Closed
Bug 1308938
Opened 8 years ago
Closed 8 years ago
Assertion failure: originAttrsLoadInfo.mUserContextId == originAttrsLoadContext.mUserContextId during loading of about:preferences
Categories
(Core :: DOM: Security, defect, P1)
Tracking
()
VERIFIED
FIXED
mozilla52
Tracking | Status | |
---|---|---|
firefox50 | --- | unaffected |
firefox51 | --- | verified |
firefox52 | --- | verified |
People
(Reporter: mccr8, Assigned: allstars.chh)
References
(Blocks 1 open bug)
Details
(Keywords: regression, sec-moderate, Whiteboard: [domsecurity-active][OA])
Attachments
(2 files, 2 obsolete files)
5.08 KB,
text/plain
|
Details | |
2.16 KB,
patch
|
allstars.chh
:
review+
gchang
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
The test browser/components/contextualidentity/test/browser/browser_aboutURLs.js loads every about: page. It is currently disabled on Windows and Linux debug for an intermittent negative leak (bug 1271182). I tried reenabling it to see what would happen, and it turns out there's an assertion failure every time it is run (unrelated to the negative leak): Assertion failure: originAttrsLoadInfo.mUserContextId == originAttrsLoadContext.mUserContextId (The value of mUserContextId in the loadContext and in the loadInfo are not the same!), at /home/worker/workspace/build/src/netwerk/base/nsNetUtil.cpp:2447 #01: nsBaseChannel::AsyncOpen [netwerk/base/nsBaseChannel.cpp:660] #02: nsBaseChannel::AsyncOpen2 [netwerk/base/nsBaseChannel.cpp:704] #03: imgLoader::LoadImage [image/imgLoader.cpp:2206] #04: nsContentUtils::LoadImage [dom/base/nsContentUtils.cpp:3306] #05: nsImageBoxFrame::UpdateImage [layout/xul/nsImageBoxFrame.cpp:241] #06: nsImageBoxFrame::AttributeChanged [layout/xul/nsImageBoxFrame.cpp:139] #07: mozilla::RestyleManager::AttributeChanged [xpcom/glue/nsTArray.h:878] #08: PresShell::AttributeChanged [layout/base/RestyleManagerHandleInlines.h:150] #09: nsNodeUtils::AttributeChanged [dom/base/nsNodeUtils.cpp:145] #10: mozilla::dom::Element::SetAttrAndNotify [dom/base/Element.cpp:2548] It looks like this happens when the test loads about:preferences. I don't know if this is a security issue or not, so I'm filing this hidden. Here's a log with the failure: https://treeherder.mozilla.org/logviewer.html#?job_id=28866297&repo=try
Reporter | ||
Comment 1•8 years ago
|
||
Dragana, do you know how bad of an assertion this is? Thanks.
Flags: needinfo?(dd.mozilla)
Reporter | ||
Comment 2•8 years ago
|
||
This assertion shows up on Linux64, but not OSX. I haven't tried Windows.
Comment 3•8 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #1) > Dragana, do you know how bad of an assertion this is? Thanks. Christoph is a better person to ask.
Flags: needinfo?(dd.mozilla) → needinfo?(ckerschb)
Assignee | ||
Updated•8 years ago
|
Assignee: nobody → allstars.chh
Flags: needinfo?(ckerschb)
Assignee | ||
Updated•8 years ago
|
Status: NEW → ASSIGNED
Component: Networking → DOM: Security
Whiteboard: [domsecurity-active]
Assignee | ||
Comment 4•8 years ago
|
||
An easier STR is to open about:preference in a container tab. And it asserts because the loadInfo->LoadingPrincipal() is SystemPrincical, hence no userContextId is stored on the origin attributes, however I remembered this worked before. Kamil, can you help to look which bug regresses this? Thanks
Blocks: ContextualIdentity
Assignee | ||
Updated•8 years ago
|
Flags: needinfo?(kjozwiak)
Assignee | ||
Updated•8 years ago
|
Assignee: allstars.chh → nobody
Status: ASSIGNED → NEW
Reporter | ||
Comment 5•8 years ago
|
||
This assertions seems to only happen on Linux. Windows and OSX are both fine.
