Opened 6 years ago

Closed 13 months ago

Last modified 13 months ago

#10761 closed defect (fixed)

Restoring windows and tabs causes crash on exit

Reported by: cypherpunks Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-crash, tbb-firefox-patch, tbb-4.5-alpha, TorBrowserTeam201504R, MikePerry201504R
Cc: gk, mcs, jah Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

  1. Extract TBB 3.5.1
  2. In Torbutton, uncheck Don't record browsing history
  3. In Firefox options, set startup to Show my windows and tabs from last time
  4. Close TB
  5. Open and close TB a few times
  6. Open and close TB. It will crash on exit, every time.

Tested on Windows 7 64bit. This does not happen in a TBB with Firefox 17.

Child Tickets

Attachments (4)

start.cmd (49 bytes) - added by cypherpunks 6 years ago.
batch file with defined NSS_DISABLE_UNLOAD for start tbb for windows
10761.patch (1.1 KB) - added by disgleirio 4 years ago.
Get real PR_Free address
10761_v2.patch (1.1 KB) - added by disgleirio 4 years ago.
Get real PR_Free address
patch.diff (738 bytes) - added by gk 4 years ago.

Download all attachments as: .zip

Change History (63)

comment:1 Changed 6 years ago by gk

Cc: gk added

comment:2 Changed 6 years ago by cypherpunks

Is it still happens for you with TBB 3.5.2?

comment:3 Changed 6 years ago by cypherpunks

Tested on Windows 7 64bit.

Can you post crash report generated by windows.
It's usually stored in event logs forever.
Control Panel -> System and Security -> View event logs (Administrative Tools section)
Next you need to chose in viewer: Windows Logs -> Application
It will show all events and you need to find your crash, should be with "Error" level.
Double click it when found then it will open "Event properties" window.
Click "Copy" button and paste it here
(You probably don't want to paste it all, as it may contain some private stuff you probably cares like computer name, but we need 4 lines at least, about: Faulting application name, Faulting module name, Exception code, Fault offset)

Last edited 6 years ago by cypherpunks (previous) (diff)

comment:4 Changed 6 years ago by cypherpunks

Next you need to chose in viewer: Windows Logs -> Application
It will show all events and you need to find your crash, should be with "Error" level.
Double click it when found then it will open "Event properties" window.
Click "Copy" button and paste it here.

Graphical explanation,

comment:5 Changed 6 years ago by cypherpunks

Faulting application name: firefox.exe, version: 24.3.0.0, time stamp: 0x386d4380
Faulting module name: nssckbi.dll_unloaded, version: 0.0.0.0, time stamp: 0x386d4380
Exception code: 0xc0000005
Fault offset: 0x69bce8b8
Faulting module path: nssckbi.dll

comment:6 Changed 6 years ago by cypherpunks

Nothing

Last edited 5 years ago by cypherpunks (previous) (diff)

comment:7 Changed 6 years ago by cypherpunks

Nothing

Last edited 5 years ago by cypherpunks (previous) (diff)

comment:8 Changed 6 years ago by cypherpunks

Nothing

Last edited 5 years ago by cypherpunks (previous) (diff)

comment:9 Changed 6 years ago by gk

Component: TorBrowserButtonFirefox Patch Issues
Keywords: tbb-crash added

comment:10 Changed 6 years ago by cypherpunks

Nothing

Last edited 5 years ago by cypherpunks (previous) (diff)

comment:11 in reply to:  description Changed 6 years ago by cypherpunks

Tested on Windows 7 64bit. This does not happen in a TBB with Firefox 17.

What AV do you running?

comment:12 Changed 6 years ago by cypherpunks

Comparing files nssckbi.dll and NSSCKBI_patched.DLL
0000C58E: 18 10
0000C58F: C7 90
0000C590: 44 90
0000C591: 24 90
0000C592: 04 A1
0000C593: B8 3C
0000C594: E8 62
0000C595: BC C2
0000C597: C7 50
0000C598: 04 90
0000C599: 24 68

What do you think about this bin patch?

Last edited 6 years ago by cypherpunks (previous) (diff)

comment:13 in reply to:  12 ; Changed 6 years ago by cypherpunks

Replying to cypherpunks:

What do you think about this bin patch?

Doesn't crash for me (OP)

comment:14 Changed 6 years ago by cypherpunks

Nothing

Last edited 5 years ago by cypherpunks (previous) (diff)

comment:15 Changed 6 years ago by cypherpunks

Nothing

Last edited 5 years ago by cypherpunks (previous) (diff)

Changed 6 years ago by cypherpunks

Attachment: start.cmd added

batch file with defined NSS_DISABLE_UNLOAD for start tbb for windows

comment:16 in reply to:  13 Changed 6 years ago by cypherpunks

Doesn't crash for me (OP)

Can you test attached "start.cmd" batch file with non modified TBB? Place and run it from directory with "Start Tor Browser.exe" It should to prevent unloading dll, as workaround it should to prevent crash.

comment:17 Changed 6 years ago by cypherpunks

By any chance do you have problems with https sites for your crashed on exit TBB? When you visits this tracker with TBB does it show "This Connection is Untrusted" error message?

comment:18 Changed 6 years ago by cypherpunks

Using start.cmd it doesn't crash when it should.
Note that if I re-check "Don't record..." then it will not crash anymore, except when closing after making the change.
Also, while unchecked, changing to show a blank page or the home page makes no difference (it will continue crashing as usual).
I don't have any problems visiting this site or Startpage. And no AV.

comment:19 in reply to:  18 Changed 6 years ago by cypherpunks

Note that if I re-check "Don't record..." then it will not crash anymore, except when closing after making the change.

I see.

Can you test TBB without HTTPS-Everywhere, does it changes something? Not by disabling but removing it with restart browser.

comment:20 Changed 6 years ago by cypherpunks

Disabling it stops the crash.
Removing it also works.

comment:21 Changed 6 years ago by cypherpunks

Disabling it stops the crash.
Removing it also works.

So we found real culprit or at least one of reason.

Can you test TBB with HTTPS-Everywhere but without one file, remove Dir_where_TBB_installed\Data\Browser\profile.default\extensions\https-everywhere@…\chrome\content\code\NSS.js file?

comment:22 Changed 6 years ago by cypherpunks

Still crashes.

comment:23 Changed 6 years ago by cypherpunks

Nothing

Last edited 5 years ago by cypherpunks (previous) (diff)

comment:24 Changed 6 years ago by cypherpunks

Nothing

Last edited 5 years ago by cypherpunks (previous) (diff)

comment:25 Changed 6 years ago by cypherpunks

Is there an explanation for the fact that after first extracting TBB, it will close a few times without crashing?

comment:26 Changed 6 years ago by cypherpunks

Is there an explanation for the fact that after first extracting TBB, it will close a few times without crashing?

It's probably something about fetching info about new TBB or pinging servers about new add-ons (NoScript and HTTPS-Everywhere). If you fast enough for first times then nothing yet fetched and HTTPS-Everywhere something didn't triggered some changes in db files. After fetch it stores something to disk (as allowed by uncheck "Don't record browsing history" option) and every next run guaranteed crashes. It's only theory, however.

Last edited 6 years ago by cypherpunks (previous) (diff)

comment:27 Changed 6 years ago by cypherpunks

By any chance did you install EMET? Or some software that forces ASLR for every dll?

comment:28 Changed 6 years ago by cypherpunks

Nothing

Last edited 5 years ago by cypherpunks (previous) (diff)

comment:29 in reply to:  26 Changed 6 years ago by cypherpunks

Is there an explanation for the fact that after first extracting TBB, it will close a few times without crashing?

It's probably something about fetching info about new TBB or pinging servers about new add-ons (NoScript and HTTPS-Everywhere). If you fast enough for first times then nothing yet fetched and HTTPS-Everywhere something didn't triggered some changes in db files. After fetch it stores something to disk (as allowed by uncheck "Don't record browsing history" option) and every next run guaranteed crashes. It's only theory, however.

