Closed Bug 1433044 Opened 6 years ago Closed 6 years ago

Crash in `anonymous namespace'::AssertLoadingPrincipalAndClientInfoMatch

Categories

(Core :: DOM: Service Workers, defect, P2)

Product:
Core
Component:
DOM: Service Workers
Platform:
Unspecified
Windows 10
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla60
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox58 --- unaffected
firefox59 --- unaffected
firefox60 --- verified

People

(Reporter: calixte, Assigned: bkelly)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(2 files, 2 obsolete files)

P1 Make workers keep the same null principal even if GetChannelResultPrincipal() returns different null principals. r=baku
1.71 KB, patch
asuth
: review+
Details | Diff | Splinter Review
P2 Update local-url-inherit-controller.https.html to test fetch() interception in local URL windows and workers. r=asuth
10.50 KB, patch
asuth
: review+
Details | Diff | Splinter Review 
This bug was filed from the Socorro interface and is
report bp-0decce3d-7578-4dda-966a-01e010180125.
=============================================================

Top 10 frames of crashing thread:

0 xul.dll `anonymous namespace'::AssertLoadingPrincipalAndClientInfoMatch netwerk/base/nsNetUtil.cpp:260
1 xul.dll NS_NewChannel netwerk/base/nsNetUtil.cpp:305
2 xul.dll mozilla::dom::FetchDriver::HttpFetch dom/fetch/FetchDriver.cpp:524
3 xul.dll mozilla::dom::FetchDriver::Fetch dom/fetch/FetchDriver.cpp:397
4 xul.dll mozilla::dom::MainThreadFetchRunnable::Run dom/fetch/Fetch.cpp:444
5 xul.dll mozilla::ThrottledEventQueue::Inner::ExecuteRunnable xpcom/threads/ThrottledEventQueue.cpp:193
6 xul.dll mozilla::ThrottledEventQueue::Inner::Executor::Run xpcom/threads/ThrottledEventQueue.cpp:79
7 xul.dll mozilla::ThrottledEventQueue::Inner::ExecuteRunnable xpcom/threads/ThrottledEventQueue.cpp:193
8 xul.dll mozilla::ThrottledEventQueue::Inner::Executor::Run xpcom/threads/ThrottledEventQueue.cpp:79
9 xul.dll mozilla::SchedulerGroup::Runnable::Run xpcom/threads/SchedulerGroup.cpp:395

=============================================================

There are 32 crashes (from are 16 installations) in nightly 60 with buildid 20180124220129. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1231211.

[1] https://hg.mozilla.org/mozilla-central/rev?node=60a29396c52f
Flags: needinfo?(bkelly)
Crash Signature: [@ `anonymous namespace'::AssertLoadingPrincipalAndClientInfoMatch] → [@ `anonymous namespace'::AssertLoadingPrincipalAndClientInfoMatch] [@ (anonymous namespace)::AssertLoadingPrincipalAndClientInfoMatch]
In case it helps, a user reported that crash on the Nightly blog and provided an url where it crashes for him
https://blog.nightly.mozilla.org/2018/01/18/these-weeks-in-firefox-issue-30/#comment-4790
Pascal, does that user have any extensions installed?
Flags: needinfo?(bkelly) → needinfo?(pascalc)
Flags: needinfo?(bkelly)
Assignee: nobody → bkelly
Status: NEW → ASSIGNED
Flags: needinfo?(bkelly)
I guess crash stats does not show any extensions...
Flags: needinfo?(pascalc)
These are all fetch() calls from worker threads.
Ok, I have steps to reproduce:

1. Open http://example.com
2. Run this in the web console:

  new Worker('data:text/javascript,fetch("http://example.com")');
Amazingly this means we don't have *any* tests that call fetch() from a data URL worker...
(In reply to Ben Kelly [:bkelly] from comment #6)
> Amazingly this means we don't have *any* tests that call fetch() from a data
> URL worker...

that's really surprising, we should include some as part of this bug.
Priority: -- → P2
Instead of writing a new test I decided to expand the scope of coverage in local-url-inherit-controller.https.html.  It was already creating data URL workers.  This both provokes the crash and reveals another bug.  While we're inheriting the service worker for local URL we're not actually intercepting subresource requests from it.
Comment on attachment 8945522 [details] [diff] [review]
P1 Make workers keep the same null principal even if GetChannelResultPrincipal() returns different null principals. r=baku

Andrea, it turns out that this happens with data URL nsIChannels:

  nsCOMPtr<nsIPrincipal> p1;
  ssm->GetChannelResultPrincipal(channel, getter_AddRefs(p1));

  nsCOMPtr<nsIPrincipal> p2;
  ssm->GetChannelResultPrincipal(channel, getter_AddRefs(p2));

  // Not equal!
  p1->Equals(p2);

This is because GetChannelResultPrincipal() mints a new null principal each time AFAICT.

The ClientSource is created before we actually AsyncOpen() the nsIChannel.  So we get the principal once then.  We then rely on the idea that the principal will not change since workers are same-origin.  We end up getting a different null principal, though.

To work around this lets just avoid overwriting the null principal for a worker.  Once it has a null principal it just keeps it.
Attachment #8945522 - Flags: review?(amarchesini)
(In reply to Ben Kelly [:bkelly] from comment #8)
> workers.  This both provokes the crash and reveals another bug.  While we're
> inheriting the service worker for local URL we're not actually intercepting
> subresource requests from it.

The "other bug" was a problem in the test.  We're intercepting like we should.
Attachment #8945530 - Attachment description: hg log → P2 Update local-url-inherit-controller.https.html to test fetch() interception in local URL windows and workers. r=asuth
Attachment #8945525 - Attachment is obsolete: true
Comment on attachment 8945530 [details] [diff] [review]
P2 Update local-url-inherit-controller.https.html to test fetch() interception in local URL windows and workers. r=asuth

Andrew, this patch further expands local-url-inherit-controller.https.html to run fetch() in the local URL clients to see if its intercepted.  This gives us better test coverage that service workers are actually working and also happens to trigger this crash.
Attachment #8945530 - Flags: review?(bugmail)
See Also: → 1433181
Comment on attachment 8945530 [details] [diff] [review]
P2 Update local-url-inherit-controller.https.html to test fetch() interception in local URL windows and workers. r=asuth

Review of attachment 8945530 [details] [diff] [review]:
-----------------------------------------------------------------

::: testing/web-platform/tests/service-workers/service-worker/resources/local-url-inherit-controller-frame.html
@@ +13,1 @@
>  </` + `script>`;

Makes you almost miss <![CDATA[, right? ;)
Attachment #8945530 - Flags: review?(bugmail) → review+
Comment on attachment 8945522 [details] [diff] [review]
P1 Make workers keep the same null principal even if GetChannelResultPrincipal() returns different null principals. r=baku

Redirecting this to Andrew since Andrea is probably done for the day and this is a high frequency crasher.

Please see comment 10.
Attachment #8945522 - Flags: review?(amarchesini) → review?(bugmail)
Comment on attachment 8945522 [details] [diff] [review]
P1 Make workers keep the same null principal even if GetChannelResultPrincipal() returns different null principals. r=baku

Review of attachment 8945522 [details] [diff] [review]:
-----------------------------------------------------------------

Restating: This is a workaround for the interaction of bug 1433181 that we are minting a new null principal for each call to GetChannelResultPrincipal().  Bug 1431771 may also generally come into play because that one is about null principals with the same UUID not being equals.  The specific assertion crash triggers because the principals are not Equals() because they are separate instances, and then their stringified origins are not equal either (because they're also different UUIDs).  Those bugs will make this logic go away.

This logic is consistent with :bkelly's prior changes to WorkerPrivate r+'d by baku in bug 1333573 where WorkerPrivate::FinalChannelPrincipalIsValid which added the following logic:

  // Verify that the channel is still a null principal.  We don't care
  // if these are the exact same null principal object, though.  From
  // the worker's perspective its the same effect.
  if (principal->GetIsNullPrincipal() && mPrincipal->GetIsNullPrincipal()) {
    return true;
  }

  // Otherwise we require exact equality.  Redirects can happen, but they
  // are not allowed to change our principal.
  if (principal->Equals(mPrincipal)) {
    return true;
  }
Attachment #8945522 - Flags: review?(bugmail) → review+
> Bug 1431771 may also generally come into play because that one is about null principals
> with the same UUID not being equals.

Just to clarify, that is actually unrelated because we are getting different UUIDs as well.  So the origin string is different.
Pushed by bkelly@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/c0e6a1684ad6
P1 Make workers keep the same null principal even if GetChannelResultPrincipal() returns different null principals. r=baku
https://hg.mozilla.org/integration/mozilla-inbound/rev/c48ec0d13931
P2 Update local-url-inherit-controller.https.html to test fetch() interception in local URL windows and workers. r=asuth
https://hg.mozilla.org/mozilla-central/rev/c0e6a1684ad6
https://hg.mozilla.org/mozilla-central/rev/c48ec0d13931
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox60: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
Crash Signature: [@ `anonymous namespace'::AssertLoadingPrincipalAndClientInfoMatch] [@ (anonymous namespace)::AssertLoadingPrincipalAndClientInfoMatch] → [@ `anonymous namespace'::AssertLoadingPrincipalAndClientInfoMatch] [@ (anonymous namespace)::AssertLoadingPrincipalAndClientInfoMatch] [@ AssertLoadingPrincipalAndClientInfoMatch]
No more crashes since the patches landed.
Status: RESOLVED → VERIFIED
status-firefox60: fixedverified
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: