Bug 404526 - glibc detected free(): invalid pointer
Status: RESOLVED FIXED
Product: NSS
Classification: Components
Component: Libraries
Version: trunk
Platform: All All
Importance: P1 critical
Target Milestone: 3.12
Assigned To: nobody
Reported: 2007-11-20 06:34 PST by Rich Coe
Modified: 2007-12-03 12:27 PST
Description Rich Coe 2007-11-20 06:34:33 PST
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071115 Firefox/2.0.0.10
Build Identifier: Firefox/3.0b1 2007110903 Gecko/1.9b1 

downloaded and installed the new firefox 3.0b1
at startup firefox hung
*** glibc detected *** /usr/local/src/firefox/firefox-bin: free(): invalid pointer: 0xbfdecc8c ***
======= Backtrace: =========
/lib/libc.so.6[0xb69f5c23]
/lib/libc.so.6(cfree+0x90)[0xb69f90f0]
/usr/local/src/firefox/libnspr4.so(PR_Free+0x30)[0xb7260bbe]
/usr/local/src/firefox/libnssdbm3.so[0xb38ecd5c]
/usr/local/src/firefox/libnssdbm3.so[0xb38eb80b]
/usr/local/src/firefox/libnssdbm3.so[0xb38d4c30]
/usr/local/src/firefox/libsoftokn3.so[0xb6800fdc]
/usr/local/src/firefox/libsoftokn3.so[0xb67ebd19]
/usr/local/src/firefox/libsoftokn3.so[0xb67ed814]
/usr/local/src/firefox/libsoftokn3.so[0xb67eda2d]
/usr/local/src/firefox/libsoftokn3.so[0xb67edd54]
/usr/local/src/firefox/libsoftokn3.so[0xb67edde1]
/usr/local/src/firefox/libnss3.so[0xb6844660]
/usr/local/src/firefox/libnss3.so[0xb68448c1]
/usr/local/src/firefox/libnss3.so(SECMOD_LoadModule+0x1e0)[0xb684b89d]
/usr/local/src/firefox/libnss3.so(SECMOD_LoadModule+0x22f)[0xb684b8ec]
/usr/local/src/firefox/libnss3.so[0xb682e24c]
/usr/local/src/firefox/libnss3.so(NSS_InitReadWrite+0x3b)[0xb682e64e]
/usr/local/src/firefox/libxul.so[0xb7a60920]
/usr/local/src/firefox/libxul.so[0xb7a62482]
/usr/local/src/firefox/libxul.so[0xb7a6b992]
/usr/local/src/firefox/libxul.so[0xb7bf75a0]
/usr/local/src/firefox/libxul.so[0xb7c208a5]
/usr/local/src/firefox/libxul.so[0xb7c21279]
/usr/local/src/firefox/libxul.so[0xb7bf11d2]
/usr/local/src/firefox/libxul.so[0xb7bf11ed]
/usr/local/src/firefox/libxul.so[0xb7bf0891]
/usr/local/src/firefox/libxul.so[0xb758ff15]
/usr/local/src/firefox/libxul.so[0xb758ef4c]
/usr/local/src/firefox/libxul.so[0xb7591c97]
/usr/local/src/firefox/libxul.so[0xb75a308b]
/usr/local/src/firefox/libxul.so[0xb7694b05]
/usr/local/src/firefox/libxul.so[0xb7695fab]
/usr/local/src/firefox/libxul.so[0xb7696049]
/usr/local/src/firefox/libxul.so[0xb76c3955]
/usr/local/src/firefox/libxul.so[0xb76c3fdd]
/usr/local/src/firefox/libxul.so[0xb760e168]
/usr/local/src/firefox/libxul.so[0xb760967a]
/usr/local/src/firefox/libxul.so[0xb7609f95]
/usr/local/src/firefox/libxul.so[0xb760a129]
/usr/local/src/firefox/libxul.so[0xb79e134f]
/usr/local/src/firefox/libxul.so[0xb79d85f5]
/usr/local/src/firefox/libxul.so[0xb79d623b]
/usr/local/src/firefox/libxul.so[0xb79d9e28]
/usr/local/src/firefox/libxul.so[0xb79de13e]
/usr/local/src/firefox/libxul.so[0xb79e5867]
/usr/local/src/firefox/libxul.so[0xb7bf1c65]
/usr/local/src/firefox/libxul.so[0xb7bf07f5]
/usr/local/src/firefox/libxul.so[0xb780884d]
/usr/local/src/firefox/libxul.so[0xb7872c96]
/usr/local/src/firefox/libxul.so[0xb7a087b9]
/usr/local/src/firefox/libxul.so[0xb7a08df1]
/usr/local/src/firefox/libxul.so[0xb7a0aa0c]
/usr/local/src/firefox/libxul.so(NS_InvokeByIndex_P+0x29)[0xb7c32b89]
/usr/local/src/firefox/libxul.so[0xb74da3f8]
/usr/local/src/firefox/libxul.so[0xb74ddbb1]
/usr/local/src/firefox/libmozjs.so(js_Invoke+0x2ed)[0xb72bc8fb]
/usr/local/src/firefox/libmozjs.so[0xb72bdf79]
/usr/local/src/firefox/libmozjs.so(js_Invoke+0x701)[0xb72bcd0f]
/usr/local/src/firefox/libxul.so[0xb74d685d]
/usr/local/src/firefox/libxul.so[0xb74d22ff]
/usr/local/src/firefox/libxul.so[0xb7c3369f]
/usr/local/src/firefox/libxul.so(XRE_main+0x2320)[0xb74a3490]

gdb says (thread 1 of 6)
#0  0xb6a6aeb9 in __lll_mutex_lock_wait () from /lib/libc.so.6
#1  0xb69f9e2d in _L_lock_14621 () from /lib/libc.so.6
#2  0xb69f90e4 in free () from /lib/libc.so.6
#3  0xb74a983b in ?? () from /usr/local/src/firefox/libxul.so
#4  0x0808ec50 in ?? ()
#5  0xb7f77ff4 in ?? () from /lib/ld-linux.so.2
#6  0x00000001 in ?? ()
#7  0xb74a9809 in ?? () from /usr/local/src/firefox/libxul.so
#8  0xb7ef4d5c in ?? () from /usr/local/src/firefox/libxul.so
#9  0xbfdec38c in ?? ()
#10 0xbfdebf58 in ?? ()
#11 0xb74a9889 in ?? () from /usr/local/src/firefox/libxul.so
#12 0x0808800c in ?? ()
#13 0x00000038 in ?? ()
#14 0xb6991c14 in ?? () from /lib/libc.so.6
#15 0xb6990ad0 in ?? () from /lib/libc.so.6
#16 0xb74a9875 in ?? () from /usr/local/src/firefox/libxul.so
#17 0xb7ef4d5c in ?? () from /usr/local/src/firefox/libxul.so
#18 0xbfdebff8 in ?? ()
#19 0xb74a9ef5 in ?? () from /usr/local/src/firefox/libxul.so
#20 0x00000000 in ?? ()

Reproducible: Didn't try

Steps to Reproduce:
startup firefox
Comment 1 Jo Hermans 2007-11-20 07:22:18 PST
Is this bug 399706? It's not clear if this got checked in 3.0.b1 or immediately afterwards.
Comment 2 Rich Coe 2007-11-20 08:18:54 PST
==5207== Invalid free() / delete / delete[]
==5207==    at 0x40220C5: free (vg_replace_malloc.c:233)
==5207==    by 0x4D0EBBD: PR_Free (in /usr/local/src/firefox-3b1/libnspr4.so)
==5207==    by 0x7BCBD5B: (within /usr/local/src/firefox-3b1/libnssdbm3.so)
==5207==    by 0x7BCA80A: (within /usr/local/src/firefox-3b1/libnssdbm3.so)
==5207==    by 0x7BB3C2F: (within /usr/local/src/firefox-3b1/libnssdbm3.so)
==5207==    by 0x5776FDB: (within /usr/local/src/firefox-3b1/libsoftokn3.so)
==5207==    by 0x5761D18: (within /usr/local/src/firefox-3b1/libsoftokn3.so)
==5207==    by 0x5763813: (within /usr/local/src/firefox-3b1/libsoftokn3.so)
==5207==    by 0x5763A2C: (within /usr/local/src/firefox-3b1/libsoftokn3.so)
==5207==    by 0x5763D53: (within /usr/local/src/firefox-3b1/libsoftokn3.so)
==5207==    by 0x5763DE0: (within /usr/local/src/firefox-3b1/libsoftokn3.so)
==5207==    by 0x56A065F: (within /usr/local/src/firefox-3b1/libnss3.so)
==5207==  Address 0xBEF60E3C is on thread 1's stack
Comment 3 Rich Coe 2007-11-20 09:50:12 PST
security/nss/lib/softoken/legacydb/keydb.c
   nsslowkey_GetPWCheckEntry(...)
sets global_salt to &none if GetKeyDBGlobalSalt returns NULL.
but unconditionally frees global_salt if non-NULL.

#0  0xb740dc87 in raise () from /lib/libc.so.6
#1  0xb740f4f8 in abort () from /lib/libc.so.6
#2  0xb7443c4b in __libc_message () from /lib/libc.so.6
#3  0xb744bc23 in _int_free () from /lib/libc.so.6
#4  0xb744f0f0 in free () from /lib/libc.so.6
#5  0xb7cd1b15 in PR_Free (ptr=0xbf81f570)
    at /usr/local/src/moz/mozilla/nsprpub/pr/src/malloc/prmem.c:490
#6  0xb2a2b11a in PORT_Free (ptr=0xbf81f570) at secport.c:152
#7  0xb2a29dbb in SECITEM_FreeItem (zap=0xbf81f570, freeit=1) at secitem.c:266
#8  0xb2a05f9b in nsslowkey_GetPWCheckEntry (handle=0x867e4d8, entry=0xbf81f5f0)
    at keydb.c:1422
#9  0xb2a073c2 in lg_GetMetaData (sdb=0x8684448, id=0xb6d5326b "password",
    item1=0xbf81f8d4, item2=0xbf81f8c8) at keydb.c:2242
[ ... ]
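The pattern Rich describes above, as an added example that is not NSS code: a local `none` item is used as a fallback when the database has no global salt, and the shared cleanup path then frees it as if it were a heap block. The allocation registry, the `SaltItem` type, `get_global_salt`, `free_salt` and the `db_has_salt` flag are all constructed stand-ins for SECItem, GetKeyDBGlobalSalt and SECITEM_FreeItem; the registry plays the role glibc and valgrind played in the reports, flagging the free of an unknown (here, stack) address instead of aborting, so both the pre-fix and the fixed shape of the function can be run side by side.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the bug described in comment 3 (not NSS code).
 * A small allocation registry stands in for the heap-consistency check that
 * glibc and valgrind performed in the reports above: freeing a pointer it
 * never handed out is reported as an invalid free instead of aborting. */

#define MAX_LIVE 64
static void *live_blocks[MAX_LIVE];
static int invalid_free_count_ = 0;

static void *tracked_alloc(size_t n) {
    void *p = calloc(1, n);
    if (p == NULL) return NULL;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live_blocks[i] == NULL) { live_blocks[i] = p; return p; }
    }
    free(p);
    return NULL;
}

/* Returns 1 when p is NULL or a live heap block (which is then freed);
 * returns 0 and records an invalid free when p is unknown, e.g. a stack address. */
static int tracked_free(void *p) {
    if (p == NULL) return 1;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live_blocks[i] == p) { live_blocks[i] = NULL; free(p); return 1; }
    }
    invalid_free_count_++;
    return 0;
}

int invalid_free_count(void) { return invalid_free_count_; }

int live_block_count(void) {
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++) if (live_blocks[i]) n++;
    return n;
}

/* Stand-in for SECItem. */
typedef struct { unsigned char *data; unsigned int len; } SaltItem;

/* Stand-in for GetKeyDBGlobalSalt: returns NULL when the key database has no
 * global salt entry (the hypothetical flag db_has_salt selects the case). */
static SaltItem *get_global_salt(int db_has_salt) {
    if (!db_has_salt) return NULL;
    SaltItem *it = tracked_alloc(sizeof *it);
    if (it == NULL) return NULL;
    it->len = 16;
    it->data = tracked_alloc(it->len);
    return it;
}

/* Stand-in for SECITEM_FreeItem(item, PR_TRUE): free the data, then the item. */
static int free_salt(SaltItem *it) {
    int ok = tracked_free(it->data);
    return tracked_free(it) && ok;
}

/* Shape of the function before the fix: the fallback &none is a local, so the
 * unconditional cleanup frees a stack address when the database has no salt. */
int pwcheck_before_fix(int db_has_salt) {
    SaltItem none = { NULL, 0 };
    SaltItem *global_salt = get_global_salt(db_has_salt);
    int ok = 1;
    if (global_salt == NULL) global_salt = &none;
    /* ... the salt would be consumed to build the password-check entry here ... */
    if (global_salt) ok = free_salt(global_salt);
    return ok;
}

/* The same function with the guard from the patch in this bug. */
int pwcheck_after_fix(int db_has_salt) {
    SaltItem none = { NULL, 0 };
    SaltItem *global_salt = get_global_salt(db_has_salt);
    int ok = 1;
    if (global_salt == NULL) global_salt = &none;
    if (global_salt && global_salt != &none) ok = free_salt(global_salt);
    return ok;
}

int main(void) {
    printf("before fix, db with salt:    %s\n", pwcheck_before_fix(1) ? "ok" : "INVALID FREE");
    printf("before fix, db without salt: %s\n", pwcheck_before_fix(0) ? "ok" : "INVALID FREE");
    printf("after fix,  db without salt: %s\n", pwcheck_after_fix(0) ? "ok" : "INVALID FREE");
    printf("invalid frees recorded: %d, leaked blocks: %d\n",
           invalid_free_count(), live_block_count());
    return 0;
}
```

Only the no-salt database path trips the registry, which matches Bob's remark later in this bug that the crash needs a database lacking a global salt; with a salt present both versions free exactly the two heap blocks and leak nothing.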
Comment 4 Rich Coe 2007-11-20 10:13:11 PST
Index: security/nss/lib/softoken/legacydb/keydb.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/softoken/legacydb/keydb.c,v
retrieving revision 1.5
diff -u -3 -p -r1.5 keydb.c
--- security/nss/lib/softoken/legacydb/keydb.c  25 Sep 2007 01:14:23 -0000      1.5
+++ security/nss/lib/softoken/legacydb/keydb.c  20 Nov 2007 18:12:22 -0000
@@ -1418,7 +1418,7 @@ loser:
     if (dbkey) {
        sec_destroy_dbkey(dbkey);
     }
-    if (global_salt) {
+    if (global_salt && global_salt != &none) {
        SECITEM_FreeItem(global_salt,PR_TRUE);
     }
     return rv;
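Review bot: the guard on the `+` line is correct for the cleanup shown, but it records the invariant "global_salt may alias the stack-local none" only implicitly; a one-line comment above the condition, e.g. `/* &none is a stack fallback, never heap-allocated */`, would keep a later cleanup from collapsing it back to `if (global_salt)`. The hunk only covers the `loser:` path, so it is worth confirming that no other return path in the function reaches `SECITEM_FreeItem(global_salt,PR_TRUE)` with the same aliasing.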
Comment 5 Kai Engert (:kaie) 2007-11-20 16:19:30 PST
(In reply to comment #1)
> Is this bug 399706 ? It's not clear if this got checked in 3.0.b1 or
> immediately afterwards.
The "minimal fix" from bug 399706 is included in beta 1.

We landed the "preferred fix" after beta 1 was done.
Comment 6 Kai Engert (:kaie) 2007-11-20 16:36:50 PST
Rich, thanks a lot for your report and your analysis. It seems right!

Bob, can you please review the patch listed in comment 4?
Comment 7 Robert Relyea 2007-11-20 17:39:38 PST
r+ rrelyea. The bug was introduced by the patch for bug 397122. The crash will happen only with databases that lack a global salt (which shouldn't happen, but appear to occur in the wild).

bob
Comment 8 Rich Coe 2007-11-20 20:14:04 PST
I reviewed 397122.
My key3.db file is 32768.
Comment 9 Kai Engert (:kaie) 2007-12-03 12:27:10 PST
I checked in the patch from comment 4.

/cvsroot/mozilla/security/nss/lib/softoken/legacydb/keydb.c,v  <--  keydb.c
new revision: 1.9; previous revision: 1.8

Rich, thanks a lot!