Closed Bug 1048968 Opened 5 years ago Closed 5 years ago

[e10s] "Mind the Time" add-on crash in XPCWrappedNativeScope::XPCWrappedNativeScope(JSContext*, JS::Handle<JSObject*>)

Categories

(Core :: XPConnect, defect, critical)

defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla35
Tracking Status
e10s m3+ ---

People

(Reporter: cpeterson, Assigned: billm)

References

Details

(Keywords: crash, reproducible)

Crash Data

Attachments

(1 file)

This bug was filed from the Socorro interface and is 
report bp-fd69cbcd-b9c6-4247-8bce-7b3152140805.
=============================================================

Tolgay reports that the "Mind the Time" add-on crashes when e10s is enabled:

 0 	xul.dll 	XPCWrappedNativeScope::XPCWrappedNativeScope(JSContext*, JS::Handle<JSObject*>) 	js/xpconnect/src/XPCWrappedNativeScope.cpp
1 	xul.dll 	xpc::CreateGlobalObject(JSContext*, JSClass const*, nsIPrincipal*, JS::CompartmentOptions&) 	js/xpconnect/src/nsXPConnect.cpp
2 	xul.dll 	xpc::CreateSandboxObject(JSContext*, JS::MutableHandle<JS::Value>, nsISupports*, xpc::SandboxOptions&) 	js/xpconnect/src/Sandbox.cpp
3 	xul.dll 	XPCWrappedNativeScope::EnsureAddonScope(JSContext*, JSAddonId*) 	js/xpconnect/src/XPCWrappedNativeScope.cpp
4 	xul.dll 	xpc::GetAddonScope(JSContext*, JS::Handle<JSObject*>, JSAddonId*) 	js/xpconnect/src/XPCWrappedNativeScope.cpp
5 	xul.dll 	mozilla::EventListenerManager::CompileEventHandlerInternal(mozilla::EventListenerManager::Listener*, nsAString_internal const*, mozilla::dom::Element*) 	dom/events/EventListenerManager.cpp
6 	xul.dll 	mozilla::EventListenerManager::SetEventHandler(nsIAtom*, nsAString_internal const&, bool, bool, mozilla::dom::Element*) 	dom/events/EventListenerManager.cpp
7 	xul.dll 	mozilla::dom::Element::SetEventHandler(nsIAtom*, nsAString_internal const&, bool) 	content/base/src/Element.cpp
8 	xul.dll 	nsGenericHTMLElement::AfterSetAttr(int, nsIAtom*, nsAttrValue const*, bool) 	content/html/content/src/nsGenericHTMLElement.cpp
9 	xul.dll 	mozilla::dom::Element::SetAttrAndNotify(int, nsIAtom*, nsIAtom*, nsAttrValue const&, nsAttrValue&, unsigned char, bool, bool, bool) 	content/base/src/Element.cpp
10 	xul.dll 	mozilla::dom::Element::SetAttr(int, nsIAtom*, nsIAtom*, nsAString_internal const&, bool) 	content/base/src/Element.cpp
11 	xul.dll 	nsGenericHTMLElement::SetAttr(int, nsIAtom*, nsIAtom*, nsAString_internal const&, bool) 	content/html/content/src/nsGenericHTMLElement.cpp
12 	xul.dll 	nsHtml5TreeOperation::CreateElement(int, nsIAtom*, nsHtml5HtmlAttributes*, mozilla::dom::FromParser, nsHtml5DocumentBuilder*) 	parser/html/nsHtml5TreeOperation.cpp
13 	xul.dll 	nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) 	parser/html/nsHtml5TreeOperation.cpp
14 	xul.dll 	nsHtml5TreeOpExecutor::RunFlushLoop() 	parser/html/nsHtml5TreeOpExecutor.cpp
15 	xul.dll 	nsHtml5ExecutorFlusher::Run() 	parser/html/nsHtml5StreamParser.cpp
16 	xul.dll 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
17 	xul.dll 	NS_ProcessPendingEvents(nsIThread*, unsigned int) 	xpcom/glue/nsThreadUtils.cpp
18 	xul.dll 	nsWindow::DispatchPendingEvents() 	widget/windows/nsWindow.cpp
19 	xul.dll 	nsWindow::ProcessMessage(unsigned int, unsigned int&, long&, long*) 	widget/windows/nsWindow.cpp
20 	xul.dll 	nsWindow::WindowProcInternal(HWND__*, unsigned int, unsigned int, long) 	widget/windows/nsWindow.cpp
21 	xul.dll 	CallWindowProcCrashProtected 	xpcom/base/nsCrashOnException.cpp
22 	xul.dll 	nsWindow::WindowProc(HWND__*, unsigned int, unsigned int, long) 	widget/windows/nsWindow.cpp
23 	user32.dll 	InternalCallWinProc 	
24 	user32.dll 	UserCallWinProcCheckWow 	
25 	user32.dll 	DispatchMessageWorker 	
26 	user32.dll 	DispatchMessageW 	
27 	xul.dll 	nsAppShell::ProcessNextNativeEvent(bool) 	widget/windows/nsAppShell.cpp
28 	xul.dll 	nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal*, bool, unsigned int) 	widget/xpwidgets/nsBaseAppShell.cpp
29 	xul.dll 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
30 	xul.dll 	NS_ProcessNextEvent(nsIThread*, bool) 	xpcom/glue/nsThreadUtils.cpp
31 	xul.dll 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp
32 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc
33 	xul.dll 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
34 	xul.dll 	nsBaseAppShell::Run() 	widget/xpwidgets/nsBaseAppShell.cpp
35 	xul.dll 	nsAppShell::Run() 	widget/windows/nsAppShell.cpp
36 	xul.dll 	nsAppStartup::Run() 	toolkit/components/startup/nsAppStartup.cpp
37 	xul.dll 	XREMain::XRE_mainRun() 	toolkit/xre/nsAppRunner.cpp
38 	xul.dll 	XREMain::XRE_main(int, char** const, nsXREAppData const*) 	toolkit/xre/nsAppRunner.cpp
39 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp
40 	firefox.exe 	do_main 	browser/app/nsBrowserApp.cpp
41 	firefox.exe 	NS_internal_main(int, char**) 	browser/app/nsBrowserApp.cpp
42 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp
43 	firefox.exe 	__tmainCRTStartup 	f:/dd/vctools/crt_bld/self_x86/crt/src/crtexe.c:552
44 	kernel32.dll 	BaseThreadInitThunk
Tolgay says Mind the Time crashes every time he uses it.
Keywords: reproducible
Assignee: nobody → wmccloskey
Depends on: old-e10s-m2
Duplicate of this bug: 1050209
Another add-on crashes Firefox e10s in the same way, see bug 1050209.
STR:
1) Install Divel Notepad https://addons.mozilla.org/en-us/firefox/addon/divel-notepad/
2) In e10s mode, you need to disable/reenable the add-on to display the add-on icons (bug surely).
3) Write a note and save it.
4) Display the note.

Result: crash.
Tolgay and Loic: do "Mind the Time" and "Divel Notepad" still crash for you?
I tried with Divel Notepad but only with a single e10s window because I'm not able to display the add-on icons in the toolbar (it's a bug). With a single e10s window, it doesn't crash, but I can't confirm it doesn't crash in full e10s mode.
I tested again and "Mind the Time" crashed.Here crash report:https://crash-stats.mozilla.com/report/index/553bea4c-0c36-468d-a262-075492140829
Edit:Sorry,I updated nightly  now then tested again it is still crashing.Here new crash report for latest version of nightly: https://crash-stats.mozilla.com/report/index/35c58e6d-63fa-45e4-b425-104f42140829
(In reply to Loic from comment #5)
> I tried with Divel Notepad but only with a single e10s window because I'm
> not able to display the add-on icons in the toolbar (it's a bug).

Filed bug 1060907.
Instant crash at start-up on my side with the addon "Mind the Time" in e10s mode.
CR: https://crash-stats.mozilla.com/report/index/16d1d86c-d625-48cb-9753-fc5e12140831
Blocks: old-e10s-m2
No longer depends on: old-e10s-m2
The problem here is that Jetpack can load HTML unprivileged pages from its add-on package. (I'm sure XUL add-ons can do this too, but it's probably a lot more rare.) Any event listeners on the page will trigger a call to GetAddonScope, which will assert because the original scope doesn't have system principals.

Even if we were to fix this issue and allow content scopes to have associated add-on scopes, we'd still have problem that <script> tags inside HTML documents wouldn't load inside the add-on scope--we only do that for XUL documents.

I think the best thing to do here is for GetAddonScope to return the original scope. We won't get any shims, but that's okay. We have a GSoC student working on getting Jetpack to work without shims.
Attachment #8496339 - Flags: review?(bobbyholley)
Comment on attachment 8496339 [details] [diff] [review]
fix-mind-the-time

Review of attachment 8496339 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/xpconnect/src/XPCWrappedNativeScope.cpp
@@ +378,5 @@
>      }
>  
>      JSAutoCompartment ac(cx, contentScope);
>      XPCWrappedNativeScope *nativeScope = CompartmentPrivate::Get(contentScope)->scope;
> +    if (!nsContentUtils::IsSystemPrincipal(nativeScope->GetPrincipal())) {

Please do an equality check with nsXPConnect::SystemPrincipal() rather than using nsCOntnetUtils, in case this happens early in startup.
Attachment #8496339 - Flags: review?(bobbyholley) → review+
https://hg.mozilla.org/mozilla-central/rev/f165c7e561c6
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla35
You need to log in before you can comment on or make changes to this bug.