crash in mozilla::safebrowsing::KnockoutSubs with AMD Athlon XP processors

RESOLVED WONTFIX

Status

()

P5
critical
RESOLVED WONTFIX
6 years ago
3 years ago

People

(Reporter: scoobidiver, Unassigned)

Tracking

({crash, regression})

19 Branch
x86
Windows XP
crash, regression
Points:
---

Firefox Tracking Flags

(firefox19- affected, firefox20 affected, firefox21 affected)

Details

(crash signature)

(Reporter)

Description

6 years ago
It's currently #41 browser crasher in the first day of 19.0.2 and first showed up in 19.0.2. It's likely a regression from bug 848644 although 20.0b4, 21.0a2 and 22.0a1 are so far unaffected.

It seems related to viewing videos according to comments.

Signature 	mozilla::safebrowsing::KnockoutSubs<mozilla::safebrowsing::SubComplete, mozilla::safebrowsing::AddComplete> More Reports Search
UUID	b569eded-5e1e-4d76-8c8e-dbe092130309
Date Processed	2013-03-09 06:25:37
Uptime	285
Last Crash	4.8 minutes before submission
Install Age	3.6 hours since version was first installed.
Install Time	2013-03-09 02:49:59
Product	Firefox
Version	19.0.2
Build ID	20130307023931
Release Channel	release
OS	Windows NT
OS Version	5.1.2600 Service Pack 3
Build Architecture	x86
Build Architecture Info	AuthenticAMD family 6 model 10 stepping 0
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x7900000
User Comments	あくしろよ
App Notes 	
AdapterVendorID: 0x1039, AdapterDeviceID: 0x6330, AdapterSubsysID: 125810cf, AdapterDriverVersion: 6.14.10.3570
D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers- 
Processor Notes 	sp-processor01.phx1.mozilla.com_6524:2008
EMCheckCompatibility	True
Adapter Vendor ID	0x1039
Adapter Device ID	0x6330
Total Virtual Memory	2147352576
Available Virtual Memory	1842114560
System Memory Use Percentage	66
Available Page File	1942925312
Available Physical Memory	346341376

Frame 	Module 	Signature 	Source
0 	xul.dll 	mozilla::safebrowsing::KnockoutSubs<mozilla::safebrowsing::SubComplete,mozilla:: 	toolkit/components/url-classifier/HashStore.cpp:881
1 	xul.dll 	mozilla::safebrowsing::HashStore::ProcessSubs 	toolkit/components/url-classifier/HashStore.cpp:999
2 	xul.dll 	mozilla::safebrowsing::HashStore::Rebuild 	toolkit/components/url-classifier/HashStore.cpp:507
3 	xul.dll 	mozilla::safebrowsing::Classifier::ApplyTableUpdates 	toolkit/components/url-classifier/Classifier.cpp:713
4 	xul.dll 	mozilla::safebrowsing::Classifier::ApplyUpdates 	toolkit/components/url-classifier/Classifier.cpp:384
5 	xul.dll 	nsUrlClassifierDBServiceWorker::ApplyUpdate 	toolkit/components/url-classifier/nsUrlClassifierDBService.cpp:638
6 	xul.dll 	nsUrlClassifierDBServiceWorker::FinishUpdate 	toolkit/components/url-classifier/nsUrlClassifierDBService.cpp:612
7 	xul.dll 	nsRunnableMethodImpl<tag_nsresult 	obj-firefox/dist/include/nsThreadUtils.h:367
8 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:627
9 	xul.dll 	nsThread::ThreadFunc 	xpcom/threads/nsThread.cpp:265
10 	nspr4.dll 	_PR_NativeRunThread 	nsprpub/pr/src/threads/combined/pruthr.c:395
11 	nspr4.dll 	pr_root 	nsprpub/pr/src/md/windows/w95thred.c:90
12 	msvcr100.dll 	_callthreadstartex 	f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c:314
13 	msvcr100.dll 	_threadstartex 	f:\dd\vctools\crt_bld\self_x86\crt\src\threadex.c:292
14 	kernel32.dll 	BaseThreadStart 	

More reports at:
https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Asafebrowsing%3A%3AKnockoutSubs%3Cmozilla%3A%3Asafebrowsing%3A%3ASubComplete%2C+mozilla%3A%3Asafebrowsing%3A%3AAddComplete%3E
(Reporter)

Comment 1

6 years ago
It seems there are a few crashes in 19.0 and below with a related signature: https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Asafebrowsing%3A%3AKnockoutSubs%3Cmozilla%3A%3Asafebrowsing%3A%3ASubPrefix%2C+mozilla%3A%3Asafebrowsing%3A%3AAddPrefix%3E
Crash Signature: [@ mozilla::safebrowsing::KnockoutSubs<mozilla::safebrowsing::SubComplete, mozilla::safebrowsing::AddComplete>] → [@ mozilla::safebrowsing::KnockoutSubs<mozilla::safebrowsing::SubComplete, mozilla::safebrowsing::AddComplete>] [@ mozilla::safebrowsing::KnockoutSubs<mozilla::safebrowsing::SubPrefix, mozilla::safebrowsing::AddPrefix> ]
The stacks aren't making any sense. Nor does this suddenly appearing in 19.0.2. Is some plugin pissing on our stack? (Would correlate with showing video...)
(Reporter)

Comment 3

6 years ago
Comments about videos are from the same user. Other comments mention Facebook, restoring tabs or nothing specifically.

Correlations are broken but a manual check of a few crash reports shows no correlation to some extensions or DLLs.
(Reporter)

Comment 4

6 years ago
It's now #34 top browser crasher in 19.0.2.

Correlations are now available and it's not correlated to something.
The stacks are completely bogus. We're supposed to be crashing here:
http://hg.mozilla.org/releases/mozilla-release/annotate/6ffe3e9da8a8/toolkit/components/url-classifier/HashStore.cpp#l887

 ++addIter;

this is defined as:

 TAdd* addIter = aAdds->Elements();

So, it's crashing when incrementing a pointer on the stack. I don't think that's possible.

89% of the crashes are on Windows XP. 96% even for the other signature.
(Reporter)

Updated

6 years ago
OS: Windows 7 → Windows XP

Comment 6

6 years ago
A few URLs:

10 	http://www.facebook.com/
10 	about:blank
8 	https://www.facebook.com/
6 	about:sessionrestore
6 	http://www.globalresearch.ca/the-legacy-of-hugo-chavez-the-revolution-within-the-revolution-will-continue/5325652
6 	http://play.cultures-online.de/co/bin/index.php
5 	http://www.youtube.com/watch?v=7FGWyyQoG38
4 	http://apps.facebook.com/farmville-two//index.php
4 	https://www.facebook.com/home.php
6 	http://espn.go.com/espnradio/
3 	http://www.gewinnspiele-info.de/


Scoobidiver, please don't randomly request URLs, this should only be done when QA or devs are actively working on reproducing and think they need it. It takes already-busy people multiple minutes to gather URLs because we need to look through them and sanitize them, and a bugs that cuts off longs URLs makes things even harder.

Updated

6 years ago
Keywords: needURLs
I also did a random sample on the reports and *all* of them were old AMD machines running Windows XP. Seriously, I think this signature are people with broken hardware.
(Reporter)

Comment 8

6 years ago
Not all have an AMD GPU, some have a VIA, S3 Graphics, SIS, NVIDIA or an unknown GPU, but all have Direct3D10 disabled via the graphics blocklist feature
Summary: crash in mozilla::safebrowsing::KnockoutSubs → crash in mozilla::safebrowsing::KnockoutSubs with Direct3D 10 disabled by gfx blocklist
I doubt this has anything to do with graphics. As I said, they're all old machines (which is likely why D10 is disabled) with old AMD *CPUs*. Not that I think the CPUs itself are broken, but my best guess is that these are all so-so quality mainboards with so-so quality chipsets and so-so quality RAM :P

I don't know why they would bomb out in this piece of code specifically, but one aspect of SafeBrowsing is that it regularly runs in the background even if the machine is idle otherwise.
(Reporter)

Comment 10

6 years ago
It happens only on two kinds of processor:
* AuthenticAMD family 6 model 8 stepping 1: AMD Athlon XP
* AuthenticAMD family 6 model 10 stepping 0: AMD Athlon XP
Summary: crash in mozilla::safebrowsing::KnockoutSubs with Direct3D 10 disabled by gfx blocklist → crash in mozilla::safebrowsing::KnockoutSubs with AMD Athlon XP processors
+bsmedberg since this may point to another hardware/build-specific crash
+ehsan in case he can imagine any correlation between bug 848644 and this crash (I sincerely doubt it)

Since this isn't a top crash, I'm not even sure we'll have the time to get our hands on the devices in comment 10. No current plans to track for upcoming releases.
tracking-firefox19: ? → -

Comment 12

6 years ago
This bug appears to occur also only on graphics adapter vendor 0x1106 (VIA) and 0x1039 (SIS).

It's interesting because it has the some of the characteristics of "the AMD crasher" but doesn't occur with the AMD graphics cards, but does occur with the AMD processors.

It's really hard to correlate against CPUs because of the populations sizes and variability, but I can try to run a report to see whether there are clear non-independence markers.

I'll pull a minidump tomorrow to look for the markers of 2-byte memory corruption we've seen in the past.

Comment 13

6 years ago
I own private browsing, not safebrowsing, so I'm not sure if I can help a lot here.
(Reporter)

Updated

6 years ago
status-firefox20: --- → affected
(Reporter)

Comment 14

5 years ago
It spiked in 21.0b3.
status-firefox21: --- → affected
(Assignee)

Updated

4 years ago
Component: Phishing Protection → Phishing Protection
Product: Firefox → Toolkit

Updated

3 years ago
Crash Signature: [@ mozilla::safebrowsing::KnockoutSubs<mozilla::safebrowsing::SubComplete, mozilla::safebrowsing::AddComplete>] [@ mozilla::safebrowsing::KnockoutSubs<mozilla::safebrowsing::SubPrefix, mozilla::safebrowsing::AddPrefix> ] → [@ mozilla::safebrowsing::KnockoutSubs<mozilla::safebrowsing::SubComplete, mozilla::safebrowsing::AddComplete>] [@ mozilla::safebrowsing::KnockoutSubs<mozilla::safebrowsing::SubPrefix, mozilla::safebrowsing::AddPrefix> ] [@ mozilla::safebrowsing::Knocko…
Priority: -- → P5
Marking as WONTFIX since it's an old crash and appears to be specific to some old hardware we don't have.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.