Bug 177208 - crash in Stan code
Status: RESOLVED FIXED (Closed)
Opened 22 years ago; Closed 22 years ago
Categories: NSS :: Libraries, defect, P1
Tracking: Not tracked
Target Milestone: 3.7
People: Reporter: julien.pierre; Assigned: julien.pierre
Attachments (1 file): patch, 485 bytes; wtc: review+
I encountered this crash while using a tip build of NSS 3.7 with Mozilla. I don't have a test case to reproduce this unfortunately.

NTDLL! DbgBreakPoint address 0x77f97704
PORT_ArenaAlloc(PLArenaPool * 0x028789b8, unsigned int 41) line 227 + 21 bytes
fill_CERTCertificateFields(NSSCertificateStr * 0x028e7718, CERTCertificateStr * 0x0298d528, int 1) line 641 + 15 bytes
stan_GetCERTCertificate(NSSCertificateStr * 0x028e7718, int 1) line 701 + 17 bytes
STAN_ForceCERTCertificateUpdate(NSSCertificateStr * 0x028e7718) line 717 + 11 bytes
nssPKIObjectCollection_AddInstanceAsObject(nssPKIObjectCollectionStr * 0x03cad0c8, nssCryptokiInstanceStr * 0x04045698) line 940 + 12 bytes
collector(nssCryptokiInstanceStr * 0x04045698, void * 0x03cad0c8) line 995 + 13 bytes
nssToken_TraverseCertificates(NSSTokenStr * 0x028af280, nssSessionStr * 0x02857b48, int 2, int (nssCryptokiInstanceStr *, void *)* 0x03266b56 collector(nssCryptokiInstanceStr *, void *), void * 0x03cad0c8) line 1674 + 13 bytes
NSSTrustDomain_TraverseCertificates(NSSTrustDomainStr * 0x02857a60, int (NSSCertificateStr *, void *)* 0x032175ed CollectNicknames(NSSCertificateStr *, void *), void * 0x03ea79e0) line 1048 + 26 bytes
CERT_GetCertNicknames(NSSTrustDomainStr * 0x02857a60, int 2, void * 0x03ce06b8) line 497 + 18 bytes
CERT_FindUserCertsByUsage(NSSTrustDomainStr * 0x02857a60, int 0, int 0, int 0, void * 0x03ce06b8) line 123 + 15 bytes
PIPNSS! NSGetModule + -4904 bytes
ssl3_HandleCertificateRequest(sslSocketStr * 0x01fdb588, unsigned char * 0x03be5ae3, unsigned int 0) line 4572 + 48 bytes
ssl3_HandleHandshakeMessage(sslSocketStr * 0x01fdb588, unsigned char * 0x03be5a46, unsigned int 157) line 7198 + 17 bytes
ssl3_HandleHandshake(sslSocketStr * 0x01fdb588, sslBufferStr * 0x01fdb730) line 7298 + 25 bytes
ssl3_HandleRecord(sslSocketStr * 0x01fdb588, SSL3Ciphertext * 0x01b1f8f8, sslBufferStr * 0x01fdb730) line 7562 + 13 bytes
ssl3_GatherCompleteHandshake(sslSocketStr * 0x01fdb588, int 0) line 203 + 22 bytes
ssl_GatherRecord1stHandshake(sslSocketStr * 0x01fdb588) line 1256 + 11 bytes
ssl_Do1stHandshake(sslSocketStr * 0x01fdb588) line 145 + 13 bytes
ssl_SecureSend(sslSocketStr * 0x01fdb588, const unsigned char * 0x01f860e0, int 556, int 0) line 1024 + 9 bytes
ssl_SecureWrite(sslSocketStr * 0x01fdb588, const unsigned char * 0x01f860e0, int 556) line 1058 + 19 bytes
ssl_Write(PRFileDesc * 0x03ecd828, const void * 0x01f860e0, int 556) line 1262 + 21 bytes
PIPNSS! NSGetModule + -6674 bytes
PR_Write(PRFileDesc * 0x02956c48, const void * 0x01f860e0, int 556) line 141 + 20 bytes
NECKO! NSGetModule + 82226 bytes
NECKO! NSGetModule + 82171 bytes
NECKO! NSGetModule + 82317 bytes
NECKO! NSGetModule + 190778 bytes
NECKO! NSGetModule + 83702 bytes
NECKO! NSGetModule + 73002 bytes
804b0004()
Comment 1 • 22 years ago
Couple observations:
1) It looks like you were using a smart card. The code path being executed is used to update a CERTCertificate when a new token instance of a cert is discovered. It is also possible that you have a cert in the builtins and softoken.
2) The crash occurred in PORT_ArenaAlloc, which implies:
a) there is a threading-related bug in PORT_ArenaAlloc (you mentioned that the assertion was in the THREADMARK block on IRC)
b) a bad arena is being passed to PORT_ArenaAlloc
I don't have any real insight into this yet, just noting some things.
Comment 2 (Assignee) • 22 years ago
Ian, I wasn't using a smart card. The arena and all the data on the stack and variables that I inspected before I closed the debugger looked fine (no visible corruption).
Comment 3 (Assignee) • 22 years ago
I got it again today. Seems like a very similar stack, if not identical. This time I know what I was doing - I was trying to log in to our internal bug DB web site with client auth. The cert was incorrect (bad domain name, netscape.com instead of mcom.com in the URL) so I clicked OK to accept. Then it crashed.

NTDLL! DbgBreakPoint address 0x77f97704
PORT_ArenaAlloc(PLArenaPool * 0x034f1f00, unsigned int 44) line 227 + 21 bytes
fill_CERTCertificateFields(NSSCertificateStr * 0x03592fa8, CERTCertificateStr * 0x035898d8, int 1) line 641 + 15 bytes
stan_GetCERTCertificate(NSSCertificateStr * 0x03592fa8, int 1) line 701 + 17 bytes
STAN_ForceCERTCertificateUpdate(NSSCertificateStr * 0x03592fa8) line 717 + 11 bytes
nssPKIObjectCollection_AddInstanceAsObject(nssPKIObjectCollectionStr * 0x036adbe0, nssCryptokiInstanceStr * 0x035e4668) line 940 + 12 bytes
collector(nssCryptokiInstanceStr * 0x035e4668, void * 0x036adbe0) line 995 + 13 bytes
nssToken_TraverseCertificates(NSSTokenStr * 0x029d8168, nssSessionStr * 0x029c9b58, int 2, int (nssCryptokiInstanceStr *, void *)* 0x02f66ad6 collector(nssCryptokiInstanceStr *, void *), void * 0x036adbe0) line 1674 + 13 bytes
NSSTrustDomain_TraverseCertificates(NSSTrustDomainStr * 0x029c9a70, int (NSSCertificateStr *, void *)* 0x02f175ed CollectNicknames(NSSCertificateStr *, void *), void * 0x036ad3b0) line 1048 + 26 bytes
CERT_GetCertNicknames(NSSTrustDomainStr * 0x029c9a70, int 2, void * 0x036edd00) line 497 + 18 bytes
CERT_FindUserCertsByUsage(NSSTrustDomainStr * 0x029c9a70, int 0, int 0, int 0, void * 0x036edd00) line 123 + 15 bytes
PIPNSS! NSGetModule + -4904 bytes
ssl3_HandleCertificateRequest(sslSocketStr * 0x02866028, unsigned char * 0x036efae3, unsigned int 0) line 4572 + 48 bytes
ssl3_HandleHandshakeMessage(sslSocketStr * 0x02866028, unsigned char * 0x036efa46, unsigned int 157) line 7198 + 17 bytes
ssl3_HandleHandshake(sslSocketStr * 0x02866028, sslBufferStr * 0x028661d0) line 7298 + 25 bytes
ssl3_HandleRecord(sslSocketStr * 0x02866028, SSL3Ciphertext * 0x01b1f8f8, sslBufferStr * 0x028661d0) line 7562 + 13 bytes
ssl3_GatherCompleteHandshake(sslSocketStr * 0x02866028, int 0) line 203 + 22 bytes
ssl_GatherRecord1stHandshake(sslSocketStr * 0x02866028) line 1256 + 11 bytes
ssl_Do1stHandshake(sslSocketStr * 0x02866028) line 145 + 13 bytes
ssl_SecureSend(sslSocketStr * 0x02866028, const unsigned char * 0x02751aa8, int 556, int 0) line 1024 + 9 bytes
ssl_SecureWrite(sslSocketStr * 0x02866028, const unsigned char * 0x02751aa8, int 556) line 1058 + 19 bytes
ssl_Write(PRFileDesc * 0x036ec058, const void * 0x02751aa8, int 556) line 1262 + 21 bytes
PIPNSS! NSGetModule + -6674 bytes
PR_Write(PRFileDesc * 0x0202c798, const void * 0x02751aa8, int 556) line 141 + 20 bytes
NECKO! NSGetModule + 82226 bytes
NECKO! NSGetModule + 82171 bytes
NECKO! NSGetModule + 82317 bytes
NECKO! NSGetModule + 190778 bytes
NECKO! NSGetModule + 83702 bytes
NECKO! NSGetModule + 73002 bytes
804b0004()
Comment 4 • 22 years ago
Assigned the bug to Ian.
Assignee: wtc → ian.mcgreer
Priority: -- → P1
Target Milestone: --- → 3.7
Comment 5 • 22 years ago
Reassigned to Julien.

The only assert in PORT_ArenaAlloc checks whether the arena has been marked by another thread. We are obviously hitting that assert. The arena in question belongs to the CERTCertificate. It is created in CERT_DecodeDERCertificate. I started there and traced where the arena is used. One of the first places it is used is by the quick decoder here:
http://lxr.mozilla.org/security/source/security/nss/lib/certdb/certdb.c#831
That function is defined here:
http://lxr.mozilla.org/security/source/security/nss/lib/util/quickder.c#878
You can see at a glance that it marks the arena, and releases it when an error occurs, but does not unmark it when there is no error.
Assignee: ian.mcgreer → jpierre
Priority: P1 → --
Target Milestone: 3.7 → ---
Updated • 22 years ago
Priority: -- → P1
Target Milestone: --- → 3.7
Comment 6 (Assignee) • 22 years ago
This is a regression due to bug 175167.
Comment 7 • 22 years ago
If this is a regression in 3.6, then IMO, it should go into 3.6.1! Agreed??
Comment 8 (Assignee) • 22 years ago
Comment 9 (Assignee) • 22 years ago
No, that other bug fix that caused the regression only went onto the tip, not the 3.6 branch, so there is no need to roll it back to 3.6.1.
Comment 10 • 22 years ago
Comment on attachment 104699 [details] [diff] [review]: unmark the arena if decode is successful

Good catch, Julien! Can we just call PORT_ArenaRelease on decoding error as well? I don't know the difference between release and unmark.
Comment 11 (Assignee) • 22 years ago
Actually, Ian caught it. Ian said on IRC that release frees the memory and unmark removes the mark - i.e. commits the changes.
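Comment 5 and comment 11 describe the mark/release/unmark discipline behind this crash. The following is an added example, not NSS code and not the patch attached to this bug: a constructed arena model whose per-thread mark check stands in for the THREADMARK assertion in PORT_ArenaAlloc, plus a decoder skeleton that either omits the unmark on success (the bug) or performs it (the fix). The type and function names (Arena, arena_mark, decode_into, ...) are the example's own, not NSS's.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model, not NSS's PLArenaPool: a bump allocator that records which
 * thread holds the outstanding mark. NSS's THREADMARK build asserts in
 * PORT_ArenaAlloc when another thread's mark is still pending; here that is NULL. */
#define NO_THREAD 0
typedef struct {
    unsigned char buf[256];
    size_t used;        /* bump pointer */
    size_t mark;        /* position saved by arena_mark */
    int mark_owner;     /* thread id holding the mark, NO_THREAD if none */
} Arena;
static void arena_init(Arena *a) { memset(a, 0, sizeof *a); }

static void *arena_alloc(Arena *a, int tid, size_t n) {
    if (a->mark_owner != NO_THREAD && a->mark_owner != tid) return NULL; /* the assert */
    if (a->used + n > sizeof a->buf) return NULL;
    void *p = a->buf + a->used;
    a->used += n;
    return p;
}
static void arena_mark(Arena *a, int tid) { a->mark = a->used; a->mark_owner = tid; }
/* release: roll allocations back to the mark and drop it (error path) */
static void arena_release(Arena *a) { a->used = a->mark; a->mark_owner = NO_THREAD; }
/* unmark: keep the allocations, drop only the mark (success path, "commit") */
static void arena_unmark(Arena *a) { a->mark_owner = NO_THREAD; }

/* Decoder skeleton in the shape of the bug. Returns 0 on success, -1 on error.
 * With fixed == 0 a successful decode leaves the mark behind. */
static int decode_into(Arena *a, int tid, const unsigned char *der, size_t len, int fixed) {
    arena_mark(a, tid);
    if (len == 0 || der[0] != 0x30 || arena_alloc(a, tid, len) == NULL) {
        arena_release(a);           /* error: roll back, mark dropped */
        return -1;
    }
    if (fixed) arena_unmark(a);     /* the call the original code omitted */
    return 0;
}

/* Thread 1 decodes, thread 2 then allocates from the same arena, as in the
 * reported stack. Returns 1 if the second allocation succeeds, 0 if it trips
 * the cross-thread mark check, -2 if the decode itself failed. */
static int other_thread_can_alloc(int fixed) {
    Arena a;
    static const unsigned char der[] = { 0x30, 0x03, 0x02, 0x01, 0x05 }; /* constructed SEQUENCE */
    arena_init(&a);
    if (decode_into(&a, 1, der, sizeof der, fixed) != 0) return -2;
    return arena_alloc(&a, 2, 16) != NULL;
}
```

The error path behaves the same before and after the fix: release already drops the mark, which is why only the success path needed the unmark.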
Comment 12 • 22 years ago
Comment on attachment 104699 [details] [diff] [review]: unmark the arena if decode is successful

Ah, I got it. r=wtc.
Attachment #104699 - Flags: review+
Comment 13 • 22 years ago
Does this mean those THREADMARK assertions are actually useful?
Comment 14 (Assignee) • 22 years ago
Checked in to the tip.

Checking in quickder.c;
/cvsroot/mozilla/security/nss/lib/util/quickder.c,v <-- quickder.c
new revision: 1.14; previous revision: 1.13
done
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED