Closed Bug 83593 Opened 23 years ago Closed 23 years ago

stress tests fail on orville

Categories

(NSS :: Libraries, defect, P1)

Product:
NSS
Component:
Libraries
Version:
3.2.1
Platform:
HP
HP-UX
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: sonja.mirtitsch, Assigned: wtc)

References

Details

Attachments

(8 files, 1 obsolete file)

stressclient output
509.22 KB, text/plain
Details
selfserver output, coresponding to the attachement above
589.95 KB, text/plain
Details
script to reproduce the problem
1.34 KB, text/plain
Details
A possible workaround. Write 0 bytes to the socket and retry getpeername.
1.03 KB, patch
Details | Diff | Splinter Review
The bug report I submitted to HP about the getpeername() problem.
1.77 KB, text/plain
Details
Test client nbclient.c (bug report attachment 2)
4.97 KB, text/plain
Details
Test server server.c (bug report attachment 1)
2.08 KB, text/plain
Details
Second workaround: a patch for NSPR. Select the socket for writing with zero timeout after successful completion of a non-blocking connect.
1.07 KB, patch
Details | Diff | Splinter Review
the iWs team would let us use orville again, which can finish our tests in 20 minutes (dump takes 3-5 hours) The strestests on orville fail, but other HP sysems pass. I filed bug #81707 on the fact that the stress tests did not return an error, but the QA stat did. When this was fixed I rebooted orville, but this did not help the condition. Information about the failure is in every day's QA log. Would you have a few minutes to explain to me what the failure means exactly?
Nelson, could you please have a look at it? I realize it seems low priority but it costs my time constantely, sinc eI have to doublecheck the QA reports every single day, and even if it is just 5 or 10 minutes every day it adds up. It also makes the QA report harder to read for the rest of you.
It is indeed a low priority until I get the SSL server session cache rewrite done. strsclnt is reporting error -5978 PR_NOT_CONNECTED_ERROR, which is equivalent to unix's ENOTCONN error, in response to a PR_Write call by the client. It appears that this error code is used only when an OS call returns ENOTCONN. The number of errors varies from run to run, typically between 3 and 12. The number of errors reported is coincidentally equal to 1000 - (cache_hits + cache_missed) as reported by strsclnt when it is done. This begs a question: Are these the last N connections that fail? or do these failures occur in the middle of the test with more succesful connections occuring afterwords? The failures occur with both SSL2 and SSL3 ciphersuites, specifically suites A and c, which are SSL2 RC4 128 WITH MD5 and SSL3 RSA WITH RC4 128 MD5 respectively. I suspect these are the first SSL2 and SSL3 suites that are tried by the QA test, respectively. Question: When one of these tests fails, do we stop trying any further suites from that protocol version? That is, when the first SSL2 suite fails, does the QA script go on and try the rest of the SSL2 suites? or does it stop there and go on to the SSL3 suites? Unless someone else works on this, these questions will go unanswered at least until next week, possibly later.
CCing Wan-Teh, since we should have a look at this bug before the early release
Summary: machine / configuration problems on orville → stress tests fail on orville
Nelson, could you please attach the old logs to verify that the failures on orville were occuring before the recent SSL server cache changes, and are no different now than before? Thanks Orville was used as our main HP-UX 32 bit QA machine until about 5 months ago, and I am not aware that it showed these failures then, we could not use it for a while because of a tinderbox running there. When I started using it again, about 1 month or so ago I noticed this failure.
Priority: -- → P1
Target Milestone: --- → 3.3
I have created a small shell script that will reproduce the problem. running both the server and the client with -v maves the problem disappear. I will work on this bug until someone else has time to take over
-v just decreases the failure - my previous observation was wrong client on charm, server on orville did not show problems, neither does server on charm and client on orville ----------- to answer a few questions that were asked on this bug previously: > Are these the last N connections that fail? or do these failures > occur in the middle of the test with more succesful connections > occuring afterwords? These are not the last connections, I will attach the output when run with -v > The failures occur with both SSL2 and SSL3 ciphersuites, specifically > suites A and c, which are SSL2 RC4 128 WITH MD5 and SSL3 RSA WITH RC4 128 MD5 > respectively. I suspect these are the first SSL2 and SSL3 suites that > are tried by the QA test, respectively. correct. The first and only > Question: When one of these tests fails, do we stop trying any > further suites from that protocol version? That is, when the first SSL2 > suite fails, does the QA script go on and try the rest of the SSL2 suites? > or does it stop there and go on to the SSL3 suites? The stress tests are the last of the ssl tests, there are only 2 tests enabled in tests/ssl/sslstress.txt feel free to add new ones, the just need to add lines with server and client parameters Other observations, bothe running -v, both on orville ----------------------------------------------------- #selfserver output should look like this: selfserv: About to call accept. selfserv: 0 cache hits; 0 cache misses, 0 cache not reusable selfserv: bulk cipher RC4, 128 secret key bits, 128 key bits, status: 1 selfserv: 0 cache hits; 0 cache misses, 