Closed Bug 863534 Opened 12 years ago Closed 6 years ago

crash in PKIX_List_GetItem

Categories

(NSS :: Libraries, defect)

defect
Not set
critical

Tracking

(b2g18 affected, b2g18-v1.0.0 wontfix, b2g18-v1.0.1 affected)

RESOLVED WORKSFORME

People

(Reporter: briansmith, Unassigned)

Details

(Keywords: crash, perf)

+++ This bug was initially created as a clone of Bug #787155 +++

Possibly a race condition in the libpkix cert cache. I worked around this on B2G by disabling Gecko's usage of libpkix. But, this occurs on other platforms (relatively rarely) and so it should be fixed.

https://crash-stats.mozilla.com/report/index/bp-e781b49c-7333-40be-85bc-f40c72121215
[2] https://crash-stats.mozilla.com/report/list?signature=PKIX_List_GetItem

This bug was filed from the Socorro interface and is report bp-3e9ed381-d082-4f27-9c6d-926a22120828 .

=============================================================
0 nss3.dll PKIX_List_GetItem security/nss/lib/libpkix/pkix/util/pkix_list.c:1553
1 nss3.dll pkix_CacheCert_Lookup security/nss/lib/libpkix/pkix/util/pkix_tools.c:1072
2 nss3.dll pkix_Build_GatherCerts security/nss/lib/libpkix/pkix/top/pkix_build.c:1800
3 nss3.dll pkix_BuildForwardDepthFirstSearch security/nss/lib/libpkix/pkix/top/pkix_build.c:2377
4 nss3.dll pkix_Build_InitiateBuildChain security/nss/lib/libpkix/pkix/top/pkix_build.c:3615
5 nss3.dll PKIX_BuildChain security/nss/lib/libpkix/pkix/top/pkix_build.c:3786
6 nss3.dll CERT_PKIXVerifyCert security/nss/lib/certhigh/certvfypkix.c:2204
7 xul.dll nsNSSCertificate::hasValidEVOidTag security/manager/ssl/src/nsIdentityChecking.cpp:1189
8 xul.dll nsNSSCertificate::getValidEVOidTag security/manager/ssl/src/nsIdentityChecking.cpp:1224
9 xul.dll nsNSSCertificate::GetIsExtendedValidation security/manager/ssl/src/nsIdentityChecking.cpp:1250

firefox bp-ece0c31e-cdad-48fc-aa94-41dbf2120803

Crashes in all releases of the past year, and all OS. Nothing especially useful in any of the crash comments afaict.
No longer depends on: 787155
Priority: P1 → --
Looks like a ref-counting ordering issue.

PKIX_PL_HashTable_Remove gives up the lock before decrementing the reference count of the item.
http://mxr.mozilla.org/nss/source/lib/libpkix/pkix_pl_nss/system/pkix_pl_hashtable.c#312

Whereas PKIX_PL_HashTable_Lookup properly increments the ref-count under the lock.
http://mxr.mozilla.org/nss/source/lib/libpkix/pkix_pl_nss/system/pkix_pl_hashtable.c#373

It seems like line 310, http://mxr.mozilla.org/nss/source/lib/libpkix/pkix_pl_nss/system/pkix_pl_hashtable.c#310 , is entirely incorrect, given the code on 320/322 that handles unlocking.

Brian, do you want to just nuke 310 and see if that works for you?
Er, n/m, I missed that pkix_pl_PrimHashTable_Remove is transferring ownership back to the caller, so the fact that it's done outside of the lock should be fine.
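
The ownership rule worked out in the two comments above, as an added example that is not part of the bug thread and is not NSS code: a lookup takes its reference while the lock is held, and a remove unlinks under the lock and passes the table's reference to the caller, who can release it after unlocking. All names (`item_t`, `table_get`, `table_add`, `item_decref`) and the slot layout are hypothetical.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
/* Added illustration with hypothetical names; this is not libpkix code. */
typedef struct { atomic_int refs; unsigned key; int value; } item_t;
enum op { LOOKUP, REMOVE };
#define NSLOTS 8
static pthread_mutex_t table_lock = PTHREAD_MUTEX_INITIALIZER;
static item_t *table[NSLOTS];  /* each non-NULL slot owns one reference */
static atomic_int live_items;  /* allocated minus freed, for checking */

static void item_decref(item_t *it) {   /* needs no table lock */
    if (!it || atomic_fetch_sub(&it->refs, 1) != 1) return;
    free(it);                           /* that was the last reference */
    atomic_fetch_sub(&live_items, 1);
}

static void table_add(unsigned key, int value) {
    item_t *it = malloc(sizeof *it);
    if (!it) abort();
    atomic_init(&it->refs, 1);          /* the table's own reference */
    it->key = key; it->value = value;
    atomic_fetch_add(&live_items, 1);
    pthread_mutex_lock(&table_lock);
    item_t *old = table[key % NSLOTS];  /* evicted entry, if any */
    table[key % NSLOTS] = it;
    pthread_mutex_unlock(&table_lock);
    item_decref(old);                   /* its table reference is now ours */
}

static item_t *table_get(unsigned key, enum op op) {
    pthread_mutex_lock(&table_lock);
    item_t *it = table[key % NSLOTS];
    if (!it || it->key != key) it = NULL;
    else if (op == LOOKUP) atomic_fetch_add(&it->refs, 1); /* new ref, under lock */
    else table[key % NSLOTS] = NULL;    /* unlink: table's ref moves to caller */
    pthread_mutex_unlock(&table_lock);
    return it;
}

static int demo(void) {   /* fixed interleaving of a reader and a remover */
    table_add(42, 7);
    item_t *held = table_get(42, LOOKUP);   /* refs == 2 */
    item_decref(table_get(42, REMOVE));     /* after unlock: refs == 1 */
    int v = held->value;                    /* still valid */
    item_decref(held);                      /* refs == 0, freed */
    return v;
}

int main(void) { return demo() == 7 ? 0 : 1; }
```

The hazardous ordering would be a lookup that returns the pointer and only increments after unlocking, since a remove and release could run in between.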
Removing blocking-b2g flag because there is a wallpaper fix in bug 787155.
blocking-b2g: tef+ → ---
Whiteboard: [tbird crash][b2g-crash][eta:2013-04-19][madrid]

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME