Bug 741258 - ASAN: unresolved symbols in libnssutil3.dylib
Product: Core
Classification: Components
Component: Security
Version: Trunk
Hardware: x86_64 Mac OS X
Importance: -- normal
Target Milestone: mozilla15
Assigned To: Christian Holler (:decoder)
QA Contact: David Keeler [:keeler] (use needinfo?)
Reported: 2012-04-01 17:58 PDT by Christoph Diehl [:posidron]
Modified: 2012-04-30 06:01 PDT

Patch (881 bytes, patch)
2012-04-10 11:08 PDT, Christian Holler (:decoder)
ted: review+
gary: checkin+

Description Christoph Diehl [:posidron] 2012-04-01 17:58:16 PDT
As discussed in IRC one possible solution would be to add the flag -undefined dynamic_lookup to DSO_LDOPTS in security/coreconf/


DSO_LDOPTS = -dynamiclib $(DARWIN_DYLIB_VERSIONS) -install_name @executable_path/$(notdir $@) -headerpad_max_install_names -undefined dynamic_lookup
Comment 1 Christian Holler (:decoder) 2012-04-02 04:06:58 PDT
I reached out to the ASan developers to first ensure that -undefined dynamic_lookup is the right way to do it. Once we are sure about that, I'll take a look at where exactly we can best add it (preferably outside NSS).
Comment 2 Christian Holler (:decoder) 2012-04-03 04:10:18 PDT
According to the ASan developers, we are not supposed to pass -undefined dynamic_lookup ourselves, but instead it's likely that for the linker call here -faddress-sanitizer is not passed (which it should be). I'm currently investigating why this flag is dropped at some point in NSS and how to force it.
Comment 3 Christian Holler (:decoder) 2012-04-10 11:08:30 PDT
Created attachment 613682

The proper solution here is to ensure that NSS builds dylibs with -faddress-sanitizer, i.e. that LDFLAGS are correctly passed to NSS dylibs when MOZ_CFLAGS_NSS is set.

I haven't found a good solution to do this without touching NSS itself, but overriding DARWIN_DYLIB_VERSIONS seemed the least intrusive way and it works :)

These changes are only active when building with the --enable-address-sanitizer build option.
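
Added example (not part of the comment thread and not Mozilla or NSS code): a Python check for the failure mode described in comments 2 and 3, where objects are compiled with -faddress-sanitizer but a -dynamiclib link step drops the flag. The log lines, function names and all library names other than libnssutil3.dylib are constructed for illustration.

```python
import shlex

SANITIZER_FLAG = "-faddress-sanitizer"  # spelling used in this bug

# Constructed build-log excerpt; object and library names are illustrative.
SAMPLE_LOG = """\
clang -faddress-sanitizer -c -o secport.o secport.c
clang -dynamiclib -install_name @executable_path/libnssutil3.dylib -headerpad_max_install_names -o libnssutil3.dylib secport.o
clang -faddress-sanitizer -dynamiclib -install_name @executable_path/libok.dylib -o libok.dylib ok.o
clang -dynamiclib -undefined dynamic_lookup -o libmasked.dylib masked.o
"""

def _argv(line):
    try:
        return shlex.split(line)
    except ValueError:  # unbalanced quotes in a truncated log line
        return line.split()

def _output(argv):
    """Return the argument following -o, or '?' if there is none."""
    for i, arg in enumerate(argv[:-1]):
        if arg == "-o":
            return argv[i + 1]
    return "?"

def audit_dylib_links(log):
    """Return sorted (output, problem) pairs for dylib link steps."""
    commands = [a for a in map(_argv, log.splitlines()) if a]
    # Only meaningful when at least one compile step was instrumented.
    if not any(SANITIZER_FLAG in a and "-c" in a for a in commands):
        return []
    findings = []
    for argv in commands:
        if "-dynamiclib" not in argv:
            continue
        out = _output(argv)
        if SANITIZER_FLAG not in argv:
            findings.append((out, "sanitizer flag missing at link"))
        # Comment 2: this flag is not supposed to be passed by hand.
        if any(a == "-undefined" and b == "dynamic_lookup"
               for a, b in zip(argv, argv[1:])):
            findings.append((out, "uses -undefined dynamic_lookup"))
    return sorted(findings)

if __name__ == "__main__":
    for out, problem in audit_dylib_links(SAMPLE_LOG):
        print(f"{out}: {problem}")
```
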
Comment 4 Kyle Huey [:khuey] (Exited; not receiving bugmail, email if necessary) 2012-04-11 15:54:47 PDT
Comment on attachment 613682

Review of attachment 613682:

Not a mac person.
Comment 5 Ted Mielczarek [:ted.mielczarek] 2012-04-24 09:47:07 PDT
Comment on attachment 613682

Review of attachment 613682:

This feels like the wrong way to fix this. Can you patch NSS instead? I know that's more of a hassle, but I don't like wedging things in where they don't belong.
Comment 6 Ted Mielczarek [:ted.mielczarek] 2012-04-24 09:56:58 PDT
Comment on attachment 613682

In light of the fact that this code is only hit in a non-default configuration, I'll r+ this. However, I want you to file an NSS bug on adding a way to pass this info down in a more correct way, and mention the bug number in a comment here.
Comment 7 Christian Holler (:decoder) 2012-04-24 10:15:28 PDT
Filed follow-up bug 748423 to discuss and resolve the situation more properly in NSS. I also emailed wtc to ask about the right solution here.
Comment 9 Ed Morley [:emorley] 2012-04-27 06:58:28 PDT
