Closed Bug 1308938 Opened 8 years ago Closed 8 years ago

Assertion failure: originAttrsLoadInfo.mUserContextId == originAttrsLoadContext.mUserContextId during loading of about:preferences

Categories

(Core :: DOM: Security, defect, P1)

Product:
Core
Component:
DOM: Security
Version:
51 Branch
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla52
Tracking Flags:
Tracking Status
firefox50 --- unaffected
firefox51 --- verified
firefox52 --- verified

People

(Reporter: mccr8, Assigned: allstars.chh)

References

(Blocks 1 open bug)

Details

(Keywords: regression, sec-moderate, Whiteboard: [domsecurity-active][OA])

Attachments

(2 files, 2 obsolete files)

complete stack of crash
5.08 KB, text/plain
Details
Patch. v3
2.16 KB, patch
allstars.chh
: review+
gchang
: approval-mozilla-aurora+
Details | Diff | Splinter Review 
The test browser/components/contextualidentity/test/browser/browser_aboutURLs.js loads every about: page. It is currently disabled on Windows and Linux debug for an intermittent negative leak (bug 1271182). I tried reenabling it to see what would happen, and it turns out there's an assertion failure every time it is run (unrelated to the negative leak):

Assertion failure: originAttrsLoadInfo.mUserContextId == originAttrsLoadContext.mUserContextId (The value of mUserContextId in the loadContext and in the loadInfo are not the same!), at /home/worker/workspace/build/src/netwerk/base/nsNetUtil.cpp:2447
#01: nsBaseChannel::AsyncOpen [netwerk/base/nsBaseChannel.cpp:660]
#02: nsBaseChannel::AsyncOpen2 [netwerk/base/nsBaseChannel.cpp:704]
#03: imgLoader::LoadImage [image/imgLoader.cpp:2206]
#04: nsContentUtils::LoadImage [dom/base/nsContentUtils.cpp:3306]
#05: nsImageBoxFrame::UpdateImage [layout/xul/nsImageBoxFrame.cpp:241]
#06: nsImageBoxFrame::AttributeChanged [layout/xul/nsImageBoxFrame.cpp:139]
#07: mozilla::RestyleManager::AttributeChanged [xpcom/glue/nsTArray.h:878]
#08: PresShell::AttributeChanged [layout/base/RestyleManagerHandleInlines.h:150]
#09: nsNodeUtils::AttributeChanged [dom/base/nsNodeUtils.cpp:145]
#10: mozilla::dom::Element::SetAttrAndNotify [dom/base/Element.cpp:2548]

It looks like this happens when the test loads about:preferences.

I don't know if this is a security issue or not, so I'm filing this hidden.

Here's a log with the failure:
https://treeherder.mozilla.org/logviewer.html#?job_id=28866297&repo=try
Dragana, do you know how bad of an assertion this is? Thanks.
Flags: needinfo?(dd.mozilla)
This assertion shows up on Linux64, but not OSX. I haven't tried Windows.
(In reply to Andrew McCreight [:mccr8] from comment #1)
> Dragana, do you know how bad of an assertion this is? Thanks.

Christoph is a better person to ask.
Flags: needinfo?(dd.mozilla) → needinfo?(ckerschb)
Assignee: nobody → allstars.chh
Flags: needinfo?(ckerschb)
Status: NEW → ASSIGNED
Component: Networking → DOM: Security
Whiteboard: [domsecurity-active]
An easier STR is to open about:preference in a container tab.
And it asserts because the loadInfo->LoadingPrincipal() is SystemPrincical, hence no userContextId is stored on the origin attributes, however I remembered this worked before.

Kamil, can you help to look which bug regresses this?

Thanks
Blocks: ContextualIdentity
Flags: needinfo?(kjozwiak)
Assignee: allstars.chh → nobody
Status: ASSIGNED → NEW
This assertions seems to only happen on Linux. Windows and OSX are both fine.
The test was disabled on Linux in bug 1271182 comment 75, which hit inbound July 27.
I tried going through mozregression using "--build-type debug" under Ubuntu 16.04. Unfortunately I kept receiving "ERROR: Unable to find build info using the taskcluster route" error so I ended up going through this process manually using the following inbound builds:
* https://tools.taskcluster.net/index/artifacts/#gecko.v2.mozilla-inbound.pushdate.2016.08.05/gecko.v2.mozilla-inbound.pushdate.2016.08.05

Results:
========

20160805094455 - good
20160805094630 - good
20160805100501 - good
20160805103349 - good
20160805115216 - bad
20160805130059 - bad
20160805132614 - bad
20160805134925 - bad

Regression range:
* https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=4a431f553e0c8bc5e005f5c1684d4a1da026a47a&tochange=46d487ebf9afe289928ca424071bb58a870c65cd

Possible suspect:
* https://bugzilla.mozilla.org/show_bug.cgi?id=1264231

Yoshi, mind taking a look and seeing if bug#1264231 caused this regression?
Flags: needinfo?(kjozwiak) → needinfo?(allstars.chh)
Priority: -- → P1
Whiteboard: [domsecurity-active] → [domsecurity-active][OA]
Group: core-security → dom-core-security
(In reply to Kamil Jozwiak [:kjozwiak] from comment #7)
> Yoshi, mind taking a look and seeing if bug#1264231 caused this regression?
Yeah, that's it. 
Thanks for finding this.
Assignee: nobody → allstars.chh
Flags: needinfo?(allstars.chh)
Status: NEW → ASSIGNED
I'm running into the following crash when opening about:preferences in the default container while another website is also being loaded in the personal container at the same time. I can consistently reproduce under macOS 10.12 using xCode 8.0 (8A218a).

STR:

* launch the latest version m-c debug
* open a personal container via File -> New Container Tab
* open a regular tab via File -> New Tab
* load gmail.com within the personal container
* while gmail.com is loading, load about:preference in the regular tab (default container)

Yoshi, could this be related to this bug as it involves about:preferences? Or should I spawn this into it's own separate bug?

Assertion failure: docShellAttrs.mUserContextId == attrs.mUserContextId (docshell and necko should have the same userContextId attribute.), at /Users/kjozwiak/projects/m-c/netwerk/protocol/http/HttpBaseChannel.cpp:2948
#01: mozilla::net::HttpBaseChannel::SetupReplacementChannel(nsIURI*, nsIChannel*, bool, unsigned int)[/Users/kjozwiak/projects/m-c/objdir-ff-debug/dist/NightlyDebug.app/Contents/MacOS/XUL +0x877c24]
#02: mozilla::net::nsHttpChannel::SetupReplacementChannel(nsIURI*, nsIChannel*, bool, unsigned int)[/Users/kjozwiak/projects/m-c/objdir-ff-debug/dist/NightlyDebug.app/Contents/MacOS/XUL +0x8ed6f9]
#03: mozilla::net::nsHttpChannel::ContinueProcessRedirectionAfterFallback(nsresult)[/Users/kjozwiak/projects/m-c/objdir-ff-debug/dist/NightlyDebug.app/Contents/MacOS/XUL +0x8f7050]
#04: mozilla::net::nsHttpChannel::AsyncProcessRedirection(unsigned int)[/Users/kjozwiak/projects/m-c/objdir-ff-debug/dist/NightlyDebug.app/Contents/MacOS/XUL +0x8df584]
#05: mozilla::net::nsHttpChannel::ContinueProcessResponse1(nsresult)[/Users/kjozwiak/projects/m-c/objdir-ff-debug/dist/NightlyDebug.app/Contents/MacOS/XUL +0x8e882d]
#06: mozilla::net::nsHttpChannel::ProcessResponse()[/Users/kjozwiak/projects/m-c/objdir-ff-debug/dist/NightlyDebug.app/Contents/MacOS/XUL +0x8e83f7]
#07: mozilla::net::nsHttpChannel::OnStartRequest(nsIRequest*, nsISupports*)[/Users/kjozwiak/projects/m-c/objdir-ff-debug/dist/NightlyDebug.app/Contents/MacOS/XUL +0x8ff174]
#08: non-virtual thunk to mozilla::net::nsHttpChannel::OnStartRequest(nsIRequest*, nsISupports*)[/Users/kjozwiak/projects/m-c/objdir-ff-debug/dist/NightlyDebug.app/Contents/MacOS/XUL +0x8ff837]
#09: nsInputStreamPump::OnStateStart()[/Users/kjozwiak/projects/m-c/objdir-ff-debug/dist/NightlyDebug.app/Contents/MacOS/XUL +0x35f395]
#10: nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*)[/Users/kjozwiak/projects/m-c/objdir-ff-debug/dist/NightlyDebug.app/Contents/MacOS/XUL +0x35eebd]
#11: non-virtual thunk to nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*)[/Users/kjozwiak/projects/m-c/objdir-ff-debug/dist/NightlyDebug.app/Contents/MacOS/XUL +0x36002c]
#12: nsInputStreamReadyEvent::Run()[/Users/kjozwiak/projects/m-c/objdir-ff-debug/dist/NightlyDebug.app/Contents/MacOS/XUL +0x190329]
#13: nsThread::ProcessNextEvent(bool, bool*)[/Users/kjozwiak/projects/m-c/objdir-ff-debug/dist/NightlyDebug.app/Contents/MacOS/XUL +0x1cdc19]
(In reply to Kamil Jozwiak [:kjozwiak] from comment #9)
> I'm running into the following crash when opening about:preferences in the
> default container while another website is also being loaded in the personal
> container at the same time. I can consistently reproduce under macOS 10.12
> using xCode 8.0 (8A218a).
> 
Should be a different bug. I'll check this.
Does this need to be a security sensitive bug?
(In reply to Yoshi Huang[:allstars.chh] from comment #10)
> Should be a different bug. I'll check this.

