Closed Bug 1808816 Opened 1 year ago Closed 1 year ago

Intermittent headless-spi SUMMARY: ThreadSanitizer: data race /builds/worker/checkouts/gecko/security/nss/lib/pki/pki3hack.c:750:15 in fill_CERTCertificateFields

Categories

(Core :: Security: PSM, defect)

defect

Tracking

()

RESOLVED FIXED
111 Branch
Tracking Status
firefox111 --- fixed

People

(Reporter: intermittent-bug-filer, Assigned: keeler)

References

(Blocks 2 open bugs)

Details

(Keywords: csectype-race, intermittent-failure)

Attachments

(3 files)

This hits about 50% of the time when running mochitest-plain in headless-spi (socketprocess) mode (--headless --setpref=network.process.enabled=true --setpref=network.http.network_access_on_socket_process.enabled=true) under TSAN. Seems to hit consistently when running dom/base/test/test_bug466080.html. This isn't currently enabled by default in CI, but I've been running Try pushes in the hopes of getting it green enough to do so.

Log link:
https://treeherder.mozilla.org/logviewer?job_id=401496165&repo=try&lineNumber=3120

Pernosco trace:
https://pernos.co/debug/m_IHUARELHepEATm7BITwQ/index.html#f{m[A98G,AV0_,t[CQ,CFU_,f{e[A8zk,zt4_,s{afv/yALAA,bAdc,u7As,o8ao___/

Attached file tsan log
Blocks: tsan
Keywords: csectype-race

This test does change the value of the pref network.cors_preflight.allow_client_cert. I don't know if that might be causing the race or not.

Looks like FindClientCertificatesWithPrivateKeys can create CERTCertificates in some cases, and it is being called off the socket thread in SelectClientAuthCertificate::DoSelectClientAuthCertificate. Arguably an NSS bug, but I think our current approach is to fix this sort of issue by dispatching to the socket thread, so I'm moving this to PSM. I don't think it's a security issue---there's no attacker-controllable data and the two threads should write identical data to the CERTCertificate's fields.

Assignee: nobody → nobody
Component: Libraries → Security: PSM
Product: NSS → Core
Version: trunk → unspecified
Group: crypto-core-security
See Also: → 1808236
Assignee: nobody → dkeeler
Status: NEW → ASSIGNED
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/78e0947c2257
find potential client certificates on the socket thread rather than the main thread r=jschanck
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 110 Branch
Status: RESOLVED → REOPENED
Flags: needinfo?(dkeeler)
Resolution: FIXED → ---
Target Milestone: 110 Branch → ---
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4f69a02ee8f9
socket process follow-up: find potential client certificates on the socket thread r=jschanck
Status: REOPENED → RESOLVED
Closed: 1 year ago1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 111 Branch
Flags: needinfo?(dkeeler)
See Also: → 1815998
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: