Closed Bug 1932518 Opened 18 days ago Closed 17 days ago

Crash in [@ PR_AtomicIncrement | nssToken_AddRef | nssCryptokiObject_Clone | find_objects_in_array]

Categories

(NSS :: Libraries, defect, P3)

Tracking

(firefox-esr115 unaffected, firefox-esr128 unaffected, firefox132 unaffected, firefox133 unaffected, firefox134+ fixed)

RESOLVED FIXED
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox132 --- unaffected
firefox133 --- unaffected
firefox134 + fixed

People

(Reporter: mccr8, Assigned: jschanck)

Details

(Keywords: crash, regression)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/de848e4e-d293-4e61-b8b3-ded0e0241120

Reason:

EXC_BAD_ACCESS / KERN_INVALID_ADDRESS

Top 10 frames:

0  libnss3.dylib  PR_AtomicIncrement  nsprpub/pr/src/misc/pratom.c:246
0  libnss3.dylib  nssToken_AddRef  security/nss/lib/dev/devtoken.c:53
0  libnss3.dylib  nssCryptokiObject_Clone  security/nss/lib/dev/devutil.c:73
0  libnss3.dylib  find_objects_in_array  security/nss/lib/dev/devutil.c:680
0  libnss3.dylib  nssTokenObjectCache_FindObjectsByTemplate  security/nss/lib/dev/devutil.c:727
1  libnss3.dylib  nssToken_FindObjectsByTemplate  security/nss/lib/dev/devtoken.c:400
2  libnss3.dylib  nssToken_FindObjects  security/nss/lib/dev/devtoken.c:579
3  libnss3.dylib  PK11_TraverseCertsInSlot  security/nss/lib/pk11wrap/pk11cert.c:2375
4  libnss3.dylib  PK11_ListCertsInSlot  security/nss/lib/pk11wrap/pk11cert.c:2904
5  XUL  mozilla::psm::FindClientCertificatesWithPrivateKeys()  security/manager/ssl/nsNSSComponent.cpp:2105

Found in the crash spike report.

Maybe this should be NSS as it looks like a null deref deep inside NSS?

This crash report has the comment "Not able to use external key to authenticate." which is likely unsurprising.

MacOS-only.

This first showed up in the 20241119214442 build, so I'm going to guess that this is due to bug 1927888.

[Tracking Requested - why for this release]: crash regression. The volume isn't super high in absolute terms, but this is quite high for a MacOS specific issue.

[@ nssToken_AddRef | nssCryptokiObject_Clone | find_objects_in_array ] looks like the Windows version of the signature. Lower volume. Example: bp-8c2980df-0fb5-4cf7-a062-b6e180241120

Crash Signature: [@ PR_AtomicIncrement | nssToken_AddRef | nssCryptokiObject_Clone | find_objects_in_array] → [@ PR_AtomicIncrement | nssToken_AddRef | nssCryptokiObject_Clone | find_objects_in_array] [@ nssToken_AddRef | nssCryptokiObject_Clone | find_objects_in_array ]
Assignee: nobody → nobody
Component: Security: PSM → Libraries
Product: Core → NSS

:beurdouche, since you are the author of the regressor, bug 1927888, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(bbeurdouche)

The bug is marked as tracked for firefox134 (nightly). However, the bug still isn't assigned.

:ckerschb, could you please find an assignee for this tracked bug? Given that it is a regression and we know the cause, we could also simply backout the regressor. If you disagree with the tracking decision, please talk with the release managers.

For more information, please visit BugBot documentation.

Flags: needinfo?(ckerschb)

Benjamin is OOO, I forwarded the bug to the team channel. I'll make sure someone will take a look.

Flags: needinfo?(ckerschb)
Assignee: nobody → jschanck
Severity: -- → S3
Status: NEW → ASSIGNED
Priority: -- → P3
Flags: needinfo?(bbeurdouche)

The regressor was backed out of NSS prior to the release of NSS 3.107, which will land in M-C in Bug 1927888.

Status: ASSIGNED → RESOLVED
Closed: 17 days ago
No longer regressed by: 1927888
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.