Bug 472291 - crash in libpkix object leak tests due to null pointer dereferencing in pkix_build.c:3218.
Status: RESOLVED FIXED
PKIX
:
Product: NSS
Classification: Components
Component: Libraries (show other bugs)
Version: trunk
Platform: All All
Importance: P1 normal
Target Milestone: 3.12.3
Assigned To: Alexei Volkov
Reported: 2009-01-06 04:56 PST by Slavomir Katuscak
Modified: 2009-07-30 18:26 PDT (History)

Attachments
Remove PKIX_DECREF on prntState object(pkix_build.c:3230) (1.26 KB, patch)
2009-01-06 13:14 PST, Alexei Volkov
nelson: review+

Description Slavomir Katuscak 2009-01-06 04:56:08 PST
Occurred on Tinderbox machine communist when running PKIX tests; this machine uses special environment variables NSS_ENABLE_PKIX_VERIFY=1 and PKIX_OBJECT_LEAK_TEST=1. This failure occurs there in many vfychain tests on this machine.

From DBX log:
---
Running: vfychain -d AllDB -pp -vv UserBridge.der -t Army
(process id 8976)
RTC: Enabling Error Checking...
RTC: Running program...
t@1 (l@1) signal SEGV (no mapping at the fault address) in pkix_BuildForwardDepthFirstSearch at line 3218 in file "pkix_build.c"
 3218               while (state->parentState) {
---
Comment 1 Alexei Volkov 2009-01-06 13:13:33 PST
It is a regression introduced by fix for bug 470070.

Should get rid of

3230 PKIX_DECREF(prntState);

since the counter on the object was already decremented by pkix_ForwardBuilderState_Destroy function.
Comment 2 Alexei Volkov 2009-01-06 13:14:33 PST
Created attachment 355638
Remove PKIX_DECREF on prntState object(pkix_build.c:3230)
Comment 3 Nelson Bolyard (seldom reads bugmail) 2009-01-06 14:14:06 PST
Comment on attachment 355638
Remove PKIX_DECREF on prntState object(pkix_build.c:3230)


>-                PKIX_DECREF(prntState);
>+                /* No need to decref the parent state. It was already done by
>+                 * pkix_ForwardBuilderState_Destroy function. */
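Review bot: the replacement comment explains why the decref is gone but not what prntState is after that point; since pkix_ForwardBuilderState_Destroy has already dropped the child's reference on the parent, prntState is a non-owning pointer here, and the comment should say so (and ideally the code should avoid touching prntState once the state holding it is gone), otherwise the next reader may reintroduce the extra decref or a use of the freed parent, which is exactly the `while (state->parentState)` crash from the description.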

Where (in what code) and when did pkix_ForwardBuilderState_Destroy get called?
What was the call stack for that call?
Comment 4 Alexei Volkov 2009-01-06 14:45:23 PST
pkix_ForwardBuilderState_Destroy is called by PKIX_PL_Object_DecRef call before object memory is freed.
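The failure mode described in comments 1 and 4 (a destroy callback drops the object's own reference on its parent, so an additional explicit decref of the parent is one drop too many) can be shown with a small reference-counting model. This is an added, constructed example, not NSS or libpkix code: the type `State`, the functions `state_push`, `state_incref`, `state_decref`, `state_parent`, `unwind_ok` and `unwind_double_decref`, and the three-object chain are all made up. Instead of freeing memory, destroyed objects are flagged so that the double decref and the resulting use of a destroyed parent are counted rather than crashing.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model of a chain of reference-counted builder states.
 * Not libpkix code: every name here is invented for the illustration.
 * Objects are never freed; a "destroyed" flag stands in for freed memory so
 * the double decref and the use-after-free can be observed safely. */

#define POOL_SIZE 8

typedef struct State {
    int refcount;
    struct State *parentState;  /* owning reference: one refcount unit on the parent */
    int destroyed;              /* 1 once the destroy callback ran ("memory freed") */
} State;

static State g_pool[POOL_SIZE];
static int g_pool_used;
static int g_live;    /* objects created and not yet destroyed */
static int g_errors;  /* decrefs of destroyed objects + reads of destroyed objects */

void state_decref(State *s);

void model_reset(void) {
    memset(g_pool, 0, sizeof g_pool);
    g_pool_used = g_live = g_errors = 0;
}

/* Create a state below `parent`. The new state adopts the caller's reference
 * on `parent`, so the chain itself owns every parent (as parentState links do). */
State *state_push(State *parent) {
    State *s = &g_pool[g_pool_used++];
    s->refcount = 1;
    s->parentState = parent;
    s->destroyed = 0;
    g_live++;
    return s;
}

void state_incref(State *s) { if (s) s->refcount++; }

/* Read the parent link; reading a destroyed object models a use-after-free. */
State *state_parent(State *s) {
    if (s->destroyed) g_errors++;
    return s->parentState;
}

/* Destroy callback: drops the object's own reference on its parent, which is
 * the behaviour comment 4 attributes to pkix_ForwardBuilderState_Destroy. */
static void state_destroy(State *s) {
    State *parent = s->parentState;
    s->parentState = NULL;
    s->destroyed = 1;
    g_live--;
    state_decref(parent);
}

/* Decref: destroy at zero; a decref of an already destroyed object is an error. */
void state_decref(State *s) {
    if (!s) return;
    if (s->destroyed) { g_errors++; return; }
    if (--s->refcount == 0) state_destroy(s);
}

/* Build root <- mid <- leaf; the caller owns only the leaf. */
static State *build_chain(void) {
    State *root = state_push(NULL);
    State *mid = state_push(root);
    return state_push(mid);
}

/* Correct unwind: hold the parent across the child's destruction, then release
 * only the reference we took ourselves. Returns 0 when nothing leaked and
 * nothing was touched after destruction. */
int unwind_ok(void) {
    model_reset();
    State *state = build_chain();
    while (state_parent(state)) {
        State *prntState = state_parent(state);
        state_incref(prntState);  /* keep the parent alive while the child dies */
        state_decref(state);      /* destroys the child; its destroy drops the child's ref on the parent */
        state = prntState;        /* we still hold the ref taken above */
    }
    state_decref(state);
    return g_errors + g_live;
}

/* Buggy unwind: the same loop plus an extra decref of prntState, mirroring the
 * removed PKIX_DECREF(prntState). The child's destroy already dropped one ref on
 * the parent, so the second drop destroys the parent while `state` still points
 * at it, and the next loop test reads a destroyed object. Returns the number of
 * refcount errors observed (> 0). */
int unwind_double_decref(void) {
    model_reset();
    State *state = build_chain();
    while (state_parent(state)) {
        State *prntState = state_parent(state);
        state_incref(prntState);
        state_decref(state);
        state_decref(prntState);  /* the extra decref: one drop too many */
        state = prntState;
    }
    state_decref(state);
    return g_errors;
}

int main(void) {
    printf("correct unwind: errors+leaks = %d\n", unwind_ok());
    printf("double-decref unwind: errors = %d\n", unwind_double_decref());
    return 0;
}
```

In the model the extra decref is caught as a counted error; in the real code the parent's memory is freed at that point, and the `while (state->parentState)` test on the next iteration is the read of freed memory that produced the SEGV in the description.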
Comment 5 Nelson Bolyard (seldom reads bugmail) 2009-01-06 15:06:46 PST
Comment on attachment 355638
Remove PKIX_DECREF on prntState object(pkix_build.c:3230)

r=nelson
Comment 6 chris hofmann 2009-03-30 14:28:16 PDT
did this patch get landed or is it ready to land now?
Comment 7 Alexei Volkov 2009-03-31 13:05:00 PDT
the patch was landed in Jan. Closing the bug...