Closed
Bug 311269
Opened 19 years ago
Closed 19 years ago
Crash on my.yahoo.com when sending password request [@ nsSHEntry::ContentInserted] [@ nsSHEntry::DropPresentationState] [@ nsSHEntry::DocumentMutated]
Categories
(Core :: DOM: Navigation, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: marcia, Assigned: sicking)
References
()
Details
(4 keywords, Whiteboard: [sg:fix])
Crash Data
Attachments
(4 files)
3.53 KB,
text/plain
|
Details | |
2.15 KB,
text/plain
|
Details | |
2.62 KB,
patch
|
Details | Diff | Splinter Review | |
2.66 KB,
patch
|
bryner
:
review+
bryner
:
superreview+
asa
:
approval1.8rc1+
|
Details | Diff | Splinter Review |
From Asa's blog, I filed this bug because we are getting numerous reports: Build 2005100418 for Mac OS X crashed on http://my.yahoo.com each time I tried to send the password via the request form of the my.yahoo.com e-mail module, which is NOT the standard login of my.yahoo.com. The nightly of 2005-10-03 (06 or 07, can't remember) didn't have that problem. I also am getting a consistent crash visiting store.mozilla.org site and logging in. I can reproduce this 100% on the 2005100418 Mac build but not on the 2005103 build. The first lines of my Apple stack show commonality with the yahoo stack trace - nsSHEentry: 1 org.mozilla.firefox 0x002f1610 nsSHEntry::DocumentMutated() + 224 2 org.mozilla.firefox 0x001b159c nsDocument::ContentRemoved(nsIContent*, nsIContent*, int) + 140 3 org.mozilla.firefox 0x00248e60 nsGenericElement::RemoveChildAt(unsigned, int) + 856
Updated•19 years ago
|
Severity: normal → critical
Keywords: regression
Comment 1•19 years ago
|
||
Some folks have suggested that this might be related to Bug 292962
Blocks: 292962
Comment 2•19 years ago
|
||
This crash accounts for at least 11 of the 24 crashes reported against the 2005-10-04-18 branch builds of Firefox: http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=1&searchby=stacksig&match=contains&searchfor=&vendor=All&product=Firefox15&platform=All&buildid=2005100418&sdate=10%2F04%2F2005&stime=10%3A00%3A00&edate=&etime=&sortby=bbid This crash looks exploitabe.
URL: http://my.yahoo.com/
Flags: blocking1.8b5?
Keywords: topcrash
Summary: Crash on my.yahoo.com when sending password request → Crash on my.yahoo.com when sending password request [@ nsSHEntry::ContentInserted] [@ nsSHEntry::DropPresentationState] [@ nsSHEntry::DocumentMutated]
Updated•19 years ago
|
Group: security
Updated•19 years ago
|
Flags: blocking1.8b5? → blocking1.8b5+
Comment 3•19 years ago
|
||
cc'ing some people that were involved at bug 292962. Sounds like we have to get this fixed for beta 2.
Comment 5•19 years ago
|
||
Updated•19 years ago
|
Component: General → History: Session
Product: Firefox → Core
QA Contact: general → history.session
Version: 1.5 Branch → 1.8 Branch
Updated•19 years ago
|
Whiteboard: [sg:fix]
Updated•19 years ago
|
Assignee: nobody → bugmail
Comment 6•19 years ago
|
||
Comment 7•19 years ago
|
||
So.. we should really not be triggering on the DOM mutations Sanitize() triggers, at the very least.
Comment 8•19 years ago
|
||
No, we shouldn't, or most pages won't be cached.
Comment 9•19 years ago
|
||
That's what both stacks are showing -- we hit a DOM mutation from inside Sanitize(), which causes us to drop everything. Not sure why that crashes, but...
Updated•19 years ago
|
Group: security
Comment 10•19 years ago
|
||
After a mini pow-wow with bryner and Asa. We think we should just back out 292962, respin some bits so we have something that doesn't crash for our end users. 292962 wasn't fixing any known bug or crash. This at least gives us a build in hand we can ship with as a backup plan.
Comment 11•19 years ago
|
||
backed out on the branch for now.
Assignee | ||
Comment 12•19 years ago
|
||
Ok, this is wrong on many levels 1. We set up the mutation-observer before we sanitize the document (wrong) 2. The sanitation causes document mutations (why?) 3. We end up in nsSHEntry::DropPresentationState which sets mContentViewer = nsnull where mContentViewer is 0xdddddddd (why) Still looking, but there are bigger problems here then just bug 292962
Comment 13•19 years ago
|
||
> 2. The sanitation causes document mutations (why?) It resets the value of inputs, which means modifying the anonymous content inside the editor. That notification goes to the document observers, of course. > where mContentViewer is 0xdddddddd (why) Sounds like the nsSHEntry has been deleted. Presumably, the only ref being held to it at this point is by the content viewer, so it dies when mContentViewer->ClearHistoryEntry() is called...
Assignee | ||
Comment 14•19 years ago
|
||
Ok, so what happens is that we first set up the mutationobserver. We then sanitize the document causing a mutation and DropPresentationState is called. The first thing it does is to tell the contentviewer to release the reference to the SHEntry. However the contentviewer holds the last entry to the SHEntry and so the SHEntry dies. When DropPresentationState then continues all members are of course deleted. Working on a patch now.
Assignee | ||
Comment 15•19 years ago
|
||
So I can fix 1 and I understand 2, but 3 is still a mystery to me. If i put a breakpoint in nsDocumentViewerImpl::Destroy mSHEntry usually has a refcount of 2. However on the page where the crash happens the refcount is for some reason 1. So even once i've fixed the observer to be set up at the right time we are still going to go through a bunch of hassle to save the presentation in the SHEntry and then just delete the SHEntry when the contentviewer releases its reference to it. I'll file that as a new bug, but ideas are welcome.
Assignee | ||
Comment 16•19 years ago
|
||
I think we want this patch either way. Without it there is going to be a lot of pages that we don't store in the bfcache. Specifically all pages with forms modified by the user (not sure the 'modified by user' requirement is there even)
Attachment #198647 -
Flags: superreview?(bryner)
Attachment #198647 -
Flags: review?(bryner)
Assignee | ||
Comment 17•19 years ago
|
||
Btw, steps I used to reproduce: 1. Enter the mozilla store. 2. If you are logged in, log out. 3. Click the 'My Account' link. 4. Enter a bogus email and passwd and press 'sign in' 5. Repeat 4 I always crash when pressing 'sign in' the second time.
Comment 18•19 years ago
|
||
So the reason the SHEntry is about to die is that we're doing a LOAD_LINK load of the same URI. We get into nsDocShell::OnNewURI (called from CreateContentViewer _after_ the last time we check CanSavePresentation) and this resets mLoadType to LOAD_NORMAL_REPLACE (see line 7278). So we save the presentation in the old SHEntry, then do a replace and drop the old SHEntry on the floor.
Reporter | ||
Comment 19•19 years ago
|
||
anyone on this cc list - if you can please try to reproduce the crash on my.yahoo.com on the new set of builds we just put out - http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2005-10-05-18-mozilla1.8/. It should no longer crash due to a backout. On the Mac build from that directory, I no longer see the store.mozilla.org crash.
Comment 20•19 years ago
|
||
crash on store.mozilla.org confirmed with 2005100504 linux build, 2005100517 is ok
Comment 21•19 years ago
|
||
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2005-10-05-18-mozilla1.8/. On windows cannot repro crash
Comment 22•19 years ago
|
||
I wrote the comment on Asa's blog you quoted. With the Build 2005100518 on MAC the password request form of the my.yahoo.com email module works perfectly again. Not the slightest problem anymore, thanks!! No problem with the Build 2005100517 on WinXP Pro SP2 either. Dex
Comment 23•19 years ago
|
||
*** Bug 311144 has been marked as a duplicate of this bug. ***
Comment 24•19 years ago
|
||
*** Bug 311351 has been marked as a duplicate of this bug. ***
Comment 25•19 years ago
|
||
someone label this with the keyword: fixed1.8
Comment 26•19 years ago
|
||
Comment on attachment 198647 [details] [diff] [review] Set up mutation observer at right place Would be nice if we could avoid the kungFuDeathGrip, but that's fairly difficult when both the SHEntry and the ContentViewer are going to be destroyed.
Attachment #198647 -
Flags: superreview?(bryner)
Attachment #198647 -
Flags: superreview+
Attachment #198647 -
Flags: review?(bryner)
Attachment #198647 -
Flags: review+
Comment 27•19 years ago
|
||
putting the keyword back. This was fixed for 1.5 Beta 2 by backing out 292962. We need this keyword or it shows up as a blocker which hasn't been checked in yet in our queries. Please don't remove it.
Keywords: fixed1.8
Assignee | ||
Comment 28•19 years ago
|
||
Comment on attachment 198647 [details] [diff] [review] Set up mutation observer at right place So I think we should land this for 1.8. Without this patch we will never put pages with password fields or fields with autocomplete=off in the bfcache. Not sure if we should try to also reland the patch that got backed out, though this patch does fix the crash that we saw on two levels.
Attachment #198647 -
Flags: approval1.8rc1?
Comment 29•19 years ago
|
||
Fwiw, I think we should take 292962 if there are no outstanding issues from it.
Comment 30•19 years ago
|
||
Comment on attachment 198647 [details] [diff] [review] Set up mutation observer at right place It's too late to make serious changes after beta2 since we won't get any more serious testing opportunities. The added perf we'd get from this on password pages isn't worth the risk at this point.
Attachment #198647 -
Flags: approval1.8rc1? → approval1.8rc1-
Comment 31•19 years ago
|
||
Asa, I'm pretty unhappy about shipping bfcache enabled if we're not planning to fix bug 292962. I realize that testing is going to be hard to come by, but then again I think this bug should have blocked 1.8b5 like it's flagged to...
Updated•19 years ago
|
Flags: blocking1.8b5+
Comment 32•19 years ago
|
||
Comment on attachment 198647 [details] [diff] [review] Set up mutation observer at right place OK. let's get this landed ASAP.
Attachment #198647 -
Flags: approval1.8rc1- → approval1.8rc1+
Assignee | ||
Comment 33•19 years ago
|
||
Does this mean that we want to reverse the backout done on the branch too?
Comment 34•19 years ago
|
||
yup, we plussed 292962 again for the branch so it can be re-landed.
Assignee | ||
Comment 35•19 years ago
|
||
done and done
Component: History: Session → Document Navigation
QA Contact: history.session → docshell
Updated•13 years ago
|
Crash Signature: [@ nsSHEntry::ContentInserted]
[@ nsSHEntry::DropPresentationState]
[@ nsSHEntry::DocumentMutated]
You need to log in
before you can comment on or make changes to this bug.
Description
•