crash in nsIOService::SpeculativeConnect

RESOLVED FIXED in Firefox 15

Status

()

Core
Networking
--
critical
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: Scoobidiver (away), Assigned: mcmanus)

Tracking

({crash, regression, topcrash})

15 Branch
mozilla15
crash, regression, topcrash
Points:
---
Bug Flags:
in-testsuite -

Firefox Tracking Flags

(firefox15- verified)

Details

(crash signature)

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
It first appeared in 15.0a1/20120426 and is #1 top crasher in today's build. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=75c7378c87b6&tochange=cc5254f9825f
It's likely a regression from bug 723628.

One comment says it happens when clicking Search Bar.

Signature 	nsIOService::SpeculativeConnect(nsIURI*, nsIInterfaceRequestor*, nsIEventTarget*) More Reports Search
UUID	23bd1685-e2c8-4e33-9256-eeffe2120427
Date Processed	2012-04-27 15:29:54
Uptime	1251
Last Crash	20.9 minutes before submission
Install Age	1.3 hours since version was first installed.
Install Time	2012-04-27 14:10:09
Product	Firefox
Version	15.0a1
Build ID	20120427030500
Release Channel	nightly
OS	Windows NT
OS Version	6.1.7600
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 23 stepping 10
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x0
App Notes 	
AdapterVendorID: 0x1002, AdapterDeviceID: 0x9552, AdapterSubsysID: 02801025, AdapterDriverVersion: 8.960.0.0
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 
EMCheckCompatibility	True	
Total Virtual Memory	4294836224
Available Virtual Memory	3615428608
System Memory Use Percentage	73
Available Page File	1532522496
Available Physical Memory	575987712

Frame 	Module 	Signature 	Source
0 	xul.dll 	nsIOService::SpeculativeConnect 	netwerk/base/src/nsIOService.cpp:1289
1 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:102
2 	xul.dll 	XPCWrappedNative::CallMethod 	js/xpconnect/src/XPCWrappedNative.cpp:2408
3 	xul.dll 	XPC_WN_CallMethod 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1549
4 	mozjs.dll 	js::GetPropertyOperation 	js/src/jsinterpinlines.h:266
5 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2757
6 	mozjs.dll 	js::RunScript 	js/src/jsinterp.cpp:467
7 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:535
8 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:567
9 	mozjs.dll 	JS_CallFunctionValue 	js/src/jsapi.cpp:5416
10 	xul.dll 	nsJSContext::CallEventHandler 	dom/base/nsJSEnvironment.cpp:1889
11 	xul.dll 	nsJSEventListener::HandleEvent 	dom/src/events/nsJSEventListener.cpp:225
12 	nspr4.dll 	PR_Now 	nsprpub/pr/src/md/windows/ntmisc.c:357
13 	xul.dll 	nsHTMLParagraphElement::AddRef 	content/html/content/src/nsHTMLScriptElement.cpp:154
14 	xul.dll 	nsGenericElement::QueryInterface 	content/base/src/nsGenericElement.cpp:5093
15 	xul.dll 	nsXULElement::QueryInterface 	content/xul/content/src/nsXULElement.cpp:395
16 	mozjs.dll 	JS_DHashTableOperate 	js/src/jsdhash.cpp:654
17 	xul.dll 	nsXPConnect::AddJSHolder 	js/xpconnect/src/nsXPConnect.cpp:2280
18 	xul.dll 	nsContentUtils::HoldJSObjects 	content/base/src/nsContentUtils.cpp:4369
19 	xul.dll 	NS_NewJSEventListener 	dom/src/events/nsJSEventListener.cpp:297
20 	xul.dll 	nsXBLEventHandler::HandleEvent 	content/xbl/src/nsXBLEventHandler.cpp:84
21 	xul.dll 	nsEventListenerManager::HandleEventInternal 	content/events/src/nsEventListenerManager.cpp:877
22 	xul.dll 	nsEventTargetChainItem::HandleEventTargetChain 	content/events/src/nsEventDispatcher.cpp:372
23 	xul.dll 	nsEventDispatcher::Dispatch 	content/events/src/nsEventDispatcher.cpp:684
24 	xul.dll 	nsGlobalChromeWindow::QueryInterface 	dom/base/nsGlobalWindow.cpp:10280
25 	xul.dll 	nsGenericElement::SetAttrAndNotify 	content/base/src/nsGenericElement.cpp:5365
26 	xul.dll 	PresShell::HandleEventInternal 	layout/base/nsPresShell.cpp:6606
27 	xul.dll 	PresShell::HandleEvent 	layout/base/nsPresShell.cpp:6086
28 	xul.dll 	nsViewManager::DispatchEvent 	view/src/nsViewManager.cpp:908
29 	xul.dll 	AttachedHandleEvent 	view/src/nsView.cpp:190
30 	xul.dll 	nsWindow::DispatchEvent 	widget/windows/nsWindow.cpp:3519
31 	xul.dll 	nsWindow::DispatchWindowEvent 	widget/windows/nsWindow.cpp:3545
32 	xul.dll 	nsWindow::DispatchMouseEvent 	widget/windows/nsWindow.cpp:3973
33 	xul.dll 	nsWindow::ProcessMessage 	widget/windows/nsWindow.cpp:4869
34 	xul.dll 	nsWindow::WindowProcInternal 	widget/windows/nsWindow.cpp:4373
35 	xul.dll 	CallWindowProcCrashProtected 	xpcom/base/nsCrashOnException.cpp:65
36 	xul.dll 	nsWindow::WindowProc 	widget/windows/nsWindow.cpp:4315
...

Here are correlations per extension:
  nsIOService::SpeculativeConnect(nsIURI*, nsIInterfaceRequestor*, nsIEventTarget*)|EXCEPTION_ACCESS_VIOLATION_READ (40 crashes)
     57% (23/40) vs.   0% (23/5707) leethax@leethax.net
     43% (17/40) vs.   0% (20/5707) firefox-support@vworldc.com

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsIOService%3A%3ASpeculativeConnect%28nsIURI*%2C+nsIInterfaceRequestor*%2C+nsIEventTarget*%29
(Assignee)

Comment 1

5 years ago
The bug here is silly and mine - see below (!handler should be !speculativeHandler). It does raise an interesting question though.

    nsCOMPtr<nsIProtocolHandler> handler;
    rv = GetProtocolHandler(scheme.get(), getter_AddRefs(handler));
    if (NS_FAILED(rv))
        return rv;

    nsCOMPtr<nsISpeculativeConnect> speculativeHandler =
        do_QueryInterface(handler);
    if (!handler)
        return NS_OK;

    return speculativeHandler->SpeculativeConnect(aURI,
                                                  aCallbacks,
                                                  aTarget);

---

how do so many people fail to QI the httphandler into speculative connect? Is httphandler commonly replaced by some addon? (I know it can be, but I wasn't aware it was common and this bug rocketed to the top immediately on checkin of nightly.)

or is there something else going on?
Assignee: nobody → mcmanus
status-firefox15: --- → affected
Target Milestone: --- → mozilla15
(Assignee)

Updated

5 years ago
Status: NEW → ASSIGNED
Target Milestone: mozilla15 → ---
(Assignee)

Comment 2

5 years ago
Created attachment 619081 [details] [diff] [review]
patch 0

I added ms2ger's syntax nit from https://bugzilla.mozilla.org/show_bug.cgi?id=723628#c12 while I was in there.
Attachment #619081 - Flags: review?(honzab.moz)
Crash Signature: [@ nsIOService::SpeculativeConnect(nsIURI*, nsIInterfaceRequestor*, nsIEventTarget*)] → [@ nsIOService::SpeculativeConnect(nsIURI*, nsIInterfaceRequestor*, nsIEventTarget*)] [@ nsIOService::SpeculativeConnect ]
OS: Windows 7 → All
Attachment #619081 - Flags: review?(honzab.moz) → review+
(Assignee)

Comment 3

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/a2236ba8b6bc
Target Milestone: --- → mozilla15
http://hg.mozilla.org/mozilla-central/rev/a2236ba8b6bc
Flags: in-testsuite-
(Reporter)

Updated

5 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
status-firefox15: affected → fixed
tracking-firefox15: ? → -

Comment 5

5 years ago
There has only been one crash of this kind in the last 8 weeks:
Reports from the last 4 weeks: https://crash-stats.mozilla.com/query/query?product=Firefox&version=ALL%3AALL&range_value=4&range_unit=weeks&date=08%2F13%2F2012+09%3A40%3A15&query_search=signature&query_type=contains&query=nsIOService%3A%3ASpeculativeConnect&reason=&build_id=&process_type=any&hang_type=any&do_query=1

Reports from the previous 4 weeks: 
https://crash-stats.mozilla.com/query/query?product=Firefox&version=ALL%3AALL&range_value=4&range_unit=weeks&date=07%2F16%2F2012+09%3A45%3A48&query_search=signature&query_type=contains&query=nsIOService%3A%3ASpeculativeConnect&reason=&build_id=&process_type=any&hang_type=any&do_query=1


The existing crash was on Firefox 15.0 beta from 07/17. Since it didn't happen on any recent build and it was the only crash in 8 weeks, I will mark this bug as verified.

Please reopen the bug (or file a new one) if the number of crashes increases.
status-firefox15: fixed → verified
You need to log in before you can comment on or make changes to this bug.