Closed Bug 863534 Opened 11 years ago Closed 5 years ago

crash in PKIX_List_GetItem

Categories

(NSS :: Libraries, defect)

Not set
critical

Tracking

(b2g18 affected, b2g18-v1.0.0 wontfix, b2g18-v1.0.1 affected)

RESOLVED WORKSFORME

People

(Reporter: briansmith, Unassigned)

Details

(Keywords: crash, perf)

+++ This bug was initially created as a clone of Bug #787155 +++

Possibly a race condition in the libpkix cert cache. I worked around this on B2G by disabling Gecko's usage of libpkix. But, this occurs on other platforms (relatively rarely) and so it should be fixed.

https://crash-stats.mozilla.com/report/index/bp-e781b49c-7333-40be-85bc-f40c72121215
[2] https://crash-stats.mozilla.com/report/list?signature=PKIX_List_GetItem

This bug was filed from the Socorro interface and is report bp-3e9ed381-d082-4f27-9c6d-926a22120828.
============================================================= 
0	nss3.dll	PKIX_List_GetItem	security/nss/lib/libpkix/pkix/util/pkix_list.c:1553
1	nss3.dll	pkix_CacheCert_Lookup	security/nss/lib/libpkix/pkix/util/pkix_tools.c:1072
2	nss3.dll	pkix_Build_GatherCerts	security/nss/lib/libpkix/pkix/top/pkix_build.c:1800
3	nss3.dll	pkix_BuildForwardDepthFirstSearch	security/nss/lib/libpkix/pkix/top/pkix_build.c:2377
4	nss3.dll	pkix_Build_InitiateBuildChain	security/nss/lib/libpkix/pkix/top/pkix_build.c:3615
5	nss3.dll	PKIX_BuildChain	security/nss/lib/libpkix/pkix/top/pkix_build.c:3786
6	nss3.dll	CERT_PKIXVerifyCert	security/nss/lib/certhigh/certvfypkix.c:2204
7	xul.dll	nsNSSCertificate::hasValidEVOidTag	security/manager/ssl/src/nsIdentityChecking.cpp:1189
8	xul.dll	nsNSSCertificate::getValidEVOidTag	security/manager/ssl/src/nsIdentityChecking.cpp:1224
9	xul.dll	nsNSSCertificate::GetIsExtendedValidation	security/manager/ssl/src/nsIdentityChecking.cpp:1250 

firefox bp-ece0c31e-cdad-48fc-aa94-41dbf2120803

crashes in all releases of the past year, and on all OSes.
nothing especially useful in any of the crash comments afaict.

No longer depends on: 787155
Priority: P1 → --

Looks like a ref-counting ordering issue

PKIX_PL_HashTable_Remove gives up the lock before decrementing the reference count of the item.

http://mxr.mozilla.org/nss/source/lib/libpkix/pkix_pl_nss/system/pkix_pl_hashtable.c#312

Whereas PKIX_PL_HashTable_Lookup properly increments the ref-count under the lock

http://mxr.mozilla.org/nss/source/lib/libpkix/pkix_pl_nss/system/pkix_pl_hashtable.c#373

It seems like line 310, http://mxr.mozilla.org/nss/source/lib/libpkix/pkix_pl_nss/system/pkix_pl_hashtable.c#310 , is entirely incorrect, given the code on 320/322 that handles unlocking.

Brian, do you want to just nuke 310 and see if that works for you?

Er, n/m, I missed that pkix_pl_PrimHashTable_Remove is transferring ownership back to the caller, so the fact that it's done outside of the lock should be fine.

Removing blocking-b2g flag because there is a wallpaper fix in bug 787155.
blocking-b2g: tef+ → ---
Whiteboard: [tbird crash][b2g-crash][eta:2013-04-19][madrid]
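
The ownership argument from the ref-counting comments above, as an added example that is not part of the bug thread and is not NSS code: a one-slot table in which lookup takes its reference under the lock, while remove hands the table's reference to the caller, who releases it after the unlock. All names (`Item`, `tbl_add`, `tbl_lookup`, `tbl_remove`, `demo`) are hypothetical and the scenario is constructed.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stddef.h>
/* Hypothetical one-slot "table"; all names are illustrative, not libpkix's. */
typedef struct { atomic_int refs; int freed; } Item;
static pthread_mutex_t tbl_lock = PTHREAD_MUTEX_INITIALIZER;
static Item *slot;                      /* the table's owning reference */

static void item_decref(Item *it) {     /* atomic, so callable without the lock */
    if (atomic_fetch_sub(&it->refs, 1) == 1) it->freed = 1; /* stands in for free() */
}

static void tbl_add(Item *it) {         /* table takes over the caller's reference */
    pthread_mutex_lock(&tbl_lock);
    slot = it;
    pthread_mutex_unlock(&tbl_lock);
}

/* Lookup: incref under the lock, so a concurrent remove cannot drop the
 * last reference between reading the slot and taking the new reference. */
static Item *tbl_lookup(void) {
    pthread_mutex_lock(&tbl_lock);
    Item *it = slot;
    if (it) atomic_fetch_add(&it->refs, 1);
    pthread_mutex_unlock(&tbl_lock);
    return it;
}

/* Remove: unlink under the lock and hand the table's reference to the
 * caller unchanged; the caller may release it after the unlock. */
static Item *tbl_remove(void) {
    pthread_mutex_lock(&tbl_lock);
    Item *it = slot;
    slot = NULL;
    pthread_mutex_unlock(&tbl_lock);
    return it;
}

/* Constructed scenario: a reader holds a reference across a remove. */
static int demo(void) {
    Item it = { 1, 0 };                 /* one reference, about to be the table's */
    tbl_add(&it);
    Item *reader = tbl_lookup();        /* refs = 2 */
    item_decref(tbl_remove());          /* released outside the lock, refs = 1 */
    int reader_safe = !it.freed && tbl_lookup() == NULL;
    item_decref(reader);                /* last reference, refs = 0 */
    return reader_safe && it.freed && atomic_load(&it.refs) == 0;
}
int main(void) { return demo() ? 0 : 1; }
```

The release after the unlock is safe only because every reference a reader holds was counted while the lock was held; a lookup that returned the pointer first and incremented afterwards would reopen the race.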

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME