Closed Bug 422044 Opened 17 years ago Closed 12 years ago

crash [@ SocketSend ]

Categories

(Core :: Networking, defect)

x86
Windows XP
defect
Not set
critical

Tracking

()

RESOLVED INCOMPLETE
Tracking Status
firefox7 - ---
firefox8 + ---
firefox9 + ---

People

(Reporter: timeless, Assigned: mcmanus)

References

Details

(Keywords: crash, Whiteboard: startupcrash)

Crash Data

Attachments

(1 file)

This is my guess:
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/nsprpub/pr/src/io/prlayer.c&rev=3.19&mark=538,560,565#535
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/nsprpub/pr/src/io/pripv6.c&rev=3.12&mark=368,370#351

Signature	SocketSend
UUID	d67e137a-ea6d-11dc-9c2e-001a4bd43ed6
Time	2008-03-04 20:36:51-08:00
Uptime	0
Product	Firefox
Version	3.0b4pre
Build ID	2008021607
OS	Windows NT
OS Version	5.1.2600 Service Pack 2
CPU	x86
CPU Info	GenuineIntel family 6 model 15 stepping 6
Crash Reason	EXCEPTION_ACCESS_VIOLATION
Crash Address	0x5
Comments	
Crashing Thread
Frame 	Signature 	Source
0 	SocketSend 	mozilla/nsprpub/pr/src/io/prsocket.c:701
1 	SocketWrite 	mozilla/nsprpub/pr/src/io/prsocket.c:714
2 	PR_SetPollableEvent 	mozilla/nsprpub/pr/src/io/prpolevt.c:498
3 	nsSocketTransportService::OnDispatchedEvent(nsIThreadInternal*) 	mozilla/netwerk/base/src/nsSocketTransportService2.cpp:491
4 	nsThread::PutEvent(nsIRunnable*) 	mozilla/xpcom/threads/nsThread.cpp:368
5 	nsThread::Dispatch(nsIRunnable*, unsigned int) 	mozilla/xpcom/threads/nsThread.cpp:406
6 	nsSocketTransportService::Dispatch(nsIRunnable*, unsigned int) 	mozilla/netwerk/base/src/nsSocketTransportService2.cpp:116
7 	nsSocketTransport::PostEvent(unsigned int, unsigned int, nsISupports*) 	mozilla/netwerk/base/src/nsSocketTransport2.cpp:887
8 	nsSocketTransport::OpenOutputStream(unsigned int, unsigned int, unsigned int, nsIOutputStream**) 	mozilla/netwerk/base/src/nsSocketTransport2.cpp:1691
9 	nsHttpConnection::CreateTransport() 	mozilla/netwerk/protocol/http/src/nsHttpConnection.cpp:458
10 	nsHttpConnection::Activate(nsAHttpTransaction*, unsigned char) 	mozilla/netwerk/protocol/http/src/nsHttpConnection.cpp:143
11 	nsHttpConnectionMgr::DispatchTransaction(nsHttpConnectionMgr::nsConnectionEntry*, nsAHttpTransaction*, unsigned char, nsHttpConnection*) 	mozilla/netwerk/protocol/http/src/nsHttpConnectionMgr.cpp:598
12 	nsHttpConnectionMgr::ProcessNewTransaction(nsHttpTransaction*) 	mozilla/netwerk/protocol/http/src/nsHttpConnectionMgr.cpp:729
13 	nsHttpConnectionMgr::OnMsgNewTransaction(int, void*) 	mozilla/netwerk/protocol/http/src/nsHttpConnectionMgr.cpp:757
14 	nsHttpConnectionMgr::nsConnEvent::Run() 	mozilla/netwerk/protocol/http/src/nsHttpConnectionMgr.h:247
15 	nsThread::ProcessNextEvent(int, int*) 	mozilla/xpcom/threads/nsThread.cpp:510
16 	NS_ProcessPendingEvents_P(nsIThread*, unsigned int) 	nsThreadUtils.cpp:183
17 	nsSocketTransportService::Run() 	mozilla/netwerk/base/src/nsSocketTransportService2.cpp:552
18 	nsThread::ProcessNextEvent(int, int*) 	mozilla/xpcom/threads/nsThread.cpp:510
19 	NS_ProcessNextEvent_P(nsIThread*, int) 	nsThreadUtils.cpp:227
20 	nsThread::ThreadFunc(void*) 	mozilla/xpcom/threads/nsThread.cpp:254
21 	_PR_NativeRunThread 	mozilla/nsprpub/pr/src/threads/combined/pruthr.c:436
22 	pr_root 	mozilla/nsprpub/pr/src/md/windows/w95thred.c:122
23 	_callthreadstartex 	threadex.c:348
24 	_threadstartex 	threadex.c:326
25 	BaseThreadStart
most crashes look like that, the one exception is this (ssl but ipv6 is still the likely culprit and it's crashing on the same line number)

Signature	SocketSend
UUID	64c980ee-e9f4-11dc-aad5-001a4bd46e84
Time	2008-03-04 06:07:33-08:00
Uptime	0
Product	Firefox
Version	3.0b4pre
Build ID	2008030206
OS	Windows NT
OS Version	5.1.2600 Service Pack 2
CPU	x86
CPU Info	GenuineIntel family 15 model 4 stepping 9
Crash Reason	EXCEPTION_ACCESS_VIOLATION
Crash Address	0xb4
Comments	
Crashing Thread
Frame 	Signature 	Source
0 	SocketSend 	mozilla/nsprpub/pr/src/io/prsocket.c:701
1 	ssl_DefSend 	mozilla/security/nss/lib/ssl/ssldef.c:128
2 	ssl3_SendRecord 	mozilla/security/nss/lib/ssl/ssl3con.c:2043
3 	ssl3_FlushHandshake 	mozilla/security/nss/lib/ssl/ssl3con.c:2181
4 	ssl3_SendClientHello 	mozilla/security/nss/lib/ssl/ssl3con.c:3736
5 	ssl2_BeginClientHandshake 	mozilla/security/nss/lib/ssl/sslcon.c:3128
6 	ssl_Do1stHandshake 	mozilla/security/nss/lib/ssl/sslsecur.c:151
7 	ssl_SecureSend 	mozilla/security/nss/lib/ssl/sslsecur.c:1152
8 	ssl_SecureWrite 	mozilla/security/nss/lib/ssl/sslsecur.c:1197
9 	ssl_Write 	mozilla/security/nss/lib/ssl/sslsock.c:1472
10 	nsSSLThread::Run() 	mozilla/security/manager/ssl/src/nsSSLThread.cpp:1029
The code in pripv6.c is not used by NSPR pollable events.
You can inspect the code in PR_NewPollableEvent and
PR_NewTCPSocketPair to verify that:
http://lxr.mozilla.org/nspr/source/nsprpub/pr/src/io/prpolevt.c#413
http://lxr.mozilla.org/nspr/source/nsprpub/pr/src/io/prsocket.c#1510

If fd or fd->secret is NULL, we should have crashed inside the
_PR_MD_SEND call earlier at prsocket.c line 694:
http://lxr.mozilla.org/nspr/source/nsprpub/pr/src/md/windows/w95sock.c#348

This is all I can find out by code inspection in 20 minutes.
Summary: [ipv6?] crash [@ SocketSend] secret is probably null → crash [@ SocketSend]
do you have steps to reproduce the crash?


nope, if it was my crash, i'd have said so :(
small number of crashes in Thunderbird

spot check only - crashes all versions of FF.
https://crash-stats.mozilla.com/report/list?product=Firefox&build_id=&query_search=signature&query_type=exact&query=SocketSend&date=&range_value=4&range_unit=weeks&process_type=all&plugin_field=&plugin_query_type=&plugin_query=&do_query=1&signature=SocketSend&missing_sig=&page=1

