Closed Bug 604814 Opened 14 years ago Closed 8 years ago

Crash in [@ ssl3_FlushHandshake ]

Categories

(NSS :: Libraries, defect)

x86
Windows XP
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: marcia, Unassigned)

Details

(Keywords: crash)

Seen while reviewing crash stats. Windows only crash that has cropped up today. http://tinyurl.com/24ucf73 links to the crashes which are all on Windows XP. I tried to reproduce with some of the sites listed but had no luck.

Frame  Module  Signature  Source
0  @0x10b
1  ssl3.dll  ssl3_FlushHandshake  security/nss/lib/ssl/ssl3con.c:2419
2  ssl3.dll  ssl3_SendChangeCipherSpecs  security/nss/lib/ssl/ssl3con.c:2710
3  ssl3.dll  ssl3_HandleServerHelloDone  security/nss/lib/ssl/ssl3con.c:5741
4  ssl3.dll  ssl3_HandleHandshakeMessage  security/nss/lib/ssl/ssl3con.c:8632
5  ssl3.dll  ssl3_HandleHandshake  security/nss/lib/ssl/ssl3con.c:8727
6  ssl3.dll  ssl3_HandleRecord  security/nss/lib/ssl/ssl3con.c:9066
7  ssl3.dll  ssl3_GatherCompleteHandshake  security/nss/lib/ssl/ssl3gthr.c:209
8  ssl3.dll  ssl_GatherRecord1stHandshake  security/nss/lib/ssl/sslcon.c:1258
9  ssl3.dll  ssl_Do1stHandshake  security/nss/lib/ssl/sslsecur.c:151
10  ssl3.dll  ssl_SecureSend  security/nss/lib/ssl/sslsecur.c:1213
11  ssl3.dll  ssl_SecureWrite  security/nss/lib/ssl/sslsecur.c:1258
12  ssl3.dll  ssl_Write  security/nss/lib/ssl/sslsock.c:1652
13  xul.dll  nsSSLThread::Run
14  nspr4.dll  _PR_NativeRunThread  nsprpub/pr/src/threads/combined/pruthr.c:426
15  nspr4.dll  pr_root  nsprpub/pr/src/md/windows/w95thred.c:122
16  mozcrt19.dll  _callthreadstartex  obj-firefox/memory/jemalloc/crtsrc/threadex.c:348
17  mozcrt19.dll  _threadstartex  obj-firefox/memory/jemalloc/crtsrc/threadex.c:326
18  kernel32.dll  BaseThreadStart
Looks like it was showing up about once a month on previous betas, then today we see a flood of reports. When we get the .csv tomorrow for these crashes we can try and fingerprint to see if there are any dups.
Sorting by uptime, I'm guessing this is one or two crashes and a bunch of dups. If that's the case, it's another example for the fix we need in bug 579136.
At ssl3con.c:2419, ssl3_FlushHandshake calls ssl3_SendRecord. This is not a call through a pointer. ssl3_SendRecord doesn't appear in the stack. From these observations, I gather that ssl3_SendRecord called some function that trashed the stack and then returned, effectively jumping to address 0x10b. Perhaps ssl3_SendRecord called a function that called another function that trashed the stack, and the crash did not occur when that function returned, but later, when its caller returned. Or some other task might have trashed this task's stack. I looked through the functions that ssl3_SendRecord calls for those that have buffers in the stack, and found only one. ssl3_SendRecord calls ssl3_CompressMACEncryptRecord, which calls ssl3_ComputeRecordMAC, which has a hash buffer in the stack. But if that hash buffer became overrun, I would expect it to crash immediately upon that function's return, if not before (in a return from a function called by ssl3_ComputeRecordMAC). So, my search was inconclusive.
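The pattern discussed in the comment above (top frame is a bare address with no module, sitting directly above a symbolicated caller) can be flagged mechanically during crash triage. The following is an added example, not part of the bug comments or of any Mozilla tool; the frame-line layout, the `triage` helper and the 64 KiB low-address threshold are assumptions made for illustration.

```python
import re

# First frames of the stack in the report above, one frame per line.
REPORT = """\
0 @0x10b
1 ssl3.dll ssl3_FlushHandshake security/nss/lib/ssl/ssl3con.c:2419
2 ssl3.dll ssl3_SendChangeCipherSpecs security/nss/lib/ssl/ssl3con.c:2710
13 xul.dll nsSSLThread::Run
"""

# index, optional module, signature, optional source file:line
FRAME_RE = re.compile(
    r"^(?P<idx>\d+)\s+(?:(?P<module>\S+\.dll)\s+)?"
    r"(?P<sig>\S+)(?:\s+(?P<src>\S+:\d+))?$"
)

# Assumption: the first 64 KiB of a Windows user address space is normally unmapped.
LOW_ADDR_LIMIT = 0x10000


def parse_frames(text):
    """Turn frame lines into dicts with idx, module, sig and src keys."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append(m.groupdict())
    return frames


def triage(frames):
    """Flag a stack whose top frame is a bare address outside any module."""
    result = {"wild_pc": False, "address": None, "caller": None, "caller_src": None}
    if not frames:
        return result
    top = frames[0]
    if top["module"] is None and top["sig"].startswith("@0x"):
        result["address"] = int(top["sig"][1:], 16)
        result["wild_pc"] = result["address"] < LOW_ADDR_LIMIT
        # First frame the stack walker could attribute to a module.
        known = next((f for f in frames[1:] if f["module"]), None)
        if known:
            result["caller"], result["caller_src"] = known["sig"], known["src"]
    return result


if __name__ == "__main__":
    print(triage(parse_frames(REPORT)))
```

A `wild_pc` hit only says the instruction pointer landed in unmapped low memory; whether the cause is an overwritten return address or something else still needs the kind of source review described in the comment.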
Crash Signature: [@ ssl3_FlushHandshake ]
Severity: normal → critical
Crash Signature: [@ ssl3_FlushHandshake ] → ssl_Do1stHandshake | ssl_SecureSend |...] [@ ssl3_FlushHandshake ] [@ ssl3_FlushHandshake | ssl3_SendChangeCipherSpecs | ssl3_HandleServerHelloDone | ssl3_HandleHandshakeMessage | ssl3_HandleHandshake | ssl3_HandleRecord | ssl_GatherRecord1stHandshake | …
Depends on: 716345
I'm marking this bug as WORKSFORME as this bug's crash log signature hasn't appeared for a long time (over half a year) in Firefox.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME