Closed Bug 501322 Opened 15 years ago Closed 15 years ago

Crash [@ _VEC_memzero] during shutdown

Categories

(NSS :: Libraries, defect)

3.12.3
x86
Windows XP
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 492385

People

(Reporter: mayhemer, Assigned: mayhemer)

Details

Attachments

(1 file)

msvcr80d.dll!_VEC_memzero(void * dst=0x00000000, int val=-1414812757, int len=1242616)  + 0x6a bytes	C
>	nssutil3.dll!PORT_ZFree_Util(void * ptr=0xfdfdfdfd, unsigned int len=0)  Line 160 + 0xf bytes	C
 	nssutil3.dll!PORT_ZFree_Util(void * ptr=0xfdfdfdfd, unsigned int len=2880154539)  Line 160 + 0xf bytes	C
 	nssutil3.dll!SECITEM_ZfreeItem_Util(SECItemStr * zap=0x068fc8d0, int freeit=1)  Line 277 + 0x13 bytes	C
 	nss3.dll!NamedCRLCacheEntry_Destroy(NamedCRLCacheEntryStr * entry=0x068fda78)  Line 1319 + 0xe bytes	C
 	nss3.dll!FreeNamedEntries(PLHashEntry * he=0x04bf7f00, int i=0, void * arg=0x0012f660)  Line 1372 + 0x9 bytes	C
 	plds4.dll!PL_HashTableEnumerateEntries(PLHashTable * ht=0x0510b978, int (PLHashEntry *, int, void *)* f=0x019c60a0, void * arg=0x0012f660)  Line 406 + 0xf bytes	C
 	nss3.dll!ShutdownCRLCache()  Line 1424 + 0x15 bytes	C
 	nss3.dll!NSS_Shutdown()  Line 883	C
 	pipnss.dll!nsNSSComponent::ShutdownNSS()  Line 1752 + 0x5 bytes	C++
 	pipnss.dll!nsNSSComponent::DoProfileBeforeChange(nsISupports * aSubject=0x04cdfbc8)  Line 2505 + 0x8 bytes	C++
 	pipnss.dll!nsNSSComponent::Observe(nsISupports * aSubject=0x04cdfbc8, const char * aTopic=0x1003e33c, const wchar_t * someData=0x1003efa4)  Line 2057 + 0xf bytes	C++
 	xpcom_core.dll!nsObserverList::NotifyObservers(nsISupports * aSubject=0x04cdfbc8, const char * aTopic=0x1003e33c, const wchar_t * someData=0x1003efa4)  Line 129	C++
 	xpcom_core.dll!nsObserverService::NotifyObservers(nsISupports * aSubject=0x04cdfbc8, const char * aTopic=0x1003e33c, const wchar_t * someData=0x1003efa4)  Line 184	C++
 	xul.dll!nsXREDirProvider::DoShutdown()  Line 878	C++
 	xul.dll!ScopedXPCOMStartup::~ScopedXPCOMStartup()  Line 993	C++
 	xul.dll!XRE_main(int argc=3, char * * argv=0x00d1b1f8, const nsXREAppData * aAppData=0x00d1b940)  Line 3388	C++
 	firefox.exe!NS_internal_main(int argc=3, char * * argv=0x00d1b1f8)  Line 156 + 0x12 bytes	C++
 	firefox.exe!wmain(int argc=3, wchar_t * * argv=0x00d10fe8)  Line 110 + 0xd bytes	C++
 	firefox.exe!__tmainCRTStartup()  Line 594 + 0x19 bytes	C
 	firefox.exe!wmainCRTStartup()  Line 414	C
 	kernel32.dll!7c817077() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for kernel32.dll]	
 	js3250.dll!nanojit::live(avmplus::GC * gc=0x0069006c, nanojit::LirBuffer * lirbuf=0x004b0063)  Line 1555 + 0x13 bytes	C++


-		entry	0x068fda78 {canonicalizedName=0x04d175a0 crl=0x068fc8d0 inCRLCache=0 ...}	NamedCRLCacheEntryStr *
-		canonicalizedName	0x04d175a0 {type=siBuffer data=0x068e0d18 "†(http://crl.globalsign.net/ExtendVal1.crlýýýý««««««««îþ" len=42 }	SECItemStr *
		type	siBuffer	SECItemType
-		data	0x068e0d18 "†(http://crl.globalsign.net/ExtendVal1.crlýýýý««««««««îþ"	unsigned char *
			134 '†'	unsigned char
		len	42	unsigned int
-		crl	0x068fc8d0 {type=66439740 data=0xfdfdfdfd <Bad Ptr> len=2880154539 }	SECItemStr *
		type	66439740	SECItemType
> -		data	0xfdfdfdfd <Bad Ptr>	unsigned char *
			CXX0030: Error: expression cannot be evaluated	
		len	2880154539	unsigned int
		inCRLCache	0	int
		successfulInsertionTime	0	__int64
		lastAttemptTime	1246354174550000	__int64
		badDER	1	int
		dupe	0	int
		unsupported	0	int


mozilla-central debug build, during reproduction of bug 473197 in test env described in comment 14 of that bug at shutdown. The pointer is invalid (not just null).
Also crashes in area of feeefeee.
Attached patch v1
This is patch on hg mozilla-central repo. It can be easily turned to CVS nss trunk patch.

When we fail to add a crl entry we free entry->crl member with SECITEM_ZfreeItem but we leave the invalid pointer in the entry structure. When it's going to be freed we crash.

It seems this problem is there from the very beginning...
Assignee: nobody → honzab.moz
Status: NEW → ASSIGNED
Attachment #386004 - Flags: review?(nelson)
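As an added illustration (not the attached patch and not NSS code), here is a small C model of the failure path comment 1 describes: a cache entry whose crl member is freed after a failed insertion, with the pointer either left dangling or reset to NULL. The Item/Entry types, the failed_insert helper and the freed-pointer ledger are constructed assumptions; the ledger stands in for the heap corruption a real second free would cause (the trace above only got the MSVC debug heap's 0xfdfdfdfd fill pattern as a hint).

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-ins for NSS's SECItem and NamedCRLCacheEntry (not NSS's own types). */
typedef struct { unsigned char *data; unsigned int len; } Item;
typedef struct { Item *canonicalizedName; Item *crl; int inCRLCache; } Entry;
/* Debug ledger of Item pointers already released, so a second free of the same
 * pointer is reported instead of being handed to free() (assumption, not NSS). */
#define LEDGER_SIZE 16
static const void *freed_ledger[LEDGER_SIZE];
static int freed_count;
static int was_freed(const Item *it) {
    for (int i = 0; i < freed_count; i++) if (freed_ledger[i] == it) return 1;
    return 0;
}
static Item *item_new(const char *src) {
    Item *it = malloc(sizeof *it);
    it->len = (unsigned int)strlen(src);
    it->data = memcpy(malloc(it->len), src, it->len);
    return it;
}
/* Mirrors SECITEM_ZfreeItem(item, PR_TRUE): zero the payload, free it, free the item. */
static void item_zfree(Item *it) {
    if (!it) return;
    memset(it->data, 0, it->len);
    free(it->data);
    if (freed_count < LEDGER_SIZE) freed_ledger[freed_count++] = it;
    free(it);
}
/* Same shape as NamedCRLCacheEntry_Destroy: 0 on success, -2 if a member dangles. */
static int entry_destroy(Entry *e) {
    if (!e) return -1;
    if (was_freed(e->crl) || was_freed(e->canonicalizedName)) return -2;
    item_zfree(e->crl);
    item_zfree(e->canonicalizedName);
    free(e);
    return 0;
}
/* Failure path from comment 1: crl is freed; with clear_pointer it is also reset to NULL. */
static void failed_insert(Entry *e, int clear_pointer) {
    item_zfree(e->crl);
    if (clear_pointer) e->crl = NULL;            /* the one-line fix */
}
/* Runs a failed insertion followed by destroy; returns entry_destroy's result. */
int failed_insert_then_destroy(int clear_pointer) {
    freed_count = 0;                             /* fresh ledger per run: addresses get reused */
    Entry *e = calloc(1, sizeof *e);
    e->canonicalizedName = item_new("http://crl.globalsign.net/ExtendVal1.crl");
    e->crl = item_new("constructed DER bytes");
    failed_insert(e, clear_pointer);
    int rc = entry_destroy(e);
    if (rc == -2) { e->crl = NULL; entry_destroy(e); }   /* release the rest safely */
    return rc;
}
```

Without the NULL assignment the destroy step sees the already-freed crl member (-2); with it, destroy completes normally (0).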
Comment on attachment 386004 [details] [diff] [review]
v1

>@@ -1310,24 +1310,26 @@ static SECStatus NamedCRLCacheEntry_Dest
>     if (!entry)
>         return SECFailure;

>     if (entry->crl)
>+        entry->crl = NULL;
>     if (entry->canonicalizedName)
>+        entry->canonicalizedName = NULL;
>     PORT_Free(entry);
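Review bot: clearing entry->crl and entry->canonicalizedName right before PORT_Free(entry) has no effect, because the whole entry is released on the next line and nobody can observe the cleared fields; the dangling member described in comment 1 is created on the failed-insertion path, so `entry->crl = NULL;` belongs there, directly after the SECITEM_ZfreeItem call, which is what stops a later NamedCRLCacheEntry_Destroy from freeing it a second time. Also, as quoted, the new assignment sits directly under `if (entry->crl)` with no free call between them; in the full hunk it must follow the free, not replace it.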

surely this isn't needed, as the structure is being destroyed/freed.
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Comment on attachment 386004 [details] [diff] [review]
v1

Removing review request. This is already fixed on trunk.
Attachment #386004 - Flags: review?(nelson)
