
crash in libpkix object leak tests due to null pointer dereferencing in pkix_build.c:3218.

RESOLVED FIXED in 3.12.3

Status

Product: NSS
Component: Libraries
Priority: P1
Severity: normal
Status: RESOLVED FIXED
Reported: 8 years ago
Modified: 8 years ago

People

(Reporter: Slavomir Katuscak, Assigned: Alexei Volkov)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: PKIX)

Attachments

(1 attachment)

(Reporter)

Description

8 years ago
Occurred on Tinderbox machine communist when running PKIX tests; this machine uses the special environment variables NSS_ENABLE_PKIX_VERIFY=1 and PKIX_OBJECT_LEAK_TEST=1. This failure occurs there in many vfychain tests on this machine.

From DBX log:
---
Running: vfychain -d AllDB -pp -vv UserBridge.der -t Army
(process id 8976)
RTC: Enabling Error Checking...
RTC: Running program...
t@1 (l@1) signal SEGV (no mapping at the fault address) in pkix_BuildForwardDepthFirstSearch at line 3218 in file "pkix_build.c"
 3218               while (state->parentState) {
---
(Assignee)

Comment 1

8 years ago
It is a regression introduced by the fix for bug 470070.

Should get rid of

3230 PKIX_DECREF(prntState);

since the counter on the object was already decremented by pkix_ForwardBuilderState_Destroy function.
Status: NEW → ASSIGNED
Priority: -- → P1
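The double-release described in comment 1 is easier to see in a small model than in the full builder. The following is an added example, not NSS or libpkix code: it models a refcounted builder state whose destroy routine releases the parent state (the behaviour comment 1 attributes to pkix_ForwardBuilderState_Destroy), then runs a cleanup loop shaped like the one at pkix_build.c:3218 once without and once with the redundant PKIX_DECREF(prntState). It assumes, as the fixed loop implies, that the builder keeps its own reference to every state while each child also holds one on its parent; the names State, state_decref, walk_up_and_release and Report are hypothetical. Instead of freeing memory, destroyed objects are kept and flagged so that a read through a destroyed state (the crash site in the while condition) and a decref of an already-destroyed object can be counted rather than faulting.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not NSS code: a model of a libpkix-style refcounted builder
 * state. All names here are hypothetical. */

#define MAX_STATES 16

typedef struct State State;
struct State {
    int refCount;
    int destroyed;       /* set instead of freeing, so later misuse is detectable */
    State *parentState;
};

typedef struct { int live, bad_decrefs, uaf_reads; } Report;

static State pool[MAX_STATES];   /* fixed pool: no malloc, nothing to leak */
static int used;
static Report stats;

static void state_destroy(State *s);

/* Model of PKIX_DECREF: drop one reference, destroy at zero. A decref of an
 * already-destroyed object is what a double release looks like; count it. */
static void state_decref(State *s)
{
    if (s == NULL) return;
    if (s->destroyed) { stats.bad_decrefs++; return; }
    if (--s->refCount == 0) state_destroy(s);
}

/* Model of pkix_ForwardBuilderState_Destroy as comment 1 describes it: the
 * child's reference to its parent is released here, so callers must not
 * release it again. */
static void state_destroy(State *s)
{
    s->destroyed = 1;
    stats.live--;
    state_decref(s->parentState);
}

/* Guarded read of state->parentState; stands in for the SEGV at line 3218. */
static State *parent_of(State *s)
{
    if (s->destroyed) { stats.uaf_reads++; return NULL; }
    return s->parentState;
}

static State *state_create(State *parent)
{
    State *s = &pool[used++];
    s->refCount = 1;                 /* reference owned by the builder (assumption) */
    s->destroyed = 0;
    s->parentState = parent;
    if (parent) parent->refCount++;  /* child owns a reference to its parent */
    stats.live++;
    return s;
}

/* Cleanup loop modelled on the one at pkix_build.c:3218. With extra_decref set
 * it also performs the PKIX_DECREF(prntState) that the patch removes. */
static void walk_up_and_release(State *leaf, int extra_decref)
{
    State *state = leaf, *prntState;
    while (parent_of(state) != NULL) {
        prntState = state->parentState;
        state_decref(state);                       /* destroy drops state's ref on prntState */
        state = prntState;
        if (extra_decref) state_decref(prntState); /* the redundant release */
    }
    state_decref(state);                           /* release the root */
}

/* Build a chain of `depth` states, release it, and report what the checks saw. */
Report run_scenario(int depth, int extra_decref)
{
    State *s = NULL;
    memset(&stats, 0, sizeof stats);
    memset(pool, 0, sizeof pool);
    used = 0;
    if (depth < 1) depth = 1;
    if (depth > MAX_STATES) depth = MAX_STATES;
    for (int i = 0; i < depth; i++) s = state_create(s);
    walk_up_and_release(s, extra_decref);
    return stats;
}

int main(void)
{
    Report fixed = run_scenario(3, 0), buggy = run_scenario(3, 1);
    printf("fixed: live=%d bad_decrefs=%d uaf_reads=%d\n",
           fixed.live, fixed.bad_decrefs, fixed.uaf_reads);
    printf("buggy: live=%d bad_decrefs=%d uaf_reads=%d\n",
           buggy.live, buggy.bad_decrefs, buggy.uaf_reads);
    return 0;
}
```

With a chain of three states the fixed loop ends with every object released and no faults. With the extra decref, destroying the first child already drops the parent's count, the redundant release then destroys the parent while the loop variable still points at it, the next `while (state->parentState)` reads through a destroyed object (the line the DBX log names), and the root is never released: one use-after-free read, one bad decref, one leaked object. That is the combination the object leak test and RTC were reporting.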
(Assignee)

Comment 2

8 years ago
Created attachment 355638 [details] [diff] [review]
Remove PKIX_DECREF on prntState object(pkix_build.c:3230)
Attachment #355638 - Flags: review?
Comment on attachment 355638 [details] [diff] [review]
Remove PKIX_DECREF on prntState object(pkix_build.c:3230)


>-                PKIX_DECREF(prntState);
>+                /* No need to decref the parent state. It was already done by
>+                 * pkix_ForwardBuilderState_Destroy function. */
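
Review bot: the replacement comment asserts an ownership fact (that pkix_ForwardBuilderState_Destroy has already released prntState) that a reader of this hunk cannot confirm from the diff itself; name the PKIX_DECREF that triggers that destroy so the comment documents the ownership rule rather than only the absence of a call. A matching comment in pkix_ForwardBuilderState_Destroy, where it releases the parent state, would make the rule visible at the place it is implemented and not only at the place it was once violated.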

Where (in what code) and when did pkix_ForwardBuilderState_Destroy get called?
What was the call stack for that call?
Attachment #355638 - Flags: review? → review?(nelson)
(Assignee)

Comment 4

8 years ago
pkix_ForwardBuilderState_Destroy is called by PKIX_PL_Object_DecRef call before object memory is freed.
Comment on attachment 355638 [details] [diff] [review]
Remove PKIX_DECREF on prntState object(pkix_build.c:3230)

r=nelson
Attachment #355638 - Flags: review?(nelson) → review+
(Assignee)

Updated

8 years ago
Summary: Vfychain tests sometimes failed when debugging options are enabled. → crash in libpkix object leak tests due to null pointer dereferencing in pkix_build.c:3218.

Comment 6

8 years ago
Did this patch get landed, or is it ready to land now?
(Assignee)

Comment 7

8 years ago
The patch was landed in Jan. Closing the bug...
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Whiteboard: PKIX
OS: Solaris → All
Hardware: Sun → All