Closed Bug 1495862 Opened 2 years ago Closed 2 years ago

Crash in mozilla::dom::FeaturePolicy::AllowsFeatureInternal

Categories

(Core :: DOM: Security, defect, P2)

Product:
Core
Component:
DOM: Security
Platform:
Unspecified
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla64
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox62 --- unaffected
firefox63 --- unaffected
firefox64 --- fixed

People

(Reporter: calixte, Assigned: baku)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, Whiteboard: [domsecurity-active])

Crash Data

Attachments

(1 file, 1 obsolete file)

aa.patch
1.58 KB, patch
ckerschb
: review+
Details | Diff | Splinter Review 
This bug was filed from the Socorro interface and is
report bp-eb6d6e98-7013-4e3b-8670-8bddb0181002.
=============================================================

Top 10 frames of crashing thread:

0 libxul.so mozilla::dom::FeaturePolicy::AllowsFeatureInternal const xpcom/ds/nsTArray.h:510
1 libxul.so mozilla::dom::FeaturePolicy::InheritPolicy const dom/security/featurepolicy/FeaturePolicy.cpp:55
2 libxul.so mozilla::dom::FeaturePolicyUtils::ForEachFeature clang/include/c++/4.9.4/functional:2440
3 libxul.so mozilla::dom::FeaturePolicy::InheritPolicy dom/security/featurepolicy/FeaturePolicy.cpp:38
4 libxul.so mozilla::dom::HTMLIFrameElement::RefreshFeaturePolicy dom/html/HTMLIFrameElement.cpp:309
5 libxul.so mozilla::dom::HTMLIFrameElement::AfterSetAttr dom/html/HTMLIFrameElement.cpp:180
6 libxul.so mozilla::dom::Element::SetAttrAndNotify dom/base/Element.cpp:2762
7 libxul.so mozilla::dom::Element::SetAttr dom/base/Element.cpp:2609
8 libxul.so nsHtml5TreeOperation::SetHTMLElementAttributes dom/base/Element.h:864
9 libxul.so nsHtml5TreeOperation::CreateHTMLElement parser/html/nsHtml5TreeOperation.cpp:506

=============================================================

There is 1 crash in nightly 64 with buildid 20181001220118. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1390801.

[1] https://hg.mozilla.org/mozilla-central/rev?node=8edf2b229c9c
Flags: needinfo?(amarchesini)
I suspect this is going to be fixed by bug 1496034.
Flags: needinfo?(amarchesini)
Attached patch aa.patch (obsolete) — Splinter Review 
I managed to reproduce it. Sometimes StartLoad() is called after checking mFeaturePolicy.
Assignee: nobody → amarchesini
Attachment #9016728 - Flags: review?(ckerschb)
Attached patch aa.patchSplinter Review
Attachment #9016728 - Attachment is obsolete: true
Attachment #9016728 - Flags: review?(ckerschb)
Attachment #9016778 - Flags: review?(ckerschb)
Comment on attachment 9016778 [details] [diff] [review]
aa.patch

Review of attachment 9016778 [details] [diff] [review]:
-----------------------------------------------------------------

good catch. r=me
Attachment #9016778 - Flags: review?(ckerschb) → review+
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [domsecurity-active]
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/d49ecfa61467
Ensure FeaturePolicy creation in the document, r=ckerschb
https://hg.mozilla.org/mozilla-central/rev/d49ecfa61467
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox64: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
You need to log in before you can comment on or make changes to this bug.