MASTER firefox crash [@NSSRWLock_LockRead]

doesn't psm / nss need a profile before it will work correctly?

Yes, but there is a profile ;-) Firefox selects a profile before starting XPCOM.

PSM requires a profile? Why? In profileless situations can't it use the default certs?

Mozilla requires some profile directory. For nss/psm, they find the secmod, cert, key, db's in this directory. Of course, you can start NSS in readonly mode.

bug 309877 is about making PSM/NSS work w/o profile

Stack trace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 4678)]
0x40767c8c in NSSRWLock_LockRead () from /usr/local/fritz/firefox/libnss3.so
(gdb) bt
#0 0x40767c8c in NSSRWLock_LockRead ()
  from /usr/local/fritz/firefox/libnss3.so
#1 0x407458f7 in SECMOD_GetReadLock ()
  from /usr/local/fritz/firefox/libnss3.so
#2 0x407555b8 in PK11_GetAllTokens () from /usr/local/fritz/firefox/libnss3.so
#3 0x407557bf in PK11_GetBestSlotMultiple ()
  from /usr/local/fritz/firefox/libnss3.so
#4 0x4075598d in PK11_GetBestSlot () from /usr/local/fritz/firefox/libnss3.so
#5 0x407441b9 in PK11_CreateDigestContext ()
  from /usr/local/fritz/firefox/libnss3.so
#6 0x40737eaa in CERT_DecodeCRLDistributionPoints ()
  from /usr/local/fritz/firefox/libnss3.so
#7 0x40738159 in HASH_Create () from /usr/local/fritz/firefox/libnss3.so
#8 0x08676160 in nsXPTCVariant::Init ()
#9 0x4012f60b in XPTC_InvokeByIndex ()
  from /usr/local/fritz/firefox/libxpcom_core.so
#10 0x080a14f8 in nsTHashtable<nsBaseHashtableET<nsDepCharHashKey,
nsAutoPtr<nsINIParser::INIValue> > >::~nsTHashtable ()
#11 0x080a6c74 in nsTHashtable<nsBaseHashtableET<nsDepCharHashKey,
nsAutoPtr<nsINIParser::INIValue> > >::~nsTHashtable ()
#12 0x4004f90d in js_Invoke () from /usr/local/fritz/firefox/libmozjs.so
#13 0x4005863b in js_Interpret () from /usr/local/fritz/firefox/libmozjs.so
#14 0x4004f9be in js_Invoke () from /usr/local/fritz/firefox/libmozjs.so
#15 0x40053e5b in js_Interpret () from /usr/local/fritz/firefox/libmozjs.so
#16 0x4004f9be in js_Invoke () from /usr/local/fritz/firefox/libmozjs.so
#17 0x40053e5b in js_Interpret () from /usr/local/fritz/firefox/libmozjs.so
#18 0x4004f9be in js_Invoke () from /usr/local/fritz/firefox/libmozjs.so
#19 0x40053e5b in js_Interpret () from /usr/local/fritz/firefox/libmozjs.so
#20 0x4004f9be in js_Invoke () from /usr/local/fritz/firefox/libmozjs.so
#21 0x40053e5b in js_Interpret () from /usr/local/fritz/firefox/libmozjs.so
#22 0x4004f9be in js_Invoke () from /usr/local/fritz/firefox/libmozjs.so
#23 0x40053e5b in js_Interpret () from /usr/local/fritz/firefox/libmozjs.so
#24 0x4004f9be in js_Invoke () from /usr/local/fritz/firefox/libmozjs.so
#25 0x0809d314 in nsTHashtable<nsBaseHashtableET<nsDepCharHashKey,
nsAutoPtr<nsINIParser::INIValue> > >::~nsTHashtable ()
#26 0x0809b4d4 in nsTHashtable<nsBaseHashtableET<nsDepCharHashKey,
nsAutoPtr<nsINIParser::INIValue> > >::~nsTHashtable ()
#27 0x4012f730 in XPTC_InvokeByIndex ()
  from /usr/local/fritz/firefox/libxpcom_core.so
#28 0x40111efa in NS_CreateServicesFromCategory ()
  from /usr/local/fritz/firefox/libxpcom_core.so
#29 0x400e4e28 in NS_InitXPCOM3_P ()
  from /usr/local/fritz/firefox/libxpcom_core.so

Darin: We saw yesterday, that EnsureNSSInitialized does not return a possible failure, and therefore PSM services might get loaded, even if there is a problem with NSS databases.

Did you verify the call to NSS_InitReadWrite in nsNSSComponent::InitializeNSS succeeds?

