Closed Bug 1437361 Opened 6 years ago Closed 4 years ago

firefox segfaults on first page load with umatrix extension

Categories

(Core :: DOM: Core & HTML, defect, P3)

58 Branch
defect

Tracking

RESOLVED DUPLICATE of bug 1430818
Tracking Status
firefox58 --- affected
firefox60 --- affected

People

(Reporter: sergeev917, Unassigned)

Details

(Keywords: crash, regression)

Attachments

(2 files)

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20100101

Steps to reproduce:

Note: this specific problem is originally filed against umatrix extension (https://github.com/gorhill/uMatrix/issues/949). But since the firefox process crashes with a segmentation fault, it seems there might be insufficient validation & sanity checks along the way. That is the primary concern for this bug filing.

Steps to reproduce:
- install firefox 58.0.1
- make sure no prior profile data is present (move or delete ~/.mozilla)
- open the browser, navigate to about:config and set the following prefs:
    privacy.sanitize.sanitizeOnShutdown = true
    privacy.sanitize.timeSpan = 0
- navigate to about:addons; install umatrix extension (1.3.2)
- click preferences on umatrix addon and load the following ruleset:
    https-strict: behind-the-scene false
    matrix-off: about-scheme true
    matrix-off: behind-the-scene true
    matrix-off: chrome-extension-scheme true
    matrix-off: chrome-scheme true
    matrix-off: moz-extension-scheme true
    matrix-off: opera-scheme true
    matrix-off: wyciwyg-scheme true
    noscript-spoof: * true
    referrer-spoof: * true
    referrer-spoof: behind-the-scene false
    * * * block
    * * css allow
    * * frame block
    * * image allow
    * 1st-party * allow
    * 1st-party frame allow
    felixcloutier.com 1st-party * inherit
    www.felixcloutier.com 1st-party frame inherit
- commit the ruleset (via a button)
- navigate to http://www.felixcloutier.com/x86/CPUID.xml


Actual results:

"Gah. Your tab just crashed". This happens the first time the page is accessed, but then works fine (until restart).


Expected results:

An error message about the inability to perform the XSLT transform (i.e. not a crash).
Severity: normal → critical
Keywords: crash
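The STR above depends on a clean profile, two about:config prefs, the uMatrix ruleset, and a page that triggers a client-side XSLT transform. The following script is an added example (not part of the bug report, of uMatrix, or of Firefox): it builds a throwaway profile with the two prefs in user.js, saves the ruleset to a file for import, and writes a minimal XML + XSLT pair that stands in for the original felixcloutier.com page. The file names, directory layout and the content of the XML/XSLT testcase are constructed for illustration; the prefs and ruleset are copied from the STR.

```shell
#!/bin/sh
# Added example, not part of the bug report or of uMatrix/Firefox: builds a
# throwaway Firefox profile carrying the two prefs from the STR, writes the
# uMatrix ruleset to a file for import, and writes a small XML + XSLT pair that
# stands in for the original felixcloutier.com page. File names and the
# testcase content are constructed for illustration only.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Firefox reads user.js from the profile directory at start-up and applies the
# user_pref() calls on top of the defaults, so a fresh profile dir plus this
# file covers the "no prior profile data" and about:config steps of the STR.
write_user_js() {
    cat > "$1/user.js" <<'EOF'
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.sanitize.timeSpan", 0);
EOF
}

# The xml-stylesheet processing instruction makes Gecko fetch style.xsl and
# transform the document client-side while the page loads, which is the
# code path the reported crash sits in. Content is a constructed sample.
write_testcase() {
    cat > "$1/CPUID.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="style.xsl"?>
<instruction name="CPUID">
  <summary>Constructed sample document, not the original page content.</summary>
</instruction>
EOF
    cat > "$1/style.xsl" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="html"/>
  <xsl:template match="/instruction">
    <html><body>
      <h1><xsl:value-of select="@name"/></h1>
      <p><xsl:value-of select="summary"/></p>
    </body></html>
  </xsl:template>
</xsl:stylesheet>
EOF
}

# The exact ruleset from the STR, saved so it can be pasted into the uMatrix
# dashboard instead of retyped.
write_ruleset() {
    cat > "$1/umatrix-rules.txt" <<'EOF'
https-strict: behind-the-scene false
matrix-off: about-scheme true
matrix-off: behind-the-scene true
matrix-off: chrome-extension-scheme true
matrix-off: chrome-scheme true
matrix-off: moz-extension-scheme true
matrix-off: opera-scheme true
matrix-off: wyciwyg-scheme true
noscript-spoof: * true
referrer-spoof: * true
referrer-spoof: behind-the-scene false
* * * block
* * css allow
* * frame block
* * image allow
* 1st-party * allow
* 1st-party frame allow
felixcloutier.com 1st-party * inherit
www.felixcloutier.com 1st-party frame inherit
EOF
}

# Creates profile/ and site/ under $WORK and prints the work directory.
prepare() {
    mkdir -p "$WORK/profile" "$WORK/site"
    write_user_js "$WORK/profile"
    write_testcase "$WORK/site"
    write_ruleset "$WORK"
    echo "$WORK"
}

# -no-remote keeps this instance separate from any Firefox already running;
# -profile points it at the scratch profile so ~/.mozilla is never touched.
launch() {
    if ! command -v firefox >/dev/null 2>&1; then
        echo "firefox not on PATH; prepared files are under $WORK" >&2
        return 0
    fi
    firefox -no-remote -profile "$WORK/profile" "file://$WORK/site/CPUID.xml"
}

case "${1:-}" in
    run) prepare && launch ;;
esac
```

Run it as `sh repro.sh run`; installing uMatrix 1.3.2 (from https://addons.mozilla.org/en-US/firefox/addon/umatrix/versions/) and importing the saved ruleset still has to be done by hand in the launched browser. Two caveats: the last two ruleset lines are keyed on felixcloutier.com, so a local copy opened from file:// falls under the `*` rules instead, and the STR loaded the page over http; serving the two files from a local HTTP server under a hostname you can name in the ruleset follows the original conditions more closely.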
Managed to reproduce this issue on Firefox 58.0.2 and Nightly 60.0a1(2018-02-13) on Windows 10 x64 using the STR from the description.

The issue is not reproducible with the default values of preferences: "privacy.sanitize.sanitizeOnShutdown=False"  and "privacy.sanitize.timeSpan=1".
Status: UNCONFIRMED → NEW
Component: Untriaged → WebExtensions: General
Ever confirmed: true
Product: Firefox → Toolkit
Component: WebExtensions: General → DOM
Product: Toolkit → Core
Wennie, this feels like something your team would be interested in.
Roxana, since you can reproduce, is there a chance you can get a regression window?
Flags: needinfo?(wleung)
Flags: needinfo?(roxana.leitan)
Priority: -- → P3
Hi Andrew,

I cannot reproduce the issue anymore on Firefox 58.0.1 or latest Nightly 61.0a1 with umatrix, version 1.3.2 or 1.3.4 using the same STR. 

Please note that the latest umatrix version is 1.3.4.

Alexander, can you reproduce the issue using the latest umatrix version 1.3.4?
Flags: needinfo?(roxana.leitan) → needinfo?(sergeev917)
Hi,

> can you reproduce the issue using the latest umatrix version 1.3.4?

I will look into that, though it might take some time (hopefully, within a day).

Regarding the latest version -- I'm not sure that is the goal: whatever is happening in the extension js code, the worker process should not crash. I mean the 1.3.4 version might have been changed in a way that it no longer triggers the problem, but it would not mean that there is no problem anymore.
> I will look into that, though it might take some time

I cannot reproduce the issue either on 59.0.2 with umatrix 1.3.2/1.3.4.
I will try to recompile 58.0.1 in a clean vm sometime this week.
(In reply to Alexander Sergeyev from comment #4)
> Regarding the latest version -- I'm not sure that is the goal: whatever is
> happening in the extension js code, the worker process should not crash. I
> mean the 1.3.4 version might be changed in a way so it no longer triggers
> the problem, but it would not mean that there is no problem anymore.

I think it's more to have a clear STR (steps to reproduce) so we can debug and fix :)
Sorry it took that long, but I finally got my hands on the problem.

> I cannot reproduce the issue anymore on Firefox 58.0.1 or latest Nightly 61.0a1 with umatrix, version 1.3.2 or 1.3.4 using the same STR. 

Same here, but I have a good idea about the reason.

As can be seen in the original STR, the original page was actually XML (with an XSLT transformation into HTML). Now the link is redirected to .html and no XSLT transformation happens client-side. So, to continue with this problem we would require either another similarly functioning page/testcase or some backup copy of the original page.
Flags: needinfo?(sergeev917)
(In reply to Alex Vincent [:WeirdAl] from comment #8)
> https://web.archive.org/web/*/https://github.com/gorhill/uMatrix/ maybe?

The problem is not about an unavailable umatrix build (it is available at https://addons.mozilla.org/en-US/firefox/addon/umatrix/versions/).
I meant that http://www.felixcloutier.com/x86/CPUID.xml has changed. When the bug was reported, the page performed an XSLT transformation from an XML document, but now it redirects to an HTML page.
Component: DOM → DOM: Core & HTML

Hi Baku, please take a look at this. thanks!

Flags: needinfo?(wleung) → needinfo?(amarchesini)

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression

Alexander, is it possible to have a copy of that XML + XSLT?

peterv, do you have ideas about why we crash here? It seems that mSource is null when notifyError() is called. This can happen (if I read the code correctly) only if: CreateDocumentFragment() returns null.

Flags: needinfo?(sergeev917)
Flags: needinfo?(peterv)
Flags: needinfo?(amarchesini)

Hi,

(In reply to Andrea Marchesini [:baku] from comment #12)
> Alexander, is it possible to have a copy of that XML + XSLT?

I'm not affiliated with the site from STR, but was using it at the time. I didn't make a copy of fetched pages then, but it seems to be possible to use data from archive.org. Its use doesn't guarantee a successful bug reproduction, but maybe it's worth a try. I've attached an archive with such source files.

Flags: needinfo?(sergeev917)

I'm going to mark this as a duplicate of bug 1430818, which I think fixed this.

Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(peterv)
Resolution: --- → DUPLICATE
