Crash in nsCryptoHash during shutdown of nsUrlClassifierDBService [@ nsUrlClassifierDBService::Shutdown][@ NSSRWLock_LockRead]

VERIFIED FIXED

Status

()

Core
Security: PSM
--
major
VERIFIED FIXED
12 years ago
6 years ago

People

(Reporter: Darin Fisher, Assigned: bsmedberg)

Tracking

({crash, fixed1.8.1.8, topcrash})

Trunk
crash, fixed1.8.1.8, topcrash
Points:
---
Bug Flags:
blocking1.8.1.8 +
wanted1.8.1.x +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [kerh-bra] [need testcase], crash signature)

Attachments

(4 attachments, 1 obsolete attachment)

(Reporter)

Description

12 years ago
Crash if nsCryptoHash is used from xpcom-startup

It crashes inside HASH_Begin, and I'm not sure what is going on exactly since NS_NSS_GENERIC_FACTORY_COSNTRUCTOR ensures that NSS has been initialized before it hands back the nsICryptoHash implementation.

http://lxr.mozilla.org/mozilla/source/security/manager/ssl/src/nsNSSModule.cpp#75

Comment 1

12 years ago
doesn't psm / nss need a profile before it will work correctly?
(Reporter)

Comment 2

12 years ago
Yes, but there is a profile ;-)  Firefox selects a profile before starting XPCOM.
(Assignee)

Comment 3

12 years ago
PSM requires a profile? Why? In profileless situations can't it use the default certs?

Comment 4

12 years ago
Mozilla requires some profile directory.  For nss/psm, they find the secmod, cert, key, db's in this directory.  Of course, you can start NSS in readonly mode.
bug 309877 is about making PSM/NSS work w/o profile
(Reporter)

Comment 6

12 years ago
Stack trace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 4678)]
0x40767c8c in NSSRWLock_LockRead () from /usr/local/fritz/firefox/libnss3.so
(gdb) bt
#0  0x40767c8c in NSSRWLock_LockRead ()
  from /usr/local/fritz/firefox/libnss3.so
#1  0x407458f7 in SECMOD_GetReadLock ()
  from /usr/local/fritz/firefox/libnss3.so
#2  0x407555b8 in PK11_GetAllTokens () from /usr/local/fritz/firefox/libnss3.so
#3  0x407557bf in PK11_GetBestSlotMultiple ()
  from /usr/local/fritz/firefox/libnss3.so
#4  0x4075598d in PK11_GetBestSlot () from /usr/local/fritz/firefox/libnss3.so
#5  0x407441b9 in PK11_CreateDigestContext ()
  from /usr/local/fritz/firefox/libnss3.so
#6  0x40737eaa in CERT_DecodeCRLDistributionPoints ()
  from /usr/local/fritz/firefox/libnss3.so
#7  0x40738159 in HASH_Create () from /usr/local/fritz/firefox/libnss3.so
#8  0x08676160 in nsXPTCVariant::Init ()
#9  0x4012f60b in XPTC_InvokeByIndex ()
  from /usr/local/fritz/firefox/libxpcom_core.so
#10 0x080a14f8 in nsTHashtable<nsBaseHashtableET<nsDepCharHashKey,
nsAutoPtr<nsINIParser::INIValue> > >::~nsTHashtable ()
#11 0x080a6c74 in nsTHashtable<nsBaseHashtableET<nsDepCharHashKey,
nsAutoPtr<nsINIParser::INIValue> > >::~nsTHashtable ()
#12 0x4004f90d in js_Invoke () from /usr/local/fritz/firefox/libmozjs.so
#13 0x4005863b in js_Interpret () from /usr/local/fritz/firefox/libmozjs.so
#14 0x4004f9be in js_Invoke () from /usr/local/fritz/firefox/libmozjs.so
#15 0x40053e5b in js_Interpret () from /usr/local/fritz/firefox/libmozjs.so
#16 0x4004f9be in js_Invoke () from /usr/local/fritz/firefox/libmozjs.so
#17 0x40053e5b in js_Interpret () from /usr/local/fritz/firefox/libmozjs.so
#18 0x4004f9be in js_Invoke () from /usr/local/fritz/firefox/libmozjs.so
#19 0x40053e5b in js_Interpret () from /usr/local/fritz/firefox/libmozjs.so
#20 0x4004f9be in js_Invoke () from /usr/local/fritz/firefox/libmozjs.so
#21 0x40053e5b in js_Interpret () from /usr/local/fritz/firefox/libmozjs.so
#22 0x4004f9be in js_Invoke () from /usr/local/fritz/firefox/libmozjs.so
#23 0x40053e5b in js_Interpret () from /usr/local/fritz/firefox/libmozjs.so
#24 0x4004f9be in js_Invoke () from /usr/local/fritz/firefox/libmozjs.so
#25 0x0809d314 in nsTHashtable<nsBaseHashtableET<nsDepCharHashKey,
nsAutoPtr<nsINIParser::INIValue> > >::~nsTHashtable ()
#26 0x0809b4d4 in nsTHashtable<nsBaseHashtableET<nsDepCharHashKey,
nsAutoPtr<nsINIParser::INIValue> > >::~nsTHashtable ()
#27 0x4012f730 in XPTC_InvokeByIndex ()
  from /usr/local/fritz/firefox/libxpcom_core.so
#28 0x40111efa in NS_CreateServicesFromCategory ()
  from /usr/local/fritz/firefox/libxpcom_core.so
#29 0x400e4e28 in NS_InitXPCOM3_P ()
  from /usr/local/fritz/firefox/libxpcom_core.so

Comment 7

12 years ago
Darin: We saw yesterday, that EnsureNSSInitialized does not return a possible failure, and therefore PSM services might get loaded, even if there is a problem with NSS databases.

Did you verify the call to NSS_InitReadWrite in nsNSSComponent::InitializeNSS succeeds?
(Reporter)

Comment 8

12 years ago
> Did you verify the call to NSS_InitReadWrite in nsNSSComponent::InitializeNSS
> succeeds?

Nope, I have not.  That would be a good thing to test when I have a chance.
Duplicate of this bug: 366528

Comment 10

10 years ago
On Mac, this happens to several out of every thousand Firefox instances (see bug 366528).  I think that makes it a topcrash.
Flags: blocking1.9?
Keywords: topcrash

Comment 11

10 years ago
Created attachment 256217 [details]
JS stack from shutdown crash

Comment 12

10 years ago
It sounds like this happens if NSS hits shutdown before nsUrlClassifierDBService (anti-phishing thread).  During xpcom-shutdown, nsUrlClassifierDBService processes pending events, which may include using nsCryptoHash.

I think the fix is to turn all pending events into NOOPs during nsUrlClassifierDBService shutdown.  I'll see if I can repro and get a patch.

Updated

10 years ago
Whiteboard: [kerh-bra]

Comment 13

10 years ago
Created attachment 260933 [details] [diff] [review]
v1: no js callbacks during shutdown

I wasn't able to repro, but this patch cancels all calls into JS code once the urlclassifier shutdown has started.  Maybe someone who can repro can check to see if this fixes the shutdown crash.
Assignee: kengert → tony
Status: NEW → ASSIGNED
Attachment #260933 - Flags: review?(darin.moz)

Updated

10 years ago
Summary: Crash if nsCryptoHash is used from xpcom-startup → Crash in nsCryptoHash during shutdown of nsUrlClassifierDBService

Updated

10 years ago
Blocks: 376709
(Reporter)

Comment 14

10 years ago
Comment on attachment 260933 [details] [diff] [review]
v1: no js callbacks during shutdown

It seems like some of these methods should return errors since they are not going to generate callbacks.  How about NS_ERROR_NOT_INITIALIZED?  Or, NS_ERROR_UNEXPECTED?

-Darin

Comment 15

10 years ago
Created attachment 261031 [details] [diff] [review]
v2: no js callbacks during shutdown

Updated to return NS_ERROR_NOT_INITIALIZED instead.
Attachment #260933 - Attachment is obsolete: true
Attachment #261031 - Flags: review?(darin.moz)
Attachment #260933 - Flags: review?(darin.moz)

Updated

10 years ago
Summary: Crash in nsCryptoHash during shutdown of nsUrlClassifierDBService → Crash in nsCryptoHash during shutdown of nsUrlClassifierDBService [@ nsUrlClassifierDBService::Shutdown][@ NSSRWLock_LockRead]
QA Contact: psm

Updated

10 years ago
Attachment #261031 - Attachment is patch: true
Attachment #261031 - Attachment mime type: application/octet-stream → text/plain
(Reporter)

Updated

10 years ago
Attachment #261031 - Flags: review?(darin.moz) → review+

Comment 16

10 years ago
We seem to be this bug pretty frequently on the tinderbox page, so I checked this in.

Checking in src/nsUrlClassifierDBService.cpp;
/cvsroot/mozilla/toolkit/components/url-classifier/src/nsUrlClassifierDBService.cpp,v  <--  nsUrlClassifierDBService.cpp
new revision: 1.21; previous revision: 1.20
done

Comment 17

10 years ago
(In reply to comment #16)

Do you know if this fix could be solve bug 376709 ?

Comment 18

10 years ago
I hit this crash three times last night (Mac trunk debug), despite my build being up-to-date.  (That's three crashes out of about 1360 shutdowns.)
Happening much more frequently now on the Firefox tinderbox page, on Mac qm-xserve01. I've copied a crashreport to:

http://pastebin.mozilla.org/127724
(Assignee)

Comment 20

10 years ago
Created attachment 271852 [details] [diff] [review]
We should observe a much earlier topic, rev. 1

We should be observing a much earlier observer topic in any case. This will shutdown database activity at profile-before-change, as well as xpcom-shutdown-threads.

The comment in ::Shutdown says that it joins the thread, but I don't think it actually does. Unless I am misreading, we should definitely join that thread properly during shutdown. You aren't allowed to have threads persist past the xpcom-shutdown-threads observer topic.
Attachment #271852 - Flags: review?(tony)
(Assignee)

Comment 21

10 years ago
I committed this patch a=robcee to get the tinderbox green, but I'd still like ex-post-facto review. Does this affect the branches at all, or just trunk?

Comment 22

10 years ago
Looks like it affects branch, yes. NSSRWLock_LockRead is the #22 topcrash for Firefox 2.0.0.4. http://talkback-public.mozilla.org/reports/firefox/FF2004/FF2004-topcrashers.html
OS: Linux → All
Hardware: PC → All

Updated

10 years ago
Attachment #271852 - Flags: review?(tony) → review+

Comment 23

10 years ago
It's also the #7 crasher in Thunderbird:
http://talkback-public.mozilla.org/reports/thunderbird/TB2004/TB2004-topcrashers.html
What in the world is Thunderbird 2 doing with the URLClassifier? I can confirm that Thunderbird has a filehandle open to urlclassifier2.sqlite, (which is empty, of course).

filed bug 387840 to use --disable-safe-browsing in tbird
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.6?

Comment 25

10 years ago
Thunderbird 2 has phishing detection.  We want to keep it enabled.
http://mxr.mozilla.org/seamonkey/source/mail/components/phishing/
(Assignee)

Comment 26

10 years ago
Created attachment 272029 [details] [diff] [review]
Branch rollup patch

Here's a rollup patch for the 1.8 branch.
Assignee: tony → benjamin
Attachment #272029 - Flags: approval1.8.1.5?
Comment on attachment 272029 [details] [diff] [review]
Branch rollup patch

too late for 1.8.1.5
Attachment #272029 - Flags: approval1.8.1.5? → approval1.8.1.6?
(Assignee)

Updated

10 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 10 years ago
Flags: blocking1.9?
Resolution: --- → FIXED
(Assignee)

Comment 28

10 years ago
v/fixed according to http://crash-stats.mozilla.com/report/list?range_unit=weeks&branch=1.9&range_value=2&signature=NSSRWLock_LockRead
Status: RESOLVED → VERIFIED
Flags: blocking1.8.1.7? → blocking1.8.1.7+
Comment on attachment 272029 [details] [diff] [review]
Branch rollup patch

approved for 1.8.1.7, a=dveditz for release-drivers
Attachment #272029 - Flags: approval1.8.1.7? → approval1.8.1.7+
(Assignee)

Comment 30

10 years ago
Fixed on MOZILLA_1_8_BRANCH for what is now I think 1.8.1.8

Comment 31

10 years ago
I believe the string "fixed1.8.1.8" should be moved from "URL" to "Keywords" in the bug status summary.

Updated

10 years ago
Keywords: fixed1.8.1.8

Comment 32

10 years ago
Can someone provide a STR or testcase?   Trying to verify on branch, but need steps.
Whiteboard: [kerh-bra] → [kerh-bra] [need testcase]
(Assignee)

Comment 33

10 years ago
Because this is a thread race there really aren't steps to reproduce. The best way to verify would be to check whether the crashes disappeared in talkback.
This patch did not appear to help the NSSRWLock_LockRead crash. According to talkback that's hovering around 1.4% of all crashes in both FF2.0.0.7 and FF2.0.0.8
Duplicate of this bug: 376709

Updated

7 years ago
Crash Signature: [@ nsUrlClassifierDBService::Shutdown] [@ NSSRWLock_LockRead]
You need to log in before you can comment on or make changes to this bug.