Closed Bug 1247662 Opened 8 years ago Closed 8 years ago

TEST-UNEXPECTED-FAIL | services/common/tests/unit/test_kintoCertBlocklist.js | xpcshell return code: 0

Categories

(Thunderbird :: General, defect)

Product:
Thunderbird
Component:
General
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
Thunderbird 47.0

People

(Reporter: aleth, Assigned: jorgk-bmo)

References

Details

(Keywords: intermittent-failure)

Attachments

(1 file)

Possible fix (v1).
1.52 KB, patch
aleth
: review+
Details | Diff | Splinter Review 
Unexpected exception NS_ERROR_UNEXPECTED: Component returned failure code: 0x8000ffff (NS_ERROR_UNEXPECTED) [nsIPrefBranch.getCharPref]
 07:31:06     INFO -  CertBlocklistClient/this.maybeSync@resource://gre/modules/services-common/KintoCertificateBlocklist.js:51:18
 07:31:06     INFO -  test_something@/builds/slave/test/build/tests/xpcshell/tests/services/common/tests/unit/test_kintoCertBlocklist.js:74:22
 07:31:06     INFO -  _run_next_test@/builds/slave/test/build/tests/xpcshell/head.js:1540:9
 07:31:06     INFO -  do_execute_soon/<.run@/builds/slave/test/build/tests/xpcshell/head.js:692:9
 07:31:06     INFO -  _do_main@/builds/slave/test/build/tests/xpcshell/head.js:209:5
 07:31:06     INFO -  _execute_test@/builds/slave/test/build/tests/xpcshell/head.js:533:5
 07:31:06     INFO -  @-e:1:1
 07:31:06     INFO -  exiting test
Test and feature was added with Bug 1227956.
Depends on: 1227956
OK, if this came from bug 1227956. Let's see what they did:
https://hg.mozilla.org/mozilla-central/rev/56e66f43d7ee

Oh, they added preferences:
+// Kinto blocklist preferences
+pref("services.kinto.base", "https://firefox.settings.services.mozilla.com/v1");
+pref("services.kinto.bucket", "blocklists");
+pref("services.kinto.onecrl.collection", "certificates");
+pref("services.kinto.onecrl.checked", 0);

Now let's read the error:
(NS_ERROR_UNEXPECTED) [nsIPrefBranch.getCharPref]

I'd bet a beer that we're missing some preferences.
Try run here:
https://treeherder.mozilla.org/#/jobs?repo=try-comm-central&revision=9801beed78e0
(ignore the other changeset in the push, that's my ongoing work which won't interfere).
Does TB use the Kinto Certificate Blocklist?
My try came out green with this addition.

// Kinto blocklist preferences
pref("services.kinto.base", "https://firefox.settings.services.mozilla.com/v1");
pref("services.kinto.bucket", "blocklists");
pref("services.kinto.onecrl.collection", "certificates");
pref("services.kinto.onecrl.checked", 0);

I have no idea whether the URL's actually mean anything. Let's ask:

Mark and David, our xpcshell tests fail since test_kintoCertBlocklist.js fails.

I've copied the four preferences above into out preferences script and like this, the test passes.

Is this acceptable or is there a better fix? Does the URL https://firefox.settings.services.mozilla.com/v1 mean anything?

Your help would be much appreciated.
Flags: needinfo?(mgoodwin)
Flags: needinfo?(dkeeler)
(In reply to Jorg K (GMT+1) from comment #6)
> I have no idea whether the URL's actually mean anything. Let's ask:
> 
> Mark and David, our xpcshell tests fail since test_kintoCertBlocklist.js
> fails.
> 
> I've copied the four preferences above into out preferences script and like
> this, the test passes.
> 
> Is this acceptable or is there a better fix? Does the URL
> https://firefox.settings.services.mozilla.com/v1 mean anything?

The issue here isn't just making the test pass, it's figuring out whether oneCRL cert revocation works in TB or not (and maybe whether it is important to have it work in TB).
Flags: needinfo?(dkeeler)
Sorry about the NI SPAM. NI for David was accidentally removed. Your help would be much appreciated.
Flags: needinfo?(dkeeler)
(In reply to aleth [:aleth] from comment #7) 
> > Is this acceptable or is there a better fix? Does the URL
> > https://firefox.settings.services.mozilla.com/v1 mean anything?

Yes, this is where the next version of OneCRL (and, eventually, some other security state things) will get its data from.

> The issue here isn't just making the test pass, it's figuring out whether
> oneCRL cert revocation works in TB or not (and maybe whether it is important
> to have it work in TB).

OneCRL is something TB probably wants; without this, there's no way (without chem-spill) of revoking roots. Also, if you have security.onecrl.maximum_staleness_in_seconds set to a non-zero value (I'm not sure if this is set in TB), you might be bypassing revocation checks that you otherwise should be performing.

As to whether or not it *works* - I can help with testing, if that would be useful?
Flags: needinfo?(mgoodwin)
Thank you for your answer. I think we have enough information to proceed, so I'm clearing the other NI.

Currently we don't have any preference security.onecrl.* defined or set.

I suggest the following:
Land this patch here to get the xpcshell tests going again.

Then investigate the OneCRL function in another bug with Mark's help. Sounds fair?
Flags: needinfo?(dkeeler)
Attachment #8719509 - Flags: review?(aleth)
Attachment #8719509 - Flags: review?(aleth) → review+
(In reply to Jorg K (GMT+1) from comment #10)
> Currently we don't have any preference security.onecrl.* defined or set.
> 
> Then investigate the OneCRL function in another bug with Mark's help. Sounds
> fair?

Sounds like a good plan. This should be done asap as it seems oneCRL originally landed in 43 (without TB noticing), and so this security feature should be checked for 45 as well.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 47.0
To be continued in bug 1248557.
Assignee: nobody → mozilla
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: