Closed Bug 1210508 Opened 9 years ago Closed 9 years ago

crash in JSAutoCompartment::JSAutoCompartment(JSContext*, JSObject*) | nsILoadContext::GetOriginAttributes(mozilla::OriginAttributes&)

Categories

(Core :: Security: CAPS, defect)

Product:
Core
Component:
Security: CAPS
Platform:
Unspecified
Android
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla44
Project Flags:
blocking-b2g 2.5+
Tracking Flags:
Tracking Status
firefox44 --- fixed
b2g-v2.2 --- unaffected
b2g-master --- affected

People

(Reporter: vbelonenko, Assigned: bholley)

References

(
URL
)

Details

(Keywords: crash, regression, reproducible, Whiteboard: [2.5-Daily-Testing][Spark])

Crash Data

Attachments

(2 files)

logcat_20150930_1225.txt
1003.76 KB, text/plain
Details
Handle null OriginAttributes from JS-implemented nsILoadContext. r=me
1.14 KB, patch
bholley
: review+
Details | Diff | Splinter Review 
This bug was filed from the Socorro interface and is 
report bp-0cdf161f-3899-4ce2-bbff-af2282151001.
=============================================================

0	libxul.so	JSAutoCompartment::JSAutoCompartment(JSContext*, JSObject*)	
1	libxul.so	nsILoadContext::GetOriginAttributes(mozilla::OriginAttributes&)	/home/worker/objdir-gecko/objdir/dist/include/nsILoadContext.h:112
2	libxul.so	mozilla::OriginAttributes::CopyFromLoadContext(nsILoadContext*)	caps/BasePrincipal.cpp
3	libxul.so	nsScriptSecurityManager::GetLoadContextCodebasePrincipal(nsIURI*, nsILoadContext*, nsIPrincipal**)	caps/nsScriptSecurityManager.cpp
4	libxul.so	nsScriptSecurityManager::GetChannelURIPrincipal(nsIChannel*, nsIPrincipal**)	caps/nsScriptSecurityManager.cpp
5	libxul.so	mozilla::net::HttpBaseChannel::TimingAllowCheck(nsIPrincipal*, bool*)	netwerk/protocol/http/HttpBaseChannel.cpp
6	libxul.so	mozilla::net::HttpBaseChannel::SetupReplacementChannel(nsIURI*, nsIChannel*, bool)	/home/worker/objdir-gecko/objdir/dist/include/nsITimedChannel.h:95
7	libxul.so	mozilla::net::nsHttpChannel::SetupReplacementChannel(nsIURI*, nsIChannel*, bool)	netwerk/protocol/http/nsHttpChannel.cpp
8	libxul.so	mozilla::net::nsHttpChannel::ContinueProcessRedirectionAfterFallback(nsresult)	netwerk/protocol/http/nsHttpChannel.cpp
9	libxul.so	mozilla::net::nsHttpChannel::AsyncProcessRedirection(unsigned int)	netwerk/protocol/http/nsHttpChannel.cpp
10	libxul.so	mozilla::net::nsHttpChannel::ProcessResponse()	netwerk/protocol/http/nsHttpChannel.cpp
11	libxul.so	mozilla::net::nsHttpChannel::OnStartRequest(nsIRequest*, nsISupports*)	netwerk/protocol/http/nsHttpChannel.cpp
12	libxul.so	nsInputStreamPump::OnStateStart()	netwerk/base/nsInputStreamPump.cpp
13	libxul.so	nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*)	netwerk/base/nsInputStreamPump.cpp
14	libxul.so	nsInputStreamReadyEvent::Run()	xpcom/io/nsStreamUtils.cpp
15	libxul.so	nsThread::ProcessNextEvent(bool, bool*)	xpcom/threads/nsThread.cpp
16	libxul.so	NS_ProcessNextEvent(nsIThread*, bool)	xpcom/glue/nsThreadUtils.cpp
17	libxul.so	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)	ipc/glue/MessagePump.cpp
18	libxul.so	MessageLoop::RunInternal()	ipc/chromium/src/base/message_loop.cc
19	libxul.so	MessageLoop::Run()	ipc/chromium/src/base/message_loop.cc
20	libxul.so	nsBaseAppShell::Run()	widget/nsBaseAppShell.cpp
21	libxul.so	nsAppStartup::Run()	toolkit/components/startup/nsAppStartup.cpp
22	libxul.so	XREMain::XRE_mainRun()	toolkit/xre/nsAppRunner.cpp
23	libxul.so	XREMain::XRE_main(int, char**, nsXREAppData const*)	toolkit/xre/nsAppRunner.cpp
24	libxul.so	XRE_main	toolkit/xre/nsAppRunner.cpp
25	b2g	do_main	b2g/app/nsBrowserApp.cpp
26	b2g	b2g_main(int, char const**)	b2g/app/nsBrowserApp.cpp
27	b2g	main	b2g/app/B2GLoader.cpp
28	libc.so	__libc_init	/home/worker/workspace/B2G/bionic/libc/bionic/libc_init_dynamic.cpp:112
29	b2g	b2g@0xc1da	
30	linker	set_soinfo_pool_protection	/home/worker/workspace/B2G/bionic/linker/linker.cpp:291
31		@0xbefb6a6a	

Description:
When user selects ESPN Brasil app inside marketplace app and tries to install. The mobile device crashes and restarts.
Repro Steps:

1) Update a Aries to 20150930115400
2) Open Marketplace app
3) Install ESPN Brasil app
4) Observe that when you select install for free it crashes and restarts your phone.

Actual:
User tries to install ESPN Brasil app, it crashes when he selects install for free.

Expected:
ESPN Brasil app should not crash while installing.

Notes: Only happens to ESPN Brasil app

Environmental Variables:
Device: Aries Master 2.5 kk full flash (319 mb)
Build ID: 20150930115400
Gaia: 14a64f1ebd353bccc3f1c0399e1a01a03327749e
Gecko: 97e537f85183ef31481602ab9e5587a6e7d16b4d
Gonk: 2916e2368074b5383c80bf5a0fba3fc83ba310bd
Version: 44.0a1 (Master)
Firmware Version: D5803_23.1.A.1.28_NCB.ftf
User Agent: Mozilla/5.0 (Mobile; rv:44.0) Gecko/44.0 Firefox/44.0

Repro frequency: 3/3
See attached: video clip and logcat
This issue occurs on 2.5 flame
Result: User tries to install ESPN Brasil app, it crashes when he selects install for free.

Environmental Variables:
Device: Flame Master 2.5 kk full flash (319 mb)
Build ID: 20150929030205
Gaia: f345f6a015709beeb2ca3955cab077fcaa959d3b
Gecko: acdb22976ff86539dc10413c5f366e1fb429a680
Gonk: c4779d6da0f85894b1f78f0351b43f2949e8decd
Version: 44.0a1 (Master)
Firmware Version: v18D
User Agent: Mozilla/5.0 (Mobile; rv:44.0) Gecko/44.0 Firefox/44.0

This issue does not occur on 2.2 flame
Result: ESPN Brasil app did not crash while installing.

Environmental Variables:
Device: Flame 2.2 kk full flash (319 mb)
Build ID: 20150930032502
Gaia: 5dd95cfb9f1d6501ce0e34414596ef3dd9c2f583
Gecko: 65ddad73ad6b
Gonk: bd9cb3af2a0354577a6903917bc826489050b40d
Version: 37.0 (2.2)
Firmware Version: v18D
User Agent: Mozilla/5.0 (Mobile; rv:37.0) Gecko/37.0 Firefox/37.0
QA Whiteboard: [QAnalyst-Triage+]
status-b2g-v2.2: --- → unaffected
status-b2g-master: --- → affected
Flags: needinfo?(ktucker)
blocking-b2g: --- → 2.5?
QA Whiteboard: [QAnalyst-Triage+]
QA Contact: pcheng
b2g-inbound regression window:

Last Working
Device: Flame 2.5
BuildID: 20150926164034
Gaia: 566ca621e80c40d71b818d3aa8d39e2e96ff85d5
Gecko: fb6f36ba8eb1909f23e1ba5b6c1c8f3e3200bbfc
Version: 44.0a1 (2.5) 
Firmware Version: v18Dv4
User Agent: Mozilla/5.0 (Mobile; rv:44.0) Gecko/44.0 Firefox/44.0

First Broken
Device: Flame 2.5
BuildID: 20150926230934
Gaia: 566ca621e80c40d71b818d3aa8d39e2e96ff85d5
Gecko: 86a7be21dfc8ef0a3c3080d58ef508732ce2d154
Version: 44.0a1 (2.5) 
Firmware Version: v18Dv4
User Agent: Mozilla/5.0 (Mobile; rv:44.0) Gecko/44.0 Firefox/44.0

Gaia is the same so it's a Gecko issue.

Gecko pushlog:
http://hg.mozilla.org/integration/b2g-inbound/pushloghtml?fromchange=fb6f36ba8eb1909f23e1ba5b6c1c8f3e3200bbfc&tochange=86a7be21dfc8ef0a3c3080d58ef508732ce2d154

This issue appears to be caused by changes made in Bug 1165466.
Blocks: 1165466
QA Whiteboard: [QAnalyst-Triage?]
Flags: needinfo?(jmercado)
Keywords: regressionwindow-wanted
Yoshi this issue seems to have been caused by the changes for bug 1165466.  Can you please take a look?
QA Whiteboard: [QAnalyst-Triage?] → [QAnalyst-Triage+]
Flags: needinfo?(allstars.chh)
Flags: needinfo?(jmercado)
I'll land a patch for this real quick.
Can somebody push this patch to b2g-inbound? I don't have a local checkout of it.
Thanks Bobby for the help, push the patch with updating UUID.
Flags: needinfo?(allstars.chh)
Thanks a lot Bobby!
blocking-b2g: 2.5? → 2.5+
Assignee: nobody → bobbyholley
Component: Gaia::System::Download → Security: CAPS
Product: Firefox OS → Core
Whiteboard: [2.5-Daily-Testing][Systemsfe][Spark] → [2.5-Daily-Testing][Spark]
https://hg.mozilla.org/mozilla-central/rev/0b9b618c20f2
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox44: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: