Closed
Bug 1433044
Opened 7 years ago
Closed 7 years ago
Crash in `anonymous namespace'::AssertLoadingPrincipalAndClientInfoMatch
Categories
(Core :: DOM: Service Workers, defect, P2)
Tracking
()
VERIFIED
FIXED
mozilla60
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox58 | --- | unaffected |
firefox59 | --- | unaffected |
firefox60 | --- | verified |
People
(Reporter: calixte, Assigned: bkelly)
References
(Blocks 1 open bug)
Details
(Keywords: crash, regression)
Crash Data
Attachments
(2 files, 2 obsolete files)
1.71 KB,
patch
|
asuth
:
review+
|
Details | Diff | Splinter Review |
10.50 KB,
patch
|
asuth
:
review+
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is
report bp-0decce3d-7578-4dda-966a-01e010180125.
=============================================================
Top 10 frames of crashing thread:
0 xul.dll `anonymous namespace'::AssertLoadingPrincipalAndClientInfoMatch netwerk/base/nsNetUtil.cpp:260
1 xul.dll NS_NewChannel netwerk/base/nsNetUtil.cpp:305
2 xul.dll mozilla::dom::FetchDriver::HttpFetch dom/fetch/FetchDriver.cpp:524
3 xul.dll mozilla::dom::FetchDriver::Fetch dom/fetch/FetchDriver.cpp:397
4 xul.dll mozilla::dom::MainThreadFetchRunnable::Run dom/fetch/Fetch.cpp:444
5 xul.dll mozilla::ThrottledEventQueue::Inner::ExecuteRunnable xpcom/threads/ThrottledEventQueue.cpp:193
6 xul.dll mozilla::ThrottledEventQueue::Inner::Executor::Run xpcom/threads/ThrottledEventQueue.cpp:79
7 xul.dll mozilla::ThrottledEventQueue::Inner::ExecuteRunnable xpcom/threads/ThrottledEventQueue.cpp:193
8 xul.dll mozilla::ThrottledEventQueue::Inner::Executor::Run xpcom/threads/ThrottledEventQueue.cpp:79
9 xul.dll mozilla::SchedulerGroup::Runnable::Run xpcom/threads/SchedulerGroup.cpp:395
=============================================================
There are 32 crashes (from are 16 installations) in nightly 60 with buildid 20180124220129. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1231211.
[1] https://hg.mozilla.org/mozilla-central/rev?node=60a29396c52f
Flags: needinfo?(bkelly)
Reporter | ||
Updated•7 years ago
|
Crash Signature: [@ `anonymous namespace'::AssertLoadingPrincipalAndClientInfoMatch] → [@ `anonymous namespace'::AssertLoadingPrincipalAndClientInfoMatch]
[@ (anonymous namespace)::AssertLoadingPrincipalAndClientInfoMatch]
Comment 1•7 years ago
|
||
In case it helps, a user reported that crash on the Nightly blog and provided an url where it crashes for him
https://blog.nightly.mozilla.org/2018/01/18/these-weeks-in-firefox-issue-30/#comment-4790
Assignee | ||
Comment 2•7 years ago
|
||
Pascal, does that user have any extensions installed?
Flags: needinfo?(bkelly) → needinfo?(pascalc)
Assignee | ||
Updated•7 years ago
|
Flags: needinfo?(bkelly)
Assignee | ||
Updated•7 years ago
|
Assignee: nobody → bkelly
Status: NEW → ASSIGNED
Flags: needinfo?(bkelly)
Assignee | ||
Comment 3•7 years ago
|
||
I guess crash stats does not show any extensions...
Flags: needinfo?(pascalc)
Assignee | ||
Comment 4•7 years ago
|
||
These are all fetch() calls from worker threads.
Assignee | ||
Comment 5•7 years ago
|
||
Ok, I have steps to reproduce:
1. Open http://example.com
2. Run this in the web console:
new Worker('data:text/javascript,fetch("http://example.com")');
Assignee | ||
Comment 6•7 years ago
|
||
Amazingly this means we don't have *any* tests that call fetch() from a data URL worker...
Comment 7•7 years ago
|
||
(In reply to Ben Kelly [:bkelly] from comment #6)
> Amazingly this means we don't have *any* tests that call fetch() from a data
> URL worker...
that's really surprising, we should include some as part of this bug.
Updated•7 years ago
|
Priority: -- → P2
Assignee | ||
Comment 8•7 years ago
|
||
Instead of writing a new test I decided to expand the scope of coverage in local-url-inherit-controller.https.html. It was already creating data URL workers. This both provokes the crash and reveals another bug. While we're inheriting the service worker for local URL we're not actually intercepting subresource requests from it.
Assignee | ||
Comment 9•7 years ago
|
||
Assignee | ||
Comment 10•7 years ago
|
||
Comment on attachment 8945522 [details] [diff] [review]
P1 Make workers keep the same null principal even if GetChannelResultPrincipal() returns different null principals. r=baku
Andrea, it turns out that this happens with data URL nsIChannels:
nsCOMPtr<nsIPrincipal> p1;
ssm->GetChannelResultPrincipal(channel, getter_AddRefs(p1));
nsCOMPtr<nsIPrincipal> p2;
ssm->GetChannelResultPrincipal(channel, getter_AddRefs(p2));
// Not equal!
p1->Equals(p2);
This is because GetChannelResultPrincipal() mints a new null principal each time AFAICT.
The ClientSource is created before we actually AsyncOpen() the nsIChannel. So we get the principal once then. We then rely on the idea that the principal will not change since workers are same-origin. We end up getting a different null principal, though.
To work around this lets just avoid overwriting the null principal for a worker. Once it has a null principal it just keeps it.
Attachment #8945522 -
Flags: review?(amarchesini)
Assignee | ||
Comment 11•7 years ago
|
||
Attachment #8945515 -
Attachment is obsolete: true
Assignee | ||
Comment 12•7 years ago
|
||
(In reply to Ben Kelly [:bkelly] from comment #8)
> workers. This both provokes the crash and reveals another bug. While we're
> inheriting the service worker for local URL we're not actually intercepting
> subresource requests from it.
The "other bug" was a problem in the test. We're intercepting like we should.
Assignee | ||
Comment 13•7 years ago
|
||
Assignee | ||
Updated•7 years ago
|
Attachment #8945530 -
Attachment description: hg log → P2 Update local-url-inherit-controller.https.html to test fetch() interception in local URL windows and workers. r=asuth
Assignee | ||
Updated•7 years ago
|
Attachment #8945525 -
Attachment is obsolete: true
Assignee | ||
Comment 14•7 years ago
|
||
Comment on attachment 8945530 [details] [diff] [review]
P2 Update local-url-inherit-controller.https.html to test fetch() interception in local URL windows and workers. r=asuth
Andrew, this patch further expands local-url-inherit-controller.https.html to run fetch() in the local URL clients to see if its intercepted. This gives us better test coverage that service workers are actually working and also happens to trigger this crash.
Attachment #8945530 -
Flags: review?(bugmail)
Assignee | ||
Comment 15•7 years ago
|
||
Assignee | ||
Comment 16•7 years ago
|
||
Comment 17•7 years ago
|
||
Comment on attachment 8945530 [details] [diff] [review]
P2 Update local-url-inherit-controller.https.html to test fetch() interception in local URL windows and workers. r=asuth
Review of attachment 8945530 [details] [diff] [review]:
-----------------------------------------------------------------
::: testing/web-platform/tests/service-workers/service-worker/resources/local-url-inherit-controller-frame.html
@@ +13,1 @@
> </` + `script>`;
Makes you almost miss <![CDATA[, right? ;)
Attachment #8945530 -
Flags: review?(bugmail) → review+
Assignee | ||
Comment 18•7 years ago
|
||
Comment on attachment 8945522 [details] [diff] [review]
P1 Make workers keep the same null principal even if GetChannelResultPrincipal() returns different null principals. r=baku
Redirecting this to Andrew since Andrea is probably done for the day and this is a high frequency crasher.
Please see comment 10.
Attachment #8945522 -
Flags: review?(amarchesini) → review?(bugmail)
Comment 19•7 years ago
|
||
Comment on attachment 8945522 [details] [diff] [review]
P1 Make workers keep the same null principal even if GetChannelResultPrincipal() returns different null principals. r=baku
Review of attachment 8945522 [details] [diff] [review]:
-----------------------------------------------------------------
Restating: This is a workaround for the interaction of bug 1433181 that we are minting a new null principal for each call to GetChannelResultPrincipal(). Bug 1431771 may also generally come into play because that one is about null principals with the same UUID not being equals. The specific assertion crash triggers because the principals are not Equals() because they are separate instances, and then their stringified origins are not equal either (because they're also different UUIDs). Those bugs will make this logic go away.
This logic is consistent with :bkelly's prior changes to WorkerPrivate r+'d by baku in bug 1333573 where WorkerPrivate::FinalChannelPrincipalIsValid which added the following logic:
// Verify that the channel is still a null principal. We don't care
// if these are the exact same null principal object, though. From
// the worker's perspective its the same effect.
if (principal->GetIsNullPrincipal() && mPrincipal->GetIsNullPrincipal()) {
return true;
}
// Otherwise we require exact equality. Redirects can happen, but they
// are not allowed to change our principal.
if (principal->Equals(mPrincipal)) {
return true;
}
Attachment #8945522 -
Flags: review?(bugmail) → review+
Assignee | ||
Comment 20•7 years ago
|
||
> Bug 1431771 may also generally come into play because that one is about null principals
> with the same UUID not being equals.
Just to clarify, that is actually unrelated because we are getting different UUIDs as well. So the origin string is different.
Comment 21•7 years ago
|
||
Pushed by bkelly@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/c0e6a1684ad6
P1 Make workers keep the same null principal even if GetChannelResultPrincipal() returns different null principals. r=baku
https://hg.mozilla.org/integration/mozilla-inbound/rev/c48ec0d13931
P2 Update local-url-inherit-controller.https.html to test fetch() interception in local URL windows and workers. r=asuth
Comment 22•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/c0e6a1684ad6
https://hg.mozilla.org/mozilla-central/rev/c48ec0d13931
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
Reporter | ||
Updated•7 years ago
|
Crash Signature: [@ `anonymous namespace'::AssertLoadingPrincipalAndClientInfoMatch]
[@ (anonymous namespace)::AssertLoadingPrincipalAndClientInfoMatch] → [@ `anonymous namespace'::AssertLoadingPrincipalAndClientInfoMatch]
[@ (anonymous namespace)::AssertLoadingPrincipalAndClientInfoMatch]
[@ AssertLoadingPrincipalAndClientInfoMatch]
Reporter | ||
Comment 23•7 years ago
|
||
No more crashes since the patches landed.
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•