Status

NSS
Libraries
P1
normal
RESOLVED FIXED
15 years ago
15 years ago

People

(Reporter: Julien Pierre, Assigned: Julien Pierre)

Tracking

x86
Windows 2000

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Assignee)

Description

15 years ago
I encountered this crash while using a tip build of NSS 3.7 with Mozilla. I
don't have a test case to reproduce this unfortunately.

NTDLL! DbgBreakPoint address 0x77f97704
PORT_ArenaAlloc(PLArenaPool * 0x028789b8, unsigned int 41) line 227 + 21 bytes
fill_CERTCertificateFields(NSSCertificateStr * 0x028e7718, CERTCertificateStr *
0x0298d528, int 1) line 641 + 15 bytes
stan_GetCERTCertificate(NSSCertificateStr * 0x028e7718, int 1) line 701 + 17 bytes
STAN_ForceCERTCertificateUpdate(NSSCertificateStr * 0x028e7718) line 717 + 11 bytes
nssPKIObjectCollection_AddInstanceAsObject(nssPKIObjectCollectionStr *
0x03cad0c8, nssCryptokiInstanceStr * 0x04045698) line 940 + 12 bytes
collector(nssCryptokiInstanceStr * 0x04045698, void * 0x03cad0c8) line 995 + 13
bytes
nssToken_TraverseCertificates(NSSTokenStr * 0x028af280, nssSessionStr *
0x02857b48, int 2, int (nssCryptokiInstanceStr *, void *)* 0x03266b56
collector(nssCryptokiInstanceStr *, void *), void * 0x03cad0c8) line 1674 + 13 bytes
NSSTrustDomain_TraverseCertificates(NSSTrustDomainStr * 0x02857a60, int
(NSSCertificateStr *, void *)* 0x032175ed CollectNicknames(NSSCertificateStr *,
void *), void * 0x03ea79e0) line 1048 + 26 bytes
CERT_GetCertNicknames(NSSTrustDomainStr * 0x02857a60, int 2, void * 0x03ce06b8)
line 497 + 18 bytes
CERT_FindUserCertsByUsage(NSSTrustDomainStr * 0x02857a60, int 0, int 0, int 0,
void * 0x03ce06b8) line 123 + 15 bytes
PIPNSS! NSGetModule + -4904 bytes
ssl3_HandleCertificateRequest(sslSocketStr * 0x01fdb588, unsigned char *
0x03be5ae3, unsigned int 0) line 4572 + 48 bytes
ssl3_HandleHandshakeMessage(sslSocketStr * 0x01fdb588, unsigned char *
0x03be5a46, unsigned int 157) line 7198 + 17 bytes
ssl3_HandleHandshake(sslSocketStr * 0x01fdb588, sslBufferStr * 0x01fdb730) line
7298 + 25 bytes
ssl3_HandleRecord(sslSocketStr * 0x01fdb588, SSL3Ciphertext * 0x01b1f8f8,
sslBufferStr * 0x01fdb730) line 7562 + 13 bytes
ssl3_GatherCompleteHandshake(sslSocketStr * 0x01fdb588, int 0) line 203 + 22 bytes
ssl_GatherRecord1stHandshake(sslSocketStr * 0x01fdb588) line 1256 + 11 bytes
ssl_Do1stHandshake(sslSocketStr * 0x01fdb588) line 145 + 13 bytes
ssl_SecureSend(sslSocketStr * 0x01fdb588, const unsigned char * 0x01f860e0, int
556, int 0) line 1024 + 9 bytes
ssl_SecureWrite(sslSocketStr * 0x01fdb588, const unsigned char * 0x01f860e0, int
556) line 1058 + 19 bytes
ssl_Write(PRFileDesc * 0x03ecd828, const void * 0x01f860e0, int 556) line 1262 +
21 bytes
PIPNSS! NSGetModule + -6674 bytes
PR_Write(PRFileDesc * 0x02956c48, const void * 0x01f860e0, int 556) line 141 +
20 bytes
NECKO! NSGetModule + 82226 bytes
NECKO! NSGetModule + 82171 bytes
NECKO! NSGetModule + 82317 bytes
NECKO! NSGetModule + 190778 bytes
NECKO! NSGetModule + 83702 bytes
NECKO! NSGetModule + 73002 bytes
804b0004()

Comment 1

15 years ago
Couple observations:

1) It looks like you were using a smart card.  The code path being executed is
used to update a CERTCertificate when a new token instance of a cert is
discovered.  It is also possible that you have a cert in the builtins and softoken.

2) The crash occured in PORT_ArenaAlloc, which implies:

 a) there is a threading-related bug in PORT_ArenaAlloc (you mentioned that the
assertion was in the THREADMARK block on IRC)

 b) a bad arena is being passed to PORT_ArenaAlloc

I don't have any real insight nto this yet, just noting some things.
(Assignee)

Comment 2

15 years ago
Ian,

I wasn't using a smart card. The arena and all the data on the stack and
variables that I inspected before I closed the debugger looked fine (no visible
corruption).
(Assignee)

Comment 3

15 years ago
I got it again today. Seems like a very similar stack, if not identical.
This time I know what I was doing - I was trying to login to our internal bug DB
web site with client auth. The cert was incorrect (bad domain name, netscape.com
instead of mcom.com in the URL) so I clicked OK to accept. Then it crashed.

NTDLL! DbgBreakPoint address 0x77f97704
PORT_ArenaAlloc(PLArenaPool * 0x034f1f00, unsigned int 44) line 227 + 21 bytes
fill_CERTCertificateFields(NSSCertificateStr * 0x03592fa8, CERTCertificateStr *
0x035898d8, int 1) line 641 + 15 bytes
stan_GetCERTCertificate(NSSCertificateStr * 0x03592fa8, int 1) line 701 + 17 bytes
STAN_ForceCERTCertificateUpdate(NSSCertificateStr * 0x03592fa8) line 717 + 11 bytes
nssPKIObjectCollection_AddInstanceAsObject(nssPKIObjectCollectionStr *
0x036adbe0, nssCryptokiInstanceStr * 0x035e4668) line 940 + 12 bytes
collector(nssCryptokiInstanceStr * 0x035e4668, void * 0x036adbe0) line 995 + 13
bytes
nssToken_TraverseCertificates(NSSTokenStr * 0x029d8168, nssSessionStr *
0x029c9b58, int 2, int (nssCryptokiInstanceStr *, void *)* 0x02f66ad6
collector(nssCryptokiInstanceStr *, void *), void * 0x036adbe0) line 1674 + 13 bytes
NSSTrustDomain_TraverseCertificates(NSSTrustDomainStr * 0x029c9a70, int
(NSSCertificateStr *, void *)* 0x02f175ed CollectNicknames(NSSCertificateStr *,
void *), void * 0x036ad3b0) line 1048 + 26 bytes
CERT_GetCertNicknames(NSSTrustDomainStr * 0x029c9a70, int 2, void * 0x036edd00)
line 497 + 18 bytes
CERT_FindUserCertsByUsage(NSSTrustDomainStr * 0x029c9a70, int 0, int 0, int 0,
void * 0x036edd00) line 123 + 15 bytes
PIPNSS! NSGetModule + -4904 bytes
ssl3_HandleCertificateRequest(sslSocketStr * 0x02866028, unsigned char *
0x036efae3, unsigned int 0) line 4572 + 48 bytes
ssl3_HandleHandshakeMessage(sslSocketStr * 0x02866028, unsigned char *
0x036efa46, unsigned int 157) line 7198 + 17 bytes
ssl3_HandleHandshake(sslSocketStr * 0x02866028, sslBufferStr * 0x028661d0) line
7298 + 25 bytes
ssl3_HandleRecord(sslSocketStr * 0x02866028, SSL3Ciphertext * 0x01b1f8f8,
sslBufferStr * 0x028661d0) line 7562 + 13 bytes
ssl3_GatherCompleteHandshake(sslSocketStr * 0x02866028, int 0) line 203 + 22 bytes
ssl_GatherRecord1stHandshake(sslSocketStr * 0x02866028) line 1256 + 11 bytes
ssl_Do1stHandshake(sslSocketStr * 0x02866028) line 145 + 13 bytes
ssl_SecureSend(sslSocketStr * 0x02866028, const unsigned char * 0x02751aa8, int
556, int 0) line 1024 + 9 bytes
ssl_SecureWrite(sslSocketStr * 0x02866028, const unsigned char * 0x02751aa8, int
556) line 1058 + 19 bytes
ssl_Write(PRFileDesc * 0x036ec058, const void * 0x02751aa8, int 556) line 1262 +
21 bytes
PIPNSS! NSGetModule + -6674 bytes
PR_Write(PRFileDesc * 0x0202c798, const void * 0x02751aa8, int 556) line 141 +
20 bytes
NECKO! NSGetModule + 82226 bytes
NECKO! NSGetModule + 82171 bytes
NECKO! NSGetModule + 82317 bytes
NECKO! NSGetModule + 190778 bytes
NECKO! NSGetModule + 83702 bytes
NECKO! NSGetModule + 73002 bytes
804b0004()

Comment 4

15 years ago
Assigned the bug to Ian.
Assignee: wtc → ian.mcgreer
Priority: -- → P1
Target Milestone: --- → 3.7

Comment 5

15 years ago
reassigned to Julien.

The only assert in PORT_ArenaAlloc checks whether the arena has been marked by
another thread.  We are obviously hitting that assert.

The arena in question belongs to the CERTCertificate.  It is created in
CERT_DecodeDERCertificate.  I started there and traced where the arena is used.

One of the first places it is used is by the quick decoder here:
http://lxr.mozilla.org/security/source/security/nss/lib/certdb/certdb.c#831

that function is defined here:
http://lxr.mozilla.org/security/source/security/nss/lib/util/quickder.c#878

You can see at a glance that it marks the arena, and releases it when an error
occurs, but does not unmark it when there is no error.
Assignee: ian.mcgreer → jpierre
Priority: P1 → --
Target Milestone: 3.7 → ---

Updated

15 years ago
Priority: -- → P1
Target Milestone: --- → 3.7
(Assignee)

Comment 6

15 years ago
This is a regression due to bug 175167.
If this is a regression in 3.6, then IMO, it should go into 3.6.1!  Agreed??
(Assignee)

Comment 8

15 years ago
Created attachment 104699 [details] [diff] [review]
unmark the arena if decode is successful
(Assignee)

Comment 9

15 years ago
No, that other bug fix that caused the regression only went onto the tip, not
the 3.6 branch, so there is no need to roll it back to 3.6.1 .

Comment 10

15 years ago
Comment on attachment 104699 [details] [diff] [review]
unmark the arena if decode is successful

Good catch, Julien!

Can we just call PORT_ArenaRelease on
decoding error as well?  I don't know
the difference between release and
unmark.
(Assignee)

Comment 11

15 years ago
Actually, Ian caught it.
Ian said on IRC that release frees the memory and unmark removes the mark - ie.
commits the changes.

Comment 12

15 years ago
Comment on attachment 104699 [details] [diff] [review]
unmark the arena if decode is successful

Ah, I got it.  r=wtc.
Attachment #104699 - Flags: review+

Comment 13

15 years ago
Does this mean those THREADMARK assertions are
actually useful?
(Assignee)

Comment 14

15 years ago
Checked in to the tip.

Checking in quickder.c;
/cvsroot/mozilla/security/nss/lib/util/quickder.c,v  <--  quickder.c
new revision: 1.14; previous revision: 1.13
done
Status: NEW → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.