Closed Bug 538998 Opened 16 years ago Closed 9 years ago

Spike in crashes [@ WSAStartup ] in early Jan 2010

Categories

(Core :: General, defect)

Product:
Core
Component:
General
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED INCOMPLETE

People

(Reporter: chofmann, Unassigned)

References

Details

(Keywords: crash, Whiteboard: [crashkill][crashkill-thirdparty][crashkill-outreach][explosive])

Crash Data

early reports from 3.6 rc1 show this as the #10 top crash http://crash-stats.mozilla.com/report/index/d371a460-3506-41ed-a883-001792100110 Frame Module Signature [Expand] Source 0 @0x11a1626 1 ws2_32.dll WSAStartup all reports are within seconds of startup. and we are seeing a flood of these across all releases with a big ramp up on 2010 01 10 checking --- 20100110-crashdata.csv WSAStartup release total-crashes WSAStartup crashes pct. all 215352 3763 0.0174737 3.0.15 1958 34 0.0173647 3.0.16 4940 85 0.0172065 3.5.5 5270 53 0.0100569 3.5.6 16510 186 0.0112659 3.6 10425 192 0.0184173 3.6b5 14884 64 0.00429992 3.6b4 1505 0 3.6b3 721 0 3.6b2 729 0 3.6b1 2102 18 0.00856327 date WSAStartupcrashes 20100101-crashdata 0 WSAStartup 20100102-crashdata 0 WSAStartup 20100103-crashdata 0 WSAStartup 20100104-crashdata 0 WSAStartup 20100105-crashdata 60 WSAStartup 20100106-crashdata 115 WSAStartup 20100107-crashdata 100 WSAStartup 20100108-crashdata 94 WSAStartup 20100109-crashdata 115 WSAStartup 20100110-crashdata 3763 WSAStartup
os breakdown 2037 0.541323 Windows NT5.1.2600 Service Pack 3 1234 0.32793 Windows NT5.1.2600 Service Pack 2 196 0.0520861 Windows NT6.0.6001 Service Pack 1 151 0.0401276 Windows NT6.0.6002 Service Pack 2 73 0.0193994 Windows NT6.0.6000 54 0.0143503 Windows NT5.1.2600 Service Pack 1 9 0.00239171 Windows NT5.1.2600 Service Pack 3, v.5857 8 0.00212596 Windows NT5.1.2600 1 0.000265745 Windows NT5.1.2600 Service Pack 3, v.3264
Summary: Firefox 3.6 Crash Report [@ WSAStartup ] → Spike in crashes [@ WSAStartup ] in early Jan 2010
no urls reported and the big upswing seems to have started at 1pm pacific time yesterday with 599 crash reports in that hour. hourly frequency of reports 10 2010011001 4 2010011002 9 2010011003 6 2010011004 12 2010011005 4 2010011006 9 2010011007 3 2010011008 9 2010011009 4 2010011010 12 2010011011 5 2010011012 599 2010011013 455 2010011014 368 2010011015 494 2010011016 351 2010011017 311 2010011018 206 2010011019 158 2010011020 101 2010011021 292 2010011022 341 2010011023
Whiteboard: [crashkill][crashkill-thirdparty][crashkill-outreach][explosive]
3.5.7 correlation report from 2010 01 11 shows WSAStartup|EXCEPTION_ACCESS_VIOLATION (2107 crashes) 90% (1898/2107) vs. 74% (64614/87631) ws2help.dll 99% (2090/2107) vs. 91% (79341/87631) wininet.dll 72% (1517/2107) vs. 67% (58507/87631) normaliz.dll but just scanning some random reports a few instances of H8SRT malware shows up here is a sample. http://crash-stats.mozilla.com/report/index/fe4abdd7-0050-447f-b862-ffb022100110 ws2_32.dll 5.1.2600.21801 http://crash-stats.mozilla.com/report/index/fe3034e5-8724-4fc8-a86c-fb8b62100110 ws2_32.dll 6.0.6001.180001 http://crash-stats.mozilla.com/report/index/fe2213d0-93eb-41ce-b98c-0e7ff2100110 H8SRTqmgdikjoot.dll ws2_32.dll 5.1.2600.55121 http://crash-stats.mozilla.com/report/index/fe12187e-4f27-4bc6-8a66-5d36f2100110 ws2_32.dll 6.0.6001.180001 http://crash-stats.mozilla.com/report/index/fdea125b-11eb-4363-bcf2-f73d92100110 H8SRTfubvpiexjh.dll ws2_32.dll 5.1.2600.21801 http://crash-stats.mozilla.com/report/index/fde288e0-3db2-4706-88a0-43fd72100110 H8SRTxsapbvvxqq.dll ws2_32.dll 6.0.6001.180001 http://crash-stats.mozilla.com/report/index/fdde3e84-54a6-42c2-ae26-4a6d32100110 ws2_32.dll 5.1.2600.55121 http://crash-stats.mozilla.com/report/index/fdd921b7-703d-42d5-8d86-05deb2100110 H8SRTcyftodxobx.dll ws2_32.dll 5.1.2600.21801 http://crash-stats.mozilla.com/report/index/fdd859ed-ed7b-498e-b4af-9806d2100110 ws2_32.dll 5.1.2600.55121 http://crash-stats.mozilla.com/report/index/fd9028b9-3216-4e6b-85b3-c3cec2100110 H8SRTunbmlidujy.dll ws2_32.dll 5.1.2600.21801 http://crash-stats.mozilla.com/report/index/fd8caaba-edf7-4900-9885-551322100110 ws2_32.dll 5.1.2600.55121 http://crash-stats.mozilla.com/report/index/fd896616-280d-45f2-804c-daf8e2100110 H8SRTjymeaufurv.dll ws2_32.dll 5.1.2600.55121
there are a few places where we seem to call this windows library in nspr, and in an ogg player test program. http://mxr.mozilla.org/mozilla1.9.2/search?string=WSAStartup /nsprpub/pr/src/md/windows/ntio.c (View Hg log or Hg annotations) * line 879 -- err = WSAStartup( WSAVersion, &WSAData ); /nsprpub/pr/src/md/windows/w95io.c (View Hg log or Hg annotations) * line 283 -- err = WSAStartup( WSAVersion, &WSAData ); /media/liboggplay/src/liboggplay/oggplay_tcp_reader.c (View Hg log or Hg annotations) * line 128 -- if (WSAStartup(wVersionRequested, &wsaData) == -1) {
WSAStartup initializes WinSock/Networking; I'd assume LSPs get initialized underneath this call.
yep. this should be yet another instance of LSP malware/badware/bugware. I have a patch which will let us seal off all of this gunk for at least 3 months (until the badware gets more aggressive which will be really fun).
Blocks: 540309
http://test.kairo.at/socorro/2011-06-23.firefox.4.0.explosiveness.html shows a small spike in crashes in this signature showing up in recent 4.0 data.
Crash Signature: [@ WSAStartup ]
Severity: normal → critical
Keywords: crash
bp-7e4d67af-231a-408f-8f0f-7293f2160608 is only Thunderbird crash in 2.5 months. Whatever this is, it's rare and not enough info to be actionable
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.