656471 - Crash on Windows XP in FreeFactoryEntries [@ msvcrt.dll@0x2070 ][@ nsCOMPtr_base::assign_with_AddRef(nsISupports*) | FreeFactoryEntries ][@ nsCOMPtr_base::~nsCOMPtr_base() | factory_ClearEntry ] with msxml3.dll from 5/10/11 (MS hotfix KB890830?)

Status: RESOLVED WORKSFORME

(Core :: XPCOM, defect)

Description

[Marcia Knous [:marcia]]

This bug was filed from the Socorro interface and is 
report bp-b05d3287-f7c8-46df-a09e-b56e12110511 .
============================================================= 

Seen while reviewing crash stats. http://tinyurl.com/3we5w4x to one week's worth of reports. Many of the comments mention Firefox crashing when closing. There has been a recent spike where this moved up to the #4 spot.

One report I looked at had:

sknc.dll

which from a quick Google search points to malware.


https://crash-stats.mozilla.com/report/index/b05d3287-f7c8-46df-a09e-b56e12110511

Frame 	Module 	Signature [Expand] 	Source
0 	msvcrt.dll 	msvcrt.dll@0x2070 	
1 	xul.dll 	nsCOMPtr_base::assign_with_AddRef 	obj-firefox/xpcom/build/nsCOMPtr.cpp:89
2 	xul.dll 	FreeFactoryEntries 	xpcom/components/nsComponentManager.cpp:1338
3 	xul.dll 	nsBaseHashtable<nsIDHashKey,nsFactoryEntry*,nsFactoryEntry*>::s_EnumReadStub 	obj-firefox/dist/include/nsBaseHashtable.h:345
4 	xul.dll 	PL_DHashTableEnumerate 	obj-firefox/xpcom/build/pldhash.c:754
5 	xul.dll 	nsBaseHashtable<nsIDHashKey,nsFactoryEntry*,nsFactoryEntry*>::EnumerateRead 	obj-firefox/dist/include/nsBaseHashtable.h:206
6 	xul.dll 	nsComponentManagerImpl::FreeServices 	xpcom/components/nsComponentManager.cpp:1351
7 	xul.dll 	mozilla::ShutdownXPCOM 	xpcom/build/nsXPComInit.cpp:686
8 	xul.dll 	ScopedXPCOMStartup::~ScopedXPCOMStartup 	toolkit/xre/nsAppRunner.cpp:1115
9 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3817
10 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:128
11 	firefox.exe 	__tmainCRTStartup 	obj-firefox/memory/jemalloc/crtsrc/crtexe.c:591
12 	kernel32.dll 	BaseProcessStart

Comment 1

[Robert Kaiser]

This had 0 crashes for more than a week on 4.0* until it suddenly had over 2400 processed crashes on 2011-05-10. From what I saw, it looks like all those are on Windows XP, but I couldn't find the mentioned dll in the correlation reports.

Comment 2

[Robert Kaiser]

Actually, looking at all reports with this signature over the 7 days, the first on crashed on May 10, 2011 05:45 and from then on up to this point (15:48 on May 11) we had 9,379 crashes spread over all versions between Firefox 3.0 and 4.0.1.

Comment 3

[Robert Kaiser]

As a note, there's also https://crash-stats.mozilla.com/report/list?signature=nsCOMPtr_base%3A%3Aassign_with_AddRef%28nsISupports%2A%29%20%7C%20FreeFactoryEntries which was a residual crash over the last week, but also had a significant but not as high spike yesterday, starting at ~6am (but only ~600 crashes since then), comments claiming it to be mostly shutdown just like this one, and also looking to be on XP only. Those two could possibly be related.

Comment 4

[Scoobidiver (away)]

It is #4 top crasher in 4.0.1 over the last 3 days.
It happens only on Windows XP.

It is correlated to msxml3.dll (100% vs. 10%):
    100% (2187/2189) vs.  10% (14556/144456) msxml3.dll
         11% (238/2189) vs.   1% (1006/144456) 8.50.2162.0
          1% (28/2189) vs.   0% (83/144456) 8.70.1104.0
          2% (43/2189) vs.   0% (127/144456) 8.70.1113.0
         14% (300/2189) vs.   1% (1126/144456) 8.90.1101.0
          5% (107/2189) vs.   0% (455/144456) 8.100.1048.0
          1% (19/2189) vs.   0% (28/144456) 8.100.1049.0
         11% (233/2189) vs.   1% (936/144456) 8.100.1050.0
          3% (61/2189) vs.   0% (336/144456) 8.100.1051.0
         52% (1148/2189) vs.   3% (4639/144456) 8.100.1052.0

Comment 5

[Robert Kaiser]

The comment #3 signature exactly parallels the ones I pulled up for msvcrt.dll@0x2070 for 4.0* versions, https://crash-stats.mozilla.com/report/list?signature=nsCOMPtr_base%3A%3A~nsCOMPtr_base%28%29%20%7C%20factory_ClearEntry parallels it for 3.6, for all those, the stacks match up to the last frame, comments talk about shutdown crashes and all signatures are from XP.

