Closed Bug 119086 Opened 23 years ago Closed 22 years ago

NSS3.4 build / crash in cert manager after SSL client auth

Categories

(Core Graveyard :: Security: UI, defect, P1)

Product:
Core Graveyard
Component:
Security: UI
Version:
Other Branch
Platform:
x86
Linux
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED WORKSFORME
Milestone:
psm2.2

People

(Reporter: KaiE, Assigned: KaiE)

References

Details

Access any client auth site. Either the one mentioned in bug 118818, or
https://217.160.75.209/misc/test6/ (optional client auth, you don't need a cert).

After the page has been loaded, try to open cert manager => crash

The console says:
  lock != NULL, at ../../../../../mozilla/nsprpub/pr/src/pthreads/ptsynch.c:182

Debugger says:
#2  0x4064d062 in abort () at ../sysdeps/generic/abort.c:88
#3  0x4031a824 in PR_Assert (s=0x4034b85c "lock != NULL", file=0x4034b780
"../../../../../mozilla/nsprpub/pr/src/pthreads/ptsynch.c", ln=182) at
../../../../../mozilla/nsprpub/pr/src/io/prlog.c:505
#4  0x40337c2f in PR_Lock (lock=0x0) at
../../../../../mozilla/nsprpub/pr/src/pthreads/ptsynch.c:182
#5  0x43dbd314 in nssPKIObject_AddRef (object=0x896f348) at certdecode.c:89
#6  0x43db8bdf in nssCertificate_AddRef (c=0x896f348) at certificate.c:71
#7  0x43dbd118 in cert_iter (k=0x896f348, v=0x896f330, a=0x8af0ae0) at
tdcache.c:1012
#8  0x43dc721e in nss_hash_enumerator (he=0x89494f8, index=0, arg=0xbfffcf2c) at
hash.c:376
#9  0x40300271 in PL_HashTableEnumerateEntries (ht=0x888ad48, f=0x43dc71e8
<nss_hash_enumerator>, arg=0xbfffcf2c) at
../../../../mozilla/nsprpub/lib/ds/plhash.c:429
#10 0x43dc7273 in nssHash_Iterate (hash=0x888ad28, fcn=0x43dbd0f0 <cert_iter>,
closure=0x8af0ae0) at hash.c:399
#11 0x43dbd196 in nssTrustDomain_GetCertsFromCache (td=0x888a388,
certListOpt=0x8af0ae0) at tdcache.c:1030
#12 0x43dbbad9 in NSSTrustDomain_TraverseCertificates (td=0x888a388,
callback=0x43d77ea0 <convert_cert>, arg=0xbfffcfa8) at trustdomain.c:854
#13 0x43d7cba1 in PK11_ListCerts (type=PK11CertListCA, pwarg=0x8af0210) at
pk11cert.c:3011
#14 0x43c96e5c in nsNSSCertificateDB::GetCertsByType (this=0x8aef158, aType=1,
aCertCmpFn=0x43ca2cac <nsCertOutliner::CmpByTok_IssuerOrg_Name(nsIX509Cert *,
nsIX509Cert *)>, _certs=0x8aefa1c) at
../../../../../mozilla/security/manager/ssl/src/nsNSSCertificate.cpp:2704
#15 0x43ca337b in nsCertOutliner::LoadCerts (this=0x8aefa10, aType=1) at
../../../../../mozilla/security/manager/ssl/src/nsCertOutliner.cpp:268

in nssPKIObject_AddRef object is:
{arena = 0x0, lock = 0x0, refCount = 0, instanceList = 0x0, instances = 0x0,
trustDomain = 0x0, cryptoContext = 0x0}

one level above that, in nssCertificate_AddRef c is:
{object = {arena = 0x0, lock = 0x0, refCount = 0, instanceList = 0x0, instances
= 0x0, trustDomain = 0x0, cryptoContext = 0x0}, type =
NSSCertificateType_Unknown, id = {data = 0x0, size = 0}, encoding = {data = 0x0,
size = 0}, issuer = {data = 0x8949498, size = 71}, subject = {data = 0x0, size =
0}, serial = {data = 0x89494e8, size = 4}, nickname = 0x0, email = 0x0, decoding
= 0x0}
adding dependency, P1
Blocks: 116334
Priority: -- → P1
I backed out my last checkin to tdcache.c.  It caused this bug.
Hmm, I now see a different crash.
Erase the *.db files from your profile.
Go to https://217.160.75.209/misc/test6/
After the page has been loaded, quit Mozilla.
Crash on exit.
Will post a stack trace.

#0  0x443b6a53 in nssCertificateStore_Remove (store=0xdadadada, cert=0x8880fc8)
at pkistore.c:307
#1  0x4439dafa in CERT_DestroyCertificate (cert=0x8831600) at stanpcertdb.c:468
#2  0x4433189c in ssl3_CleanupPeerCerts (ssl3=0x8817f68) at ssl3con.c:6378
#3  0x44334cb4 in ssl3_DestroySSL3Info (ssl3=0x8817f68) at ssl3con.c:7948
#4  0x443454cb in ssl_FreeSocket (ss=0x8812f78) at sslsock.c:345
#5  0x4433dc7e in ssl_DefClose (ss=0x8812f78) at ssldef.c:244
#6  0x44341474 in ssl_SecureClose (ss=0x8812f78) at sslsecur.c:965
#7  0x4434730b in ssl_Close (fd=0x86d4800) at sslsock.c:1170
#8  0x4427b7a9 in nsSSLIOLayerClose (fd=0x86d4800) at
../../../../../mozilla/security/manager/ssl/src/nsNSSIOLayer.cpp:582

At level #0, we crash on PZ_Lock, stored points to 0xdadadada
Target Milestone: --- → 2.2
This is a PSM bug.  The problem is that NSS_Shutdown() is called before the
socket is closed.  Put a break in NSS_Shutdown(), and another in ssl_Close(),
and you'll see that there is an attempt to close an SSL socket after NSS has
been shutdown.  That is the why the memory shown in the stack trace is invalid.
Ian, thanks for debugging this.

Conrad, Darin, looks like we need to extend what we've done in bug 104021 and
bug 104020, and do the same when the application exits.

I think, when application exit is initiated, "profile-change-net-teardown"
should be posted (causing a synch shutdown of network activity). Do you know of
a good place to add that? Could the profile manager code do that?
Assignee: ssaux → kaie
Kai, I think shutting down the profile when we exit the app would do it. Also, I
think I'll need to do that anyway for a bug I'm working on now (bug 76431).
Thanks, Conrad. Making dependent on your bug.
Depends on: 76431
This shouldn't block 116334. This remains a P1 bug. We'll work with Conrad to
make sure we do the right thing.

As I understand it, this is sort of an edge case.
No longer blocks: 116334
nsbeta1
Keywords: nsbeta1
nsbeta1- unless we get conrad fix.
Keywords: nsbeta1nsbeta1-
WFM on Win2000 and Linux.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → WORKSFORME
Verified WFM.
Status: RESOLVED → VERIFIED
Product: PSM → Core
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.