0 cache not reusable selfserv: bulk cipher RC4, 128 secret key bits, 128 key bits, status: 1 selfserv: 0 cache hits; 0 cache misses, 0 cache not reusable selfserv: bulk cipher RC4, 128 secret key bits, 128 key bits, status: 1 selfserv: 0 cache hits; 0 cache misses, 0 cache not reusable selfserv: bulk cipher RC4, 128 secret key bits, 128 key bits, status: 1 selfserv: 0 cache hits; 0 cache misses, 0 cache not reusable selfserv: bulk cipher RC4, 128 secret key bits, 128 key bits, status: 1 selfserv: 0 cache hits; 0 cache misses, 0 cache not reusable selfserv: bulk cipher RC4, 128 secret key bits, 128 key bits, status: 1 selfserv: About to call accept. #sometimes output changes, 2 threads writing at the same time #(redirected stderr to stdout) selfserv: Aboutselfserv: 0 cache hits; 0 cache misses, 0 cache not reusable selfserv: bulk cipher RC4, 128 secret key bits, 128 key bits, status: 1 to call accept. selfserv: 0 cache hits; 0 cache misses, 0 cache not reusable selfserv: bulk cipher RC4, 128 secret key bits, 128 key bits, status: 1 --------------- I will attach the script that I have been using for testing, please do not run it in my directories, the commented out "cert.sh" needs to be run first, or the directories from nightly QA mozilla/testresults/security/orville.1 have to be copied to the working directory first
Attached file stressclient output
Assigned the bug to Sonja.
Assignee: nelsonb → sonmi
Wan-Teh, I will work on this bug and I might find some more evidence, but I do not think I have enough experience, either in NSS, nor in multithreaded programming to solve it. If you would have the time to look at the output of the selfserver and the first 2 attachments I'd apprechiate it.
Assigned the bug to Nelson.
Assignee: sonmi → nelsonb
I do not think it should be a P1, because I just reran 3.2.1 QA, and it shows the same failure. It reacts very different than all the other stresstest failures we have been seeing.
Whiteboard: NSS 3.3 Early Release
Whiteboard: NSS 3.3 Early Release
I propose we move the target to 3.4 as 3.2.1 fails the same way on orville.
Moved to 3.4 per Wan-Teh's suggestion, however, I will still try to look at it this coming week.
Target Milestone: 3.3 → 3.4
Assigned the bug to wtc.
Assignee: nelsonb → wtc
Status: NEW → ASSIGNED
Target Milestone: 3.4 → 3.3.1
The strsclnt failure on orville, sjsu, and hpgamma appears to be a bug in HP-UX B.11.00 or its kernel patches. I found that getpeername() occasionally fails with ENOTCONN after a successful completion of non-blocking connect. The connection is in fact successfully established because read() and write() on the socket work. Moreover, getpeername() works after a write() call is made on the socket, which inspires my workaround (attachment 50379 [details] [diff] [review]). I tested the workaround with the 32-bit HP-UX B.11.00 debug build of NSS_3_3_BRANCH on orville, sjsu, and hp64. It worked. I checked in the workaround on the NSS_3_3_BRANCH so that it will get tested by the daily QA. Nelson, I'd appreciate it if you could review the workaround. I will attach the bug report I submitted to HP, and a test server and a test client (without using NSPR or NSS) that reproduce the getpeername() bug.
Comment on attachment 50381 [details] Test server server.c (bug report attachment 1 [details] [diff] [review]) Wrong file.
Attachment #50381 - Attachment is obsolete: true
I did more experiments and found out more about this HP-UX bug. When a non-blocking connect completes successfully but getpeername() fails with ENOTCONN, a second connect() call on the socket will fail with EALREADY, which is consistent with the ENOTCONN error of getpeername(). If I then select the socket for writing again with a zero timeout, the next getpeername() call will succeed, and the next connect() call will fail with the expected EISCONN error. I never have to select a socket for writing a third time. This suggests another workaround, which differs from the first workaround in that we select the socket for writing (with a zero timeout) instead of writing zero bytes to it. This can be done in PR_Connect() for a blocking NSPR socket or in PR_ConnectContinue() for a non-blocking NSPR socket. Note that we can't use this workaround in NSS. NSS can't call select() and must call PR_Poll(). PR_Poll() only works when the bottom layer is NSPR, but NSS may be on top of a non-NSPR layer. This workaround must be done in the bottom layer, which would call select() directly on the Unix file descriptor. I will attach the second workaround, which will be a patch for NSPR.
Perhaps it's best to patch both SSL and NSPR. That way, the problem may be solved on HP boxes that use a different implementation of NSPR's I/O layer, also. But perhaps it would be best to put the modification inside the function ssl_GetPeerInfo rather than after the calls to that function.
Thanks for the code review, Nelson. I am inclined to also patch NSPR, like you suggested. What I haven't decided is when. > But perhaps it would be best to put the modification inside the > function ssl_GetPeerInfo rather than after the calls to that function. I didn't do that because the HP-UX bug only affects the party that calls connect (that is, the client) so it is only necessary to use the workaround when ssl_GetPeerInfo is called on the client side.
*** Bug 99493 has been marked as a duplicate of this bug. ***
The workaround made the NSS 3.3 branch pass the daily QA. I checked in the workaround on the tip of NSS.
Component: Tools → Libraries
Marked the bug fixed. I submitted a bug report to HP but did not get a reply.
Really marked the bug fixed.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: