago
Can someone provide a STR or testcase?   Trying to verify on branch, but need steps.
Whiteboard: [kerh-bra] → [kerh-bra] [need testcase]
(Assignee)

Comment 33

12 years ago
Because this is a thread race there really aren't steps to reproduce. The best way to verify would be to check whether the crashes disappeared in talkback.
This patch did not appear to help the NSSRWLock_LockRead crash. According to talkback that's hovering around 1.4% of all crashes in both FF2.0.0.7 and FF2.0.0.8
Duplicate of this bug: 376709
Crash Signature: [@ nsUrlClassifierDBService::Shutdown] [@ NSSRWLock_LockRead]
You need to log in before you can comment on or make changes to this bug.