Closed
Bug 793426
Opened 12 years ago
Closed 11 years ago
crash in NS_GetInnermostURI
Categories
(Core :: Security: CAPS, defect)
RESOLVED
WORKSFORME
People
(Reporter: martijn.martijn, Unassigned)
Details
(Keywords: crash, testcase)
Attachments
(2 files)
This bug was filed from the Socorro interface and is report bp-3a08f037-83b8-47cd-b18f-961ee2120922.
=============================================================
0 xul.dll NS_GetInnermostURI obj-firefox/dist/include/nsNetUtil.h:1639
1 xul.dll NS_SecurityHashURI obj-firefox/dist/include/nsNetUtil.h:1680
2 xul.dll nsScriptSecurityManager::HashPrincipalByOrigin caps/src/nsScriptSecurityManager.cpp:996
3 xul.dll nsPrincipal::GetHashValue caps/src/nsPrincipal.cpp:961
4 xul.dll PrincipalKey::HashKey caps/include/nsScriptSecurityManager.h:99
5 xul.dll nsTHashtable<nsBaseHashtableET<PrincipalKey,nsCOMPtr<nsIPrincipal> > >::s_HashKe obj-firefox/dist/include/nsTHashtable.h:432
6 xul.dll PL_DHashTableOperate obj-firefox/xpcom/build/pldhash.cpp:576
7 xul.dll nsTHashtable<nsPtrHashKey<nsObjectFrame> >::GetEntry obj-firefox/dist/include/nsTHashtable.h:149
8 xul.dll nsRefPtrHashtable<nsPtrHashKey<PRThread>,nsThread>::Get obj-firefox/dist/include/nsInterfaceHashtable.h:90
9 xul.dll nsScriptSecurityManager::GetCodebasePrincipalInternal caps/src/nsScriptSecurityManager.cpp:2068
10 xul.dll nsScriptSecurityManager::GetNoAppCodebasePrincipal caps/src/nsScriptSecurityManager.cpp:2011

See testcase, which uses specialpowers. The testcase crashes on permissionmanager.testPermission({}, "");
Updated•12 years ago
Comment 1•12 years ago
So the real problem here is that XPConnect manufactures a completely bogus nsIURI impl for us here. Then we construct a principal for it. Then we try to hash the URI, and hit this code:

1635     NS_PRECONDITION(uri, "Must have URI");
1636
1637     nsCOMPtr<nsINestedURI> nestedURI(do_QueryInterface(uri));
1638     if (!nestedURI) {
1639         NS_ADDREF(uri);
1640         return uri;
1641     }

This is crashing with a null-deref on the NS_ADDREF. So presumably uri is null? I wonder how that happened, actually...

Martijn, how do I actually run this testcase?
Reporter
Comment 2•12 years ago
With the specialpowers extension: http://people.mozilla.org/~mwargers/extensions/specialpowers/specialpowers.xpi
Comment 3•12 years ago
The problem is in nsScriptSecurityManager::HashPrincipalByOrigin. The code looks like this:

992     nsCOMPtr<nsIURI> uri;
993     aPrincipal->GetDomain(getter_AddRefs(uri));
994     if (!uri)
995         aPrincipal->GetURI(getter_AddRefs(uri));
996     return SecurityHashURI(uri);

But GetURI can return null if the URI could not be marked immutable, which will be the case with the bogo-URI here.

We really need to switch to always-immutable URIs. :(
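The null path described in Comment 3, as an added example that is not part of the bug thread and is not Mozilla's code: a simplified C++ model in which `Uri`, `Principal`, `InnermostURI`, `HashPrincipalUnchecked` and `HashPrincipalChecked` are hypothetical stand-ins. Returning 0 for a principal with no usable URI is an assumption made for the illustration, not a fix that landed for this bug.

```cpp
#include <cstdint>
#include <functional>
#include <memory>
#include <string>

// Simplified stand-ins (hypothetical names, not Gecko types).
struct Uri {
    std::string spec;
    std::shared_ptr<Uri> inner;   // set only for nested URIs
};
using UriPtr = std::shared_ptr<Uri>;

struct Principal {
    UriPtr domain;     // may be unset
    UriPtr codebase;
    bool immutable;    // models "the URI could be marked immutable"
    UriPtr GetDomain() const { return domain; }
    // Like the getter in Comment 3: yields null when the URI is not immutable.
    UriPtr GetURI() const { return immutable ? codebase : nullptr; }
};

// Walks to the innermost URI. Precondition: uri is non-null.
UriPtr InnermostURI(UriPtr uri) {
    while (uri->inner) uri = uri->inner;
    return uri;
}

uint32_t SecurityHashURI(const UriPtr& uri) {
    return static_cast<uint32_t>(std::hash<std::string>{}(InnermostURI(uri)->spec));
}

// Shape of the code quoted in Comment 3: nothing checks the fallback getter's
// result, so a null URI reaches InnermostURI and is dereferenced there.
uint32_t HashPrincipalUnchecked(const Principal& p) {
    UriPtr uri = p.GetDomain();
    if (!uri) uri = p.GetURI();
    return SecurityHashURI(uri);
}

// Checked variant: a principal with no usable URI lands in a fixed bucket.
uint32_t HashPrincipalChecked(const Principal& p) {
    UriPtr uri = p.GetDomain();
    if (!uri) uri = p.GetURI();
    if (!uri) return 0;   // assumption: 0 is an acceptable "no URI" hash
    return SecurityHashURI(uri);
}
```

A fixed hash for the null case is only safe if the table's equality comparison also tolerates a null URI, since every such principal collides into the same bucket.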
Reporter
Comment 4•11 years ago
I had to update the testcase, because Components doesn't exist anymore in content.
This testcase doesn't seem to crash anymore in trunk, I'm now getting this js error in the console:

Timestamp: 5/20/13 1:57:47 AM
Error: [Exception... "'JavaScript component does not have a method named: "clone"' when calling method: [nsIURI::clone]" nsresult: "0x80570030 (NS_ERROR_XPC_JSOBJECT_HAS_NO_FUNCTION_NAMED)" location: "JS frame :: chrome://specialpowers/content/specialpowersAPI.js :: doApply :: line 83" data: no]
Source File: chrome://specialpowers/content/specialpowersAPI.js
Line: 83

Timestamp: 5/20/13 1:57:47 AM
Error: [Exception... "'JavaScript component does not have a method named: "clone"' when calling method: [nsIURI::clone]" nsresult: "0x80570030 (NS_ERROR_XPC_JSOBJECT_HAS_NO_FUNCTION_NAMED)" location: "JS frame :: chrome://specialpowers/content/specialpowersAPI.js :: doApply :: line 83" data: no]
Source File: chrome://specialpowers/content/specialpowersAPI.js
Line: 83

Timestamp: 5/20/13 1:57:47 AM
Error: NS_ERROR_XPC_JSOBJECT_HAS_NO_FUNCTION_NAMED: 'JavaScript component does not have a method named: "clone"' when calling method: [nsIURI::clone]
Source File: chrome://specialpowers/content/specialpowersAPI.js
Line: 83
Reporter
Comment 5•11 years ago
I guess this bug can be closed then, right?
Updated•11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME