crash in nsDNSRecord::GetNextAddr(unsigned short, mozilla::net::NetAddr*)

RESOLVED FIXED

Status

Priority: --
Severity: critical
Reported: 5 years ago
Modified: 4 years ago

People

(Reporter: baffclan, Assigned: dragana)

Tracking

Keywords: crash
Version: unspecified
Platform: x86 Windows XP
Points: ---

Firefox Tracking Flags

(firefox36 fixed, firefox37+ fixed, firefox38+ fixed, firefox39+ fixed)

(Reporter)

Description

5 years ago
This bug was filed from the Socorro interface and is report bp-59aae1fd-aa8e-40a4-842d-08c952140101.
=============================================================

---
User Agent : Mozilla/5.0 (Windows NT 5.1; rv:26.0) Gecko/20100101 Firefox/26.0
gecko.buildID;20131205075310

--- 
Signature: nsDNSRecord::GetNextAddr(unsigned short, mozilla::net::NetAddr*)
UUID: 59aae1fd-aa8e-40a4-842d-08c952140101
Date Processed: 2014-01-01 09:06:20.739433
Uptime: 165203
Last Crash: 8141674 seconds before submission
Install Age: 871458 since version was first installed.
Install Time: 2013-12-22 07:00:59
Product: Firefox
Version: 26.0
Build ID: 20131205075310
Release Channel: release
OS: Windows NT
OS Version: 5.1.2600 Service Pack 3
Build Architecture: x86
Build Architecture Info: GenuineIntel family 6 model 8 stepping 10 | 1
Crash Reason: EXCEPTION_ACCESS_VIOLATION_READ
Crash Address: 0x70617269
User Comments:
App Notes:
  AdapterVendorID: 0x102b, AdapterDeviceID: 0x0525, AdapterSubsysID: 2179102b, AdapterDriverVersion: 5.1.2001.0
  D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers-
Processor Notes: sp-processor07_phx1_mozilla_com.19186:2012; HybridCrashProcessor
EMCheckCompatibility: True
Winsock LSP:
  AVSDA over [MSAFD Tcpip [TCP/IP]] : 2 : 1 :
  AVSDA over [MSAFD Tcpip [UDP/IP]] : 2 : 2 : C:\Program Files\Avira\AntiVir Desktop\avsda.dll
  AVSDA over [MSAFD Tcpip [TCP/IPv6]] : 2 : 1 : C:\Program Files\Avira\AntiVir Desktop\avsda.dll
  AVSDA over [MSAFD Tcpip [UDP/IPv6]] : 2 : 2 : C:\Program Files\Avira\AntiVir Desktop\avsda.dll
  MSAFD Tcpip [TCP/IP] : 2 : 1 : %SystemRoot%\system32\mswsock.dll
  MSAFD Tcpip [UDP/IP] : 2 : 2 : %SystemRoot%\system32\mswsock.dll
  MSAFD Tcpip [RAW/IP] : 2 : 3 : %SystemRoot%\system32\mswsock.dll
  RSVP UDP Service Provider : 6 : 2 : %SystemRoot%\system32\rsvpsp.dll
  RSVP TCP Service Provider : 6 : 1 : %SystemRoot%\system32\rsvpsp.dll
  MSAFD Tcpip [TCP/IPv6] : 2 : 1 : %SystemRoot%\system32\mswsock.dll
  MSAFD Tcpip [UDP/IPv6] : 2 : 2 : %SystemRoot%\system32\mswsock.dll
  MSAFD Tcpip [RAW/IPv6] : 2 : 3 : %SystemRoot%\system32\mswsock.dll
  MSAFD NetBIOS [\Device\NetBT_Tcpip6_{8A633F2C-F1CB-44E3-8BB9-41A70E13FAE7}] SEQPACKET 3 : 2 : 5 : %SystemRoot%\system32\mswsock.dll
  MSAFD NetBIOS [\Device\NetBT_Tcpip6_{8A633F2C-F1CB-44E3-8BB9-41A70E13FAE7}] DATAGRAM 3 : 2 : 2 : %SystemRoot%\system32\mswsock.dll
  MSAFD NetBIOS [\Device\NetBT_Tcpip6_{D977ED64-B8F5-4257-9116-72294DD96AF5}] SEQPACKET 9 : 2 : 5 : %SystemRoot%\system32\mswsock.dll
  MSAFD NetBIOS [\Device\NetBT_Tcpip6_{D977ED64-B8F5-4257-9116-72294DD96AF5}] DATAGRAM 9 : 2 : 2 : %SystemRoot%\system32\mswsock.dll
  MSAFD NetBIOS [\Device\NetBT_Tcpip6_{3418077F-9CF4-4B8F-AF96-D52F6319547B}] SEQPACKET 5 : 2 : 5 : %SystemRoot%\system32\mswsock.dll
  MSAFD NetBIOS [\Device\NetBT_Tcpip6_{3418077F-9CF4-4B8F-AF96-D52F6319547B}] DATAGRAM 5 : 2 : 2 : %SystemRoot%\system32\mswsock.dll
  MSAFD NetBIOS [\Device\NetBT_Tcpip6_{3E458F48-0A06-4C09-850C-B935B7A809A0}] SEQPACKET 8 : 2 : 5 : %SystemRoot%\system32\mswsock.dll
  MSAFD NetBIOS [\Device\NetBT_Tcpip6_{3E458F48-0A06-4C09-850C-B935B7A809A0}] DATAGRAM 8 : 2 : 2 : %SystemRoot%\system32\mswsock.dll
  MSAFD NetBIOS [\Device\NetBT_Tcpip_{8A633F2C-F1CB-44E3-8BB9-41A70E13FAE7}] SEQPACKET 4 : 2 : 5 : %SystemRoot%\system32\mswsock.dll
  MSAFD NetBIOS [\Device\NetBT_Tcpip_{8A633F2C-F1CB-44E3-8BB9-41A70E13FAE7}] DATAGRAM 4 : 2 : 2 : %SystemRoot%\system32\mswsock.dll
  MSAFD NetBIOS [\Device\NetBT_Tcpip_{D977ED64-B8F5-4257-9116-72294DD96AF5}] SEQPACKET 10 : 2 : 5 : %SystemRoot%\system32\mswsock.dll
  MSAFD NetBIOS [\Device\NetBT_Tcpip_{D977ED64-B8F5-4257-9116-72294DD96AF5}] DATAGRAM 10 : 2 : 2 : %SystemRoot%\system32\mswsock.dll
  MSAFD NetBIOS [\Device\NetBT_Tcpip_{3418077F-9CF4-4B8F-AF96-D52F6319547B}] SEQPACKET 0 : 2 : 5 : %SystemRoot%\system32\mswsock.dll
  MSAFD NetBIOS [\Device\NetBT_Tcpip_{3418077F-9CF4-4B8F-AF96-D52F6319547B}] DATAGRAM 0 : 2 : 2 : %SystemRoot%\system32\mswsock.dll
  MSAFD NetBIOS [\Device\NetBT_Tcpip_{EE75D7AF-6323-463D-8B9E-7A54A3B7920F}] SEQPACKET 1 : 2 : 5 : %SystemRoot%\system32\mswsock.dll
  MSAFD NetBIOS [\Device\NetBT_Tcpip_{EE75D7AF-6323-463D-8B9E-7A54A3B7920F}] DATAGRAM 1 : 2 : 2 : %SystemRoot%\system32\mswsock.dll
  MSAFD NetBIOS [\Device\NetBT_Tcpip_{4EB01A8F-6A65-4AB1-8CCE-6320213DAD07}] SEQPACKET 2 : 2 : 5 : %SystemRoot%\system32\mswsock.dll
  MSAFD NetBIOS [\Device\NetBT_Tcpip_{4EB01A8F-6A65-4AB1-8CCE-6320213DAD07}] DATAGRAM 2 : 2 : 2 : %SystemRoot%\system32\mswsock.dll
  AVSDA : 2 : 1 : C:\Program Files\Avira\AntiVir Desktop\avsda.dll
Adapter Vendor ID: 0x102b
Adapter Device ID: 0x0525
Total Virtual Memory: 2147352576
Available Virtual Memory: 1556508672
System Memory Use Percentage: 88
Available Page File: 418131968
Available Physical Memory: 63930368

-- 
Crashing Thread

Frame | Module | Signature | Source
0 | xul.dll | nsDNSRecord::GetNextAddr(unsigned short,mozilla::net::NetAddr *) | netwerk/dns/nsDNSService2.cpp
1 | xul.dll | nsDNSRecord::HasMore(bool *) | netwerk/dns/nsDNSService2.cpp
2 | xul.dll | NS_InvokeByIndex | xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp
3 | xul.dll | XPC_WN_CallMethod(JSContext *,unsigned int,JS::Value *) | js/xpconnect/src/XPCWrappedNativeJSOps.cpp
4 | | @0x62e23b8 |
5 | | @0x13f5fe10 |
6 | | @0x6481f81 |
7 | mozjs.dll | EnterBaseline | js/src/jit/BaselineJIT.cpp
8 | mozjs.dll | js::jit::EnterBaselineAtBranch(JSContext *,js::StackFrame *,unsigned char *) | js/src/jit/BaselineJIT.cpp
9 | mozjs.dll | Interpret | js/src/vm/Interpreter.cpp
10 | mozjs.dll | js::Invoke(JSContext *,JS::Value const &,JS::Value const &,unsigned int,JS::Value *,JS::MutableHandle<JS::Value>) | js/src/vm/Interpreter.cpp
11 | mozjs.dll | JS_CallFunctionValue(JSContext *,JSObject *,JS::Value,unsigned int,JS::Value *,JS::Value *) | js/src/jsapi.cpp
12 | xul.dll | nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS *,unsigned short,XPTMethodDescriptor const *,nsXPTCMiniVariant *) | js/xpconnect/src/XPCWrappedJSClass.cpp
13 | xul.dll | nsXPCWrappedJS::CallMethod(unsigned short,XPTMethodDescriptor const *,nsXPTCMiniVariant *) | js/xpconnect/src/XPCWrappedJS.cpp
14 | xul.dll | PrepareAndDispatch | xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp
15 | xul.dll | SharedStub | xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp
16 | xul.dll | `anonymous namespace'::DNSListenerProxy::OnLookupCompleteRunnable::Run() | netwerk/dns/nsDNSService2.cpp
17 | xul.dll | nsThread::ProcessNextEvent(bool,bool *) | xpcom/threads/nsThread.cpp
18 | xul.dll | NS_ProcessNextEvent(nsIThread *,bool) | xpcom/glue/nsThreadUtils.cpp
19 | xul.dll | mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate *) | ipc/glue/MessagePump.cpp
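The following is an added triage example, not code from the original report, from Socorro or from Mozilla. It parses the two parts of a Socorro export quoted above (the "Key \t Value" field lines and the crashing-thread table) and applies the first checks an analyst makes on a crash like this one: the access type (READ vs WRITE, the distinction the analysis below is built on), whether the faulting address is made entirely of printable ASCII bytes (0x70617269 reads "pari" most-significant byte first, the classic sign that a pointer was overwritten with string data rather than a NULL dereference), where the first frame from netwerk/dns/ sits, and which frames are unsymbolized JIT code. The sample strings are constructed from this report's own values; all function and field-handling names are my own.

```python
"""Triage helpers for a Socorro-style crash report (added example)."""
import re
from dataclasses import dataclass

# Constructed sample input: a few field lines and frames copied from the
# report in this bug, in the tab-separated layout Socorro exports.
SAMPLE_FIELDS = (
    "Crash Reason \tEXCEPTION_ACCESS_VIOLATION_READ\n"
    "Crash Address \t0x70617269\n"
    "Build Architecture \tx86\n"
)

SAMPLE_FRAMES = (
    "0 \txul.dll \tnsDNSRecord::GetNextAddr(unsigned short,mozilla::net::NetAddr *) \tnetwerk/dns/nsDNSService2.cpp\n"
    "1 \txul.dll \tnsDNSRecord::HasMore(bool *) \tnetwerk/dns/nsDNSService2.cpp\n"
    "2 \txul.dll \tNS_InvokeByIndex \txpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp\n"
    "3 \txul.dll \tXPC_WN_CallMethod(JSContext *,unsigned int,JS::Value *) \tjs/xpconnect/src/XPCWrappedNativeJSOps.cpp\n"
    "4 \t\t@0x62e23b8 \t\n"
    "5 \t\t@0x13f5fe10 \t\n"
    "7 \tmozjs.dll \tEnterBaseline \tjs/src/jit/BaselineJIT.cpp\n"
)


@dataclass
class Frame:
    number: int
    module: str      # empty for unsymbolized (JIT or unknown) code
    signature: str
    source: str


def parse_fields(text: str) -> dict:
    """Split 'Key \\tValue' lines into a dict, trimming the padding."""
    fields = {}
    for line in text.splitlines():
        if "\t" in line:
            key, value = line.split("\t", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_frames(text: str) -> list:
    """Parse the crashing-thread table: frame, module, signature, source."""
    frames = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("\t")]
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        parts += [""] * (4 - len(parts))   # pad a missing source column
        frames.append(Frame(int(parts[0]), parts[1], parts[2], parts[3]))
    return frames


def address_bytes(addr: str, width: int = 4) -> bytes:
    """Address as big-endian bytes; width 4 for an x86 build, 8 for x86-64."""
    return int(addr, 16).to_bytes(width, "big")


def looks_like_text(addr: str, width: int = 4) -> bool:
    """True when every byte of the faulting address is printable ASCII.

    Such an address (the classic 0x41414141) usually means a pointer was
    overwritten with string data; a genuine NULL-ish dereference is not.
    """
    return all(0x20 <= b < 0x7F for b in address_bytes(addr, width))


def access_type(reason: str) -> str:
    """READ / WRITE / EXEC / UNKNOWN from a Windows access-violation reason."""
    m = re.search(r"ACCESS_VIOLATION_(READ|WRITE|EXEC)", reason)
    return m.group(1) if m else "UNKNOWN"


def unsymbolized_frames(frames: list) -> list:
    """Frame numbers that carry no module, i.e. JIT or unknown code."""
    return [f.number for f in frames if not f.module]


def first_frame_in(frames: list, source_prefix: str):
    """First frame whose source path starts with the given directory."""
    return next((f for f in frames if f.source.startswith(source_prefix)), None)


def triage(field_text: str, frame_text: str) -> dict:
    """Run the checks above and return a summary dict for the report."""
    fields = parse_fields(field_text)
    frames = parse_frames(frame_text)
    width = 8 if "64" in fields.get("Build Architecture", "") else 4
    addr = fields["Crash Address"]
    text_like = looks_like_text(addr, width)
    top_dns = first_frame_in(frames, "netwerk/dns/")
    return {
        "access": access_type(fields.get("Crash Reason", "")),
        "address": addr,
        "address_ascii": address_bytes(addr, width).decode("ascii") if text_like else None,
        "pointer_overwrite_suspected": text_like,
        "top_dns_frame": top_dns.signature if top_dns else None,
        "jit_frames": unsymbolized_frames(frames),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_FIELDS, SAMPLE_FRAMES).items():
        print(f"{key}: {value}")
```

On this report the summary comes back as a READ violation, a text-looking address, nsDNSRecord::GetNextAddr as the first DNS frame, and frames 4 and 5 as unsymbolized JIT code, which matches the "crashing on the main thread, somewhere in JS, in a DNS listener" reading in the analysis that follows. The ASCII check is a heuristic, not proof: it raises the priority of a memory-safety explanation but says nothing about which object was overwritten.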
Comment 1

Here are some notes from my initial analysis (some of these are for my own records).

-- Crashing on the main thread, somewhere in JS, in a DNS listener.
-- There are two crash types:
   -- 1. READ violation: GetNextAddr called from either GetNextAddrAsString or HasMore.
   -- 2. WRITE violation: GetNextAddr called from OnSocketEvent. This crash occurs much more infrequently, but it is likely related.
Note: I will focus on the READ violation traces for now.

-- There is a plugin correlation, but only the signature shows, not the name: it starts with 972ce4c6. I see this for all crashes on version 29 and 28. I see refs to this signature in mozilla-central, but I'm not sure what the package name is.

-- In mozilla-central, only gonk's NetworkManager.js calls getNextAddrAsString and hasMore (for hasMore, I think this is the only call related to an nsIDNSRecord). These calls are on adjacent lines - I'm wondering if this is a B2G emulator crash ... I'm not sure how NetworkManager is packaged with the desktop build, if at all.

-- The final line number for the crash (READ violation) happens on different, but nearby lines in GetNextAddr - I've put the code snippet below instead of line numbers:
   -- mHostRecord->addr_info_lock.Unlock() for all Fx29 crashes
   -- mIter = mIter->GetNext() for all Fx28 crashes, and many samples from the other versions.

Back to the WRITE violation:
-- Crashes occur in GetNextAddr at:
   -- memcpy(addr, &mIter->mAddress...)
   -- or mHostRecord->addr_info_lock.Lock() for Fx27.0
   -- while (!mIter && mHostRecord->Blacklisted(&mIter->mAddress)) for Fx 25.0.1

So, maybe the nsIDNSRecords/nsDNSRecord is being corrupted, since mIter and mHostRecord are members.
-- Is it a corruption that starts in Resolve/AsyncResolve?
-- Is there something happening on another thread?


Not sure how to reproduce this one, and I don't have a speculative fix yet. Also, the numbers are pretty low so far, so I won't be attending to this very urgently. But it's on my radar :)
(Reporter)

Comment 2

5 years ago
(In reply to Steve Workman [:sworkman] from comment #1)
Thanks for the comment.

I found a "972ce4c6" in about:config.
> extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description;The default theme.
> extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name;Default

Comment 3

4 years ago
I might have some input on reproducing this issue. I encountered this issue twice within a few minutes while working in Gmail. Specifically, I was rapidly going through and forwarding a bunch of emails.

The workflow was simple:
 * Open Gmail web interface
 * Open an email -> Select forward -> Enter recipient & quick addendum to body -> Send
 * Repeat the latter step

Comment 4

4 years ago
And another one, again while fiddling around in the Gmail web interface. I'm increasingly confident that Gmail is doing something conducive to surfacing this bug.

Comment 5

4 years ago
I won't update this ticket anymore unless requested to, but I just had a fourth crash, again while using Gmail. I should note I'm browsing/using numerous other sites, but am only seeing this crash occur while interacting with Gmail.

Comment 7

4 years ago
I’m not an expert at all, but just wanted to add my 2¢: Firefox is crashing with increasing frequency again for me, and this was one of them. I don’t ever use Gmail. The program seems to shut down by itself without warning—not sure what is causing it. 

This was my crash that led to this page:

https://crash-stats.mozilla.com/report/index/365380da-9d3d-4699-b45c-ebea72140820

Comment 8

4 years ago
Sorry, one more—this one crashed while I was browsing on Vimeo. It also led to this page.

https://crash-stats.mozilla.com/report/index/00859b1f-332c-4ede-ab49-f8cfa2140820
Comment 9

steve - any ideas here? seems to be uaf. Socorro shows this active on nightly; though at low volume.

is it possible something is triggered when the dns service is reinitted? (something that is going to happen a lot more when daniel's patches land)
Flags: needinfo?(sworkman)
Comment 10

Unsure about the reinit question: I don't think the DNS Service should be getting re-initted very much at the moment. The 'network.manage-offline-status' pref should be disabled by default, and it's the only one I know that would re-init during runtime. Maybe a plugin/extension is re-initting it?

I poked around in the code again, and I'm wondering if DNSListenerProxy has something to do with it. I'll keep poking...
Flags: needinfo?(sworkman)

Comment 11

4 years ago
Just chiming in to advise I'm still seeing these crashes on the latest release (v32.0).

Most recent crash from a few moments ago:
https://crash-stats.mozilla.com/report/index/c70b426a-351f-4a41-b6b6-175ab2140911

Comment 12

4 years ago
This is definitely not scientific, but I'm fairly sure I witness this bug far more on slow connections. Every crash I've witnessed has been on a relatively slow connection. I've never seen this crash on my desktop at home, while of all the work places I have witnessed this, the one with the slowest connection has the vast majority of crashes witnessed. I wonder if slower connections result in circumstances more likely to reproduce this bug...

Just an observation that may be helpful.

Comment 13

4 years ago
I've found bug 1132358, which may be related to this issue. Please have a look.
Comment 14

(In reply to Steve Workman [:sworkman] (please use needinfo) from comment #10)
> I poked around in the code again, and I'm wondering if DNSListenerProxy has
> something to do with it. I'll keep poking...

Steve, are you still looking at this bug? I'm seeing this signature on the top-crash lists of various channels.
status-firefox37: --- → affected
status-firefox38: --- → affected
tracking-firefox37: --- → ?
tracking-firefox38: --- → ?
Flags: needinfo?(sworkman)
(Assignee)

Comment 15

4 years ago
If Steve doesn't mind, I can take it over and look at it.
Bug 1132358 fixed some of these crashes.
Comment 16

Very happy for Dragana to take this one :) Thanks Dragana!
Flags: needinfo?(sworkman)

Updated

4 years ago
Assignee: nobody → dd.mozilla
Comment 17

Tracking this as it's a topcrash, happy to see it's assigned.
status-firefox39: --- → affected
tracking-firefox37: ? → +
tracking-firefox38: ? → +
tracking-firefox39: --- → +
(Assignee)

Comment 18

4 years ago
Bug 1132358 fixed this.
I do not see any crashes on 39, but we can wait some days. 
There are the same crashes with the build from 2015/02/23, but the patch from bug 1132358 is still not in. So it probably shipped with the 24th Nightly.
Comment 19

(In reply to Dragana Damjanovic [:dragana] from comment #18)
> Bug 1132358 fixed this.
> I do not see any crashes on 39, but we can wait some days.
> There are the same crashes with the build from 2015/02/23, but the patch from bug
> 1132358 is still not in. So it probably shipped with the 24th Nightly.

If this is the case, 38 and 39 should both be fixed. Please do follow up to ensure that bug 1132358 has fixed this issue.
status-firefox38: affected → fixed
status-firefox39: affected → fixed
Duplicate of this bug: 1062824
Depends on: 1132358
(Assignee)

Comment 21

4 years ago
Looking at crash reports, there are no reports with versions 39 and 38 after 23.2.2015.
So this is fixed with bug 1132358.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Bug 1132358 has been uplifted to 36 and 37 so both releases should be fixed as well.
status-firefox36: --- → fixed
status-firefox37: affected → fixed