Not sure how much the correlation in comment #4 tells us, I've seen it but seems to be a standard MS library.

Comment 6

[Robert Kaiser]

I found a number of different 3.0 versions (i.e. msxml3.dll 8.*), mostly from the list seen at http://support.microsoft.com/kb/269238 - note that this library comes with IE6, which came with XP (and all those people apparently are on XP as stated). I guess the newer versions of the DLL came from Windows Update.
Now one thing that is strange is that this started on a Tuesday and IIRC MS sends our patches on some Tuesdays - but with msxml3.dll being different versions, I don't think they did get updates for this one, and there is no OS library in the stack itself (unless msvcrt.dll is taken from the system and not shipped with Firefox).

Comment 7

[Scoobidiver (away)]

(In reply to comment #6)
> Now one thing that is strange is that this started on a Tuesday and IIRC MS
> sends our patches on some Tuesdays
The only patch for Windows XP on 5/10 is the malicious software removal tool (KB890830):
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=ad724ae0-e72d-4f54-9ab3-75b8eb148356

Comment 8

[chris hofmann]

wonder what the best contact at Microsoft might be for this?

date     crashes at
         nsCOMPtr_base::assign_with_AddRef.nsISupports.....FreeFactoryEntries
20110505 0
20110506 0
20110507 0
20110508 2
20110509 0
20110510 331
20110511 350


date     crashes at
         msvcrt.dll@0x2070
20110505 0
20110506 0
20110507 0
20110508 0
20110509 0
20110510 4511
20110511 5956

Comment 9

[Scoobidiver (away)]

(In reply to comment #5)
> The comment #3 signature exactly parallels the ones I pulled up for
> msvcrt.dll@0x2070 for 4.0* versions,
> https://crash-stats.mozilla.com/report/
> list?signature=nsCOMPtr_base%3A%3A~nsCOMPtr_base%28%29%20%7C%20factory_ClearE
> ntry parallels it for 3.6, for all those, the stacks match up to the last
> frame, comments talk about shutdown crashes and all signatures are from XP.
I added the 3.5 and 3.6 crash signature to the summary.

It is now #2 top crasher in 4.0.1 and #4 in 3.6.17 over the last day.

Comment 10

[Asa Dotzler [:asa]]

Does this impact Beta 5? I don't see it in https://crash-analysis.mozilla.com/chofmann/20110517/top-5.0.html

Comment 11

[chris hofmann]

strangely this doesn't seem to affect 5.0x  here are counts of crashes by release and build for may 18.  even small volume on older 3.x and 4.x releases but nothing on 5.0x

         msvcrt.dll@0x2070
date     total    breakdown by build
         crashes  count build, count build, ...


20110518 4013  	1873 4.0.12011041322, 
        		1222 3.6.172011042014, 	127 3.6.132010120307, 
        		91 3.5.192011042014, 	85 4.02011031805, 
        		61 3.6.162011031913, 	60 3.6.32010040108, 
        		57 3.0.192010031422, 	52 3.62010011514, 
        		40 3.6.82010072215, 	36 3.6.122010102621, 
        		31 3.6.152011030302, 	25 3.6.102010091412, 
        		22 4.0b12010063014, 	15 3.6.62010062523, 
        		13 4.0b102011012116, 	13 3.6.22010031607, 
        		12 4.0b122011022221, 	12 4.0b112011020314, 
        		12 3.6b52009120414, 	11 4.0b72010110414, 
        		8 4.0b82010121417, 	8 4.0b32010080519, 
        		8 3.6.92010082415, 	8 3.6.172011041408, 
        		7 4.0b42010081813, 	7 3.6.112010101211, 
        		7 3.0.32008092417, 	5 4.0b92011011019, 
        		5 3.6.72010071313, 	5 3.6.42010061114, 
        		5 3.5.92010031508, 	5 3.52009062402, 
        		5 3.0.52008120122, 	4 3.6.142011021812, 
        		4 3.5.52009110215, 	4 3.0.62009011913, 
        		3 4.0b62010091408, 	3 4.0b22010072019, 
        		3 3.6.72010070102, 	3 3.6.142011020713, 
        		3 3.5.72009122116, 	3 3.5.12009071509, 
        		2 3.5.82010020216, 	2 3.5.32009082410, 
        		2 3.5.182011031914, 	2 3.0.42008102920, 
        		2 3.0.152009101601, 	2 3.02008052906, 
        		1 4.02011030319, 	1 3.7a32010031509, 
        		1 3.6.18pre2011051703, 	1 3.6.18pre2011051503, 
        		1 3.6.142011012114, 	1 3.6.132010112205, 
        		1 3.5.22009072922, 	1 3.5.172011012115, 
        		1 3.5.162010113007, 	1 3.5.142010100117, 
        		1 3.5.132010091413, 	1 3.5.112010070102, 
        		1 3.5.102010050409, 	1 3.0b42008030714, 
        		1 3.0b22007121120, 	1 3.0.82009032609, 
        		1 3.0.102009042316, 	1 3.0.12008070208,

Comment 12

[Marcia Knous [:marcia]]

https://crash-stats.mozilla.com/report/index/f5fc5284-a1c3-4e52-8315-2e5b92110522 is a lone 5.0 report that I found in [@ nsCOMPtr_base::assign_with_AddRef(nsISupports*) | FreeFactoryEntries ], which is one of the stacks. But otherwise I do not see any crashes in the other stacks in the last week.

Comment 13

[Asa Dotzler [:asa]]

Marcia or Sheila, now that we've got more serious user levels, does this look any different?

Comment 14

[Marcia Knous [:marcia]]

No significant volume in any of the three signatures on 5.0:

nsCOMPtr_base::assign_with_AddRef(nsISupports*) | FreeFactoryEntries has 5 Windows crashes in the last week on 5.0

nsCOMPtr_base::~nsCOMPtr_base() | factory_ClearEntry has no crashes in the last week on 5.0

msvcrt.dll@0x2070 has no crashes in the last week on 5.0

Comment 15

[Marcia Knous [:marcia]]

Just by way of update, I don't see any of these 3 signatures in 5.0 crash data.

Here is a week's breakdown across all other versions:

nsCOMPtr_base::assign_with_AddRef(nsISupports*) | FreeFactoryEntries - 828
nsCOMPtr_base::~nsCOMPtr_base() | factory_ClearEntry - 324
msvcrt.dll@0x2070 - 237

Comment 16

[Wayne Mery (:wsmwk)]

currently, no crash signatures containing factory_ClearEntry. 

Containing FreeFactoryEntries is 
nsCOMPtr_base::assign_with_AddRef(nsISupports*) | FreeFactoryEntries
bp-0d23f4cc-5e5b-42c0-99ba-49eb72130527 startup crash
0		@0x8000b8b3	
1	xul.dll	nsCOMPtr_base::assign_with_AddRef	obj-firefox/xpcom/build/nsCOMPtr.cpp:49
2	xul.dll	FreeFactoryEntries	xpcom/components/nsComponentManager.cpp:1058
3	xul.dll	PL_DHashTableEnumerate	obj-firefox/xpcom/build/pldhash.cpp:717
4	xul.dll	nsBaseHashtable<nsIDHashKey,nsFactoryEntry*,nsFactoryEntry*>::EnumerateRead	obj-firefox/dist/include/nsBaseHashtable.h:190
5	xul.dll	nsComponentManagerImpl::FreeServices	xpcom/components/nsComponentManager.cpp:1070
6	xul.dll	mozilla::ShutdownXPCOM	xpcom/build/nsXPComInit.cpp:622 

bp-d70d4a86-8032-4420-81b8-025382130609 not startup crash
0	xul.dll	nsCOMPtr_base::assign_with_AddRef	obj-firefox/xpcom/build/nsCOMPtr.cpp:49
1	xul.dll	FreeFactoryEntries	xpcom/components/nsComponentManager.cpp:1117
2	xul.dll	PL_DHashTableEnumerate	obj-firefox/xpcom/build/pldhash.cpp:714
3	xul.dll	nsBaseHashtable<nsIDHashKey,nsFactoryEntry*,nsFactoryEntry*>::EnumerateRead	obj-firefox/dist/include/nsBaseHashtable.h:190
4	xul.dll	nsComponentManagerImpl::FreeServices	xpcom/components/nsComponentManager.cpp:1130
5	xul.dll	mozilla::ShutdownXPCOM	xpcom/build/nsXPComInit.cpp:634