> Did you verify the call to NSS_InitReadWrite in nsNSSComponent::InitializeNSS
> succeeds?

Nope, I have not. That would be a good thing to test when I have a chance.

*** Bug 366528 has been marked as a duplicate of this bug. ***

On Mac, this happens to several out of every thousand Firefox instances (see bug 366528). I think that makes it a topcrash.

Created attachment 256217
JS stack from shutdown crash

It sounds like this happens if NSS hits shutdown before nsUrlClassifierDBService (anti-phishing thread). During xpcom-shutdown, nsUrlClassifierDBService processes pending events, which may include using nsCryptoHash.

I think the fix is to turn all pending events into NOOPs during nsUrlClassifierDBService shutdown. I'll see if I can repro and get a patch.

Created attachment 260933
v1: no js callbacks during shutdown

I wasn't able to repro, but this patch cancels all calls into JS code once the urlclassifier shutdown has started. Maybe someone who can repro can check to see if this fixes the shutdown crash.

Comment on attachment 260933
v1: no js callbacks during shutdown

It seems like some of these methods should return errors since they are not going to generate callbacks. How about NS_ERROR_NOT_INITIALIZED? Or, NS_ERROR_UNEXPECTED?

-Darin

Created attachment 261031
v2: no js callbacks during shutdown

Updated to return NS_ERROR_NOT_INITIALIZED instead.

We seem to be this bug pretty frequently on the tinderbox page, so I checked this in.

Checking in src/nsUrlClassifierDBService.cpp;
/cvsroot/mozilla/toolkit/components/url-classifier/src/nsUrlClassifierDBService.cpp,v <-- nsUrlClassifierDBService.cpp
new revision: 1.21; previous revision: 1.20
done

(In reply to comment #16)

Do you know if this fix could be solve bug 376709 ?

I hit this crash three times last night (Mac trunk debug), despite my build being up-to-date. (That's three crashes out of about 1360 shutdowns.)

Happening much more frequently now on the Firefox tinderbox page, on Mac qm-xserve01. I've copied a crashreport to:

http://pastebin.mozilla.org/127724

Created attachment 271852
We should observe a much earlier topic, rev. 1

We should be observing a much earlier observer topic in any case. This will shutdown database activity at profile-before-change, as well as xpcom-shutdown-threads.

The comment in ::Shutdown says that it joins the thread, but I don't think it actually does. Unless I am misreading, we should definitely join that thread properly during shutdown. You aren't allowed to have threads persist past the xpcom-shutdown-threads observer topic.

I committed this patch a=robcee to get the tinderbox green, but I'd still like ex-post-facto review. Does this affect the branches at all, or just trunk?

Looks like it affects branch, yes. NSSRWLock_LockRead is the #22 topcrash for Firefox 2.0.0.4. http://talkback-public.mozilla.org/reports/firefox/FF2004/FF2004-topcrashers.html

It's also the #7 crasher in Thunderbird:
http://talkback-public.mozilla.org/reports/thunderbird/TB2004/TB2004-topcrashers.html

What in the world is Thunderbird 2 doing with the URLClassifier? I can confirm that Thunderbird has a filehandle open to urlclassifier2.sqlite, (which is empty, of course).

filed bug 387840 to use --disable-safe-browsing in tbird

Thunderbird 2 has phishing detection. We want to keep it enabled.
http://mxr.mozilla.org/seamonkey/source/mail/components/phishing/

Created attachment 272029
Branch rollup patch

Here's a rollup patch for the 1.8 branch.

Comment on attachment 272029
Branch rollup patch

too late for 1.8.1.5

v/fixed according to http://crash-stats.mozilla.com/report/list?range_unit=weeks&branch=1.9&range_value=2&signature=NSSRWLock_LockRead

Comment on attachment 272029
Branch rollup patch

approved for 1.8.1.7, a=dveditz for release-drivers

Fixed on MOZILLA_1_8_BRANCH for what is now I think 1.8.1.8

I believe the string "fixed1.8.1.8" should be moved from "URL" to "Keywords" in the bug status summary.

Can someone provide a STR or testcase? Trying to verify on branch, but need steps.

Because this is a thread race there really aren't steps to reproduce. The best way to verify would be to check whether the crashes disappeared in talkback.

This patch did not appear to help the NSSRWLock_LockRead crash. According to talkback that's hovering around 1.4% of all crashes in both FF2.0.0.7 and FF2.0.0.8

*** Bug 376709 has been marked as a duplicate of this bug. ***