Closed
Bug 126501
Opened 23 years ago
Closed 23 years ago
SSL client dies in handshake code in NSS 3.4
Categories
(NSS :: Libraries, defect, P1)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 126289
3.4
People
(Reporter: julien.pierre, Assigned: wtc)
Details
Last night I ran another stress test on my Sun box with NSS 3.4 . I was not using client auth this time. The client dumped core at 8:20am with the following stack : et@33 (l@102) terminated by signal ABRT (Abort) re Current function is PR_Assert 495 abort(); (dbx) current thread: t@33 [1] __sigprocmask(0x0, 0xfddf1210, 0x0, 0x0, 0x0, 0x0), at 0xfec39bf0 [2] _resetsig(0xfec3c510, 0x0, 0x0, 0xfddf1d78, 0xfec4e000, 0x0), at 0xfec2e620 [3] _sigon(0xfddf1d78, 0xfec55990, 0x6, 0xfddf12e4, 0xfddf1d78, 0xfddf1328), at 0xfec2dd10 [4] _thrp_kill(0x0, 0x21, 0x6, 0xfec4e000, 0x21, 0xfebba428), at 0xfec30e84 [5] raise(0x6, 0x0, 0x0, 0xffffffff, 0xfebba394, 0xfee6b6dc), at 0xfeb49b08 [6] abort(0xfebb6000, 0x3f, 0xfebbd99c, 0xfebb9c78, 0x7a, 0xfeb91c94), at 0xfeb35124 =>[7] PR_Assert(s = 0xff308044 "!ssl_HaveRecvBufLock(ss)", file = 0xff308060 "sslsecur.c", ln = 122), line 495 in "prlog.c" [8] ssl_Do1stHandshake(ss = 0x19a3b158), line 122 in "sslsecur.c" [9] ssl_SecureSend(ss = 0x19a3b158, buf = 0xb5578 "GET /index.html HTTP/1.0\n\n", len = 26, flags = 0), line 1100 in "sslsecur.c" [10] ssl_Send(fd = 0x123f10, buf = 0xb5578, len = 26, flags = 0, timeout = 360000000U), line 1212 in "sslsock.c" [11] PR_Send(fd = 0x123f10, buf = 0xb5578, amount = 26, flags = 0, timeout = 360000000U), line 221 in "priometh.c" [12] SunRequest::send(this = 0x19a3b110, sock = 0x123f10), line 308 in "request.cpp" [13] SunEngine::makeRequest(this = 0xfddf1b64, request = CLASS, server = CLASS, ignoresenderror = 1), line 413 in "engine.cpp" [14] SunTest::run(this = 0x8df10), line 454 in "tests.cpp" [15] TestInstance::execute_test(this = 0x8dec0), line 152 in "tests.cpp" [16] thread_entry(arg = (nil)), line 1684 in "tests.cpp" [17] _pt_root(arg = 0xeec28), line 214 in "ptthread.c" (dbx) This is very similar to the stack in defect 126289, which was an NSS 3.3.2 bug. I'm not sure if there was a memory leak in this test or not. The core is over 400 MB but I don't know if that really says much. Next time I will run a script in the background that will monitor each process' memory usage periodically using pmap.
Reporter | ||
Updated•23 years ago
|
Priority: -- → P1
Target Milestone: --- → 3.4
Assignee | ||
Comment 1•23 years ago
|
||
The only difference of this stack from the stack in bug 126289 is that in that bug it is the assertion at sslsecur.c:123 that failed: PORT_Assert( !ssl_HaveXmitBufLock(ss) ); I will need to examine the core files to see who owns the RecvBufLock and XmitBufLock when the assertions failed.
Assignee | ||
Comment 2•23 years ago
|
||
This is from dbx on the core file. Since both ss->gather->buf and ss->sec->writeBuf look fine, this does NOT support my theory that we ran out of memory when creating these buffers in ssl_CreateSecurityInfo(). detected a multithreaded program t@33 (l@102) terminated by signal ABRT (Abort) 0xfec39bf0: __sigprocmask+0x0008: jmp %o7 + 0x8 Current function is PR_Assert 495 abort(); (/tools/ns/workshop-6.0u2/bin/../WS6U2/bin/sparcv9/dbx) up Current function is ssl_Do1stHandshake 124 PORT_Assert( !ssl_HaveRecvBufLock(ss) ); (/tools/ns/workshop-6.0u2/bin/../WS6U2/bin/sparcv9/dbx) print ss ss = 0x19a3b158 (/tools/ns/workshop-6.0u2/bin/../WS6U2/bin/sparcv9/dbx) print *ss *ss = { fd = 0x123f10 ops = 0xff31f2e4 useSocks = 0 useSecurity = 1U requestCertificate = 0 requireCertificate = 2U handshakeAsClient = 1U handshakeAsServer = 0 enableSSL2 = 1U enableSSL3 = 1U enableTLS = 1U clientAuthRequested = 0 noCache = 1U fdx = 0 v2CompatibleHello = 1U detectRollBack = 1U firstHsDone = 0 recvdCloseNotify = 0 lastWriteBlocked = 0 TCPconnected = 1U handshakeBegun = 0 delayDisabled = 0 version = 0 clientHelloVersion = 0 sec = 0x19a96c08 url = 0x199c3758 "localhost" gather = 0x19a967a0 handshake = (nil) nextHandshake = (nil) securityHandshake = 0xff2eb878 = &ssl2_BeginClientHandshake() saveBuf = { buf = (nil) len = 0 space = 0 } pendingBuf = { buf = (nil) len = 0 space = 0 } peerID = (nil) ssl3 = (nil) cipherSpecs = (nil) sizeCipherSpecs = 0 preferredCipher = (nil) serverCerts = ( { serverCert = (nil) serverCertChain = (nil) serverKey = (nil) serverKeyBits = 0 }{ serverCert = (nil) serverCertChain = (nil) serverKey = (nil) serverKeyBits = 0 }{ serverCert = (nil) serverCertChain = (nil) serverKey = (nil) serverKeyBits = 0 }{ serverCert = (nil) serverCertChain = (nil) serverKey = (nil) serverKeyBits = 0 } ) stepDownKeyPair = (nil) authCertificate = 0x2a3a8 = &`httptest`engine.cpp`certcallback(void *arg, struct PRFileDesc *fd, PRBool checksig, PRBool isServer) authCertificateArg = 0x857b0 getClientAuthData = (nil) getClientAuthDataArg = (nil) handleBadCert = (nil) badCertArg = (nil) handshakeCallback = (nil) handshakeCallbackData = (nil) pkcs11PinArg = (nil) rTimeout = 360000000U wTimeout = 360000000U cTimeout = 360000000U recvLock = 0x19b06b80 sendLock = 0x19b06be0 recvBufLock = 0x19b06a90 xmitBufLock = 0x19b06b08 firstHandshakeLock = 0x19a3b2c0 ssl3HandshakeLock = 0x19a3b338 specLock = 0x199c40e0 dbHandle = 0x857b0 writerThread = 0xeec28 shutdownHow = 0 allowedByPolicy = 222U maybeAllowedByPolicy = 222U chosenPreference = 255U handshaking = sslHandshakingAsClient cipherSuites = ( { cipher_suite = 57U policy = 1U enabled = 0 isPresent = 0 }{ cipher_suite = 56U policy = 1U enabled = 0 isPresent = 0 }{ cipher_suite = 53U policy = 1U enabled = 0 isPresent = 0 }{ cipher_suite = 30U policy = 1U enabled = 1U isPresent = 0 }{ cipher_suite = 102U policy = 1U enabled = 0 isPresent = 0 }{ cipher_suite = 51U policy = 1U enabled = 0 isPresent = 0 }{ cipher_suite = 50U policy = 1U enabled = 0 isPresent = 0 }{ cipher_suite = 4U policy = 1U enabled = 1U isPresent = 0 }{ cipher_suite = 5U policy = 1U enabled = 0 isPresent = 0 }{ cipher_suite = 47U policy = 1U enabled = 0 isPresent = 0 }{ cipher_suite = 22U policy = 1U enabled = 0 isPresent = 0 }{ cipher_suite = 19U policy = 1U enabled = 0 isPresent = 0 }{ cipher_suite = 65279U policy = 1U enabled = 1U isPresent = 0 }{ cipher_suite = 10U policy = 1U enabled = 1U isPresent = 0 }{ cipher_suite = 29U policy = 1U enabled = 1U isPresent = 0 }{ cipher_suite = 21U policy = 1U enabled = 0 isPresent = 0 }{ cipher_suite = 18U policy = 1U enabled = 0 isPresent = 0 }{ cipher_suite = 65278U policy = 1U enabled = 1U isPresent = 0 }{ cipher_suite = 9U policy = 1U enabled = 1U isPresent = 0 }{ cipher_suite = 100U policy = 1U enabled = 1U isPresent = 0 }{ cipher_suite = 98U policy = 1U enabled = 1U isPresent = 0 }{ cipher_suite = 3U policy = 1U enabled = 1U isPresent = 0 }{ cipher_suite = 6U policy = 1U enabled = 1U isPresent = 0 }{ cipher_suite = 28U policy = 1U enabled = 1U isPresent = 0 }{ cipher_suite = 1U policy = 1U enabled = 0 isPresent = 0 } ) } (/tools/ns/workshop-6.0u2/bin/../WS6U2/bin/sparcv9/dbx) print ss->sec ss->sec = 0x19a96c08 (/tools/ns/workshop-6.0u2/bin/../WS6U2/bin/sparcv9/dbx) print *ss->sec *ss->sec = { send = 0xff2e4b40 = &`libssl3.so`sslcon.c`ssl2_SendClear(struct sslSocketStr *ss, const PRUint8 *in, PRInt32 len, PRInt32 flags) isServer = 0 writeBuf = { buf = 0x19a35e90 "" len = 0 space = 4096U } cipherType = 0 keyBits = 0 secretKeyBits = 0 localCert = (nil) peerCert = (nil) peerKey = (nil) authAlgorithm = ssl_sign_null authKeyBits = 0 keaType = ssl_kea_null keaKeyBits = 0 cache = (nil) uncache = (nil) sendSequence = 0 rcvSequence = 0 hash = (nil) hashcx = (nil) sendSecret = { type = siBuffer data = (nil) len = 0 } rcvSecret = { type = siBuffer data = (nil) len = 0 } readcx = (nil) writecx = (nil) enc = (nil) dec = (nil) destroy = (nil) blockShift = 0 blockSize = 1 ci = { sendBuf = { buf = (nil) len = 0 space = 0 } peer = { _S6_un = { _S6_u8 = "" _S6_u16 = (0, 0, 0, 0, 0, 0, 0, 0) _S6_u32 = (0, 0, 0, 0) _S6_u64 = (0, 0) } } port = 0 sid = (nil) elements = '\0' requiredElements = '\0' sentElements = '\0' sentFinished = '\0' serverChallengeLen = 0 authType = '\0' clientChallenge = "" connectionID = "" serverChallenge = "" readKey = "" writeKey = "" keySize = 0 } } (/tools/ns/workshop-6.0u2/bin/../WS6U2/bin/sparcv9/dbx) print *ss->gather *ss->gather = { state = 0 buf = { buf = 0x19a34e88 "" len = 0 space = 4096U } offset = 0 remainder = 0 count = 0 recordLen = 0 recordPadding = 0 recordOffset = 0 encrypted = 0 readOffset = 0 writeOffset = 0 inbuf = { buf = (nil) len = 0 space = 0 } hdr = "" }
Status: NEW → ASSIGNED
Assignee | ||
Comment 3•23 years ago
|
||
One more thing about the core file: the value of 'loopCount' in ssl_Do1stHandshake() is 0, which means the monitor's lock count was already non-zero when the function was entered. ss->recvBufLock->entryCount is 1. I am now at a loss. The only explanation I can come up with is that ssl_CreateSecurityInfo was called at least twice before we called ssl_Do1stHandshake(), and for some reason the first call to ssl_CreateSecurityInfo failed but the second call succeeded. This seems unlikely though. Nelson, for a normal SSL client, does it call ssl_CreateSecurityInfo twice before it gets to call ssl_Do1stHandshake()?
Comment 4•23 years ago
|
||
I think the hypothesis that that ssl_CreateSecurityInfo was called at least twice is viable. You'll find calls to ssl_CreateSecurityInfo in many places in libssl. The function doesn't allocate another SecurityInfo struct if one is already allocated, so it doesn't hurt to call it many times. Apparently my predecssors had a lot of problems with references to null sec pointers, so they puts calls to the Create function all over the place. I'm working on a patch now to make the SecurityInfo struct be part of the sslSocket str, so that it will be allocated with the ssl socket. Besides reducing the number of calls to malloc and free slightly, it will also greatly reduce the number of pointer indirections required to access members of this struct. e.g. ss->sec.foo instead of ss->sec->foo. I will attach the patch here soon.
Reporter | ||
Comment 5•23 years ago
|
||
This is the same bug as 126289, but on a different NSS version. Marking this one duplicate. *** This bug has been marked as a duplicate of 126289 ***
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•