some stacks vary slightly. for example
bp-73127b3c-73e6-4ce0-9cf9-88d702100319 v3.6 
1	nspr4.dll	SocketSend	 nsprpub/pr/src/io/prsocket.c:681
2	nspr4.dll	PR_DestroyLock	
3	nspr4.dll	SocketWrite	nsprpub/pr/src/io/prsocket.c:701
4	xul.dll	nsSocketOutputStream::Write	netwerk/base/src/nsSocketTransport2.cpp:576
5	xul.dll	nsHttpConnection::OnReadSegment	netwerk/protocol/http/src/nsHttpConnection.cpp:539
6	xul.dll	nsHttpTransaction::ReadRequestSegment	netwerk/protocol/http/src/nsHttpTransaction.cpp:433
7	xul.dll	nsStringInputStream::ReadSegments	xpcom/io/nsStringStream.cpp:276
8	xul.dll	nsHttpTransaction::ReadSegments	netwerk/protocol/http/src/nsHttpTransaction.cpp:458 

versus
bp-cae2d311-068b-4538-b51e-e6e262100319 v3.7
1	nspr4.dll	SocketSend	 nsprpub/pr/src/io/prsocket.c:681
2	nspr4.dll	PR_DestroyLock	
3	xul.dll	netwerk/protocol/http/src/nsHttpConnection.cpp:539
4	xul.dll	netwerk/protocol/http/src/nsHttpTransaction.cpp:439
5	xul.dll
6	xul.dll	nsHttpTransaction::ReadSegments
7	xul.dll	nsHttpConnection::OnSocketWritable	netwerk/protocol/http/src/nsHttpConnection.cpp:574 

does the ipv6 crash need a separate bug?
ipv6ToIpv4SocketSendTo
bp-032fc788-cc82-4c4c-8cb2-a00002100319
1	nspr4.dll	Ipv6ToIpv4SocketSendTo	 nsprpub/pr/src/io/pripv6.c:157
2	nspr4.dll	PR_DestroyLock	
3	nspr4.dll	SocketWrite	nsprpub/pr/src/io/prsocket.c:701
4	xul.dll	nsSocketOutputStream::Write	netwerk/base/src/nsSocketTransport2.cpp:576
5	xul.dll	nsHttpConnection::OnReadSegment	netwerk/protocol/http/src/nsHttpConnection.cpp:539
6	xul.dll	nsHttpTransaction::ReadRequestSegment	netwerk/protocol/http/src/nsHttpTransaction.cpp:433
7	xul.dll	nsStringInputStream::ReadSegments	xpcom/io/nsStringStream.cpp:276
8	xul.dll	nsHttpTransaction::ReadSegments	netwerk/protocol/http/src/nsHttpTransaction.cpp:458
9	xul.dll	nsStringInputStream::Available	xpcom/io/nsStringStream.cpp:250
10	xul.dll	nsHttpConnection::OnSocketWritable	netwerk/protocol/http/src/nsHttpConnection.cpp:574
11	xul.dll	nsHttpConnection::OnOutputStreamReady	netwerk/protocol/http/src/nsHttpConnection.cpp:785
12	xul.dll	nsSocketOutputStream::OnSocketReady	netwerk/base/src/nsSocketTransport2.cpp:515
Status: UNCONFIRMED → NEW
Ever confirmed: true
Firefox 4b8 reproducibly crashes at http://www.microsoft.com/security_essentials/ on this computer.
Bogus stacks.
SocketWrite    does not call PR_DestroyLock.
PR_DestroyLock does not call SocketSend      or any variant of it.
SocketWrite    *DOES*   call SocketSend      directly.
SocketSend     calls _PR_MD_SEND, which calls send, not Ipv6ToIpv4SocketSendTo.
nelson: just ignore the PR_DestroyLock frame. We're dealing w/ optimizers here so some things will look funny.
Optimizers often remove expected stack frames.
They seldom insert new unexpected stack frames.
I don't doubt that the number of stack frames shown is correct.
I DO doubt the names shown for the functions for those frames.
It is #15 top crasher in 4.0RC1.
Keywords: topcrash
Crash Signature: [@ SocketSend]
There is a spike from October 12 across all versions and it happens now on startup.
It's now #11 top crasher in 7.0.1 over the last 3 days, #2 top crasher in 8.0b3, #11 in 9.0a2.

Crashes breakdown as follow on Fx 7:
2011-10-10: 24.254 crashes/1M ADU/day
2011-10-11: 27.764 crashes/1M ADU/day
2011-10-12: 49.651 crashes/1M ADU/day
2011-10-13: 49.286 crashes/1M ADU/day
2011-10-14: 302.373 crashes/1M ADU/day
2011-10-15: 215.301 crashes/1M ADU/day

Oct-11 MS patch (http://technet.microsoft.com/en-us/security/bulletin/ms11-oct) contains for Windows:
http://technet.microsoft.com/en-us/security/bulletin/ms11-075
http://technet.microsoft.com/en-us/security/bulletin/ms11-076
http://technet.microsoft.com/en-us/security/bulletin/ms11-077
http://technet.microsoft.com/en-us/security/bulletin/ms11-078
http://technet.microsoft.com/en-us/security/bulletin/ms11-081
http://support.microsoft.com/kb/890830
OS: Windows XP → Windows 7
https://crash-stats.mozilla.com/report/list?signature=SocketSend indicates there is still a fair number of crashes happening across all versions.
And it's spiking again. Now topcrash #9 on 7 and #3 on 8 in yesterday's data.
Keywords: needURLs
Here are some URLs from October - seems as if session restore comes up quite a bit, but other than that many are pretty generic:

1481 
   1261 \N
    352 jar:file:///C:/Program%20Files%20(x86)/Mozilla%20Firefox/omni.jar!/chrome/browser/content/browser/aboutSessionRestore.xhtml
    339 http://www.facebook.com/
    292 jar:file:///C:/Program%20Files/Mozilla%20Firefox/omni.jar!/chrome/browser/content/browser/aboutSessionRestore.xhtml
    292 jar:file:///C:/Program%20Files/Mozilla%20Firefox/omni.jar!/chrome/browser/content/browser/aboutHome.xhtml
    197 jar:file:///C:/Program%20Files%20(x86)/Mozilla%20Firefox/omni.jar!/chrome/browser/content/browser/aboutHome.xhtml
    168 https://www.facebook.com/login.php?login_attempt=1
    159 about:blank
    138 http://www.google.com/
    109 http://redirecturls.info/
     88 http://www.fullarticles.net/
     86 http://www.google.de/
     66 http://redirectsite.net/
     59 http://www.searchqu.com/406
     57 http://www.yahoo.com/
     42 http://www.google.co.in/
     41 http://www.google.com.br/
     38 jar:file:///C:/Archivos%20de%20programa/Mozilla%20Firefox/omni.jar!/chrome/browser/content/browser/aboutSessionRestore.xhtml
     34 http://www.yandex.ru/
     34 http://www.google.co.id/
     29 http://www.google.ro/
     29 http://redirect.avira.com/redirect.php?lngprod=en&type=av12upgradefromav10free
     28 https://www.facebook.com/
     27 http://www.facebook.com/logout.php
     26 jar:file:///C:/Program%20Files/Mozilla%20Firefox%204.0%20Beta%2011/omni.jar!/chrome/browser/content/browser/aboutSessionRestore.xhtml
     26 jar:file:///C:/Program%20Files%20(x86)/Mozilla%20Firefox%204.0%20Beta%2011/omni.jar!/chrome/browser/content/browser/aboutSessionRestore.xhtml
     26 http://google.com/
     24 http://www.ukr.net/
     23 http://love.mail.ru/my/messages.phtml
     22 http://facebook.com/
     21 http://www.ask.com/?o=15573&l=dis
     20 http://search.chatvibes.com/
     19 http://www.seznam.cz/
     18 http://www.youtube.com/
     18 http://www.google.pl/
     17 jar:file:///C:/Arquivos%20de%20programas/Mozilla%20Firefox/omni.jar!/chrome/browser/content/browser/aboutSessionRestore.xhtml
     17 http://www.yahoo.com/?ilc=8
     16 http://www.google.com.vn/
     15 jar:file:///C:/Program%20Files/Mozilla%20Firefox%204.0%20Beta%2012/omni.jar!/chrome/browser/content/browser/aboutHome.xhtml
     15 jar:file:///C:/Arquivos%20de%20programas/Mozilla%20Firefox/omni.jar!/chrome/browser/content/browser/aboutHome.xhtml
     15 jar:file:///C:/Archivos%20de%20programa/Mozilla%20Firefox/omni.jar!/chrome/browser/content/browser/aboutHome.xhtml
     15 http://www.searchqu.com/
     15 http://www.google.com.my/
     15 http://start.icq.com/
     15 http://search.imesh.com/
     14 "javascript:"""""
     14 http://www.mail.ru/cnt/5087
     14 http://www.google.it/
     14 http://www.google.co.th/
     14 http://www.dsebd.org/
     14 http://search.conduit.com/?ctid=CT2233703&SearchSource=13
     14 http://id.yahoo.com/
     14 http://google.de/
     13 jar:file:///C:/Program%20Files/Mozilla%20Firefox%204.0%20Beta%2012/omni.jar!/chrome/browser/content/browser/aboutSessionRestore.xhtml
     12 http://www.t-online.de/
     12 http://www.google.lt/
     12 http://www.facebook.com/#!/
     12 http://best-articles.ch/
     11 http://www.google.nl/
     11 http://www.google.bg/
     11 http://id.yahoo.com/fr=mkg031
     10 http://www.google.com.ar/
     10 http://vn.yahoo.com/?fr=mkg031
     10 http://startsear.ch/?aff=1
      9 jar:file:///C:/Program%20Files/Mozilla%20Firefox%204.0%20Beta%209/omni.jar!/chrome/browser/content/browser/aboutHome.xhtml
      9 jar:file:///C:/Program%20Files/Mozilla%20Firefox%204.0%20Beta%2010/omni.jar!/chrome/browser/content/browser/aboutHome.xhtml
      9 http://www.postaricles.com/
      9 http://www.google.fr/
      9 http://www.britishcouncil.org/uk/ukraine-teaching-centre-yl-dates-and-fees.htm
      9 http://www.ask.com/?l=dis&o=1716&gct=hp
      9 http://search.conduit.com/?ctid=CT3031607&SearchSource=13
      9 http://google.com.vn/
      9 about:sessionrestore
      8 jar:file:///C:/Program%20Files/Mozilla%20Firefox%204.0%20Beta%208/omni.jar!/chrome/browser/content/browser/aboutHome.xhtml
      8 http://www.redirecturls.info/
      8 http://www.google.com/search?q=fb&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a&source=hp&channel=np
      8 http://www.facebook.com/?sk=lf
      8 http://www.facebook.com/home.php?ref=hp
      8 http://www.facebook.com/home.php
      8 http://static.ak.facebook.com/common/referer_frame.php
      8 http://id-id.facebook.com/
      8 http://google.com.br/
      8 http://firefox.yandex.ru/
      7 jar:file:///C:/Program%20Files/Mozilla%20Firefox%204.0%20Beta%2011/omni.jar!/chrome/browser/content/browser/aboutHome.xhtml
      7 jar:file:///C:/Program%20Files%20(x86)/Mozilla%20Firefox%204.0%20Beta%206/omni.jar!/chrome/browser/content/browser/aboutSessionRestore.xhtml
      7 jar:file:///C:/Program%20Files%20(x86)/Mozilla%20Firefox%204.0%20Beta%2012/omni.jar!/chrome/browser/content/browser/aboutSessionRestore.xhtml
      7 jar:file:///C:/Archivos%20de%20programa/Mozilla%20Firefox%204.0%20Beta%207/omni.jar!/chrome/browser/content/browser/aboutSessionRestore.xhtml
      7 http://www.google.es/
      7 http://www.google.co.uk/
      7 http://www.google.com.pk/
Keywords: needURLs
This is topcrash #8 on 7, and #3 on both 8 and 9 in yesterday's data. Can we please get some tracking on this?
WTC:  are you still working on this bug?

Does anyone have a reproducible test case?  The URI in comment 6 is not crashing FF 8, at least.
Every I/O crash gets put in NSPR by default. They should be put in Core:Networking by default. Also, we should have separate bugs for separate stack traces.
Assignee: wtc → nobody
Component: NSPR → Networking
OS: Windows 7 → All
Product: NSPR → Core
QA Contact: nspr → networking
Hardware: x86 → All
Version: 4.7.3 → unspecified
What's the next step here? Is this still a concern for FF8?
(In reply to Alex Keybl [:akeybl] from comment #20)
> Is this still a concern for FF8?
Yes because it's #6 top crasher in 8.0 and #2 in 9.0b3.
The SocketWrite crash signature (bug 662330) is #3 top crasher in 10.0a2 and #18 in 11.0a1.
Josh - can you get eyes on this bug or get it split out into bugs with next actions? This is being considered a top crasher.
Assignee: nobody → joshmoz
Brian, what are your thoughts on this one? I thought we had discussed it and you thought it was not our code.
Patrick, can you look into this?
Assignee: joshmoz → mcmanus
Making the crash signature more specific so we can sort out different stacks.
Crash Signature: [@ SocketSend] → [@ SocketSend | SocketWrite | PR_SetPollableEvent | nsSocketTransportService::OnDispatchedEvent(nsIThreadInternal*)]
Summary: crash [@ SocketSend] → crash [@ SocketSend | SocketWrite | PR_SetPollableEvent | nsSocketTransportService::OnDispatchedEvent(nsIThreadInternal*)]
(In reply to Brian Smith (:bsmith) from comment #25)
> Making the crash signature more specific so we can sort out different stacks.
That's not the way Socorro works. You should take a look at https://crash-analysis.mozilla.com/crash_stacks.
If you know there are different stacks under the Socket* signature (I see only two types), file a bug to add SocketSend and SocketWrite to the skiplist: https://wiki.mozilla.org/Breakpad/Skip_List_How_To
Crash Signature: [@ SocketSend | SocketWrite | PR_SetPollableEvent | nsSocketTransportService::OnDispatchedEvent(nsIThreadInternal*)] → [@ SocketSend]
Summary: crash [@ SocketSend | SocketWrite | PR_SetPollableEvent | nsSocketTransportService::OnDispatchedEvent(nsIThreadInternal*)] → crash [@ SocketSend ]
Basically, we always need to have the caller of any/every NSPR/NSS function in the stack trace. I filed bug 716345 and wrote a patch to add basically the entire NSPR and NSS API to the skiplist.
Depends on: 716345
(In reply to Brian Smith (:bsmith) from comment #25)
> Making the crash signature more specific so we can sort out different stacks.

Is the more specific signature something actually reported in crash-stats? If not, it means that we don't get any crashes from there connected to this bug any more.
So as Kairo said in comment #28, I don't see this signature anymore for anything beyond 9.0. I do see signatures for...

SocketWrite - https://bugzilla.mozilla.org/show_bug.cgi?id=662330
PR_SetPollableEvent - https://bugzilla.mozilla.org/show_bug.cgi?id=709847
nsSocketTransportService::OnDispatchedEvent(nsIThreadInternal*) - pretty low volume and not even logged as a bug.

None of these are really a top crash. Does this mean this bug should be closed? What should I do with it.
70% of crashes occur within one minute.

(In reply to Sheila Mooney from comment #29)
> So as Kairo said in comment #28, I don't see this signature anymore for
> anything beyond 9.0.
The transition from 9.0.1 to 10.0.1 is not yet over, so let's let open it and remove the topcrash keyword.
Bug 716345 should help for crashes like this.
Crash Signature: [@ SocketSend] → [@ SocketSend] [@ @0x0 | SocketSend]
Keywords: topcrash
OS: All → Windows XP
Hardware: All → x86
Whiteboard: startupcrash
As SocketSend is now in the skiplist, I close this meta bug as incomplete.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: