Closed Bug 311269 Opened 19 years ago Closed 19 years ago

Crash on my.yahoo.com when sending password request [@ nsSHEntry::ContentInserted] [@ nsSHEntry::DropPresentationState] [@ nsSHEntry::DocumentMutated]

Categories

(Core :: DOM: Navigation, defect)

Product:
Core
Component:
DOM: Navigation
Version:
1.8 Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: marcia, Assigned: sicking)

References

(
URL
)

Details

(4 keywords, Whiteboard: [sg:fix])

Crash Data

Attachments

(4 files)

stack trace from talkback report
3.53 KB, text/plain
Details
another stack with one more line at the top
2.15 KB, text/plain
Details
back out 292962
2.62 KB, patch
Details | Diff | Splinter Review
Set up mutation observer at right place
2.66 KB, patch
bryner
: review+
bryner
: superreview+
asa
: approval1.8rc1+
Details | Diff | Splinter Review 
From Asa's blog, I filed this bug because we are getting numerous reports:

Build 2005100418 for Mac OS X crashed on http://my.yahoo.com each time I tried
to send the password via the request form of the my.yahoo.com e-mail module,
which is NOT the standard login of my.yahoo.com. The nightly of 2005-10-03 (06
or 07, can't remember) didn't have that problem.

I also am getting a consistent crash visiting store.mozilla.org site and logging
in. I can reproduce this 100% on the 2005100418 Mac build but not on the 2005103
build.

The first lines of my Apple stack show commonality with the yahoo stack trace -
nsSHEentry:

1 org.mozilla.firefox 0x002f1610 nsSHEntry::DocumentMutated() + 224
2 org.mozilla.firefox 0x001b159c nsDocument::ContentRemoved(nsIContent*,
nsIContent*, int) + 140
3 org.mozilla.firefox 0x00248e60 nsGenericElement::RemoveChildAt(unsigned, int)
+ 856
Severity: normal → critical
Keywords: regression
Some folks have suggested that this might be related to Bug 292962
Blocks: 292962
This crash accounts for at least 11 of the 24 crashes reported against the
2005-10-04-18 branch builds of Firefox:
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=1&searchby=stacksig&match=contains&searchfor=&vendor=All&product=Firefox15&platform=All&buildid=2005100418&sdate=10%2F04%2F2005&stime=10%3A00%3A00&edate=&etime=&sortby=bbid

This crash looks exploitabe.
URL: http://my.yahoo.com/
Flags: blocking1.8b5?
Keywords: topcrash
Summary: Crash on my.yahoo.com when sending password request → Crash on my.yahoo.com when sending password request [@ nsSHEntry::ContentInserted] [@ nsSHEntry::DropPresentationState] [@ nsSHEntry::DocumentMutated]
Group: security
Flags: blocking1.8b5? → blocking1.8b5+
cc'ing some people that were involved at bug 292962. Sounds like we have to get
this fixed for beta 2. 
This is all platforms.
OS: MacOS X → All
Hardware: Macintosh → All
Component: General → History: Session
Product: Firefox → Core
QA Contact: general → history.session
Version: 1.5 Branch → 1.8 Branch
Whiteboard: [sg:fix]
Assignee: nobody → bugmail
So.. we should really not be triggering on the DOM mutations Sanitize()
triggers, at the very least.
No, we shouldn't, or most pages won't be cached.
That's what both stacks are showing -- we hit a DOM mutation from inside
Sanitize(), which causes us to drop everything.  Not sure why that crashes, but...
Group: security
Attached patch back out 292962Splinter Review 
After a mini pow-wow with bryner and Asa. We think we should just back out
292962, respin some bits so we have something that doesn't crash for our end
users.

292962 wasn't fixing any known bug or crash.

This at least gives us a build in hand we can ship with as a backup plan.
backed out on the branch for now. 
Ok, this is wrong on many levels

1. We set up the mutation-observer before we sanitize the document (wrong)
2. The sanitation causes document mutations (why?)
3. We end up in nsSHEntry::DropPresentationState which sets
   mContentViewer = nsnull
   where mContentViewer is 0xdddddddd  (why)

Still looking, but there are bigger problems here then just bug 292962
> 2. The sanitation causes document mutations (why?)

It resets the value of inputs, which means modifying the anonymous content
inside the editor.  That notification goes to the document observers, of course.

>   where mContentViewer is 0xdddddddd  (why)

Sounds like the nsSHEntry has been deleted.  Presumably, the only ref being held
to it at this point is by the content viewer, so it dies when
mContentViewer->ClearHistoryEntry() is called...
Ok, so what happens is that we first set up the mutationobserver. We then
sanitize the document causing a mutation and DropPresentationState is called.
The first thing it does is to tell the contentviewer to release the reference to
the SHEntry. However the contentviewer holds the last entry to the SHEntry and
so the SHEntry dies. When DropPresentationState then continues all members are
of course deleted.

Working on a patch now.
So I can fix 1 and I understand 2, but 3 is still a mystery to me. If i put a
breakpoint in nsDocumentViewerImpl::Destroy mSHEntry usually has a refcount of
2. However on the page where the crash happens the refcount is for some reason
1. So even once i've fixed the observer to be set up at the right time we are
still going to go through a bunch of hassle to save the presentation in the
SHEntry and then just delete the SHEntry when the contentviewer releases its
reference to it.

I'll file that as a new bug, but ideas are welcome.
I think we want this patch either way. Without it there is going to be a lot of
pages that we don't store in the bfcache. Specifically all pages with forms
modified by the user (not sure the 'modified by user' requirement is there
even)
Attachment #198647 - Flags: superreview?(bryner)
Attachment #198647 - Flags: review?(bryner)
Btw, steps I used to reproduce:

1. Enter the mozilla store.
2. If you are logged in, log out.
3. Click the 'My Account' link.
4. Enter a bogus email and passwd and press 'sign in'
5. Repeat 4

I always crash when pressing 'sign in' the second time.
So the reason the SHEntry is about to die is that we're doing a LOAD_LINK load
of the same URI.  We get into nsDocShell::OnNewURI (called from
CreateContentViewer _after_ the last time we check CanSavePresentation) and this
resets mLoadType to LOAD_NORMAL_REPLACE (see line 7278).  So we save the
presentation in the old SHEntry, then do a replace and drop the old SHEntry on
the floor.
anyone on this cc list - if you can please try to reproduce the crash on
my.yahoo.com on the new set of builds we just put out -
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2005-10-05-18-mozilla1.8/.
It should no longer crash due to a backout.

On the Mac build from that directory, I no longer see the store.mozilla.org crash.
crash on store.mozilla.org confirmed with 2005100504 linux build, 2005100517 is ok
I wrote the comment on Asa's blog you quoted. 

With the Build 2005100518 on MAC the password request form of the my.yahoo.com
email module works perfectly again. Not the slightest problem anymore, thanks!!
No problem with the Build 2005100517 on WinXP Pro SP2 either.

Dex
*** Bug 311144 has been marked as a duplicate of this bug. ***
*** Bug 311351 has been marked as a duplicate of this bug. ***
someone label this with the keyword:

fixed1.8
Comment on attachment 198647 [details] [diff] [review]
Set up mutation observer at right place

Would be nice if we could avoid the kungFuDeathGrip, but that's fairly
difficult when both the SHEntry and the ContentViewer are going to be
destroyed.
Attachment #198647 - Flags: superreview?(bryner)
Attachment #198647 - Flags: superreview+
Attachment #198647 - Flags: review?(bryner)
Attachment #198647 - Flags: review+
putting the keyword back. This was fixed for 1.5 Beta 2 by backing out 292962.
We need this keyword or it shows up as a blocker which hasn't been checked in
yet in our queries. Please don't remove it.
Keywords: fixed1.8
Comment on attachment 198647 [details] [diff] [review]
Set up mutation observer at right place

So I think we should land this for 1.8.

Without this patch we will never put pages with password fields or fields with
autocomplete=off in the bfcache.

Not sure if we should try to also reland the patch that got backed out, though
this patch does fix the crash that we saw on two levels.
Attachment #198647 - Flags: approval1.8rc1?
Fwiw, I think we should take 292962 if there are no outstanding issues from it.
Comment on attachment 198647 [details] [diff] [review]
Set up mutation observer at right place

It's too late to make serious changes after beta2 since we won't get any more
serious testing opportunities. The added perf we'd get from this on password
pages isn't worth the risk at this point.
Attachment #198647 - Flags: approval1.8rc1? → approval1.8rc1-
Asa, I'm pretty unhappy about shipping bfcache enabled if we're not planning to
fix bug 292962.  I realize that testing is going to be hard to come by, but then
again I think this bug should have blocked 1.8b5 like it's flagged to...
Flags: blocking1.8b5+
Comment on attachment 198647 [details] [diff] [review]
Set up mutation observer at right place

OK. let's get this landed ASAP.
Attachment #198647 - Flags: approval1.8rc1- → approval1.8rc1+
Flags: blocking1.8rc1+
Keywords: fixed1.8
Does this mean that we want to reverse the backout done on the branch too?
yup, we plussed 292962 again for the branch so it can be re-landed.
done and done
Status: NEW → RESOLVED
Closed: 19 years ago
Keywords: fixed1.8
Resolution: --- → FIXED
Component: History: Session → Document Navigation
QA Contact: history.session → docshell
Crash Signature: [@ nsSHEntry::ContentInserted] [@ nsSHEntry::DropPresentationState] [@ nsSHEntry::DocumentMutated]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: