Bug 276185: PK11_FreeSlot slot pointer reset problem, assertion failure, and crash
Status: RESOLVED INVALID (Closed)
Opened 20 years ago
Closed 20 years ago
Categories: (NSS :: Libraries, defect)
Tracking: (Not tracked)
People: (Reporter: jason.m.reid, Assigned: wtc)
Details: (Keywords: crash)

First problem, PK11_FreeSlot does not reset the provided pointer to NULL
after freeing the slot. This leaves the question of how to determine
whether the particular slot pointer has been freed.

/* get a slot */
slot = PK11_GetInternalKeySlot();
if (slot == NULL) {
    fprintf(stderr,
            "ERROR: PK11_GetInternalKeySlot failed to get PK11 slot\n");
    rv++;
}
/* Free the slot. The pointer should be NULL when done */
PK11_FreeSlot(slot);
if (NULL != slot) {
    fprintf(stderr,
            "ERROR: PK11_FreeSlot did not reset pointer to NULL.\n");
    rv++;
}

Second problem, attempting to free the slot a second time with PK11_FreeSlot
creates an assertion failure.
/* Free the slot again. Nothing bad should happen */
PK11_FreeSlot(slot);
> gdb ./pkcs-tests
GNU gdb 5.3.92
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i586-suse-linux"...
(gdb) break 37
Breakpoint 1 at 0x80486ae: file pkcs-tests.c, line 37.
(gdb) run
Starting program: /home/jmr/work/nss/tests/PKCS/pkcs-tests
[New Thread 16384 (LWP 4893)]
ERROR: PK11_FreeSlot did not reset pointer to NULL.
[Switching to Thread 16384 (LWP 4893)]
Breakpoint 1, main (argc=1, argv=0xbffff1f4) at pkcs-tests.c:37
37 PK11_FreeSlot(slot);
(gdb) next
Assertion failure: module->refCount == 0, at pk11util.c:791
Program received signal SIGABRT, Aborted.
0x400f2b71 in kill () from /lib/i686/libc.so.6
(gdb) quit
The program is running. Exit anyway? (y or n) y
Third problem, attempting to PK11_SlotFree a NULL pointer causes a crash.
/* Free a NULL slot. Nothing bad should happen */
PK11_FreeSlot(NULL);
> gdb ./pkcs-tests
GNU gdb 5.3.92
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i586-suse-linux"...
(gdb) break 42
Breakpoint 1 at 0x80486ae: file pkcs-tests.c, line 42.
(gdb) run
Starting program: /home/jmr/work/nss/tests/PKCS/pkcs-tests
[New Thread 16384 (LWP 5152)]
ERROR: PK11_FreeSlot did not reset pointer to NULL.
[Switching to Thread 16384 (LWP 5152)]
Breakpoint 1, main (argc=1, argv=0xbffff1f4) at pkcs-tests.c:42
42 PK11_FreeSlot(NULL);
(gdb) next
Program received signal SIGSEGV, Segmentation fault.
_PR_x86_AtomicDecrement () at ../../../../../pr/src/md/unix/os_Linux_x86.s:62
62 lock
Current language: auto; currently asm
(gdb) where
#0 _PR_x86_AtomicDecrement ()
at ../../../../../pr/src/md/unix/os_Linux_x86.s:62
#1 0x40214691 in PR_AtomicDecrement (val=0x48)
at ../../../../pr/src/misc/pratom.c:310
#2 0x4005dc5e in PK11_FreeSlot (slot=0x0) at pk11slot.c:452
#3 0x080486b8 in main (argc=1, argv=0xbffff1f4) at pkcs-tests.c:42
(gdb)

Comment 1 (Assignee) • 20 years ago
This bug is invalid. In C, function arguments are passed by value, so it is impossible for PK11_FreeSlot to reset the provided pointer to NULL after freeing the slot. (Similarly, the Standard C library function 'free' can't reset the provided pointer to NULL after freeing the memory.) It is the caller's responsibility to do that if it is deemed appropriate. Attempting to free the slot a second time with PK11_FreeSlot is a programming error, which is why it causes an assertion failure. Since PK11_FreeSlot returns void, an assertion failure is the best we can do. (The Standard C library function 'free' behaves the same way.)
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
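
Comment 1 leaves clearing the pointer to the caller. One way a caller can do that is sketched below as an added example; it is not NSS code and not part of this bug. `demo_slot`, `demo_get_slot`, `demo_free_slot` and `demo_release_slot` are hypothetical stand-ins for a reference-counted slot handle, so the block compiles without NSS.

```c
/* Added example: caller-side release helper. demo_slot and the demo_*
 * functions are hypothetical stand-ins, not NSS code. */
#include <stdio.h>
#include <stdlib.h>

typedef struct demo_slot { int ref_count; } demo_slot;

static int live_slots = 0;   /* slots allocated and not yet destroyed */

/* Acquire a slot holding one reference (stand-in for a "get slot" call). */
demo_slot *demo_get_slot(void) {
    demo_slot *s = malloc(sizeof *s);
    if (s != NULL) { s->ref_count = 1; live_slots++; }
    return s;
}

/* By-value release, same shape as free(): the argument is a copy of the
 * caller's pointer, so the caller's variable cannot be changed from here.
 * Like the function in the report, it must not be given NULL or a slot
 * that was already released. */
void demo_free_slot(demo_slot *s) {
    if (--s->ref_count == 0) { free(s); live_slots--; }
}

/* Caller-side helper: takes the ADDRESS of the caller's pointer, drops the
 * reference once, then clears the variable. NULL or already-cleared
 * pointers are ignored. */
void demo_release_slot(demo_slot **sp) {
    if (sp == NULL || *sp == NULL) return;
    demo_free_slot(*sp);
    *sp = NULL;
}

/* Release twice, then with NULL. Returns the number of live slots left
 * (0 when everything was released exactly once), or -1 on failure. */
int demo_release_twice(void) {
    demo_slot *slot = demo_get_slot();
    if (slot == NULL) return -1;
    demo_release_slot(&slot);   /* drops the reference, slot becomes NULL */
    demo_release_slot(&slot);   /* no-op: pointer already cleared */
    demo_release_slot(NULL);    /* no-op */
    return (slot == NULL) ? live_slots : -1;
}

int main(void) {
    printf("live slots after release: %d\n", demo_release_twice());
    return 0;
}
```

The helper only protects the one variable passed to it; any other copy of the same pointer still dangles after the release.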