Crash in mozilla::dom::FeaturePolicy::AllowsFeatureInternal

RESOLVED FIXED in Firefox 64

Status


defect
P2
critical
RESOLVED FIXED
10 months ago
9 months ago

People

(Reporter: calixte, Assigned: baku)

Tracking

(Blocks 1 bug, {crash, regression})

unspecified
mozilla64
Unspecified
Linux
Points:
---

Firefox Tracking Flags

(firefox-esr60 unaffected, firefox62 unaffected, firefox63 unaffected, firefox64 fixed)

Details

(Whiteboard: [domsecurity-active], crash signature)

Attachments

(1 attachment, 1 obsolete attachment)

This bug was filed from the Socorro interface and is
report bp-eb6d6e98-7013-4e3b-8670-8bddb0181002.
=============================================================

Top 10 frames of crashing thread:

0 libxul.so mozilla::dom::FeaturePolicy::AllowsFeatureInternal const xpcom/ds/nsTArray.h:510
1 libxul.so mozilla::dom::FeaturePolicy::InheritPolicy const dom/security/featurepolicy/FeaturePolicy.cpp:55
2 libxul.so mozilla::dom::FeaturePolicyUtils::ForEachFeature clang/include/c++/4.9.4/functional:2440
3 libxul.so mozilla::dom::FeaturePolicy::InheritPolicy dom/security/featurepolicy/FeaturePolicy.cpp:38
4 libxul.so mozilla::dom::HTMLIFrameElement::RefreshFeaturePolicy dom/html/HTMLIFrameElement.cpp:309
5 libxul.so mozilla::dom::HTMLIFrameElement::AfterSetAttr dom/html/HTMLIFrameElement.cpp:180
6 libxul.so mozilla::dom::Element::SetAttrAndNotify dom/base/Element.cpp:2762
7 libxul.so mozilla::dom::Element::SetAttr dom/base/Element.cpp:2609
8 libxul.so nsHtml5TreeOperation::SetHTMLElementAttributes dom/base/Element.h:864
9 libxul.so nsHtml5TreeOperation::CreateHTMLElement parser/html/nsHtml5TreeOperation.cpp:506

=============================================================

There is 1 crash in nightly 64 with buildid 20181001220118. Based on the backtrace, the regression may have been introduced by patch [1], which fixed bug 1390801.

[1] https://hg.mozilla.org/mozilla-central/rev?node=8edf2b229c9c
Flags: needinfo?(amarchesini)
I suspect this is going to be fixed by bug 1496034.
Flags: needinfo?(amarchesini)
No longer blocks: 1390801
Depends on: 1496034
See Also: → 1390801
Posted patch aa.patch (obsolete) — Splinter Review
I managed to reproduce it. Sometimes StartLoad() is called after checking mFeaturePolicy.
Assignee: nobody → amarchesini
Attachment #9016728 - Flags: review?(ckerschb)
Posted patch aa.patch — Splinter Review
Attachment #9016728 - Attachment is obsolete: true
Attachment #9016728 - Flags: review?(ckerschb)
Attachment #9016778 - Flags: review?(ckerschb)
Comment on attachment 9016778 [details] [diff] [review]
aa.patch

Review of attachment 9016778 [details] [diff] [review]:
-----------------------------------------------------------------

good catch. r=me
Attachment #9016778 - Flags: review?(ckerschb) → review+
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [domsecurity-active]
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/d49ecfa61467
Ensure FeaturePolicy creation in the document, r=ckerschb
https://hg.mozilla.org/mozilla-central/rev/d49ecfa61467
Status: ASSIGNED → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64