I ran fresh with DR unchecked for 20min, closed it, then did 2 quick cycles, it crashed in the second.
Starting over, I did 3 cycles, on fourth unchecked DR, 2 more cycles, crashed on second (6th).

By any chance did you install EMET? Or some software that forces ASLR for every dll?

No security software on this PC. Same bug on another, slightly older PC.

comment:30 Changed 6 years ago by cypherpunks

DR unchecked for 20min, closed it,

This option toggles browser.privatebrowsing.autostart option. Try to uncheck DR, restart browser and then wait for 20min before closing browser.

comment:31 Changed 6 years ago by cypherpunks

Same bug on another, slightly older PC.

With 64bit windows too?

comment:32 Changed 6 years ago by cypherpunks

This option toggles browser.privatebrowsing.autostart option. Try to uncheck DR, restart browser and then wait for 20min before closing browser.

Still it didn't crash. Crashed on 3rd cycle, as before.

With 64bit windows too?

Yes.

comment:33 Changed 6 years ago by cypherpunks

Nothing

Last edited 5 years ago by cypherpunks (previous) (diff)

comment:34 Changed 6 years ago by cypherpunks

Nothing

Version 3, edited 5 years ago by cypherpunks (previous) (next) (diff)

comment:35 Changed 6 years ago by cypherpunks

Nothing

Last edited 5 years ago by cypherpunks (previous) (diff)

comment:36 Changed 5 years ago by joebt

TBB in Vista crashes at most shutdowns for me, going back several versions & now in 3.6.2.
EXCEPT, I don't restore tabs or windows from last / previous sessions. It still crashes consistently.

The faulting module is always nssckbi.dll.

Faulting application firefox.exe, version 24.6.0.0, time stamp 0x386d4380, faulting module nssckbi.dll_unloaded, version 0.0.0.0, time stamp 0x386d4380, exception code 0xc0000005, fault offset 0x69bce8b8, process id 0x117c, application start time 0x01cf9f06b6b79b20.

This has happened with completely clean installs of several versions of TBB - no addons / plugins. What concerns me is, I'm not sure Firefox / TBB is shutting down properly (aside from crash notice).

Last edited 5 years ago by joebt (previous) (diff)

comment:37 Changed 5 years ago by cypherpunks

It's probably some specific building bug.
Firefox builds by MinGW around the world and nobody yet report about crashes. Like pcxFirefox with no reports. No crash reports.

Need to redo all building scripts and patches. Or to drop mingw/firefox. Firefox is not ready for security. Or you need to build it by msvc.

Last edited 5 years ago by cypherpunks (previous) (diff)

comment:38 Changed 5 years ago by erinn

Component: Firefox Patch IssuesTor Browser
Keywords: tbb-firefox-patch added
Owner: changed from mikeperry to tbb-team

comment:39 Changed 5 years ago by mcs

Cc: mcs added

comment:40 Changed 5 years ago by gk

#13610 is a duplicate.

comment:41 Changed 5 years ago by gk

I tried to reproduce the crash (reliably) in order to file another (mingw-w64) bug but failed (in fact I did not get to crash my Tor Browser at all). Does somebody have instructions to crash Tor Browser 4.0 in this way? mingw-w64 developers already fixed to crash bugs for us. Thus, it might be a good thing to nail this one down now, too.

comment:42 Changed 5 years ago by cypherpunks

I copypasted a crashing TBB4 into a vmware Win7 32-bit. Stopped crashing. Started again after a few cycles.

Changed 4 years ago by disgleirio

Attachment: 10761.patch added

Get real PR_Free address

comment:43 Changed 4 years ago by disgleirio

Status: newneeds_review

Attached 10761.patch file, does it working for you?

Changed 4 years ago by disgleirio

Attachment: 10761_v2.patch added

Get real PR_Free address

comment:44 Changed 4 years ago by gk

Status: needs_reviewneeds_information

I talked to a mingw-w64 person and he suggested a different patch to test (attached). I created a build containing the proposed fix which you can find on:

https://people.torproject.org/~gk/testbuilds/10761/torbrowser-install-4.0.6_en-US.exe
https://people.torproject.org/~gk/testbuilds/10761/torbrowser-install-4.0.6_en-US.exe.asc

Does that solve your issue?

Changed 4 years ago by gk

Attachment: patch.diff added

comment:45 Changed 4 years ago by cypherpunks

different patch to test (attached)

What changed since https://bugzilla.mozilla.org/show_bug.cgi?id=337887 ? GCC? Vanilla Firefox builds successfully with this patch?

comment:46 Changed 4 years ago by cypherpunks

Does that solve your issue?

Yes, no crashes and unloaded modules anymore, it fixes #14454 as well.

comment:47 Changed 4 years ago by gk

Cc: jah added
Keywords: tbb-4.5-alpha added

Marked #14454 as a duplicate.

comment:48 in reply to:  45 Changed 4 years ago by gk

Replying to cypherpunks:

different patch to test (attached)

What changed since https://bugzilla.mozilla.org/show_bug.cgi?id=337887 ? GCC? Vanilla Firefox builds successfully with this patch?

Newer GCC/Binutils versions make this workaround not necessary anymore, yes. Vanilla Firefox is built with MSVC where NSS and NSPR are folded into a single library now which should fix the problem as well.

comment:49 Changed 4 years ago by gk

Keywords: TorBrowserTeam201504R added
Status: needs_informationneeds_review

bug_10761 (https://gitweb.torproject.org/user/gk/tor-browser.git/commit/?h=bug_10761&id=102883d62a56ab8bc36a508f832f39159fedfb12) in my tor-browser repo has Jacek's fix. I guess we want to take it for the stable even without testing it more widely in an alpha first, right?

comment:50 Changed 4 years ago by mikeperry

Keywords: MikePerry201504R added

comment:51 in reply to:  49 Changed 4 years ago by gk

Replying to gk:

bug_10761 (https://gitweb.torproject.org/user/gk/tor-browser.git/commit/?h=bug_10761&id=102883d62a56ab8bc36a508f832f39159fedfb12) in my tor-browser repo has Jacek's fix. I guess we want to take it for the stable even without testing it more widely in an alpha first, right?

bug_10761_v2 (https://gitweb.torproject.org/user/gk/tor-browser.git/commit/?h=bug_10761_v2&id=c9944b9ca97a238304b61e822d7509ec4ac85a12) has a better commit message, please take that one.

comment:52 Changed 4 years ago by cypherpunks

a better commit message

Wundows sounds legit too.

comment:53 Changed 4 years ago by mikeperry

Resolution: fixed
Status: needs_reviewclosed

Ok, merged and pushed for 4.5-stable.

comment:54 Changed 4 years ago by cypherpunks

It's worth to report about wasteful -mnop-fun-dllimport to mozilla's bugzilla.

337887:

Let's add a comment to explain why we added the -mnop-fun-dllimport flag. Otherwise it'll be difficult to ever remove this flag in the future.

comment:55 in reply to:  54 Changed 4 years ago by cypherpunks

Replying to cypherpunks:

It's worth to report about wasteful -mnop-fun-dllimport to mozilla's bugzilla.

It was reported. https://bugzilla.mozilla.org/show_bug.cgi?id=1151447

comment:56 Changed 13 months ago by vanowm

Please reopen this ticket, as the bug hasn't been fixed in current v7.5.6

comment:57 Changed 13 months ago by vanowm

Resolution: fixed
Status: closedreopened

comment:58 Changed 13 months ago by gk

Resolution: fixed
Severity: Normal
Status: reopenedclosed

This bug has been fixed a while back. The problem you see is likely a new one. We fixed a shutdown crash with the switch to Tor Browser 8 which should be available in our latest alpha (https://archive.torproject.org/tor-package-archive/torbrowser/8.0a10/). Please try to reproduce the crash with it and if you still see it open a new ticket. Thanks!

comment:59 Changed 13 months ago by vanowm

Didn't realize 8.0 is taking over 3 years to release...
Anyhow, v8.0 is not suitable for my use (no legacy extensions) therefor can't test it properly.

Note: See TracTickets for help on using tickets.