Created bug#1310276.
(In reply to Tanvi Vyas [:tanvi] from comment #11)
> Does this need to be a security sensitive bug?

I have no idea if it needs to be security sensitive or not. I just saw the principal stuff and was concerned that it might be sensitive.
Blocks: 1271182
Comment on attachment 8800987 [details] [diff] [review]
Patch.

Review of attachment 8800987 [details] [diff] [review]:
-----------------------------------------------------------------

::: netwerk/base/nsNetUtil.cpp
@@ +2401,5 @@
>        nsCString spec = uri->GetSpecOrDefault();
>        isAboutPage = spec.EqualsLiteral("about:newtab") ||
> +                    spec.EqualsLiteral("about:sync-tabs") ||
> +                    spec.EqualsLiteral("about:preferences") ||
> +                    spec.EqualsLiteral("about:addons");

should we generalize this a bit more? Should we use the scheme?
Attachment #8800987 - Flags: review?(amarchesini)
Attached patch Patch. v2 (obsolete) — Splinter Review 
use scheme to check.
Attachment #8800987 - Attachment is obsolete: true
Comment on attachment 8802052 [details] [diff] [review]
Patch. v2

Review of attachment 8802052 [details] [diff] [review]:
-----------------------------------------------------------------

Hi, Baku
Thanks for your review, this time I use scheme to check the URI.
Can you review this again?

Thanks
Attachment #8802052 - Flags: review?(amarchesini)
Comment on attachment 8802052 [details] [diff] [review]
Patch. v2

Review of attachment 8802052 [details] [diff] [review]:
-----------------------------------------------------------------

::: netwerk/base/nsNetUtil.cpp
@@ +2397,5 @@
>    if (node) {
>      nsIDocument* doc = node->OwnerDoc();
>      if (doc) {
>        nsIURI* uri = doc->GetDocumentURI();
> +      nsAutoCString scheme;

uri->SchemeIs("about", &isAboutPage);
Attachment #8802052 - Flags: review?(amarchesini) → review+
Attached patch Patch. v3Splinter Review 

        Attachment #8802052 -
        Attachment is obsolete: true

        Attachment #8802410 -
        Flags: review+
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED

    
    

    
  
I'll request uplift to 51 as this is regressed from bug 1264231.

    
    

    
  
The flag is "status-firefox51: 	affected", so it should be uplifted soon.

    
    

    
  
Hi :allstars.chh,
Please create a uplift request for 51 aurora.
Flags: needinfo?(allstars.chh)

    
    

    
  
Comment on attachment 8802410 [details] [diff] [review]
Patch. v3

Approval Request Comment

[Feature/regressing bug #]:
bug 1264231

[User impact if declined]:
Open about:preferences in a container tab will crash in debug build.

[Describe test coverage new/current, TreeHerder]:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=b38b3df8e2ac

[Risks and why]:
Low, the assertion are used to check the loading in content side, for about: pages it's done in chrome side, so we should skip the check if it's about: pages.

[String/UUID change made/needed]:
No
Flags: needinfo?(allstars.chh)

        Attachment #8802410 -
        Flags: approval-mozilla-aurora?

    
    

    
  
Comment on attachment 8802410 [details] [diff] [review]
Patch. v3

Forgot to mention that,
Please uplift this after bug 1271182 has been uplifted to firefox51, otherwise my patch will have a conflict here.

See https://bugzilla.mozilla.org/show_bug.cgi?id=1271182#c131
https://bugzilla.mozilla.org/show_bug.cgi?id=1271182#c132

Thanks

    
    

    
  
Comment on attachment 8802410 [details] [diff] [review]
Patch. v3

Fix a sec-moderate issue. Take it in 51 aurora.

        Attachment #8802410 -
        Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Group: dom-core-security → core-security-release

    
    

    
  
Went through verification using the following test cases:

* opened about:preferences in several containers (all at the same time as well)
* opened about:preferences within the default container
* opened about:preferences within PB
* opened all the about: sites listed under about:about in a container

Builds being used:

* fx52.0a1 (--enable-debug), buildId: 20161111172704, changeset: fc104971a4db
* fx51.0a2 (--enable-debug), buildId: 20161111183120, changeset: 3d380055aaed
Status: RESOLVED → VERIFIED

          status-firefox51:
          fixedverified

          status-firefox52:
          fixedverified
Group: core-security-release
Version: unspecified → 51 Branch

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: