Updates:
Status: Assigned
Owner: [email protected]
Comment #2 on issue 30119 by [email protected]: Crash on
net::CertVerifier::Request::DoVerify
http://code.google.com/p/chromium/issues/detail?id=30119
Will has a core file
pkcs11.c:3400 in NSS is:
3392     do {
3393         PZLock *lock;
3394         do {
3395             sessionID = (PR_AtomicIncrement(&slot->sessionIDCount) & 0xffffff)
3396                                 | (slot->index << 24);
3397         } while (sessionID == CK_INVALID_HANDLE);
3398         lock = SFTK_SESSION_LOCK(slot,sessionID);
3399         PZ_Lock(lock);
3400         sftkqueue_find(sameID, sessionID, slot->head, slot->sessHashSize);
3401         if (sameID == NULL) {
3402             session->handle = sessionID;
3403             sftk_update_state(slot, session);
3404             sftkqueue_add(session, sessionID, slot->head,slot->sessHashSize);
3405         } else {
3406             slot->sessionIDConflict++; /* for debugging */
3407         }
3408         PZ_Unlock(lock);
3409     } while (sameID != NULL);
sftkqueue_find is a macro defined as:
471 #define sftkqueue_find(element,id,head,hash_size) \
472     for( (element) = (head)[sftk_hash(id,hash_size)]; (element) != NULL; \
473                             (element) = (element)->next) { \
474         if ((element)->handle == (id)) { break; } }
The values of the four arguments at the crash are:
sameID/element: (SFTKSession *) 0x6100670070006f
sessionID/id: 24926
slot->head/head: (SFTKSession **) 0x7fffec708700
slot->sessHashSize/hash_size: 32
The contents of *slot look sane:
(gdb) p *slot
$35 = {slotID = 1, slotLock = 0x7fffec697dc0, sessionLock = 0x7ffff7e6a7f0,
numSessionLocks = 1, sessionLockMask = 0, objectLock = 0x7fffec697c60,
pwCheckLock = 0x7fffec697bb0, present = 1, hasTokens = 0, isLoggedIn = 0,
ssoLoggedIn = 0, needLogin = 0, DB_loaded = 0, readOnly = 0,
optimizeSpace = 1, certDB = 0x0, keyDB = 0x0, minimumPinLen = 0,
sessionIDCount = 24926, sessionIDConflict = 0, sessionCount = 56,
rwSessionCount = 0, sessionObjectHandleCount = 3215, index = 0,
tokObjHashTable = 0x7fffed3ade40, sessObjHashTable = 0x7fffec708800,
sessObjHashSize = 32, head = 0x7fffec708700, sessHashSize = 32,
tokDescription = "NSS Generic Crypto Services ",
updateTokDescription = ' ' <repeats 32 times>,
slotDescription = "NSS Internal Cryptographic Services", ' ' <repeats 29 times>}
sftk_hash(id,hash_size) = sftk_hash(24926, 32) = 22
The first element in that hash table bucket is bad, which caused the crash:
(gdb) p slot->head[22]
$36 = (SFTKSession *) 0x7fffec8f5b40
(gdb) p *slot->head[22]
$37 = {next = 0x6100670070006f, prev = 0x74006500670064,
handle = 32088624094183471, refCount = 6553708,
objectLock = 0x3d007700650069, objectIDCount = 7536746, info = {
slotID = 29555336417443840, state = 429503348858, flags = 4,
ulDeviceError = 0}, notify = 0x7ffff536c0d0 <pk11_notify>,
appData = 0x7fffec535340, slot = 0x7fffec689280, search = 0x0,
enc_context = 0x7fffee9c4dc0, hash_context = 0x0, sign_context = 0x0,
objects = {0x0}}
(gdb) p slot->head[22]->next
$38 = (SFTKSession *) 0x6100670070006f
(gdb) p sameID
$39 = (SFTKSession *) 0x6100670070006f
(gdb) p *slot->head[22]->next
Cannot access memory at address 0x6100670070006f
I inspected all the other elements in the slot->head hash table.
They all look sane. (See the attached file slot-head.txt.) So
slot->head[22] is the only corrupted element. The neighboring
buckets have one element each and they are:
(gdb) p *slot->head[21]
$85 = {next = 0x0, prev = 0x0, handle = 19409, refCount = 1,
objectLock = 0x7fffec5b3000, objectIDCount = 1, info = {slotID = 1,
state = 0, flags = 4, ulDeviceError = 0},
notify = 0x7ffff536c0d0 <pk11_notify>, appData = 0x7fffec535340,
slot = 0x7fffec689280, search = 0x0, enc_context = 0x7fffec74bf00,
hash_context = 0x0, sign_context = 0x0, objects = {0x0}}
(gdb) p *slot->head[23]
$87 = {next = 0x0, prev = 0x0, handle = 43, refCount = 1,
objectLock = 0x7fffec83be70, objectIDCount = 1, info = {slotID = 1,
state = 0, flags = 4, ulDeviceError = 0},
notify = 0x7ffff536c0d0 <pk11_notify>, appData = 0x7fffec535340,
slot = 0x7fffec689280, search = 0x0, enc_context = 0x0, hash_context = 0x0,
sign_context = 0x0, objects = {0x7fffece19848}}
So only some of the fields in slot->head[22] are corrupted.
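A bounded consistency walk over the session hash table, added here as an example (it is neither NSS code nor part of the bug comment): it rebuilds the three buckets from the gdb dump with constructed nodes and reports bucket 22 without dereferencing the garbage next pointer that sftkqueue_find would follow blindly. Assumed: a cut-down SFTKSession layout, x86-64 user-space addresses, and the hypothetical names plausible_ptr, bucket_ok, sftkqueue_check and check_page_table.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Cut-down model of an NSS session node: only the fields read here (assumed layout). */
typedef struct SFTKSession { struct SFTKSession *next, *prev; uint64_t handle; int refCount; } SFTKSession;

/* Heuristic for x86-64 user space: a live heap pointer is NULL, or pointer-aligned and
 * below the 47-bit canonical limit. The page's next = 0x6100670070006f fails both. */
static int plausible_ptr(const void *p) {
    uintptr_t v = (uintptr_t)p;
    return p == NULL || (v % sizeof(void *) == 0 && v >= 0x10000 && v < ((uintptr_t)1 << 47));
}

/* Return 1 if the chain at s is intact, 0 at the first node that cannot be trusted.
 * Unlike sftkqueue_find, it validates each pointer before following it. */
static int bucket_ok(SFTKSession *s, unsigned max_len) {
    SFTKSession *prev = NULL;
    for (unsigned n = 0; s != NULL; prev = s, s = s->next, n++) {
        if (!plausible_ptr(s) || n >= max_len) return 0;   /* garbage pointer or cycle */
        if (s->prev != prev || s->refCount <= 0) return 0; /* back-link or field clobbered */
    }
    return 1;
}

/* Count corrupt buckets in head[0..hash_size); *first_bad receives the lowest one. */
int sftkqueue_check(SFTKSession **head, unsigned hash_size, int *first_bad) {
    int bad = 0;
    for (unsigned b = 0; b < hash_size; b++) {
        if (bucket_ok(head[b], 1024)) continue;
        if (bad++ == 0 && first_bad) *first_bad = (int)b;
    }
    return bad;
}

/* Constructed replay of the gdb dump: sane single-node buckets 21 and 23, and bucket 22
 * holding the clobbered next/prev/handle/refCount values shown on the page. */
int check_page_table(int *first_bad) {
    static SFTKSession *head[32];
    static SFTKSession s21 = { NULL, NULL, 19409, 1 }, s23 = { NULL, NULL, 43, 1 }, s22;
    s22.next = (SFTKSession *)(uintptr_t)0x6100670070006fULL;
    s22.prev = (SFTKSession *)(uintptr_t)0x74006500670064ULL;
    s22.handle = 32088624094183471ULL; s22.refCount = 6553708;
    head[21] = &s21; head[22] = &s22; head[23] = &s23;
    return sftkqueue_check(head, 32, first_bad);
}

int main(void) {
    int b = -1, n = check_page_table(&b);
    printf("%d corrupt bucket(s); first at slot->head[%d]\n", n, b); /* 1; 22 */
    return 0;
}
```

The same walk can be run from a gdb Python script against a live core to locate the first bad bucket instead of printing every head[i] by hand.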