Bug 483963 - Assertion failure in OCSP tests.
Status: RESOLVED FIXED
Whiteboard: SUN_MUST_HAVE PKIX MOZ
Product: NSS
Classification: Components
Component: Libraries
Version: trunk
Platform: Sun Solaris
Importance: P1 critical
Target Milestone: 3.12.3
Assigned To: Alexei Volkov
Blocks: psm-pkix
Reported: 2009-03-18 05:13 PDT by Slavomir Katuscak
Modified: 2009-04-14 00:32 PDT

Attachments
Patch v1 - call nss legacy chain validation call on the second consecutive validation attempt (2.14 KB, patch)
2009-04-11 23:51 PDT, Alexei Volkov
nelson: review+

Description Slavomir Katuscak 2009-03-18 05:13:02 PDT
chains.sh: Verifying certificate(s)  OCSPEE11.cert OCSPCA1.cert with flags  -g leaf -m ocsp -d OCSPRootDB    -t OCSPRoot
vfychain -d OCSPRootDB -pp -vv  -g leaf -m ocsp    /export/tinderlight/data/communist_32_DBG/mozilla/security/nss/tests/libpkix/certs/OCSPEE11.cert /export/tinderlight/data/communist_32_DBG/mozilla/security/nss/tests/libpkix/certs/OCSPCA1.cert  -t OCSPRoot
chains.sh: -------- Running /export/tinderlight/data/communist_32_DBG/mozilla/dist/SunOS5.11_DBG.OBJ/bin/vfychain under DBX:
/usr/dist/pkgs/sunstudio_sparc,v12.0/SUNWspro/prod/bin/dbx /export/tinderlight/data/communist_32_DBG/mozilla/dist/SunOS5.11_DBG.OBJ/bin/vfychain
chains.sh: -------- DBX commands:
dbxenv follow_fork_mode parent
dbxenv rtc_mel_at_exit verbose
dbxenv rtc_biu_at_exit verbose
check -memuse -match 16 -frames 16
run -g leaf -m ocsp -d OCSPRootDB -pp -vv /export/tinderlight/data/communist_32_DBG/mozilla/security/nss/tests/libpkix/certs/OCSPEE11.cert /export/tinderlight/data/communist_32_DBG/mozilla/security/nss/tests/libpkix/certs/OCSPCA1.cert -t OCSPRoot
Assertion failure: fnInvLocalCount == 1, at certvfypkix.c:1220
Returned value is 1, expected result is pass
chains.sh: #1238: OCSP: Verifying certificate(s)  OCSPEE11.cert OCSPCA1.cert with flags  -g leaf -m ocsp -d OCSPRootDB    -t OCSPRoot - FAILED

OCSPEE11 and OCSPCA1 are both validated via the OCSP protocol; the test is expected to pass.
Comment 1 Slavomir Katuscak 2009-03-18 05:14:20 PDT
Tests were run with:
NSS_ENABLE_PKIX_VERIFY=1
PKIX_OBJECT_LEAK_TEST=1
Comment 2 Alexei Volkov 2009-04-11 23:51:19 PDT
Created attachment 372267
Patch v1 - call nss legacy chain validation call on the second consecutive validation attempt

This is not really a bug, but a limitation of the libpkix object leak check system. It stores all info in global variables, so it is impossible to have two simultaneous runs of the test in the same process. The variable fnInvLocalCount tracks this condition.

Now, in the case of OCSP, when we try to validate the response, the libpkix validation engine gets called again. It is very normal to have such a condition during normal execution, but not within the object leak test. This is why we are getting the assertion.

The attached patch makes sure that we will never call libpkix during the object leak test for the second time.

The memory leak tinderbox became green with this patch and the leak fixes that were recently reviewed.
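
The re-entrancy condition described in comment 2, modelled as an added example (not the attached patch and not NSS code; every name below is a hypothetical stand-in). It shows a harness that keeps its state in one global, a verification that re-enters itself while validating an OCSP response, and a guard that sends the nested call down a non-instrumented path.

```c
#include <stdio.h>

/* Hypothetical stand-ins; none of these names are NSS or libpkix symbols. */
static int harness_depth;   /* global harness state: instrumented runs in flight */
static int max_depth_seen;  /* deepest nesting the harness observed */
static int legacy_calls;    /* verifications that bypassed the harness */
static int guard_enabled;   /* 1 = route nested calls to the legacy path */

static int verify_chain(const char *subject, int check_ocsp);

/* Legacy path: no harness bookkeeping, so nesting is harmless here. */
static int verify_legacy(const char *subject) {
    (void)subject;
    legacy_calls++;
    return 0;
}

/* Instrumented path: the harness assumes one run at a time per process. */
static int verify_instrumented(int check_ocsp) {
    int rv = 0;
    harness_depth++;
    if (harness_depth > max_depth_seen) max_depth_seen = harness_depth;
    /* Validating the OCSP response re-enters chain verification. */
    if (check_ocsp) rv = verify_chain("ocsp-response-signer", 0);
    harness_depth--;
    return rv;
}

static int verify_chain(const char *subject, int check_ocsp) {
    if (guard_enabled && harness_depth > 0)
        return verify_legacy(subject);  /* nested: stay out of the harness */
    return verify_instrumented(check_ocsp);
}

/* One top-level OCSP verification; returns the deepest harness nesting
 * (the assertion quoted on this page requires exactly 1). */
int run_scenario(int with_guard) {
    harness_depth = max_depth_seen = legacy_calls = 0;
    guard_enabled = with_guard;
    verify_chain("leaf", 1);
    return max_depth_seen;
}

int legacy_call_count(void) { return legacy_calls; }

int main(void) {
    int unguarded = run_scenario(0), guarded = run_scenario(1);
    printf("nesting: %d unguarded, %d guarded, %d legacy call(s)\n", unguarded, guarded, legacy_calls);
    return 0;
}
```

With the guard on, the nested verification still completes, but it runs outside the harness, so the leak check never observes it.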
Comment 3 Nelson Bolyard (seldom reads bugmail) 2009-04-12 11:03:35 PDT
I guess I could allow a patch like this as a VERY SHORT TERM (Like, say, 
for the next week) workaround for these assertion failures.   But it's 
clearly not the right long term solution.  As you pointed out, the 
occurrence of these recursive calls to libPKIX is "very normal".  Our 
leak testing needs to cover this very normal condition.  

Please file a separate bug to address the fact that 
  libPKIX leak tests disallow recursive calls to libPKIX.
Comment 4 Alexei Volkov 2009-04-13 21:21:55 PDT
> Please file a separate bug to address the fact that 
>   libPKIX leak tests disallow recursive calls to libPKIX.
Please allow this patch in. Bug 488237 has been filed.
Comment 5 Nelson Bolyard (seldom reads bugmail) 2009-04-13 23:06:03 PDT
Comment on attachment 372267
Patch v1 - call nss legacy chain validation call on the second consecutive validation attempt

Is it just my imagination?
Or is this patch also attached to bug 4877884, 
and also awaiting my review there?

Was one of those patches supposed to be a different patch?
Comment 6 Nelson Bolyard (seldom reads bugmail) 2009-04-13 23:16:05 PDT
Comment on attachment 372267
Patch v1 - call nss legacy chain validation call on the second consecutive validation attempt

Given that these changes are all inside of 
  #ifdef PKIX_OBJECT_LEAK_TEST
they can't really hurt our released code.  So, r=nelson
Comment 7 Alexei Volkov 2009-04-14 00:32:43 PDT
(In reply to comment #5)
> (From update of attachment 372267)
> Is it just my imagination?
> Or is this patch also attached to bug 4877884,
That is the wrong place to attach it.

The fix was integrated as a part of the patch to bug 4877884.