Reporter | ||
Comment 6•8 years ago
|
||
The test was disabled on Linux in bug 1271182 comment 75, which hit inbound July 27.
Comment 7•8 years ago
|
||
I tried going through mozregression using "--build-type debug" under Ubuntu 16.04. Unfortunately I kept receiving "ERROR: Unable to find build info using the taskcluster route" error so I ended up going through this process manually using the following inbound builds: * https://tools.taskcluster.net/index/artifacts/#gecko.v2.mozilla-inbound.pushdate.2016.08.05/gecko.v2.mozilla-inbound.pushdate.2016.08.05 Results: ======== 20160805094455 - good 20160805094630 - good 20160805100501 - good 20160805103349 - good 20160805115216 - bad 20160805130059 - bad 20160805132614 - bad 20160805134925 - bad Regression range: * https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=4a431f553e0c8bc5e005f5c1684d4a1da026a47a&tochange=46d487ebf9afe289928ca424071bb58a870c65cd Possible suspect: * https://bugzilla.mozilla.org/show_bug.cgi?id=1264231 Yoshi, mind taking a look and seeing if bug#1264231 caused this regression?
Flags: needinfo?(kjozwiak) → needinfo?(allstars.chh)
Updated•8 years ago
|
Has STR: --- → yes
status-firefox50:
--- → unaffected
status-firefox51:
--- → affected
status-firefox52:
--- → affected
Updated•8 years ago
|
Priority: -- → P1
Whiteboard: [domsecurity-active] → [domsecurity-active][OA]
Updated•8 years ago
|
Group: core-security → dom-core-security
Assignee | ||
Comment 8•8 years ago
|
||
(In reply to Kamil Jozwiak [:kjozwiak] from comment #7) > Yoshi, mind taking a look and seeing if bug#1264231 caused this regression? Yeah, that's it. Thanks for finding this.
Assignee: nobody → allstars.chh
Flags: needinfo?(allstars.chh)
Assignee | ||
Updated•8 years ago
|
Status: NEW → ASSIGNED
Updated•8 years ago
|
Blocks: 1264231
Keywords: regression,
sec-moderate
Comment 9•8 years ago
|
||
I'm running into the following crash when opening about:preferences in the default container while another website is also being loaded in the personal container at the same time. I can consistently reproduce under macOS 10.12 using xCode 8.0 (8A218a). STR: * launch the latest version m-c debug * open a personal container via File -> New Container Tab * open a regular tab via File -> New Tab * load gmail.com within the personal container * while gmail.com is loading, load about:preference in the regular tab (default container) Yoshi, could this be related to this bug as it involves about:preferences? Or should I spawn this into it's own separate bug? Assertion failure: docShellAttrs.mUserContextId == attrs.mUserContextId (docshell and necko should have the same userContextId attribute.), at /Users/kjozwiak/projects/m-c/netwerk/protocol/http/HttpBaseChannel.cpp:2948 #01: mozilla::net::HttpBaseChannel::SetupReplacementChannel(nsIURI*, nsIChannel*, bool, unsigned int)[/Users/kjozwiak/projects/m-c/objdir-ff-debug/dist/NightlyDebug.app/Contents/MacOS/XUL +0x877c24] #02: mozilla::net::nsHttpChannel::SetupReplacementChannel(nsIURI*, nsIChannel*, bool, unsigned int)[/Users/kjozwiak/projects/m-c/objdir-ff-debug/dist/NightlyDebug.app/Contents/MacOS/XUL +0x8ed6f9] #03: mozilla::net::nsHttpChannel::ContinueProcessRedirectionAfterFallback(nsresult)[/Users/kjozwiak/projects/m-c/objdir-ff-debug/dist/NightlyDebug.app/Contents/MacOS/XUL +0x8f7050] #04: mozilla::net::nsHttpChannel::AsyncProcessRedirection(unsigned int)[/Users/kjozwiak/projects/m-c/objdir-ff-debug/dist/NightlyDebug.app/Contents/MacOS/XUL +0x8df584] #05: mozilla::net::nsHttpChannel::ContinueProcessResponse1(nsresult)[/Users/kjozwiak/projects/m-c/objdir-ff-debug/dist/NightlyDebug.app/Contents/MacOS/XUL +0x8e882d] #06: mozilla::net::nsHttpChannel::ProcessResponse()[/Users/kjozwiak/projects/m-c/objdir-ff-debug/dist/NightlyDebug.app/Contents/MacOS/XUL +0x8e83f7] #07: mozilla::net::nsHttpChannel::OnStartRequest(nsIRequest*, nsISupports*)[/Users/kjozwiak/projects/m-c/objdir-ff-debug/dist/NightlyDebug.app/Contents/MacOS/XUL +0x8ff174] #08: non-virtual thunk to mozilla::net::nsHttpChannel::OnStartRequest(nsIRequest*, nsISupports*)[/Users/kjozwiak/projects/m-c/objdir-ff-debug/dist/NightlyDebug.app/Contents/MacOS/XUL +0x8ff837] #09: nsInputStreamPump::OnStateStart()[/Users/kjozwiak/projects/m-c/objdir-ff-debug/dist/NightlyDebug.app/Contents/MacOS/XUL +0x35f395] #10: nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*)[/Users/kjozwiak/projects/m-c/objdir-ff-debug/dist/NightlyDebug.app/Contents/MacOS/XUL +0x35eebd] #11: non-virtual thunk to nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*)[/Users/kjozwiak/projects/m-c/objdir-ff-debug/dist/NightlyDebug.app/Contents/MacOS/XUL +0x36002c] #12: nsInputStreamReadyEvent::Run()[/Users/kjozwiak/projects/m-c/objdir-ff-debug/dist/NightlyDebug.app/Contents/MacOS/XUL +0x190329] #13: nsThread::ProcessNextEvent(bool, bool*)[/Users/kjozwiak/projects/m-c/objdir-ff-debug/dist/NightlyDebug.app/Contents/MacOS/XUL +0x1cdc19]
Assignee | ||
Comment 10•8 years ago
|
||
(In reply to Kamil Jozwiak [:kjozwiak] from comment #9) > I'm running into the following crash when opening about:preferences in the > default container while another website is also being loaded in the personal > container at the same time. I can consistently reproduce under macOS 10.12 > using xCode 8.0 (8A218a). > Should be a different bug. I'll check this.
Comment 11•8 years ago
|
||
Does this need to be a security sensitive bug?
Assignee | ||
Comment 12•8 years ago
|
||
waiting for mccr8's response in https://bugzilla.mozilla.org/show_bug.cgi?id=1271182#c128 first before sending r? https://treeherder.mozilla.org/#/jobs?repo=try&revision=723d2d514f3dc216e1d6b3fbf8f687955358b26c
Comment 13•8 years ago
|
||
(In reply to Yoshi Huang[:allstars.chh] from comment #10) > Should be a different bug. I'll check this. Created bug#1310276.
Reporter | ||
Comment 14•8 years ago
|
||
(In reply to Tanvi Vyas [:tanvi] from comment #11) > Does this need to be a security sensitive bug? I have no idea if it needs to be security sensitive or not. I just saw the principal stuff and was concerned that it might be sensitive.
Assignee | ||
Updated•8 years ago
|
Attachment #8800987 -
Flags: review?(amarchesini)
Comment 15•8 years ago
|
||
Comment on attachment 8800987 [details] [diff] [review] Patch. Review of attachment 8800987 [details] [diff] [review]: ----------------------------------------------------------------- ::: netwerk/base/nsNetUtil.cpp @@ +2401,5 @@ > nsCString spec = uri->GetSpecOrDefault(); > isAboutPage = spec.EqualsLiteral("about:newtab") || > + spec.EqualsLiteral("about:sync-tabs") || > + spec.EqualsLiteral("about:preferences") || > + spec.EqualsLiteral("about:addons"); should we generalize this a bit more? Should we use the scheme?
Attachment #8800987 -
Flags: review?(amarchesini)
Assignee | ||
Comment 16•8 years ago
|
||
use scheme to check.
Attachment #8800987 -
Attachment is obsolete: true
Assignee | ||
Comment 17•8 years ago
|
||
Comment on attachment 8802052 [details] [diff] [review] Patch. v2 Review of attachment 8802052 [details] [diff] [review]: ----------------------------------------------------------------- Hi, Baku Thanks for your review, this time I use scheme to check the URI. Can you review this again? Thanks
Attachment #8802052 -
Flags: review?(amarchesini)
Comment 18•8 years ago
|
||
Comment on attachment 8802052 [details] [diff] [review] Patch. v2 Review of attachment 8802052 [details] [diff] [review]: ----------------------------------------------------------------- ::: netwerk/base/nsNetUtil.cpp @@ +2397,5 @@ > if (node) { > nsIDocument* doc = node->OwnerDoc(); > if (doc) { > nsIURI* uri = doc->GetDocumentURI(); > + nsAutoCString scheme; uri->SchemeIs("about", &isAboutPage);
Attachment #8802052 -
Flags: review?(amarchesini) → review+
Assignee | ||
Comment 19•8 years ago
|
||
Attachment #8802052 -
Attachment is obsolete: true
Attachment #8802410 -
Flags: review+
Comment 20•8 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/59548efdaa50
Target Milestone: --- → mozilla52
Updated•8 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 21•8 years ago
|
||
I'll request uplift to 51 as this is regressed from bug 1264231.
Assignee | ||
Comment 22•8 years ago
|
||
The flag is "status-firefox51: affected", so it should be uplifted soon.
Comment 23•8 years ago
|
||
Hi :allstars.chh, Please create a uplift request for 51 aurora.
Flags: needinfo?(allstars.chh)
Assignee | ||
Comment 24•8 years ago
|
||
Comment on attachment 8802410 [details] [diff] [review] Patch. v3 Approval Request Comment [Feature/regressing bug #]: bug 1264231 [User impact if declined]: Open about:preferences in a container tab will crash in debug build. [Describe test coverage new/current, TreeHerder]: https://treeherder.mozilla.org/#/jobs?repo=try&revision=b38b3df8e2ac [Risks and why]: Low, the assertion are used to check the loading in content side, for about: pages it's done in chrome side, so we should skip the check if it's about: pages. [String/UUID change made/needed]: No
Flags: needinfo?(allstars.chh)
Attachment #8802410 -
Flags: approval-mozilla-aurora?
Assignee | ||
Comment 25•8 years ago
|
||
Comment on attachment 8802410 [details] [diff] [review] Patch. v3 Forgot to mention that, Please uplift this after bug 1271182 has been uplifted to firefox51, otherwise my patch will have a conflict here. See https://bugzilla.mozilla.org/show_bug.cgi?id=1271182#c131 https://bugzilla.mozilla.org/show_bug.cgi?id=1271182#c132 Thanks
Comment 26•8 years ago
|
||
Comment on attachment 8802410 [details] [diff] [review] Patch. v3 Fix a sec-moderate issue. Take it in 51 aurora.
Attachment #8802410 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 27•8 years ago
|
||
uplift |
https://hg.mozilla.org/releases/mozilla-aurora/rev/10be9d40fa865be7c3c203b9cd042722ab3069ca
Updated•8 years ago
|
Group: dom-core-security → core-security-release
Comment 28•8 years ago
|
||
Went through verification using the following test cases: * opened about:preferences in several containers (all at the same time as well) * opened about:preferences within the default container * opened about:preferences within PB * opened all the about: sites listed under about:about in a container Builds being used: * fx52.0a1 (--enable-debug), buildId: 20161111172704, changeset: fc104971a4db * fx51.0a2 (--enable-debug), buildId: 20161111183120, changeset: 3d380055aaed
Updated•8 years ago
|
Group: core-security-release
Updated•8 years ago
|
Version: unspecified → 51 Branch
You need to log in
before you can comment on or make changes to this bug.
Description
•