
Re: x-www-browser for ultra5 ultra60



On Wed, 2009-03-25 at 07:47 +0100, Julien Cristau wrote:
> I've spent some time looking at this, and I'm a bit worried about
> PKIX_PL_Object_Alloc.  Specifically, sizeof(PKIX_PL_Object) seems to be
> 28 on 32bit, and __alignof__(PKIX_PL_Object) is 4.  PKIX_PL_Object_Alloc
> goes to allocate some space for one PKIX_PL_Object + the size it was
> asked for, and then goes and returns object + 1.  Thus, if
> PKIX_PL_Malloc gives it a 8 byte aligned pointer, PKIX_PL_Object_Alloc
> will return an unaligned address to its caller.  PKIX_PL_OcspResponse's
> size is 56, and it has to be 8 byte aligned on sparc, so it's possible
> this is the problem here.

It'd be nice if someone could try the attached patch on sparc and see if
they can reproduce the browser crash.

Cheers,
Julien
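The arithmetic in the quoted message, as an added example (not NSS code and not the attached patch): a 28-byte toy header stands in for PKIX_PL_Object and a toy payload with an 8-byte-aligned first field stands in for PKIX_PL_OcspResponse. Every name here (toy_header, toy_payload, round_up, padded_header_size, header_from_user, alloc_naive, alloc_aligned) is hypothetical. Besides the forward offset the patch fixes, it also shows the inverse step, recovering the header from a user pointer, which has to use the same padded offset once the allocator stops handing out object + 1.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for PKIX_PL_Object: seven 4-byte fields, so
 * sizeof == 28 and alignment 4 on both 32- and 64-bit hosts, matching
 * the numbers quoted in the message. Not the real NSS layout. */
typedef struct {
    uint32_t magic;
    uint32_t type;
    uint32_t refcount;
    uint32_t flags[4];
} toy_header;
_Static_assert(sizeof(toy_header) == 28, "toy header must be 28 bytes");

/* Hypothetical user object whose first field needs 8-byte alignment,
 * standing in for PKIX_PL_OcspResponse on sparc. */
typedef struct {
    uint64_t producedAt;
    uint32_t status;
} toy_payload;

#define OBJECT_ALIGN 8u   /* alignment the user data must have */

/* Round n up to a multiple of align (align must be a power of two). */
static size_t round_up(size_t n, size_t align)
{
    return (n + align - 1) & ~(align - 1);
}

/* Padded header size; the patch computes the same value as alloc_size - size. */
static size_t padded_header_size(void)
{
    return round_up(sizeof(toy_header), OBJECT_ALIGN);
}

static int is_aligned(const void *p, size_t align)
{
    return ((uintptr_t)p % align) == 0;
}

/* Old scheme: hand out object + 1, i.e. base + 28. malloc returns memory
 * aligned to at least 8, so base + 28 is always 4 mod 8: misaligned. */
static void *alloc_naive(size_t payload_size, void **user)
{
    toy_header *hdr = malloc(sizeof(toy_header) + payload_size);
    if (hdr == NULL)
        return NULL;
    memset(hdr, 0, sizeof(toy_header));
    *user = hdr + 1;
    return hdr;
}

/* Patched scheme: pad the header to OBJECT_ALIGN so the payload inherits
 * malloc's alignment. */
static void *alloc_aligned(size_t payload_size, void **user)
{
    size_t header_size = padded_header_size();
    toy_header *hdr = malloc(header_size + payload_size);
    if (hdr == NULL)
        return NULL;
    memset(hdr, 0, header_size);
    *user = (char *)hdr + header_size;
    return hdr;
}

/* Walking back from user data to the header must use the same padded
 * offset; ((toy_header *)user) - 1 would land 4 bytes inside the header. */
static toy_header *header_from_user(void *user)
{
    return (toy_header *)((char *)user - padded_header_size());
}

/* 1 if the naive scheme's payload pointer is 8-byte aligned, 0 if not,
 * -1 on allocation failure. */
static int naive_payload_aligned(void)
{
    void *user = NULL;
    void *base = alloc_naive(sizeof(toy_payload), &user);
    if (base == NULL)
        return -1;
    int ok = is_aligned(user, OBJECT_ALIGN);
    free(base);
    return ok;
}

/* 1 if the padded scheme yields an aligned payload and header_from_user
 * recovers exactly the allocated base, 0 otherwise, -1 on failure. */
static int aligned_payload_ok(void)
{
    void *user = NULL;
    void *base = alloc_aligned(sizeof(toy_payload), &user);
    if (base == NULL)
        return -1;
    int ok = is_aligned(user, OBJECT_ALIGN) && header_from_user(user) == base;
    free(base);
    return ok;
}

int main(void)
{
    printf("header %zu bytes, padded to %zu\n", sizeof(toy_header), padded_header_size());
    printf("naive payload aligned: %d\n", naive_payload_aligned());
    printf("padded payload aligned, header recoverable: %d\n", aligned_payload_ok());
    return 0;
}
```

Build with `cc -std=c11 -Wall example.c`. The naive result is deterministic on any host, not just sparc, because malloc guarantees at least 8-byte alignment and 28 is 4 mod 8; sparc is merely where the misaligned 8-byte load traps instead of being silently tolerated.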
diff -u nss-3.12.2.with.ckbi.1.73/debian/changelog nss-3.12.2.with.ckbi.1.73/debian/changelog
--- nss-3.12.2.with.ckbi.1.73/debian/changelog
+++ nss-3.12.2.with.ckbi.1.73/debian/changelog
@@ -1,3 +1,9 @@
+nss (3.12.2.with.ckbi.1.73-2) UNRELEASED; urgency=low
+
+  * Make sure PKIX_PL_Object_Alloc returns an aligned pointer.
+
+ -- Julien Cristau <jcristau@debian.org>  Wed, 25 Mar 2009 08:38:37 +0100
+
 nss (3.12.2.with.ckbi.1.73-1) unstable; urgency=low
 
   * debian/patches/38_kbsd.dpatch: Brown paper bag fix for regression
only in patch2:
unchanged:
--- nss-3.12.2.with.ckbi.1.73.orig/mozilla/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_object.c
+++ nss-3.12.2.with.ckbi.1.73/mozilla/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_object.c
@@ -561,6 +561,7 @@
 {
         PKIX_PL_Object *object = NULL;
         pkix_ClassTable_Entry *ctEntry = NULL;
+        PKIX_UInt32 alloc_size;
 
         PKIX_ENTER(OBJECT, "PKIX_PL_Object_Alloc");
         PKIX_NULLCHECK_ONE(pObject);
@@ -605,17 +606,20 @@
         
         PORT_Assert(size == ctEntry->typeObjectSize);
 
-        /* Allocate space for the object header and the requested size */
+        /* Allocate space for the object header and the requested size,
+         * and make sure that we return an aligned pointer */
+        alloc_size = ((sizeof(PKIX_PL_Object) + 7) & ~7) + size;
+
 #ifdef PKIX_OBJECT_LEAK_TEST       
         PKIX_CHECK(PKIX_PL_Calloc
                     (1,
-                    ((PKIX_UInt32)sizeof (PKIX_PL_Object))+size,
+                    alloc_size,
                     (void **)&object,
                     plContext),
                     PKIX_MALLOCFAILED);
 #else
         PKIX_CHECK(PKIX_PL_Malloc
-                    (((PKIX_UInt32)sizeof (PKIX_PL_Object))+size,
+                    (alloc_size,
                     (void **)&object,
                     plContext),
                     PKIX_MALLOCFAILED);
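Review bot: the alignment constant is hard-coded in `alloc_size = ((sizeof(PKIX_PL_Object) + 7) & ~7) + size;` and then reused implicitly in the later pointer-offset hunk as `alloc_size - size`; computing the padded header size once, in a named macro or a local such as `header_size`, would keep the two in step and make the platform requirement (8 bytes on sparc, per the quoted message) visible. The old code also cast `sizeof` to PKIX_UInt32 explicitly; the new line converts size_t to PKIX_UInt32 implicitly, so `alloc_size = (PKIX_UInt32)((sizeof(PKIX_PL_Object) + 7) & ~7) + size;` would avoid a narrowing warning.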
@@ -641,7 +645,7 @@
 
 
         /* Return a pointer to the user data. Need to offset by object size */
-        *pObject = object + 1;
+        *pObject = (PKIX_PL_Object *)((((char*)object) + alloc_size - size));
         object = NULL;
 
         /* Atomically increment object counter */
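Review bot: only the forward step from header to user data changes in this hunk; any code that recovers the PKIX_PL_Object header from a user pointer by inverting the old `*pObject = object + 1;` (i.e. `object - 1`) would now point 4 bytes into the real header on 32-bit, where sizeof(PKIX_PL_Object) is 28 and the padded offset is 32, and no such change is in this patch. Please confirm the reverse mapping is handled or uses the same padded size. Style: `(PKIX_PL_Object *)((((char*)object) + alloc_size - size))` has redundant parentheses; with a `header_size` computed once it reads as `(PKIX_PL_Object *)((char *)object + header_size)`.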
