Closed Bug 858231 Opened 8 years ago Closed 8 years ago

Update Mozilla 23 to use NSS 3.15 (uses a new directory layout)

Categories

(Core :: Security: PSM, defect)

defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla24
Tracking Status
firefox23 + fixed
firefox24 --- fixed

People

(Reporter: KaiE, Assigned: briansmith)

References

Details

Attachments

(5 files, 1 obsolete file)

Attached patch patch to adjust dbm build rules (obsolete) — Splinter Review
The NSS team is working on NSS version 3.15, which will use a new layout for its directories. The client.py script has already been updated to pull from the new location in bug 853775.

As a first step for this task, mozilla-central should pull the NSS_3_15_BETA1 tag.

I already did some local experimentation, and I can propose steps to perform the landing. Also, it seems (luckily) the beta1 tag makes the currently local patches in mozilla-central obsolete.

I propose:
- rm -rf dbm security/dbm security/coreconf
- rm security/patches/*.patch
- hg addremove

HG discovers that some of the deletions are moves.

But even for the files where hg doesn't detect the move, I don't think it matters. History for NSS is contained in the upstream NSS repository anyway.

On top of above, I used a small patch to security/build that allowed my local Linux build to pass the NSS directory. I'll attach that patch. I don't know if it's sufficient. You might want to test on the other platforms prior to landing this patch.
Comment on attachment 733530 [details] [diff] [review]
patch to adjust dbm build rules

Review of attachment 733530 [details] [diff] [review]:
-----------------------------------------------------------------

::: security/build/Makefile.in
@@ +298,5 @@
>  endif
>  
>  NSS_DIRS =
>  ifndef NSS_DISABLE_DBM
> +NSS_DIRS += nss/lib/dbm

I think you can remove this, although you probably need to do something for DBM not to be built with NSS_DISABLE_DBM is set (which it is on android)
Comment on attachment 733530 [details] [diff] [review]
patch to adjust dbm build rules

Review of attachment 733530 [details] [diff] [review]:
-----------------------------------------------------------------

::: security/build/Makefile.in
@@ +298,5 @@
>  endif
>  
>  NSS_DIRS =
>  ifndef NSS_DISABLE_DBM
> +NSS_DIRS += nss/lib/dbm

Yes, we should simply remove this (lines 301-303).

NSS_DISABLE_DBM is now handled by nss/lib/{Makefile,manifest.mn}.

@@ -440,5 @@
>  libs-nss/lib/softoken: $(NSPR_IMPORT_LIBS) $(SQLITE_IMPORT_LIB)
>  libs-nss/lib/softoken: libs-nss/lib/freebl
> -ifndef NSS_DISABLE_DBM
> -libs-nss/lib/softoken: libs-dbm
> -endif

Did you delete this because libs-dbm isn't defined?

http://mxr.mozilla.org/mozilla-central/search?string=libs-dbm
Assignee: nobody → mh+mozilla
Attachment #733530 - Attachment is obsolete: true
Assignee: mh+mozilla → nobody
https://hg.mozilla.org/integration/mozilla-inbound/rev/0857f2bc8f8a
https://hg.mozilla.org/integration/mozilla-inbound/rev/c4bac10ee49e

In addition to following Kai's instructions and merging glandium's changes, I updated configure.in to require NSS 3.15 and I updated security/patches/README to remove the references to the no-longer-needed private patches that we previously had in mozilla-central.

Thanks for the help with this!
Target Milestone: --- → mozilla23
https://hg.mozilla.org/mozilla-central/rev/0857f2bc8f8a
https://hg.mozilla.org/mozilla-central/rev/c4bac10ee49e
Assignee: nobody → bsmith
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Reopening, because that was only a beta, but this bug is track the full landing including the final release of NSS 3.15 (pending).
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Whiteboard: [keep-open]
Blocks: 700693
Comment on attachment 736404 [details] [diff] [review]
Adapt security/build rules to new NSS layout

Review of attachment 736404 [details] [diff] [review]:
-----------------------------------------------------------------

::: security/build/Makefile.in
@@ +302,5 @@
>  NSS_DIRS += nss/lib
> +else
> +ifndef NSS_DISABLE_DBM
> +NSS_DIRS += nss/lib/dbm
> +endif

I think it is better to add nss/lib/dbm here:

336 # Remaining nss/lib directories
337 NSS_DIRS += nss/lib/freebl nss/lib/softoken nss/lib/jar nss/lib/crmf nss/lib/ckfw nss/lib/libpkix
In security/nss/lib/freebl/Makefile, HAVE_ABI32_INT32, USE_ABI32_INT32 sections under SPARC 32bit are removed.

Is it intentional?

But in security/build/Makefile.in, it still have
HAVE_FREEBL_LIBS_32 = 1

It caused build failure.
Ginn: yes, we dropped Solaris SPARC v8 support in NSS 3.15 (bug 841664).

Could you create a patch for security/build/Makefile.in? You may just
need to delete the line
  HAVE_FREEBL_LIBS_32 = 1

I have another question for you: which versions of the Solaris Studio
compiler do you use? There are a lot of compiler warnings when NSS is
compiled with the latest version of the Solaris Studio compiler. It
will be easier to fix those warnings if I only need to support recent
versions of Solaris Studio.
Ginn: I looked into the security/build/Makefile.in problem. I think
HAVE_FREEBL_LIBS_32 needs to be refined into two variables:

  HAVE_FREEBL_LIBS_32INT32
  HAVE_FREEBL_LIBS_32FPU

and

  ifdef HAVE_FREEBL_LIBS_32INT32
  NSS_EXTRA_DLLS += freebl_32int_3
  endif
  ifdef HAVE_FREEBL_LIBS_32FPU
  NSS_EXTRA_DLLS += freebl_32fpu_3
  endif
Ginn: please review and test this patch. If it works, please check it in
for me. Thanks.

Description: Refine HAVE_FREEBL_LIBS_32 into HAVE_FREEBL_LIBS_32INT32 and
HAVE_FREEBL_LIBS_32FPU, and set only HAVE_FREEBL_LIBS_32FPU to 1 for
32-bit Solaris SPARC builds.
Attachment #739871 - Flags: review?(ginn.chen)
(In reply to Wan-Teh Chang from comment #9)

> I have another question for you: which versions of the Solaris Studio
> compiler do you use? There are a lot of compiler warnings when NSS is
> compiled with the latest version of the Solaris Studio compiler. It
> will be easier to fix those warnings if I only need to support recent
> versions of Solaris Studio.

I'm using Solaris Studio 12.2 and 12.3 for Firefox.
I guess another team is compiling NSS with Studio 12.1.

IMO, you only need to consider 12.3.
If it breaks 12.1 or 12.2, they should apply workarounds on their local workspace.
Attachment #739871 - Flags: review?(ginn.chen) → review+
Whiteboard: [keep-open] → [leave open]
I've tagged NSS_3_15_BETA2.
Could you please pick it up in mozilla-central?
Attachment #739871 - Flags: checkin+
Summary: Update PSM to use NSS 3.15 (uses a new directory layout) → Update Mozilla 23 to use NSS 3.15 (uses a new directory layout)
Kai, this is the patch to push NSS_3_15_BETA2 to m-c.

I noticed that Brian did not add the .cvsignore files when he pushed
NSS_3_15_BETA1, so I didn't add those files either.

https://hg.mozilla.org/integration/mozilla-inbound/rev/08e868f22c98
Attachment #743333 - Flags: review?(kaie)
Attachment #743333 - Flags: checkin+
Comment on attachment 743333 [details] [diff] [review]
Upgrade to NSS_3_15_BETA2

Kai, I saw these in the diffs:

>diff --git a/security/nss/cmd/pk11gcmtest/Makefile b/security/nss/cmd/pk11gcmtest/Makefile
>old mode 100644
>new mode 100755

>diff --git a/security/nss/tests/libpkix/certs/make-ca-u50-u51 b/security/nss/tests/libpkix/certs/make-ca-u50-u51
>old mode 100644
>new mode 100755

Do you know why? I wonder if they are caused by files being
pushed on Windows vs. on Linux.
Comment on attachment 743333 [details] [diff] [review]
Upgrade to NSS_3_15_BETA2

I didn't review this long patch, I think it's not necessary. I assume you simply used the "python client.py update_nss" script.
Attachment #743333 - Flags: review?(kaie) → review+
(In reply to Wan-Teh Chang from comment #17)
> Comment on attachment 743333 [details] [diff] [review]
> Upgrade to NSS_3_15_BETA2
> 
> Kai, I saw these in the diffs:
> 
> >diff --git a/security/nss/cmd/pk11gcmtest/Makefile b/security/nss/cmd/pk11gcmtest/Makefile
> >old mode 100644
> >new mode 100755
> 
> >diff --git a/security/nss/tests/libpkix/certs/make-ca-u50-u51 b/security/nss/tests/libpkix/certs/make-ca-u50-u51
> >old mode 100644
> >new mode 100755
> 
> Do you know why? I wonder if they are caused by files being
> pushed on Windows vs. on Linux.

I did a little searching and I found that this does indeed seem to be caused by me doing the update on Windows. khuey (who just updated NSPR in mozilla-beta) and I both use Windows as our primary dev. platform. Until we can find a real solution, I will do the updates of NSS and NSPR in my Linux VM.

Probably we should just change all the test scripts so that the executable bit does not need to be set (i.e. explicitly invoke the interpreter when running any script). Anybody disagree? If not, I will file the bug in NSS.
NSS_3_15_BETA3 (tagged this morning) pushed to mozilla-inbound:
https://hg.mozilla.org/integration/mozilla-inbound/rev/0314d200873a
(In reply to Brian Smith (:bsmith) from comment #19)
>
> Probably we should just change all the test scripts so that the executable
> bit does not need to be set (i.e. explicitly invoke the interpreter when
> running any script). Anybody disagree? If not, I will file the bug in NSS.

This seems like an over-reaction. Do you know why nss/tests/all.sh, which is
marked as executable, doesn't have the permission mode problem when you pushed
it to mozilla-central on Windows?
NSS_3_15_BETA3 with two local patches (bug-835919.patch and
bug-832272.patch) pushed to mozilla-inbound:
https://hg.mozilla.org/integration/mozilla-inbound/rev/c6f5c1bbcf76
Status: REOPENED → ASSIGNED
I had to revert to NSS_3_15_BETA4 in mozilla-inbound
because NSS_3_15_BETA5 broke three Mozilla build bots:
https://hg.mozilla.org/integration/mozilla-inbound/rev/cd4d5caefa88

I filed bug 874261 for the Mozilla build system problem.
Second attempt at pushing NSS_3_15_BETA5 to mozilla-inbound, without
Kai's SECITEM_ReallocItemV2 patch this time to work around bug 874261:
https://hg.mozilla.org/integration/mozilla-inbound/rev/011a86ed18fe
NSS_3_15_BETA6 pushed to mozilla-inbound:
https://hg.mozilla.org/integration/mozilla-inbound/rev/84985c77b141

To work around bug 874261, I applied a private patch to avoid using
the new SECITEM_ReallocItemV2 function.
undoing:
  status-firefox24: --- → fixed
because the main change hasn't landed yet
Final versions of NSS 3.15 and NSPR 4.10 have been released.

We must upgrade mozilla-central (24) and mozilla-aurora (23) to pick them up.
mozilla-central currently uses
NSPR (portable runtime) version: NSPR_4_10_BETA2
NSS (security library) version: NSS_3_15_BETA6

This patch was produced using:

python client.py update_nspr NSPR_4_10_RTM
python client.py update_nss NSS_3_15_RTM
Attachment #758583 - Flags: review?(wtc)
Attachment #758585 - Flags: review?(wtc)
Comment on attachment 758585 [details] [diff] [review]
final for mozilla-aurora 23

approval required because of the rule
  "must ship final versions of nspr/nss in releases"
Attachment #758585 - Flags: approval-mozilla-aurora?
Comment on attachment 758583 [details] [diff] [review]
final for mozilla-central

Review of attachment 758583 [details] [diff] [review]:
-----------------------------------------------------------------

r=wtc.

IMPORTANT: please remove the local patch security/patches/revert-bug-808217.patch
and remove the description of that patch in security/patches/README.

Watch out for linker errors (unresolved symbol SECITEM_ReallocItemV2) on the
Android and B2G build bots.
Attachment #758583 - Flags: review?(wtc) → review+
Comment on attachment 758585 [details] [diff] [review]
final for mozilla-aurora 23

Review of attachment 758585 [details] [diff] [review]:
-----------------------------------------------------------------

r=wtc.

IMPORTANT: change nsprpub/config/prdepend.h.
Attachment #758585 - Flags: review?(wtc) → review+
(In reply to Wan-Teh Chang from comment #39)
> IMPORTANT: please remove the local patch
> security/patches/revert-bug-808217.patch
> and remove the description of that patch in security/patches/README.

https://hg.mozilla.org/integration/mozilla-inbound/rev/6486354e07e4

I read your comment, but then forgot to do it at the same time of the landing.
And immediately after I checked in, mozilla-inbound was closed because of other bustage :)

This cleanup is for tracking purposes, only, and doesn't affect the build.
I'll do it after the tree opens.
(In reply to Wan-Teh Chang from comment #40)
> 
> IMPORTANT: change nsprpub/config/prdepend.h.

I wonder why the client.py script didn't make that change on the aurora branch...
> Watch out for linker errors (unresolved symbol SECITEM_ReallocItemV2) on the
> Android and B2G build bots.

We didn't get such errors after the landing. We are fine.

> IMPORTANT: please remove the local patch
> security/patches/revert-bug-808217.patch
> and remove the description of that patch in security/patches/README.

done:
https://hg.mozilla.org/integration/mozilla-inbound/rev/796a79fc347a


The work for mozilla-central is done.

It's OK to set this to fixed, after inbound has been merged into central.
Whiteboard: [leave open]
https://hg.mozilla.org/mozilla-central/rev/34ad18786196
https://hg.mozilla.org/mozilla-central/rev/796a79fc347a
Status: ASSIGNED → RESOLVED
Closed: 8 years ago8 years ago
Resolution: --- → FIXED
Attachment #758585 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
https://hg.mozilla.org/releases/mozilla-aurora/rev/5cd24379d192

I forgot to set the author before pushing :(. Please make sure your attached patches have it in the future.
http://hg.mozilla.org/mozilla-central/rev/c4bac10ee49e#l1.12
Native NSS version check does not work 
AM_PATH_NSS - need version specified in format \D+.\D+.\D+
otherwise it would not detect and think 3.14.3 - as 3.15 - compatible
You need to log in before you can comment on or make changes to this bug.