Crash [@ _VEC_memzero] during shutdown

RESOLVED DUPLICATE of bug 492385

Status

NSS
Libraries
--
critical
9 years ago
9 years ago

People

(Reporter: mayhemer, Assigned: mayhemer)

Tracking

3.12.3
x86
Windows XP

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Assignee)

Description

9 years ago
msvcr80d.dll!_VEC_memzero(void * dst=0x00000000, int val=-1414812757, int len=1242616)  + 0x6a bytes	C
>	nssutil3.dll!PORT_ZFree_Util(void * ptr=0xfdfdfdfd, unsigned int len=0)  Line 160 + 0xf bytes	C
 	nssutil3.dll!PORT_ZFree_Util(void * ptr=0xfdfdfdfd, unsigned int len=2880154539)  Line 160 + 0xf bytes	C
 	nssutil3.dll!SECITEM_ZfreeItem_Util(SECItemStr * zap=0x068fc8d0, int freeit=1)  Line 277 + 0x13 bytes	C
 	nss3.dll!NamedCRLCacheEntry_Destroy(NamedCRLCacheEntryStr * entry=0x068fda78)  Line 1319 + 0xe bytes	C
 	nss3.dll!FreeNamedEntries(PLHashEntry * he=0x04bf7f00, int i=0, void * arg=0x0012f660)  Line 1372 + 0x9 bytes	C
 	plds4.dll!PL_HashTableEnumerateEntries(PLHashTable * ht=0x0510b978, int (PLHashEntry *, int, void *)* f=0x019c60a0, void * arg=0x0012f660)  Line 406 + 0xf bytes	C
 	nss3.dll!ShutdownCRLCache()  Line 1424 + 0x15 bytes	C
 	nss3.dll!NSS_Shutdown()  Line 883	C
 	pipnss.dll!nsNSSComponent::ShutdownNSS()  Line 1752 + 0x5 bytes	C++
 	pipnss.dll!nsNSSComponent::DoProfileBeforeChange(nsISupports * aSubject=0x04cdfbc8)  Line 2505 + 0x8 bytes	C++
 	pipnss.dll!nsNSSComponent::Observe(nsISupports * aSubject=0x04cdfbc8, const char * aTopic=0x1003e33c, const wchar_t * someData=0x1003efa4)  Line 2057 + 0xf bytes	C++
 	xpcom_core.dll!nsObserverList::NotifyObservers(nsISupports * aSubject=0x04cdfbc8, const char * aTopic=0x1003e33c, const wchar_t * someData=0x1003efa4)  Line 129	C++
 	xpcom_core.dll!nsObserverService::NotifyObservers(nsISupports * aSubject=0x04cdfbc8, const char * aTopic=0x1003e33c, const wchar_t * someData=0x1003efa4)  Line 184	C++
 	xul.dll!nsXREDirProvider::DoShutdown()  Line 878	C++
 	xul.dll!ScopedXPCOMStartup::~ScopedXPCOMStartup()  Line 993	C++
 	xul.dll!XRE_main(int argc=3, char * * argv=0x00d1b1f8, const nsXREAppData * aAppData=0x00d1b940)  Line 3388	C++
 	firefox.exe!NS_internal_main(int argc=3, char * * argv=0x00d1b1f8)  Line 156 + 0x12 bytes	C++
 	firefox.exe!wmain(int argc=3, wchar_t * * argv=0x00d10fe8)  Line 110 + 0xd bytes	C++
 	firefox.exe!__tmainCRTStartup()  Line 594 + 0x19 bytes	C
 	firefox.exe!wmainCRTStartup()  Line 414	C
 	kernel32.dll!7c817077() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for kernel32.dll]	
 	js3250.dll!nanojit::live(avmplus::GC * gc=0x0069006c, nanojit::LirBuffer * lirbuf=0x004b0063)  Line 1555 + 0x13 bytes	C++


-		entry	0x068fda78 {canonicalizedName=0x04d175a0 crl=0x068fc8d0 inCRLCache=0 ...}	NamedCRLCacheEntryStr *
-		canonicalizedName	0x04d175a0 {type=siBuffer data=0x068e0d18 "†(http://crl.globalsign.net/ExtendVal1.crlýýýý««««««««îþ" len=42 }	SECItemStr *
		type	siBuffer	SECItemType
-		data	0x068e0d18 "†(http://crl.globalsign.net/ExtendVal1.crlýýýý««««««««îþ"	unsigned char *
			134 '†'	unsigned char
		len	42	unsigned int
-		crl	0x068fc8d0 {type=66439740 data=0xfdfdfdfd <Bad Ptr> len=2880154539 }	SECItemStr *
		type	66439740	SECItemType
> -		data	0xfdfdfdfd <Bad Ptr>	unsigned char *
			CXX0030: Error: expression cannot be evaluated	
		len	2880154539	unsigned int
		inCRLCache	0	int
		successfulInsertionTime	0	__int64
		lastAttemptTime	1246354174550000	__int64
		badDER	1	int
		dupe	0	int
		unsupported	0	int


mozilla-central debug build, during reproduction of bug 473197 in test env described in comment 14 of that bug at shutdown. The pointer is invalid (not just null).
(Assignee)

Comment 2

9 years ago
Also crashes in area of feeefeee.
(Assignee)

Comment 3

9 years ago
Created attachment 386004 [details] [diff] [review]
v1

This is a patch on the hg mozilla-central repo. It can easily be turned into a CVS NSS trunk patch.

When we fail to add a CRL entry we free the entry->crl member with SECITEM_ZfreeItem, but we leave the invalid pointer in the entry structure. When it's going to be freed we crash.

It seems this problem is there from the very beginning...
Assignee: nobody → honzab.moz
Status: NEW → ASSIGNED
Attachment #386004 - Flags: review?(nelson)
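The mechanism comment 3 describes is a dangling owner pointer: the failed-insertion path releases entry->crl with SECITEM_ZfreeItem and leaves the pointer in the entry, so NamedCRLCacheEntry_Destroy frees the same block again at shutdown. The values in the description fit that: 0xfdfdfdfd is the Visual C++ debug CRT's guard fill around heap blocks and 0xfeeefeee (comment 2) is the Windows heap's fill for freed blocks, which is why the crl pointer reads as garbage rather than NULL. The program below is an added example, not NSS code and not the patch under review. Item and Entry are assumed stand-ins for SECItem and NamedCRLCacheEntry, the sample name and DER bytes are constructed, and every release goes through a quarantine that counts a second free of the same block instead of performing it, so the dangling-pointer run executes deterministically and can be compared with the corrected path.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for SECItem: a byte buffer plus its length. */
typedef struct {
    unsigned char *data;
    unsigned int len;
} Item;

/* Assumed stand-in for NamedCRLCacheEntry: owns crl and canonicalizedName. */
typedef struct {
    Item *canonicalizedName;
    Item *crl;
    int badDER;
} Entry;

/* Quarantining free: a second free of one block is undefined behaviour
 * (the crash in the report), so pointers are recorded and repeats counted;
 * the memory stays mapped until quarantine_flush() releases it. */
#define MAX_QUARANTINE 64
static void *quarantine[MAX_QUARANTINE];
static int quarantined;
static int double_frees;

static void quarantine_flush(void) {
    int i;
    for (i = 0; i < quarantined; i++)
        free(quarantine[i]);
    quarantined = 0;
    double_frees = 0;
}

static void qfree(void *p) {
    int i;
    if (!p)
        return;
    for (i = 0; i < quarantined; i++) {
        if (quarantine[i] == p) {   /* same block released twice */
            double_frees++;
            return;
        }
    }
    if (quarantined < MAX_QUARANTINE)
        quarantine[quarantined++] = p;
    else
        free(p);
}

static Item *item_new(const unsigned char *src, unsigned int len) {
    Item *it = malloc(sizeof *it);
    it->data = malloc(len ? len : 1);
    memcpy(it->data, src, len);
    it->len = len;
    return it;
}

/* Mirrors SECITEM_ZfreeItem(item, PR_TRUE): wipe, free data, free struct. */
static void item_zfree(Item *it) {
    if (!it)
        return;
    if (it->data) {
        memset(it->data, 0, it->len);
        qfree(it->data);
    }
    qfree(it);
}

/* Mirrors NamedCRLCacheEntry_Destroy: frees whatever the entry still owns. */
static void entry_destroy(Entry *e) {
    if (!e)
        return;
    item_zfree(e->crl);
    item_zfree(e->canonicalizedName);
    qfree(e);
}

/* Failed insertion as comment 3 describes it: the CRL is freed but the
 * pointer stays in the entry, so entry_destroy() frees it a second time. */
static int insert_dangling(Entry *e) {
    e->badDER = 1;
    item_zfree(e->crl);
    return -1;
}

/* Same path with the pointer cleared, so the destructor skips the crl. */
static int insert_fixed(Entry *e) {
    e->badDER = 1;
    item_zfree(e->crl);
    e->crl = NULL;
    return -1;
}

/* Build an entry, fail the insert, tear down as at shutdown.
 * Returns the number of double frees the quarantine caught. */
static int run_shutdown(int (*insert)(Entry *)) {
    /* Constructed inputs; the DER bytes are not a real CRL. */
    static const unsigned char name[] = "http://crl.example.test/test.crl";
    static const unsigned char der[] = { 0x30, 0x03, 0x02, 0x01, 0x00 };
    Entry *e;
    int caught;

    quarantine_flush();
    e = calloc(1, sizeof *e);
    e->canonicalizedName = item_new(name, (unsigned int)(sizeof name - 1));
    e->crl = item_new(der, (unsigned int)sizeof der);
    (void)insert(e);
    entry_destroy(e);
    caught = double_frees;
    quarantine_flush();
    return caught;
}

int main(void) {
    printf("dangling crl pointer: %d double free(s)\n", run_shutdown(insert_dangling));
    printf("pointer cleared:      %d double free(s)\n", run_shutdown(insert_fixed));
    return 0;
}
```

The dangling run reports two double frees (the CRL's data buffer and the Item struct), the corrected run none. Clearing the pointer at the site that frees it is the minimal fix; the alternative is for the failure path to leave the CRL alone and let the destructor release it once.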

Comment 4

9 years ago
Comment on attachment 386004 [details] [diff] [review]
v1

>@@ -1310,24 +1310,26 @@ static SECStatus NamedCRLCacheEntry_Dest
>     if (!entry)
>         return SECFailure;

>     if (entry->crl)
>+        entry->crl = NULL;
>     if (entry->canonicalizedName)
>+        entry->canonicalizedName = NULL;
>     PORT_Free(entry);
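Review bot: the two added assignments run immediately before `PORT_Free(entry);`, so setting entry->crl and entry->canonicalizedName to NULL here has no observable effect; the struct holding the cleared fields is released on the next line. As quoted, `+        entry->crl = NULL;` also sits directly under `if (entry->crl)`, so either the SECITEM_ZfreeItem call was trimmed from the quote or the assignment has become the whole body of the guard and the CRL is no longer freed at all in the destructor. Comment 3 places the dangling pointer on the failed-insertion path, where entry->crl is freed with SECITEM_ZfreeItem and left in the entry; the change belongs there (clear entry->crl right after that free, or leave the free to NamedCRLCacheEntry_Destroy), not in the destructor.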

surely this isn't needed, as the structure is being destroyed/freed.
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 492385
Comment on attachment 386004 [details] [diff] [review]
v1

removing review request.  This is already fixed on trunk.
Attachment #386004 - Flags: review?(nelson)