Last Comment Bug 749649 - crash in nsIOService::SpeculativeConnect
: crash in nsIOService::SpeculativeConnect
Status: RESOLVED FIXED
: crash, regression, topcrash
Product: Core
Classification: Components
Component: Networking (show other bugs)
: 15 Branch
: All All
: -- critical (vote)
: mozilla15
Assigned To: Patrick McManus [:mcmanus]
:
:
Mentors:
Depends on:
Blocks: 723628
  Show dependency treegraph
 
Reported: 2012-04-27 09:00 PDT by Scoobidiver (away)
Modified: 2012-08-13 02:51 PDT (History)
8 users (show)
ryanvm: in‑testsuite-
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
-
verified


Attachments
patch 0 (1.64 KB, patch)
2012-04-27 09:56 PDT, Patrick McManus [:mcmanus]
honzab.moz: review+
Details | Diff | Splinter Review

Description Scoobidiver (away) 2012-04-27 09:00:21 PDT
It first appeared in 15.0a1/20120426 and is #1 top crasher in today's build. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=75c7378c87b6&tochange=cc5254f9825f
It's likely a regression from bug 723628.

One comment says it happens when clicking Search Bar.

Signature 	nsIOService::SpeculativeConnect(nsIURI*, nsIInterfaceRequestor*, nsIEventTarget*) More Reports Search
UUID	23bd1685-e2c8-4e33-9256-eeffe2120427
Date Processed	2012-04-27 15:29:54
Uptime	1251
Last Crash	20.9 minutes before submission
Install Age	1.3 hours since version was first installed.
Install Time	2012-04-27 14:10:09
Product	Firefox
Version	15.0a1
Build ID	20120427030500
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7600
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 23 stepping 10
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x0
App Notes 	
AdapterVendorID: 0x1002, AdapterDeviceID: 0x9552, AdapterSubsysID: 02801025, AdapterDriverVersion: 8.960.0.0
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 
EMCheckCompatibility	True	
Total Virtual Memory	4294836224
Available Virtual Memory	3615428608
System Memory Use Percentage	73
Available Page File	1532522496
Available Physical Memory	575987712

Frame 	Module 	Signature 	Source
0 	xul.dll 	nsIOService::SpeculativeConnect 	netwerk/base/src/nsIOService.cpp:1289
1 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102
2 	xul.dll 	XPCWrappedNative::CallMethod 	js/xpconnect/src/XPCWrappedNative.cpp:2408
3 	xul.dll 	XPC_WN_CallMethod 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1549
4 	mozjs.dll 	js::GetPropertyOperation 	js/src/jsinterpinlines.h:266
5 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2757
6 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:467
7 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:535
8 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:567
9 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5416
10 	xul.dll 	nsJSContext::CallEventHandler 	dom/base/nsJSEnvironment.cpp:1889
11 	xul.dll 	nsJSEventListener::HandleEvent 	dom/src/events/nsJSEventListener.cpp:225
12 	nspr4.dll 	PR_Now 	nsprpub/pr/src/md/windows/ntmisc.c:357
13 	xul.dll 	nsHTMLParagraphElement::AddRef 	content/html/content/src/nsHTMLScriptElement.cpp:154
14 	xul.dll 	nsGenericElement::QueryInterface 	content/base/src/nsGenericElement.cpp:5093
15 	xul.dll 	nsXULElement::QueryInterface 	content/xul/content/src/nsXULElement.cpp:395
16 	mozjs.dll 	JS_DHashTableOperate 	js/src/jsdhash.cpp:654
17 	xul.dll 	nsXPConnect::AddJSHolder 	js/xpconnect/src/nsXPConnect.cpp:2280
18 	xul.dll 	nsContentUtils::HoldJSObjects 	content/base/src/nsContentUtils.cpp:4369
19 	xul.dll 	NS_NewJSEventListener 	dom/src/events/nsJSEventListener.cpp:297
20 	xul.dll 	nsXBLEventHandler::HandleEvent 	content/xbl/src/nsXBLEventHandler.cpp:84
21 	xul.dll 	nsEventListenerManager::HandleEventInternal 	content/events/src/nsEventListenerManager.cpp:877
22 	xul.dll 	nsEventTargetChainItem::HandleEventTargetChain 	content/events/src/nsEventDispatcher.cpp:372
23 	xul.dll 	nsEventDispatcher::Dispatch 	content/events/src/nsEventDispatcher.cpp:684
24 	xul.dll 	nsGlobalChromeWindow::QueryInterface 	dom/base/nsGlobalWindow.cpp:10280
25 	xul.dll 	nsGenericElement::SetAttrAndNotify 	content/base/src/nsGenericElement.cpp:5365
26 	xul.dll 	PresShell::HandleEventInternal 	layout/base/nsPresShell.cpp:6606
27 	xul.dll 	PresShell::HandleEvent 	layout/base/nsPresShell.cpp:6086
28 	xul.dll 	nsViewManager::DispatchEvent 	view/src/nsViewManager.cpp:908
29 	xul.dll 	AttachedHandleEvent 	view/src/nsView.cpp:190
30 	xul.dll 	nsWindow::DispatchEvent 	widget/windows/nsWindow.cpp:3519
31 	xul.dll 	nsWindow::DispatchWindowEvent 	widget/windows/nsWindow.cpp:3545
32 	xul.dll 	nsWindow::DispatchMouseEvent 	widget/windows/nsWindow.cpp:3973
33 	xul.dll 	nsWindow::ProcessMessage 	widget/windows/nsWindow.cpp:4869
34 	xul.dll 	nsWindow::WindowProcInternal 	widget/windows/nsWindow.cpp:4373
35 	xul.dll 	CallWindowProcCrashProtected 	xpcom/base/nsCrashOnException.cpp:65
36 	xul.dll 	nsWindow::WindowProc 	widget/windows/nsWindow.cpp:4315
...

Here are correlations per extension:
  nsIOService::SpeculativeConnect(nsIURI*, nsIInterfaceRequestor*, nsIEventTarget*)|EXCEPTION_ACCESS_VIOLATION_READ (40 crashes)
     57% (23/40) vs.   0% (23/5707) leethax@leethax.net
     43% (17/40) vs.   0% (20/5707) firefox-support@vworldc.com

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsIOService%3A%3ASpeculativeConnect%28nsIURI*%2C+nsIInterfaceRequestor*%2C+nsIEventTarget*%29
Comment 1 Patrick McManus [:mcmanus] 2012-04-27 09:23:30 PDT
The bug here is silly and mine - see below (!handler should be !speculativeHandler). It does raise an interesting question though.

    nsCOMPtr<nsIProtocolHandler> handler;
    rv = GetProtocolHandler(scheme.get(), getter_AddRefs(handler));
    if (NS_FAILED(rv))
        return rv;

    nsCOMPtr<nsISpeculativeConnect> speculativeHandler =
        do_QueryInterface(handler);
    if (!handler)
        return NS_OK;

    return speculativeHandler->SpeculativeConnect(aURI,
                                                  aCallbacks,
                                                  aTarget);

---

how do so many people fail to QI the httphandler into speculative connect? Is httphandler commonly replaced by some addon? (I know it can be, but I wasn't aware it was common and this bug rocketed to the top immediately on checkin of nightly.)

or is there something else going on?
Comment 2 Patrick McManus [:mcmanus] 2012-04-27 09:56:20 PDT
Created attachment 619081 [details] [diff] [review]
patch 0

I added ms2ger's syntax nit from https://bugzilla.mozilla.org/show_bug.cgi?id=723628#c12 while I was in there.
Comment 3 Patrick McManus [:mcmanus] 2012-04-27 13:46:02 PDT
https://hg.mozilla.org/integration/mozilla-inbound/rev/a2236ba8b6bc
Comment 4 Ryan VanderMeulen [:RyanVM] 2012-04-29 14:34:32 PDT
http://hg.mozilla.org/mozilla-central/rev/a2236ba8b6bc
Comment 5 Ioana (away) 2012-08-13 02:51:56 PDT
There has only been one crash of this kind in the last 8 weeks:
Reports from the last 4 weeks: https://crash-stats.mozilla.com/query/query?product=Firefox&version=ALL%3AALL&range_value=4&range_unit=weeks&date=08%2F13%2F2012+09%3A40%3A15&query_search=signature&query_type=contains&query=nsIOService%3A%3ASpeculativeConnect&reason=&build_id=&process_type=any&hang_type=any&do_query=1

Reports from the previous 4 weeks: 
https://crash-stats.mozilla.com/query/query?product=Firefox&version=ALL%3AALL&range_value=4&range_unit=weeks&date=07%2F16%2F2012+09%3A45%3A48&query_search=signature&query_type=contains&query=nsIOService%3A%3ASpeculativeConnect&reason=&build_id=&process_type=any&hang_type=any&do_query=1


The existing crash was on Firefox 15.0 beta from 07/17. Since it didn't happen on any recent build and it was the only crash in 8 weeks, I will mark this bug as verified.

Please reopen the bug (or file a new one) if the number of crashes increases.

Note You need to log in before you can comment on or make changes to this bug.