Crash in mozilla::dom::ClientSource::WindowExecutionReady
Categories
(Core :: Privacy: Anti-Tracking, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | wontfix |
| firefox64 | --- | wontfix |
| firefox65 | --- | wontfix |
| firefox66 | --- | wontfix |
| firefox67 | --- | wontfix |
| firefox68 | --- | wontfix |
| firefox69 | --- | wontfix |
| firefox70 | --- | wontfix |
| firefox71 | --- | disabled |
| firefox72 | --- | disabled |
| firefox73 | --- | disabled |
| firefox74 | --- | disabled |
| firefox75 | --- | wontfix |
| firefox76 | --- | verified |
People
(Reporter: baku, Assigned: baku)
References
Details
(Keywords: crash, regression, steps-wanted, Whiteboard: [privacy65][anti-tracking])
Crash Data
Attachments
(1 file)
|
||
Comment 1•6 years ago
|
||
|
||
Updated•6 years ago
|
|
||
Comment 2•6 years ago
|
||
|
||
Updated•6 years ago
|
|
|
||
Comment 3•6 years ago
|
||
|
Assignee | |
Comment 4•6 years ago
|
||
|
|
||
Comment 5•6 years ago
|
||
|
||
Comment 6•6 years ago
|
||
|
||
Comment 7•6 years ago
|
||
|
|
||
Updated•6 years ago
|
|
|
||
Updated•6 years ago
|
|
||
Comment 8•6 years ago
|
||
This has a Target Milestone and is set to P1 so let's leave it off the 66 affected radar.
|
|
Assignee | |
Updated•6 years ago
|
|
|
Assignee | |
Updated•6 years ago
|
|
||
Updated•6 years ago
|
|
|
||
Updated•6 years ago
|
|
|
||
Updated•6 years ago
|
|
|
||
Comment 9•6 years ago
•
|
||
(I was wrong; the crash widget thing here seems to not match Socorro) There are quite a few patches across all channels, many at the same address. baku, can you take another look here?
|
|
||
Updated•6 years ago
|
|
||
Comment 10•6 years ago
|
||
Baku, any news on this bug?
|
||
Updated•6 years ago
|
|
|
Assignee | |
Updated•6 years ago
|
|
|
||
Comment 12•5 years ago
|
||
Only one crash since 68 beta 9, so wontfix for 68
|
||
Comment 13•5 years ago
|
||
Adding 70 as affected. This is visible in 69 and one comment says "Still 100% tab crash on innoreader.com in RSS article with YouTube video in it. "
|
||
Comment 14•5 years ago
|
||
(In reply to Marcia Knous [:marcia - needinfo? me] from comment #13)
Adding 70 as affected. This is visible in 69 and one comment says "Still 100% tab crash on innoreader.com in RSS article with YouTube video in it. "
It was me, I have last nightly and it still 100% crash on inoreader.com in RSS article with YouTube video in it 🙂
Steps to reproduce:
- Open https://www.inoreader.com/ and sign in or create new account.
- Subscribe to feed with many video articles, for example https://feeds.feedburner.com/failblog.
- Open article with embedded video in this feed.
Gah. Your tab just crashed.
|
||
Comment 15•5 years ago
|
||
I got this crash (bp-051f94bd-6c2c-47c6-b6fb-8af6e0190809) on https://inexpensive-daisy.glitch.me/. Youtube had this service worker from about:serviceworkers:
Origin: https://www.youtube.com
Scope: https://www.youtube.com/
Script Spec: https://www.youtube.com/sw.js
Current Worker URL: https://www.youtube.com/sw.js
Active Cache Name: {ea8bd166-b827-4207-a351-8078d59a6524}
Waiting Cache Name: {$name}
Push Endpoint: null
|
|
||
Comment 16•5 years ago
|
||
(In reply to :Ehsan Akhgari from comment #15)
I got this crash (bp-051f94bd-6c2c-47c6-b6fb-8af6e0190809) on https://inexpensive-daisy.glitch.me/.
Reproduced the crash on the same page again: bp-042cf8ba-1858-4fa7-b732-e23bc0190812
|
|
||
Comment 17•5 years ago
•
|
||
STR using the latest Nightly:
- Set
browser.startup.pageto 3 anddom.serviceWorkers.parent_interceptto false. - Visit youtube.com, and about:serviceworkers. Ensure that the YouTube service worker is installed.
- Make sure you only have one tab open. In that tab, navigate to https://inexpensive-daisy.glitch.me/.
- Quit Nightly.
- Restart Firefox. At this point the session is restored, and the
inexpensive-daisypage crashes while restoring with this signature (see comment 15 and 16).
|
|
||
Comment 18•5 years ago
|
||
Ehsan is this is the correct component or should it be in DOM::Service Workers ? I'm seeing a bit of a spike in nightly 70 right now so I'm a little worried how this is going to look in beta 70. Can you suggest an owner for this bug?
|
||
Updated•5 years ago
|
|
|
||
Comment 19•5 years ago
|
||
(In reply to Liz Henry (:lizzard) from comment #18)
Ehsan is this is the correct component or should it be in DOM::Service Workers ? I'm seeing a bit of a spike in nightly 70 right now so I'm a little worried how this is going to look in beta 70. Can you suggest an owner for this bug?
It is in the right component I guess, really what matters is who looks at it. This is the intersection of service workers and anti-tracking.
I'm quite certain that this only impacts youtube embeds in ETP with level 2 blocking which isn't shipping yet (it's limited to nightly and early beta). This can be verified in the STR in comment 17 by setting the privacy.annotate_channels.strict_list.enabled pref to false.
Andrea is very busy on the secure proxy project, perhaps Andrew has some time to have a look now that we have a reliable STR here?
|
|
||
Comment 20•5 years ago
|
||
Ah, that explains why the crash volume dropped off after beta 7. So, this shouldn't affect 70 release (at least not much.)
|
|
||
Comment 21•5 years ago
|
||
I debugged the steps to reproduce in comment 17. Here is what happens.
When loading the embedded youtube iframes when restoring the session, we start to run nsGlobalWindowInner::ExecutionReady(). First we run nsGlobalWindowInner::EnsureClientSource() which calls SetController().
SetController() has similar diagnostic asserts to the ones that fail and crash here, but those do not run yet since mOwner is nullptr so both GetInnerWindow() and GetWorkerPrivate() return nullptr. Note that mOwner is only set in WindowExecutionReady/WorkerExecutionReady, which haven't been called yet (see the above paragraph!)
So the first conclusion here is that we should be crashing earlier, but by sheer accident, we don't...
But why is the assertion not holding in the first place? We must have decided to intercept the channel when we shouldn't have. Let's see why that is. If we look at the anti-tracking check that happens within nsDocShell::ShouldPrepareForIntercept() when it's called for the embedded youtube's document channel, it bails out from here, even though youtube.com is a third-party tracker. The reason why IsThirdPartyTrackingResource() returns false here is that ShouldInterceptURI() is called very early before the channel is classified...
This is very similar to bug 1516309, it's just that we saw the same problem there with HTTP redirects, but here we are seeing it with service worker interceptions.
For service worker interceptions, given how close we are to turning on parent interception by default (which calls ShouldIntercept() after classification has happened) I think it makes sense to just wait on bug 1588154 instead of working on a fix here which would become obsolete either in this release cycle or the next...
|
|
||
Comment 22•5 years ago
|
||
Marking as disabled for 71 as it depends on the privacy.annotate_channels.strict_list.enabled pref, disabled on the release channel.
|
|
||
Comment 23•5 years ago
|
||
I noticed that I am still seeing these crashes with a STR similar to comment 17, except that dom.serviceWorkers.parent_intercept is true and the crash happens once Firefox is restarted.
I wonder if the fact that this happens during a restart is somehow related to bug 1599379... But before we rule that out, I wanted to double check an assumption that I made in comment 21 and now I cannot remember why I assumed that. Andrew, do you mind helping me verify that this call to ShouldInterceptURI can only be made when dom.serviceWorkers.parent_intercept is false? Thanks!
|
||
Comment 24•5 years ago
•
|
||
EDIT: I mis-spoke somewhat here. There should not be an intercept controller because the client docshell won't create one. This means the real call-stack is:
Calls:
- HttpChannelChild::AsyncOpenInternal calls ShouldIntercepURI
- HCC:ShouldInterceptURI calls HttpBaseChannel::ShouldIntercept
- HBC::ShouldIntercept will not have a controller and not be able to call ShouldPrepareForIntercept
Original Comment
I think that call to ShouldInterceptURI will be made, but because content-process ServiceWorkerManagers have no registrations, the call-chain[1] that terminates in a call to ServiceWorkerManager::IsAvailable will return false at that point. Unfortunately, all the logic related to STS upgrades and maybe other side-effects happen.
I think we want a parent-intercept guard at the ShouldInterceptURI call-site. Probably we should be asserting that if parent-intercept is on, mPostRedirectChannelShouldIntercept is false, and we should not invoke that call.
1: Calls:
- HttpChannelChild::AsyncOpenInternal calls ShouldIntercepURI
- HCC:ShouldInterceptURI calls HttpBaseChannel::ShouldIntercept
- HBC::ShouldIntercept calls nsINetworkInterceptController::ShouldPrepareForIntercept
- ServiceWorkerInterceptController::ShouldPrepareForIntercept calls ServiceWorkerManager::IsAvailable
- SWM::IsAvailable gets a null registration
|
|
||
Comment 25•5 years ago
|
||
An update on comment 23: I seem to no longer be able to reproduce this using the STR we have with no combination of prefs that I can think of at all, so it's possible that there is indeed nothing that we need to do here any more?
|
|
||
Updated•5 years ago
|
|
|
||
Comment 26•5 years ago
|
||
There are still regular crashes in 73 in this signature. - 34 crashes/26 installations in the last 7 days. All but one have MOZ_DIAGNOSTIC_ASSERT(spec.LowerCaseEqualsLiteral("about:blank") || StringBeginsWith(spec, static_cast<const nsLiteralCString&>(nsLiteralCString("" "blob:"))) || StorageAllowedForWindow(aInnerWindow) == StorageAccess::eAllow) .
|
|
||
Updated•5 years ago
|
|
|
||
Updated•5 years ago
|
|
|
||
Updated•5 years ago
|
|
|
||
Comment 27•5 years ago
|
||
Note: using mozregression I found out that the STR in comment 17 stopped working after these patches: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=720c1e5a8dd3f5bda4ae32137d1c624a1ad55301&tochange=be9a6289486a6f366e431782b84a0c0633f8fec2
|
|
||
Comment 28•5 years ago
|
||
Given comment 27, it sounds like this might have been at least partially mitigated for 73+ by sw-e10s, though there's still some crashes showing up in Beta builds with low-ish volume.
|
||
Comment 29•5 years ago
•
|
||
I manage to reproduce the issue on a build from 2019-08-12 using Windows 10 x64 and a computer that has Intel HD Graphics Family by following the steps from comment 17.
Using the Latest Nightly on the same machine I tried various combination of scenarios ( changing prefs, restarting the browser, opening a lot of sites that have youtube videos embedded, installing various add-ons that I found in the crash reports) and sites that I took both from the comments left on the crash-stats.mozilla.org for this signature and from a list that was provided from englehardt (Thank you, Steve), but I didn't manage to reproduce the crash.
However, I did find out two things:
- The crash is more inclined to appear on a machine that has an Intel gpu and uses Windows 10.
- And I managed to find another crash: https://crash-stats.mozilla.org/report/index/2b5b4721-93e0-4bd7-a327-609810200115
Can you please take a look and see if it's related to this issue? Because for this one I have steps and it reproduces 4 times out of 5.
|
|
||
Comment 30•5 years ago
|
||
Thanks for trying to reproduce this.
(In reply to Oana Botisan, Desktop Release QA from comment #29)
I manage to reproduce the issue on a build from 2019-08-12 using Windows 10 x64 and a computer that has Intel HD Graphics Family by following the steps from comment 17.
That matches the regression range I found in comment 27 (in that the crash STR stopped working around October 9).
Using the Latest Nightly on the same machine I tried various combination of scenarios ( changing prefs, restarting the browser, opening a lot of sites that have youtube videos embedded, installing various add-ons that I found in the crash reports) and sites that I took both from the comments left on the crash-stats.mozilla.org for this signature and from a list that was provided from englehardt (Thank you, Steve), but I didn't manage to reproduce the crash.
However, I did find out two things:
- The crash is more inclined to appear on a machine that has an Intel gpu and uses Windows 10.
- And I managed to find another crash: https://crash-stats.mozilla.org/report/index/2b5b4721-93e0-4bd7-a327-609810200115
Can you please take a look and see if it's related to this issue? Because for this one I have steps and it reproduces 4 times out of 5.
That bug is unrelated, but please file it separately in the service workers component and make it block bug 1588154. Thanks!
|
|
||
Comment 31•5 years ago
|
||
However, I did find out two things:
- The crash is more inclined to appear on a machine that has an Intel gpu and uses Windows 10.
- And I managed to find another crash: https://crash-stats.mozilla.org/report/index/2b5b4721-93e0-4bd7-a327-609810200115
Can you please take a look and see if it's related to this issue? Because for this one I have steps and it reproduces 4 times out of 5.That bug is unrelated, but please file it separately in the service workers component and make it block bug 1588154. Thanks!
I logged bug 1610501 for this crash.
|
|
||
Comment 32•5 years ago
|
||
Is there anything else that we can help you with regarding this issue?
|
|
||
Comment 33•5 years ago
|
||
(In reply to Oana Botisan, Desktop Release QA from comment #32)
Is there anything else that we can help you with regarding this issue?
We still need steps to reproduce for the crash...
|
|
||
Updated•5 years ago
|
|
||
Comment 34•5 years ago
|
||
Lots of crashes on the 2/26 Linux Nightly. Lots of URLs are https://www.thecrag.com/ where one of the crashes has the comment "Site has started crashing with last few nightlies.". Just visiting the site doesn't reproduce the crash for me.
|
||
Updated•5 years ago
|
|
||
Comment 35•5 years ago
|
||
The crashtest layout/generic/crashtests/471360.html in fission crashtests (not run anywhere by default) hits this pretty reliably. (You have to disable a couple other crashtests that crash for other reasons first to get to this test).
|
||
Comment 37•5 years ago
|
||
(In reply to Timothy Nikkel (:tnikkel) from comment #35)
The crashtest layout/generic/crashtests/471360.html in fission crashtests (not run anywhere by default) hits this pretty reliably. (You have to disable a couple other crashtests that crash for other reasons first to get to this test).
Crashtest dom/base/crashtests/607222.html also intermittently hits this crash when Fission is enabled. That is duplicate bug 1620674.
|
|
||
Updated•5 years ago
|
|
|
||
Comment 38•5 years ago
|
||
Can we turn the diagnostic assert into a MOZ_ASSERT so this stops crashing for users, if we're not going to actually fix the crash soon?
It's become fairly common on nightly and DevEdition now.
|
|
Assignee | |
Updated•5 years ago
|
|
|
Assignee | |
Comment 39•5 years ago
|
||
|
||
Updated•5 years ago
|
|
|
Assignee | |
Comment 40•5 years ago
|
||
I wrote the patch, but if there is a STR, I'm happy to work on it.
|
||
Comment 41•5 years ago
|
||
|
||
Comment 42•5 years ago
|
||
| bugherder | ||
|
|
||
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
||
Comment 43•5 years ago
|
||
Reproduced the crash using Firefox 70.0a1 (20190812095530) on Windows 10 and STR from comment 17. Here is the crash report.
The issue is verified fixed using Firefox 76.0a1 (20200327215207) and Firefox 76.0b7 (20200421231527) on Windows 10x64. No crashes encountered while following STR from comment 17 and visiting https://www.thecrag.com/.
Description
•