Re: x-www-browser for ultra5 ultra60
On Wed, 2009-03-25 at 07:47 +0100, Julien Cristau wrote:
> I've spent some time looking at this, and I'm a bit worried about
> PKIX_PL_Object_Alloc. Specifically, sizeof(PKIX_PL_Object) seems to be
> 28 on 32-bit, and __alignof__(PKIX_PL_Object) is 4. PKIX_PL_Object_Alloc
> goes to allocate some space for one PKIX_PL_Object + the size it was
> asked for, and then goes and returns object + 1. Thus, if
> PKIX_PL_Malloc gives it an 8-byte aligned pointer, PKIX_PL_Object_Alloc
> will return an unaligned address to its caller. PKIX_PL_OcspResponse's
> size is 56, and it has to be 8-byte aligned on sparc, so it's possible
> this is the problem here.
It'd be nice if someone could try the attached patch on sparc and see if
they can reproduce the browser crash.
Cheers,
Julien
diff -u nss-3.12.2.with.ckbi.1.73/debian/changelog nss-3.12.2.with.ckbi.1.73/debian/changelog
--- nss-3.12.2.with.ckbi.1.73/debian/changelog
+++ nss-3.12.2.with.ckbi.1.73/debian/changelog
@@ -1,3 +1,9 @@
+nss (3.12.2.with.ckbi.1.73-2) UNRELEASED; urgency=low
+
+ * Make sure PKIX_PL_Object_Alloc returns an aligned pointer.
+
+ -- Julien Cristau <jcristau@debian.org> Wed, 25 Mar 2009 08:38:37 +0100
+
nss (3.12.2.with.ckbi.1.73-1) unstable; urgency=low
* debian/patches/38_kbsd.dpatch: Brown paper bag fix for regression
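Review bot: the new changelog entry "Make sure PKIX_PL_Object_Alloc returns an aligned pointer." gives no bug reference and does not name the architecture, although the mail ties the change to a browser crash on sparc; add the bug number (e.g. "Closes: #BUGNUMBER", placeholder) and mention sparc so the entry can be traced back to the report once it is released.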
only in patch2:
unchanged:
--- nss-3.12.2.with.ckbi.1.73.orig/mozilla/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_object.c
+++ nss-3.12.2.with.ckbi.1.73/mozilla/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_object.c
@@ -561,6 +561,7 @@
{
PKIX_PL_Object *object = NULL;
pkix_ClassTable_Entry *ctEntry = NULL;
+ PKIX_UInt32 alloc_size;
PKIX_ENTER(OBJECT, "PKIX_PL_Object_Alloc");
PKIX_NULLCHECK_ONE(pObject);
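Review bot: style point on the declaration `PKIX_UInt32 alloc_size;`: it is added uninitialised and only assigned much later in the function, after several PKIX_CHECK macros that can jump to cleanup; initialising it to 0 here costs nothing, keeps any later use on an early-exit path deterministic and avoids a maybe-uninitialized warning.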
@@ -605,17 +606,20 @@
PORT_Assert(size == ctEntry->typeObjectSize);
- /* Allocate space for the object header and the requested size */
+ /* Allocate space for the object header and the requested size,
+ * and make sure that we return an aligned pointer */
+ alloc_size = ((sizeof(PKIX_PL_Object) + 7) & ~7) + size;
+
#ifdef PKIX_OBJECT_LEAK_TEST
PKIX_CHECK(PKIX_PL_Calloc
(1,
- ((PKIX_UInt32)sizeof (PKIX_PL_Object))+size,
+ alloc_size,
(void **)&object,
plContext),
PKIX_MALLOCFAILED);
#else
PKIX_CHECK(PKIX_PL_Malloc
- (((PKIX_UInt32)sizeof (PKIX_PL_Object))+size,
+ (alloc_size,
(void **)&object,
plContext),
PKIX_MALLOCFAILED);
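Review bot: the rounding in `alloc_size = ((sizeof(PKIX_PL_Object) + 7) & ~7) + size;` hard-codes 8-byte alignment; that is all the quoted sparc analysis needs, but an ABI whose strictest type requires 16 would still receive a misaligned user pointer. Suggest naming the rounded header size (a macro or static const) and deriving the alignment from the platform's maximum alignment rather than the literal 7. Two smaller points: the `(PKIX_UInt32)` cast the old expression had is dropped, so the `size_t` result of `sizeof` now narrows implicitly, and the header + `size` sum can still wrap for a very large `size` (pre-existing, but a cheap check to add while touching this line).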
@@ -641,7 +645,7 @@
/* Return a pointer to the user data. Need to offset by object size */
- *pObject = object + 1;
+ *pObject = (PKIX_PL_Object *)((((char*)object) + alloc_size - size));
object = NULL;
/* Atomically increment object counter */
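Review bot: `*pObject = (PKIX_PL_Object *)((((char*)object) + alloc_size - size));` moves the user pointer to the rounded header size, but nothing in this diff updates the reverse direction; under the old layout the header could be found with `object - 1` style arithmetic, and any such code elsewhere in pkix_pl_object.c must now use the same rounded offset or it will read the header 4 bytes off. Please check for that, and define the rounded header size once so the allocation and this line (and any reverse mapping) share it; that also replaces the `alloc_size - size` arithmetic and its double parentheses with a single named constant.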
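The alignment arithmetic from the quoted analysis, as an added example in C (it is not part of the mail, of the patch, or of NSS). It takes the header size and the required alignment as parameters because the 28/4/8 figures are from the 32-bit sparc build and differ on 64-bit hosts; `rounded_header_size`, `old_user_offset`, `misalignment`, `alloc_with_header`, `base_from_user` and `roundtrip_ok` are hypothetical names, and the 0x1000 base address is a constructed stand-in for what malloc() returns. It goes beyond the patch in two ways: the alignment is a parameter instead of the literal 8, and it shows the reverse mapping from user pointer back to the allocation base, which must use the same rounded offset as the allocation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Round a header size up to a multiple of align (a power of two). With
 * align == 8 this is exactly the ((x + 7) & ~7) expression in the patch. */
size_t rounded_header_size(size_t header, size_t align)
{
    return (header + align - 1) & ~(align - 1);
}

/* Under the old scheme the user pointer was `object + 1`, i.e. the
 * allocation base plus the unrounded header size. */
size_t old_user_offset(size_t header)
{
    return header;
}

/* Bytes by which (base + offset) misses `align`; base is a hypothetical
 * allocation address so the result does not depend on the local malloc. */
size_t misalignment(uintptr_t base, size_t offset, size_t align)
{
    return (size_t)((base + offset) % align);
}

/* Allocate a header plus `size` bytes of user data laid out like the patched
 * PKIX_PL_Object_Alloc, and return the user pointer (NULL on overflow or
 * allocation failure). The caller frees via base_from_user(). */
void *alloc_with_header(size_t header, size_t size, size_t align)
{
    size_t hdr = rounded_header_size(header, align);
    if (size > SIZE_MAX - hdr)   /* the header + size addition must not wrap */
        return NULL;
    char *base = malloc(hdr + size);
    return base ? base + hdr : NULL;
}

/* Reverse mapping from user pointer to allocation base. It must use the same
 * rounded header size as the allocation; `object - 1` style arithmetic on the
 * unrounded header would land 4 bytes inside the header in the 28/8 case. */
void *base_from_user(void *user, size_t header, size_t align)
{
    return (char *)user - rounded_header_size(header, align);
}

/* Allocate, check alignment and the round trip, free. Returns 1 on success. */
int roundtrip_ok(size_t header, size_t size, size_t align)
{
    void *user = alloc_with_header(header, size, align);
    if (user == NULL)
        return 0;
    void *base = base_from_user(user, header, align);
    int ok = ((uintptr_t)user % align == 0) &&
             ((size_t)((char *)user - (char *)base) ==
              rounded_header_size(header, align));
    free(base);
    return ok;
}

int main(void)
{
    /* The numbers from the mail: 28-byte header, malloc() returning an
     * 8-byte aligned block (constructed base address 0x1000), and a type
     * (PKIX_PL_OcspResponse) that needs 8-byte alignment. */
    const size_t header = 28, need = 8;
    const uintptr_t base = 0x1000;

    printf("old scheme:  offset %zu, misaligned by %zu\n",
           old_user_offset(header),
           misalignment(base, old_user_offset(header), need));
    printf("patched:     offset %zu, misaligned by %zu\n",
           rounded_header_size(header, need),
           misalignment(base, rounded_header_size(header, need), need));
    /* Rounding to the platform's strictest alignment instead of a fixed 8
     * keeps the layout correct on ABIs that require 16. */
    printf("max_align_t: offset %zu\n",
           rounded_header_size(header, _Alignof(max_align_t)));
    printf("round trip:  %s\n", roundtrip_ok(header, 56, need) ? "ok" : "FAILED");
    return 0;
}
```

Run as is it prints that the old offset of 28 from an 8-aligned base is misaligned by 4 bytes while the rounded offset of 32 is aligned, which is the mechanism behind the sparc crash the mail describes; the overflow guard in `alloc_with_header` is the check the patched addition `((sizeof(PKIX_PL_Object) + 7) & ~7) + size` does not have.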