Closed Bug 1533957 Opened 5 years ago Closed 5 years ago

Assertion failure: XRE_IsParentProcess(), at src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:676

Categories

(Core :: Networking, defect, P2)

Tracking

VERIFIED FIXED
mozilla71
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 - wontfix
firefox67 --- wontfix
firefox68 --- wontfix
firefox69 --- wontfix
firefox70 --- wontfix
firefox71 + verified
firefox72 --- verified
firefox73 --- verified

People

(Reporter: tsmith, Assigned: valentin)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, sec-moderate, testcase, Whiteboard: [necko-triaged][post-critsmash-triage][adv-main71+r][adv-esr68.3+r])

Crash Data

Attachments

(4 files, 2 obsolete files)

Attached file testcase.html (obsolete) —

Reduced with m-c:
BuildID=20190308215337
SourceStamp=67424fa758d40134fdca363ec9a7a992aa92403f

Allow pop-ups to trigger assertion with attached test case.

Assertion failure: XRE_IsParentProcess(), at src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:676

#0 nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, nsDocShellLoadState*, mozIDOMWindowProxy**) src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:1108:3
#1 nsWindowWatcher::OpenWindow(mozIDOMWindowProxy*, char const*, char const*, char const*, nsISupports*, mozIDOMWindowProxy**) src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:290:10
#2 NS_InvokeByIndex src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
#3 CallMethodHelper::Call() src/js/xpconnect/src/XPCWrappedNative.cpp:1178:19
#4 XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) src/js/xpconnect/src/XPCWrappedNative.cpp:1144:23
#5 XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:941:10
#6 CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:442:13
#7 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:534:12
#8 InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:589:10
#9 Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3058:16
#10 js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:422:10
#11 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:562:13
#12 InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:589:10
#13 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:605:8
#14 JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2560:10
#15 nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:993:17
#16 PrepareAndDispatch src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:127:37
#17 SharedStub (/home/user/workspace/browsers/m-c-20190308215337-asan-debug/libxul.so+0x44ff8aa)
#18 nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) src/uriloader/base/nsURILoader.cpp:485:30
#19 nsDocumentOpenInfo::OnStartRequest(nsIRequest*) src/uriloader/base/nsURILoader.cpp:299:8
#20 nsBaseChannel::OnStartRequest(nsIRequest*) src/netwerk/base/nsBaseChannel.cpp:763:23
#21 nsInputStreamPump::OnStateStart() src/netwerk/base/nsInputStreamPump.cpp:487:21
#22 nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) src/netwerk/base/nsInputStreamPump.cpp:396:21
#23 non-virtual thunk to nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) src/netwerk/base/nsInputStreamPump.cpp
#24 mozilla::NonBlockingAsyncInputStream::RunAsyncWaitCallback(mozilla::NonBlockingAsyncInputStream::AsyncWaitRunnable*, already_AddRefed<nsIInputStreamCallback>) src/xpcom/io/NonBlockingAsyncInputStream.cpp:411:13
#25 mozilla::NonBlockingAsyncInputStream::AsyncWaitRunnable::Run() src/xpcom/io/NonBlockingAsyncInputStream.cpp:29:14
#26 mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:295:32
#27 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1179:14
#28 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:482:10
#29 bool mozilla::SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::TabChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, nsDocShellLoadState*, bool*, mozIDOMWindowProxy**)::$_4>(mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::TabChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, nsDocShellLoadState*, bool*, mozIDOMWindowProxy**)::$_4&&, nsIThread*) src/obj-firefox/dist/include/nsThreadUtils.h:348:25
#30 mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::TabChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, nsDocShellLoadState*, bool*, mozIDOMWindowProxy**) src/dom/ipc/ContentChild.cpp:1118:5
#31 mozilla::dom::TabChild::ProvideWindow(mozIDOMWindowProxy*, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, nsDocShellLoadState*, bool*, mozIDOMWindowProxy**) src/dom/ipc/TabChild.cpp:924:14
#32 nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, nsDocShellLoadState*, mozIDOMWindowProxy**) src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:753:24
#33 nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsISupports*, bool, bool, nsDocShellLoadState*, mozIDOMWindowProxy**) src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:365:10
#34 nsGlobalWindowOuter::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsDocShellLoadState*, bool, nsPIDOMWindowOuter**) src/dom/base/nsGlobalWindowOuter.cpp:7199:21
#35 nsGlobalWindowOuter::OpenNoNavigate(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsPIDOMWindowOuter**) src/dom/base/nsGlobalWindowOuter.cpp:5729:10
#36 nsDocShell::PerformRetargeting(nsDocShellLoadState*, nsIDocShell**, nsIRequest**) src/docshell/base/nsDocShell.cpp:8728:15
#37 nsDocShell::InternalLoad(nsDocShellLoadState*, nsIDocShell**, nsIRequest**) src/docshell/base/nsDocShell.cpp:9122:12
#38 nsDocShell::OnLinkClickSync(nsIContent*, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsIInputStream*, nsIInputStream*, bool, nsIDocShell**, nsIRequest**, bool, nsIPrincipal*, nsIContentSecurityPolicy*) src/docshell/base/nsDocShell.cpp:12700:17
#39 mozilla::dom::HTMLFormElement::SubmitSubmission(mozilla::dom::HTMLFormSubmission*) src/dom/html/HTMLFormElement.cpp:707:23
#40 mozilla::dom::HTMLFormElement::DoSubmit(mozilla::WidgetEvent*) src/dom/html/HTMLFormElement.cpp:588:10
#41 mozilla::dom::HTMLFormElement::Submit(mozilla::ErrorResult&) src/dom/html/HTMLFormElement.cpp:227:9
#42 mozilla::dom::HTMLFormElement_Binding::submit(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLFormElement*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/HTMLFormElementBinding.cpp:853:9
#43 bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3144:13
#44 CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:442:13
#45 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:534:12
#46 InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:589:10
#47 Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3058:16
#48 js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:422:10
#49 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:562:13
#50 InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:589:10
#51 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:605:8
#52 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2623:10
#53 mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:266:37
#54 void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
#55 mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:205:12
#56 mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1042:51
#57 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1237:17
#58 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:351:17
#59 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:553:16
#60 mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1048:11
#61 nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1102:7
#62 nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:6560:21
#63 nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:6361:7
#64 non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
#65 nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1313:3
#66 nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:872:14
#67 nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:710:9
#68 nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:713:19
#69 nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:598:5
#70 non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp
#71 mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:568:22
#72 mozilla::net::nsLoadGroup::Cancel(nsresult) src/netwerk/base/nsLoadGroup.cpp:221:11
#73 nsDocLoader::Stop() src/uriloader/base/nsDocLoader.cpp:228:36
#74 nsDocShell::Stop(unsigned int) src/docshell/base/nsDocShell.cpp:4669:5
#75 nsDocShell::Destroy() src/docshell/base/nsDocShell.cpp:4940:3
#76 nsFrameLoader::DestroyDocShell() src/dom/base/nsFrameLoader.cpp:1701:16
#77 nsFrameLoaderDestroyRunnable::Run() src/dom/base/nsFrameLoader.cpp:1637:21
#78 mozilla::dom::Document::MaybeInitializeFinalizeFrameLoaders() src/dom/base/Document.cpp:6052:22
#79 mozilla::dom::Document::EndUpdate() src/dom/base/Document.cpp:4624:3
#80 nsHTMLDocument::EndUpdate() src/dom/html/nsHTMLDocument.cpp:1719:13
#81 mozAutoDocUpdate::~mozAutoDocUpdate() src/dom/base/mozAutoDocUpdate.h:34:18
#82 nsINode::RemoveChildNode(nsIContent*, bool) src/dom/base/nsINode.cpp:1784:1
#83 nsINode::RemoveChild(nsINode&, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:504:3
#84 mozilla::InsertNodeTransaction::UndoTransaction() src/editor/libeditor/InsertNodeTransaction.cpp:133:34
#85 mozilla::TransactionItem::UndoTransaction(mozilla::TransactionManager*) src/editor/txmgr/TransactionItem.cpp:160:22
#86 mozilla::TransactionItem::UndoChildren(mozilla::TransactionManager*) src/editor/txmgr/TransactionItem.cpp:196:29
#87 mozilla::TransactionItem::UndoTransaction(mozilla::TransactionManager*) src/editor/txmgr/TransactionItem.cpp:150:17
#88 mozilla::TransactionManager::Undo() src/editor/txmgr/TransactionManager.cpp:116:25
#89 mozilla::TextEditor::Undo(unsigned int) src/editor/libeditor/TextEditor.cpp:1658:34
#90 mozilla::UndoCommand::DoCommand(char const*, nsISupports*) src/editor/libeditor/EditorCommands.cpp:76:22
#91 nsControllerCommandTable::DoCommand(char const*, nsISupports*) src/dom/commandhandler/nsControllerCommandTable.cpp:140:26
#92 nsBaseCommandController::DoCommand(char const*) src/dom/commandhandler/nsBaseCommandController.cpp:123:25
#93 nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) src/dom/commandhandler/nsCommandManager.cpp:199:22
#94 nsHTMLDocument::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) src/dom/html/nsHTMLDocument.cpp:2543:18
#95 mozilla::dom::HTMLDocument_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:619:21
#96 bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3144:13
#97 CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:442:13
#98 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:534:12
#99 InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:589:10
#100 Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3058:16
#101 js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:422:10
#102 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:562:13
#103 InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:589:10
#104 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:605:8
#105 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2623:10
#106 mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:266:37
#107 void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
#108 mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:205:12
#109 mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1042:51
#110 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1237:17
#111 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:351:17
#112 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:553:16
#113 mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1048:11
#114 mozilla::(anonymous namespace)::AsyncTimeEventRunner::Run() src/dom/smil/SMILTimedElement.cpp:97:12
#115 mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:295:32
#116 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1179:14
#117 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:482:10
#118 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
#119 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:315:10
#120 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#121 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#122 XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:911:20
#123 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:238:9
#124 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:315:10
#125 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#126 XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:749:34
#127 content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
#128 main src/browser/app/nsBrowserApp.cpp:265:18
Flags: in-testsuite?
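The part of the stack above worth dwelling on is the nesting: frames #29-#30 show ContentChild::ProvideWindowCommon spinning a nested event loop (SpinEventLoopUntil) in the content process while it waits for the parent to answer the window request that the form submission (frames #32-#39) started, and frames #0-#28 show an unrelated event, a channel's OnStartRequest, nsDocumentOpenInfo::DispatchContent and then a JS content handler reached through XPCWrappedJS, running inside that wait and calling nsWindowWatcher::OpenWindow a second time, which is where the parent-only assertion fires. The C++ below is an added simulation of that re-entrancy pattern, written for this page and not Gecko code: Sim, its event queue, the Process enum and the enforce switch are stand-ins for illustration. The enforce branch shows what a runtime refusal would do instead of a debug-only assertion; that is an assumption about a release-safe check, not the fix that landed in this bug, which this page does not show.

```cpp
// Added simulation, not Gecko code: a content-process window open that waits
// synchronously by spinning the event loop, as ContentChild::ProvideWindowCommon
// does with SpinEventLoopUntil, and an unrelated OnStartRequest event that runs
// inside that wait and re-enters the window-opening path.
#include <cstdio>
#include <deque>
#include <functional>
#include <initializer_list>
#include <string>
#include <vector>

enum class Process { Parent, Content };

struct Sim {
  Process process = Process::Content;
  bool enforce = false;  // assumption: runtime refusal instead of a debug-only assert
  std::deque<std::function<void()>> queue;  // main-thread event queue
  std::vector<std::string> log;
  int openDepth = 0;               // > 0 while OpenWindowInternal is on the stack
  bool reentered = false;          // OpenWindowInternal entered while already active
  bool parentOnlyPathHit = false;  // content process continued into parent-only code

  void Dispatch(std::function<void()> ev) { queue.push_back(std::move(ev)); }

  bool ProcessNextEvent() {
    if (queue.empty()) return false;
    std::function<void()> ev = std::move(queue.front());
    queue.pop_front();
    ev();
    return true;
  }

  // Runs queued events until pred() holds; anything queued meanwhile runs too.
  template <class Pred>
  void SpinEventLoopUntil(Pred pred) {
    while (!pred()) {
      if (!ProcessNextEvent()) break;  // queue drained without a reply: give up
    }
  }

  // Content-process side of a window open: ask the parent, then block on the
  // answer by spinning the event loop. The reply is modelled as a queued event.
  void ProvideWindowCommon(const std::string& name) {
    bool replied = false;
    Dispatch([&] {
      log.push_back("parent: created window " + name);
      replied = true;
    });
    SpinEventLoopUntil([&] { return replied; });
  }

  // Returns true if the window was (simulated as) opened.
  bool OpenWindowInternal(const std::string& name, bool dialog) {
    if (openDepth > 0) reentered = true;
    ++openDepth;
    log.push_back("OpenWindowInternal(" + name + (dialog ? ", dialog)" : ")"));
    bool opened = true;
    if (dialog && process != Process::Parent) {
      if (enforce) {
        // What a release-safe check would do: refuse and report an error.
        log.push_back("refused: dialog windows are parent-only");
        opened = false;
      } else {
        // Debug builds assert XRE_IsParentProcess() here; a release build
        // would simply continue down the parent-only path.
        parentOnlyPathHit = true;
      }
    } else if (process == Process::Content) {
      ProvideWindowCommon(name);
    }
    --openDepth;
    return opened;
  }

  // An in-flight document load whose OnStartRequest dispatches the content to
  // a handler that asks for a dialog window, as the JS frames in the trace do.
  void QueueOnStartRequest() {
    Dispatch([this] {
      log.push_back("OnStartRequest -> DispatchContent -> content handler");
      OpenWindowInternal("handler-dialog", /*dialog=*/true);
    });
  }
};

// The shape of the bug: a reload's OnStartRequest is already queued when a
// form submission with target="x" starts a window open from the content process.
Sim RunScenario(bool enforce) {
  Sim s;
  s.enforce = enforce;
  s.QueueOnStartRequest();
  s.OpenWindowInternal("x", /*dialog=*/false);
  return s;
}

int main() {
  for (bool enforce : {false, true}) {
    Sim s = RunScenario(enforce);
    std::printf("enforce=%d reentered=%d parentOnlyPathHit=%d\n",
                enforce, s.reentered, s.parentOnlyPathHit);
    for (const std::string& line : s.log) std::printf("  %s\n", line.c_str());
  }
  return 0;
}
```

Note that enforce only closes the parent-only path: reentered is true in both runs, because the nested loop still lets whatever is queued run inside a half-finished window open. A process-type check at the gate is the cheap mitigation; the re-entrancy itself is only removed by not spinning, or by making the re-entered path refuse while an open is in progress.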

Seems minor, but maybe mconley would know more about this to make sure there isn't some way to trigger something a content process shouldn't be doing.

Flags: needinfo?(mconley)

I'm unable to reproduce the crash with this test case using the most recent tip of mozilla-central.

I attempted to reproduce this by taking my debug build, and browsing it to the attachment in this bug. I also ensured that Bugzilla was allowed to open popups.

Is there something else I need to do to reproduce this?

Flags: needinfo?(mconley) → needinfo?(twsmith)
Attached file testcase.html (obsolete) —

This test case will trigger the issue on a debug build within a few seconds with dom.disable_open_during_load=false

Attachment #9049706 - Attachment is obsolete: true
Flags: needinfo?(twsmith)
Crash Signature: [@ nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, nsDocShellLoadState*, mozIDOMWindowProxy**)]

Can't reproduce either.

Priority: -- → P3
Attached file testcase.html

This testcase is much more reliable. It consistently reproduces the issue using m-c:
BuildID=20190816094815
SourceStamp=5d4cbfe103bbc517599231eb33d4f3ebbbcede40

Comment on attachment 9056269 [details]
testcase.html

><script>
>// Reload the page a bounded number of times, keeping the count in
>// sessionStorage, and close the window once the limit is passed.
>function limitReloads(limit) {
>  let reloads = sessionStorage.getItem("reloads")
>  if (reloads === null)
>    reloads = 0
>  else
>    reloads = Number(reloads) + 1
>  if (reloads > limit) {
>    sessionStorage.removeItem("reloads")
>    window.close()
>  }
>  sessionStorage.setItem("reloads", reloads)
>}
>// Schedule a reload as soon as the main thread goes idle.
>window.requestIdleCallback(() => { window.location.reload(true) })
>limitReloads(4)
>function eh1() {
>  // Detached frameset whose focus handler submits the form.
>  document.createElement("frameset").onfocus = eh2
>}
>function eh2() {
>  // Submit form #a; its target "x" names no existing browsing context.
>  a.submit()
>}
>function go() {
>  let b = document.createElement("label")
>  // Legacy mutation event, fired by the setAttribute() call below.
>  b.addEventListener("DOMAttrModified", eh1)
>  b.setAttribute("onpopstate", "eh2()")
>  // Abort the document load that is still in progress.
>  window.stop()
>}
></script>
><style onload="go()"></style>
><iframe crossorigin="crossorigin"></iframe>
><form id="a" target="x">
><keygen>
Attachment #9056269 - Attachment is obsolete: true

I confirmed this is still reproducible with m-c:
BuildID=20190913214459
SourceStamp=598d441e4ebaa93ab098d266035a396057c82129

STR (this worked 5/5 tries):

  • launch the browser
  • open test case (drag and drop is fine)
  • enable popups when prompted
  • open new tab and reopen test case

Mike are you able to reproduce this with the latest test case?

Flags: needinfo?(mconley)

I'm afraid I'm not able to reproduce using these steps and this test case on my Ubuntu VM with rr attached. :(

Flags: needinfo?(mconley)

OK I'll get a Pernosco session.

Flags: needinfo?(twsmith)
Flags: needinfo?(twsmith)

I've reproduced this. Making this a security bug for now, since rr'ing backwards has revealed interesting findings.

Group: core-security

So according to rr, we're running inside of BrowserContentHandler.jsm, but from within the content process. This is pretty unexpected. BrowserContentHandler.jsm is what normally handles requests coming in via either the command line or the operating system to handle various file types.

So the reason that we're asserting is because the content process is attempting to open a window of type dialog, which is unexpected.

Replaying backwards with rr, it looks like the testcase causes us to reach nsDocumentOpenInfo::DispatchContent with this stack:

#0  0x00007f0927a7614d in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) (this=0x7f09182f05e0, request=0x7f093d8d3cc8, aCtxt=0x0) at /home/mconley/Projects/mozilla-central/uriloader/base/nsURILoader.cpp:473
#1  0x00007f0927a75223 in nsDocumentOpenInfo::OnStartRequest(nsIRequest*) (this=0x7f09182f05e0, request=0x7f093d8d3cc8) at /home/mconley/Projects/mozilla-central/uriloader/base/nsURILoader.cpp:292
#2  0x00007f0926190307 in nsBaseChannel::OnStartRequest(nsIRequest*) (this=0x7f093d8d3c80, request=0x7f091bc49890) at /home/mconley/Projects/mozilla-central/netwerk/base/nsBaseChannel.cpp:830
#3  0x00007f09261cb460 in nsInputStreamPump::OnStateStart() (this=0x7f091bc49890) at /home/mconley/Projects/mozilla-central/netwerk/base/nsInputStreamPump.cpp:487
#4  0x00007f09261caf2c in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) (this=0x7f091bc49890, stream=0x7f091bd4da50) at /home/mconley/Projects/mozilla-central/netwerk/base/nsInputStreamPump.cpp:396
#5  0x00007f0925eada71 in mozilla::NonBlockingAsyncInputStream::RunAsyncWaitCallback(mozilla::NonBlockingAsyncInputStream::AsyncWaitRunnable*, already_AddRefed<nsIInputStreamCallback>) (this=0x7f091bd4da50, aRunnable=0x7f091bc0e640, aCallback=...) at /home/mconley/Projects/mozilla-central/xpcom/io/NonBlockingAsyncInputStream.cpp:411
#6  0x00007f0925ec6882 in mozilla::NonBlockingAsyncInputStream::AsyncWaitRunnable::Run() (this=0x7f091bc0e640) at /home/mconley/Projects/mozilla-central/xpcom/io/NonBlockingAsyncInputStream.cpp:29
#7  0x00007f0925f774a0 in mozilla::SchedulerGroup::Runnable::Run() (this=0x7f091bc112e0) at /home/mconley/Projects/mozilla-central/xpcom/threads/SchedulerGroup.cpp:295
#8  0x00007f0925fa4385 in nsThread::ProcessNextEvent(bool, bool*) (this=0x7f093d886e30, aMayWait=true, aResult=0x7ffe339e3737) at /home/mconley/Projects/mozilla-central/xpcom/threads/nsThread.cpp:1225
#9  0x00007f0925fa7b47 in NS_ProcessNextEvent(nsIThread*, bool) (aThread=0x7f093d886e30, aMayWait=true) at /home/mconley/Projects/mozilla-central/xpcom/threads/nsThreadUtils.cpp:486
#10 0x00007f092b578ab3 in mozilla::SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::BrowserChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**)::$_4>(mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::BrowserChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**)::$_4&&, nsIThread*) (aPredicate=..., aThread=0x0) at /home/mconley/Projects/mozilla-central/debug/dist/include/nsThreadUtils.h:348
#11 0x00007f092b577d65 in mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::BrowserChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**) (this=0x7f093d8b1020, aTabOpener=0x7f0918728800, aParent=0x7f091d1fb220, aIframeMoz=false, aChromeFlags=1052670, aCalledFromJS=false, aPositionSpecified=false, aSizeSpecified=false, aURI=0x7f091bc3eb00, aName=..., aFeatures=..., aForceNoOpener=false, aForceNoReferrer=false, aLoadState=0x0, aWindowIsNew=0x7ffe339e4fb7, aReturn=0x7ffe339e4f98) at /home/mconley/Projects/mozilla-central/dom/ipc/ContentChild.cpp:1225
#12 0x00007f092b5b6efb in mozilla::dom::BrowserChild::ProvideWindow(mozIDOMWindowProxy*, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**) (this=0x7f0918728800, aParent=0x7f091d1fb220, aChromeFlags=1052670, aCalledFromJS=false, aPositionSpecified=false, aSizeSpecified=false, aURI=0x7f091bc3eb00, aName=..., aFeatures=..., aForceNoOpener=false, aForceNoReferrer=false, aLoadState=0x0, aWindowIsNew=0x7ffe339e4fb7, aReturn=0x7ffe339e4f98) at /home/mconley/Projects/mozilla-central/dom/ipc/BrowserChild.cpp:947
#13 0x00007f092b5b70c6 in non-virtual thunk to mozilla::dom::BrowserChild::ProvideWindow(mozIDOMWindowProxy*, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**) () at /home/mconley/Projects/mozilla-central/debug/dist/bin/libxul.so
#14 0x00007f092eacc8f2 in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, bool, nsDocShellLoadState*, mozilla::dom::BrowsingContext**) (this=0x7f091d1fd160, aParent=0x7f091d1fb220, aUrl=0x7f091bc2e30c "file:///home/mconley/Documents/testcase.html", aName=0x7ffe339e5714 "x", aFeatures=0x0, aCalledFromJS=false, aDialog=false, aNavigate=false, aArgv=0x0, aIsPopupSpam=true, aForceNoOpener=false, aForceNoReferrer=false, aLoadState=0x0, aResult=
#15 0x00007f092eacfc3d in nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsISupports*, bool, bool, bool, nsDocShellLoadState*, mozilla::dom::BrowsingContext**) (this=0x7f091d1fd160, aParent=0x7f091d1fb220, aUrl=0x7f091bc2e30c "file:///home/mconley/Documents/testcase.html", aName=0x7ffe339e5714 "x", aFeatures=0x0, aCalledFromScript=false, aDialog=false, aNavigate=false, aArguments=0x0, aIsPopupSpam=true, aForceNoOpener=false, aForceNoReferrer=false, aLoadState=0x0, aResult=0x7ffe339e5620) at /home/mconley/Projects/mozilla-central/toolkit/components/windowwatcher/nsWindowWatcher.cpp:377
#16 0x00007f092eacfddb in non-virtual thunk to nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsISupports*, bool, bool, bool, nsDocShellLoadState*, mozilla::dom::BrowsingContext**) () at /home/mconley/Projects/mozilla-central/debug/dist/bin/libxul.so
#17 0x00007f0928678698 in nsGlobalWindowOuter::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsDocShellLoadState*, bool, mozilla::dom::BrowsingContext**) (this=0x7f091d1fb200, aUrl=..., aName=..., aOptions=..., aDialog=false, aContentModal=false, aCalledNoScript=true, aDoJSFixups=false, aNavigate=false, argv=0x0, aExtraArgument=0x0, aLoadState=0x0, aForceNoOpener=false, aReturn=0x7ffe339e5ad0) at /home/mconley/Projects/mozilla-central/dom/base/nsGlobalWindowOuter.cpp:7292
#18 0x00007f0928678bd1 in nsGlobalWindowOuter::OpenNoNavigate(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::dom::BrowsingContext**) (this=0x7f091d1fb200, aUrl=..., aName=..., aOptions=..., _retval=0x7ffe339e5ad0) at /home/mconley/Projects/mozilla-central/dom/base/nsGlobalWindowOuter.cpp:5789
#19 0x00007f092e330bb3 in nsDocShell::PerformRetargeting(nsDocShellLoadState*, nsIDocShell**, nsIRequest**) (this=0x7f091872a000, aLoadState=0x7f0918ea42e0, aDocShell=0x7ffe339e69d8, aRequest=0x7f091d1fbac0) at /home/mconley/Projects/mozilla-central/docshell/base/nsDocShell.cpp:8863
#20 0x00007f092e302496 in nsDocShell::InternalLoad(nsDocShellLoadState*, nsIDocShell**, nsIRequest**) (this=0x7f091872a000, aLoadState=0x7f0918ea42e0, aDocShell=0x7ffe339e69d8, aRequest=0x7f091d1fbac0) at /home/mconley/Projects/mozilla-central/docshell/base/nsDocShell.cpp:9256
#21 0x00007f092e341624 in nsDocShell::OnLinkClickSync(nsIContent*, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsIInputStream*, nsIInputStream*, bool, nsIDocShell**, nsIRequest**, bool, nsIPrincipal*, nsIContentSecurityPolicy*) (this=0x7f091872a000, aContent=0x7f091d1fb980, aURI=0x7f091bc3ea00, aTargetSpec=..., aFileName=..., aPostDataStream=0x0, aHeadersDataStream=0x0, aNoOpenerImplied=false, aDocShell=0x7ffe339e69d8, aRequest=0x7f091d1fbac0, aIsUserTriggered=false, aTriggeringPrincipal=0x0, aCsp=0x0) at /home/mconley/Projects/mozilla-central/docshell/base/nsDocShell.cpp:12979
#22 0x00007f092a77b5be in mozilla::dom::HTMLFormElement::SubmitSubmission(mozilla::dom::HTMLFormSubmission*) (this=0x7f091d1fb980, aFormSubmission=0x7f091bc0d760) at /home/mconley/Projects/mozilla-central/dom/html/HTMLFormElement.cpp:729
#23 0x00007f092a77aaea in mozilla::dom::HTMLFormElement::DoSubmit(mozilla::WidgetEvent*) (this=0x7f091d1fb980, aEvent=0x0) at /home/mconley/Projects/mozilla-central/dom/html/HTMLFormElement.cpp:596
#24 0x00007f092a779a05 in mozilla::dom::HTMLFormElement::DoSubmitOrReset(mozilla::WidgetEvent*, mozilla::EventMessage) (this=0x7f091d1fb980, aEvent=0x0, aMessage=mozilla::eFormSubmit) at /home/mconley/Projects/mozilla-central/dom/html/HTMLFormElement.cpp:513
#25 0x00007f092a77991e in mozilla::dom::HTMLFormElement::Submit(mozilla::ErrorResult&) (this=0x7f091d1fb980, aRv=...) at /home/mconley/Projects/mozilla-central/dom/html/HTMLFormElement.cpp:231
#26 0x00007f0929e4a8e2 in mozilla::dom::HTMLFormElement_Binding::submit(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLFormElement*, JSJitMethodCallArgs const&) (cx=0x7f091aa1b000, obj=..., self=0x7f091d1fb980, args=...) at HTMLFormElementBinding.cpp:853
#27 0x00007f092a04ee97 in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) (cx=0x7f091aa1b000, argc=0, vp=0x7f0919241268) at /home/mconley/Projects/mozilla-central/dom/bindings/BindingUtils.cpp:3168
#28 0x00007f092ed8917c in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (cx=0x7f091aa1b000, native=0x7f092a04eb10 <mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/mconley/Projects/mozilla-central/js/src/vm/Interpreter.cpp:447
#29 0x00007f092ed723dc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (cx=0x7f091aa1b000, args=..., construct=js::NO_CONSTRUCT) at /home/mconley/Projects/mozilla-central/js/src/vm/Interpreter.cpp:539
#30 0x00007f092ed72b8e in InternalCall(JSContext*, js::AnyInvokeArgs const&) (cx=0x7f091aa1b000, args=...) at /home/mconley/Projects/mozilla-central/js/src/vm/Interpreter.cpp:594
#31 0x00007f092ed7295d in js::CallFromStack(JSContext*, JS::CallArgs const&) (cx=0x7f091aa1b000, args=...) at /home/mconley/Projects/mozilla-central/js/src/vm/Interpreter.cpp:598
#32 0x00007f092ed654c2 in Interpret(JSContext*, js::RunState&) (cx=0x7f091aa1b000, state=...) at /home/mconley/Projects/mozilla-central/js/src/vm/Interpreter.cpp:3084
#33 0x00007f092ed5971b in js::RunScript(JSContext*, js::RunState&) (cx=0x7f091aa1b000, state=...) at /home/mconley/Projects/mozilla-central/js/src/vm/Interpreter.cpp:424
#34 0x00007f092ed72604 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (cx=0x7f091aa1b000, args=..., construct=js::NO_CONSTRUCT) at /home/mconley/Projects/mozilla-central/js/src/vm/Interpreter.cpp:567
#35 0x00007f092ed72b8e in InternalCall(JSContext*, js::AnyInvokeArgs const&) (cx=0x7f091aa1b000, args=...) at /home/mconley/Projects/mozilla-central/js/src/vm/Interpreter.cpp:594
#36 0x00007f092ed72c30 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) (cx=0x7f091aa1b000, fval=..., thisv=..., args=..., rval=...) at /home/mconley/Projects/mozilla-central/js/src/vm/Interpreter.cpp:610
#37 0x00007f092f5ba5a0 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) (cx=0x7f091aa1b000, thisv=..., fval=..., args=..., rval=...)
    at /home/mconley/Projects/mozilla-central/js/src/jsapi.cpp:2723
#38 0x00007f0929bfd070 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::Mutabl
eHandle<JS::Value>, mozilla::ErrorResult&) (this=0x7f0918e8c640, cx=0x7f091aa1b000, aThisVal=..., event=..., aRetVal=..., aRv=...)
    at EventHandlerBinding.cpp:267
#39 0x00007f092a60f3fb in mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventT
arget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::
ExceptionHandling, JS::Realm*) (this=0x7f0918e8c640, thisVal=..., event=..., aRetVal=..., aRv=..., aExecutionReason=0x7f0920e5e701 "E
ventHandlerNonNull", aExceptionHandling=mozilla::dom::CallbackObject::eReportExceptions, aRealm=0x0)
    at /home/mconley/Projects/mozilla-central/debug/dist/include/mozilla/dom/EventHandlerBinding.h:363
#40 0x00007f092a5fb269 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) (this=0x7f0918e89460, aEvent=0x7f091bc0d6a0)
    at /home/mconley/Projects/mozilla-central/dom/events/JSEventHandler.cpp:205
#41 0x00007f092a5d9f53 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::E
vent*, mozilla::dom::EventTarget*) (this=0x7f091bd7a200, aListener=0x7f091bd53668, aDOMEvent=0x7f091bc0d6a0, aCurrentTarget=0x7f091bd
b5400) at /home/mconley/Projects/mozilla-central/dom/events/EventListenerManager.cpp:1038
#42 0x00007f092a5da9eb in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Eve
nt**, mozilla::dom::EventTarget*, nsEventStatus*, bool) (this=0x7f091bd7a200, aPresContext=0x7f091bdb5000, aEvent=0x7ffe339ebda8, aDO
MEvent=0x7ffe339eb7f8, aCurrentTarget=0x7f091bdb5400, aEventStatus=0x7ffe339eb800, aItemInShadowTree=false)
    at /home/mconley/Projects/mozilla-central/dom/events/EventListenerManager.cpp:1230
#43 0x00007f092a611e50 in mozilla::EventListenerManager::HandleEvent(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mo
zilla::dom::EventTarget*, nsEventStatus*, bool) (this=0x7f091bd7a200, aPresContext=0x7f091bdb5000, aEvent=0x7ffe339ebda8, aDOMEvent=0
x7ffe339eb7f8, aCurrentTarget=0x7f091bdb5400, aEventStatus=0x7ffe339eb800, aItemInShadowTree=false)
    at /home/mconley/Projects/mozilla-central/debug/dist/include/mozilla/EventListenerManager.h:353
#44 0x00007f092a60447a in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)
(this=0x7f0918ea6008, aVisitor=..., aCd=...) at /home/mconley/Projects/mozilla-central/dom/events/EventDispatcher.cpp:349
#45 0x00007f092a5d0482 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::Ev
entChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) (aChain=..., aVisitor=..., aCallback=0x0, aCd=...) at /home/mconley/Projects/mozilla-central/dom/events/EventDispatcher.cpp:551
#46 0x00007f092a5d2bdf in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event
*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) (aTarget=0x7f091d1fb220, aPresContext=0
x7f091bdb5000, aEvent=0x7ffe339ebda8, aDOMEvent=0x0, aEventStatus=0x7ffe339ebe3c, aCallback=0x0, aTargets=0x0)
    at /home/mconley/Projects/mozilla-central/dom/events/EventDispatcher.cpp:1045
#47 0x00007f092c132e46 in nsDocumentViewer::LoadComplete(nsresult) (this=0x7f091bd8cbc0, aStatus=nsresult::NS_OK)
    at /home/mconley/Projects/mozilla-central/layout/base/nsDocumentViewer.cpp:1170
#48 0x00007f092e324a34 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) (this=0x7f091872a000, aProgress=0x7f091872a
028, aChannel=0x7f093d88bf58, aStatus=nsresult::NS_OK) at /home/mconley/Projects/mozilla-central/docshell/base/nsDocShell.cpp:6542
#49 0x00007f092e324245 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) (this=0x7f091872a000, aProg
ress=0x7f091872a028, aRequest=0x7f093d88bf58, aStateFlags=131088, aStatus=nsresult::NS_OK)
    at /home/mconley/Projects/mozilla-central/docshell/base/nsDocShell.cpp:6320
#50 0x00007f0927a711d3 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) (this=0x7f091872a000, aProgr
ess=0x7f091872a028, aRequest=0x7f093d88bf58, aStateFlags=@0x7ffe339eca1c: 131088, aStatus=nsresult::NS_OK)
    at /home/mconley/Projects/mozilla-central/uriloader/base/nsDocLoader.cpp:1333
#51 0x00007f0927a70b57 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) (this=0x7f091872a000, request=0x7f093d88bf58, aStatu
s=nsresult::NS_OK) at /home/mconley/Projects/mozilla-central/uriloader/base/nsDocLoader.cpp:892
#52 0x00007f0927a6ebe7 in nsDocLoader::DocLoaderIsEmpty(bool) (this=0x7f091872a000, aFlushLayout=true)
    at /home/mconley/Projects/mozilla-central/uriloader/base/nsDocLoader.cpp:726
#53 0x00007f0927a7a79f in nsDocLoader::ChildDoneWithOnload(nsIDocumentLoader*) (this=0x7f091872a000, aChild=0x7f091d17e800)
    at /home/mconley/Projects/mozilla-central/uriloader/base/nsDocLoader.h:217
#54 0x00007f0927a6ec23 in nsDocLoader::DocLoaderIsEmpty(bool) (this=0x7f091d17e800, aFlushLayout=true)
    at /home/mconley/Projects/mozilla-central/uriloader/base/nsDocLoader.cpp:729
#55 0x00007f0927a70373 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) (this=0x7f091d17e800, aRequest=0x7f093d8d3cc8, aStatus=-2
142568446) at /home/mconley/Projects/mozilla-central/uriloader/base/nsDocLoader.cpp:614
#56 0x00007f09261cfb82 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) (this=0x7f091bd4d8b0, request
=0x7f093d8d3cc8, ctxt=0x0, aStatus=-2142568446) at /home/mconley/Projects/mozilla-central/netwerk/base/nsLoadGroup.cpp:568
#57 0x00007f09261cd9ba in mozilla::net::nsLoadGroup::Cancel(nsresult) (this=0x7f091bd4d8b0, status=-2142568446)
    at /home/mconley/Projects/mozilla-central/netwerk/base/nsLoadGroup.cpp:221
#58 0x00007f0927a6e509 in nsDocLoader::Stop() (this=0x7f091d17e800)
    at /home/mconley/Projects/mozilla-central/uriloader/base/nsDocLoader.cpp:235
#59 0x00007f092e359c05 in nsDocShell::Stop() (this=0x7f091d17e800)
    at /home/mconley/Projects/mozilla-central/docshell/base/nsDocShell.h:213
#60 0x00007f092e2f37cd in nsDocShell::Stop(unsigned int) (this=0x7f091d17e800, aStopFlags=3)
    at /home/mconley/Projects/mozilla-central/docshell/base/nsDocShell.cpp:4651
#61 0x00007f092e2fc452 in nsDocShell::Destroy() (this=0x7f091d17e800)
    at /home/mconley/Projects/mozilla-central/docshell/base/nsDocShell.cpp:4909
#62 0x00007f09289f10c1 in nsFrameLoader::DestroyDocShell() (this=0x7f093d885e40)
    at /home/mconley/Projects/mozilla-central/dom/base/nsFrameLoader.cpp:1880
#63 0x00007f09289f0f37 in nsFrameLoaderDestroyRunnable::Run() (this=0x7f09182e8f80)
    at /home/mconley/Projects/mozilla-central/dom/base/nsFrameLoader.cpp:1816
#64 0x00007f09287b96b1 in mozilla::dom::Document::MaybeInitializeFinalizeFrameLoaders() (this=0x7f091bc57000)
    at /home/mconley/Projects/mozilla-central/dom/base/Document.cpp:8497
#65 0x00007f09287b9350 in mozilla::dom::Document::EndUpdate() (this=0x7f091bc57000)
    at /home/mconley/Projects/mozilla-central/dom/base/Document.cpp:7011
#66 0x00007f0928552c57 in mozAutoDocUpdate::~mozAutoDocUpdate() (this=0x7ffe339ed7d0)
    at /home/mconley/Projects/mozilla-central/dom/base/mozAutoDocUpdate.h:34
#67 0x00007f0928a076c7 in nsINode::RemoveChildNode(nsIContent*, bool) (this=0x7f091bd6b5e0, aKid=0x7f0918e8d380, aNotify=true)
    at /home/mconley/Projects/mozilla-central/dom/base/nsINode.cpp:1821
#68 0x00007f0928a02399 in nsINode::RemoveChild(nsINode&, mozilla::ErrorResult&) (this=0x7f091bd6b5e0, aOldChild=..., aError=...)
    at /home/mconley/Projects/mozilla-central/dom/base/nsINode.cpp:543
#69 0x00007f0928f596fd in mozilla::dom::Node_Binding::removeChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs co
nst&) (cx=0x7f091aa1b000, obj=..., self=0x7f091bd6b5e0, args=...) at NodeBinding.cpp:1155
#70 0x00007f092a04ee97 in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::b
inding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) (cx=0x7f091aa1b000, argc=1, vp=0x7f0919241130)
    at /home/mconley/Projects/mozilla-central/dom/bindings/BindingUtils.cpp:3168
#71 0x00007f092ed8917c in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (cx=0x7f091aa
1b000, native=0x7f092a04eb10 <mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::do
m::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /home/mconley/Projects/mozilla-central/js/src/vm/Interpreter.cpp:447
#72 0x00007f092ed723dc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (cx=0x7f091aa1b000, args=.
.., construct=js::NO_CONSTRUCT) at /home/mconley/Projects/mozilla-central/js/src/vm/Interpreter.cpp:539
#73 0x00007f092ed72b8e in InternalCall(JSContext*, js::AnyInvokeArgs const&) (cx=0x7f091aa1b000, args=...)
    at /home/mconley/Projects/mozilla-central/js/src/vm/Interpreter.cpp:594
#74 0x00007f092ed7295d in js::CallFromStack(JSContext*, JS::CallArgs const&) (cx=0x7f091aa1b000, args=...)
    at /home/mconley/Projects/mozilla-central/js/src/vm/Interpreter.cpp:598
#75 0x00007f092ed654c2 in Interpret(JSContext*, js::RunState&) (cx=0x7f091aa1b000, state=...)
    at /home/mconley/Projects/mozilla-central/js/src/vm/Interpreter.cpp:3084
#76 0x00007f092ed5971b in js::RunScript(JSContext*, js::RunState&) (cx=0x7f091aa1b000, state=...)
    at /home/mconley/Projects/mozilla-central/js/src/vm/Interpreter.cpp:424
#77 0x00007f092ed72604 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (cx=0x7f091aa1b000, args=.
.., construct=js::NO_CONSTRUCT) at /home/mconley/Projects/mozilla-central/js/src/vm/Interpreter.cpp:567
#78 0x00007f092ed72b8e in InternalCall(JSContext*, js::AnyInvokeArgs const&) (cx=0x7f091aa1b000, args=...)
    at /home/mconley/Projects/mozilla-central/js/src/vm/Interpreter.cpp:594
#79 0x00007f092ed72c30 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) (cx=0x7f091aa1b000, fval=..., thisv=..., args=..., rval=...)
    at /home/mconley/Projects/mozilla-central/js/src/vm/Interpreter.cpp:610
#80 0x00007f092f5ba5a0 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::Mutable
Handle<JS::Value>) (cx=0x7f091aa1b000, thisv=..., fval=..., args=..., rval=...)
    at /home/mconley/Projects/mozilla-central/js/src/jsapi.cpp:2723
#81 0x00007f0929bfd070 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::Mutabl
eHandle<JS::Value>, mozilla::ErrorResult&) (this=0x7f09182f1f00, cx=0x7f091aa1b000, aThisVal=..., event=..., aRetVal=..., aRv=...)
    at EventHandlerBinding.cpp:267
#82 0x00007f092a60f3fb in mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventT
arget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::
ExceptionHandling, JS::Realm*) (this=0x7f09182f1f00, thisVal=..., event=..., aRetVal=..., aRv=..., aExecutionReason=0x7f0920e5e701 "E
ventHandlerNonNull", aExceptionHandling=mozilla::dom::CallbackObject::eReportExceptions, aRealm=0x0)
    at /home/mconley/Projects/mozilla-central/debug/dist/include/mozilla/dom/EventHandlerBinding.h:363
#83 0x00007f092a5fb269 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) (this=0x7f0918e895b0, aEvent=0x7f091bc0c7b0)
    at /home/mconley/Projects/mozilla-central/dom/events/JSEventHandler.cpp:205
#84 0x00007f092a5d9f53 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::E
vent*, mozilla::dom::EventTarget*) (this=0x7f091bd7a660, aListener=0x0, aDOMEvent=0x7f091bc0c7b0, aCurrentTarget=0x7f091bdb8000)
    at /home/mconley/Projects/mozilla-central/dom/events/EventListenerManager.cpp:1038
#85 0x00007f092a5da9eb in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Eve
nt**, mozilla::dom::EventTarget*, nsEventStatus*, bool) (this=0x7f091bd7a660, aPresContext=0x7f091bdb5000, aEvent=0x7ffe339f2840, aDO
MEvent=0x7ffe339f2518, aCurrentTarget=0x7f091bdb8000, aEventStatus=0x7ffe339f2520, aItemInShadowTree=false)
    at /home/mconley/Projects/mozilla-central/dom/events/EventListenerManager.cpp:1230
#86 0x00007f092a611e50 in mozilla::EventListenerManager::HandleEvent(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mo
zilla::dom::EventTarget*, nsEventStatus*, bool) (this=0x7f091bd7a660, aPresContext=0x7f091bdb5000, aEvent=0x7ffe339f2840, aDOMEvent=0
x7ffe339f2518, aCurrentTarget=0x7f091bdb8000, aEventStatus=0x7ffe339f2520, aItemInShadowTree=false)
    at /home/mconley/Projects/mozilla-central/debug/dist/include/mozilla/EventListenerManager.h:353
#87 0x00007f092a60447a in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)
(this=0x7f091bc02008, aVisitor=..., aCd=...) at /home/mconley/Projects/mozilla-central/dom/events/EventDispatcher.cpp:349
#88 0x00007f092a5d0482 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::Ev
entChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) (aChain=..., aVisitor=..., aCallback=0x0, aCd=...) at /home/mconley/Projects/mozilla-central/dom/events/EventDispatcher.cpp:551
#89 0x00007f092a5d2bdf in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event
*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) (aTarget=0x7f091bdb8000, aPresContext=0
x7f091bdb5000, aEvent=0x7ffe339f2840, aDOMEvent=0x0, aEventStatus=0x0, aCallback=0x0, aTargets=0x0)
    at /home/mconley/Projects/mozilla-central/dom/events/EventDispatcher.cpp:1045
#90 0x00007f092b794c57 in mozilla::(anonymous namespace)::AsyncTimeEventRunner::Run() (this=0x7f091bc0e340)
    at /home/mconley/Projects/mozilla-central/dom/smil/SMILTimedElement.cpp:97
#91 0x00007f0925f774a0 in mozilla::SchedulerGroup::Runnable::Run() (this=0x7f09182ef5b0)
    at /home/mconley/Projects/mozilla-central/xpcom/threads/SchedulerGroup.cpp:295
#92 0x00007f0925fa4385 in nsThread::ProcessNextEvent(bool, bool*) (this=0x7f093d886e30, aMayWait=false, aResult=0x7ffe339f30d7)
    at /home/mconley/Projects/mozilla-central/xpcom/threads/nsThread.cpp:1225
#93 0x00007f0925fa7b47 in NS_ProcessNextEvent(nsIThread*, bool) (aThread=0x7f093d886e30, aMayWait=false)
    at /home/mconley/Projects/mozilla-central/xpcom/threads/nsThreadUtils.cpp:486
#94 0x00007f0926c70251 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (this=0x7f093d8a1920, aDelegate=0x7ffe339f35d8
) at /home/mconley/Projects/mozilla-central/ipc/glue/MessagePump.cpp:88
#95 0x00007f0926c70fdb in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) (this=0x7f093d8a1920, aDelegate
=0x7ffe339f35d8) at /home/mconley/Projects/mozilla-central/ipc/glue/MessagePump.cpp:271
#96 0x00007f0926b7429f in MessageLoop::RunInternal() (this=0x7ffe339f35d8)
    at /home/mconley/Projects/mozilla-central/ipc/chromium/src/base/message_loop.cc:315
#97 0x00007f0926b74215 in MessageLoop::RunHandler() (this=0x7ffe339f35d8)
    at /home/mconley/Projects/mozilla-central/ipc/chromium/src/base/message_loop.cc:308
#98 0x00007f0926b741d0 in MessageLoop::Run() (this=0x7ffe339f35d8)
    at /home/mconley/Projects/mozilla-central/ipc/chromium/src/base/message_loop.cc:290
#99 0x00007f092bcdd991 in nsBaseAppShell::Run() (this=0x7f091d15bf20)
    at /home/mconley/Projects/mozilla-central/widget/nsBaseAppShell.cpp:137
#100 0x00007f092eb7e5bf in XRE_RunAppShell() () at /home/mconley/Projects/mozilla-central/toolkit/xre/nsEmbedFunctions.cpp:934
#101 0x00007f0926c70e23 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) (this=0x7f093d8a1920, aDelegat
e=0x7ffe339f35d8) at /home/mconley/Projects/mozilla-central/ipc/glue/MessagePump.cpp:238
#102 0x00007f0926b7429f in MessageLoop::RunInternal() (this=0x7ffe339f35d8)
    at /home/mconley/Projects/mozilla-central/ipc/chromium/src/base/message_loop.cc:315
#103 0x00007f0926b74215 in MessageLoop::RunHandler() (this=0x7ffe339f35d8)
    at /home/mconley/Projects/mozilla-central/ipc/chromium/src/base/message_loop.cc:308
#104 0x00007f0926b741d0 in MessageLoop::Run() (this=0x7ffe339f35d8)
    at /home/mconley/Projects/mozilla-central/ipc/chromium/src/base/message_loop.cc:290
#105 0x00007f092eb7dc18 in XRE_InitChildProcess(int, char**, XREChildData const*) (aArgc=13, aArgv=0x7ffe339f3a68, aChildData=0x7ffe3
39f38e0) at /home/mconley/Projects/mozilla-central/toolkit/xre/nsEmbedFunctions.cpp:769
#106 0x00007f092eb8a477 in mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) (this=0x7f093d8026c0, argc=
15, argv=0x7ffe339f3a68, aChildData=0x7ffe339f38e0) at /home/mconley/Projects/mozilla-central/toolkit/xre/Bootstrap.cpp:67
#107 0x00005580cafd3198 in content_process_main(mozilla::Bootstrap*, int, char**) (bootstrap=0x7f093d8026c0, argc=15, argv=0x7ffe339f
3a68) at /home/mconley/Projects/mozilla-central/browser/app/../../ipc/contentproc/plugin-container.cpp:56
#108 0x00005580cafd3333 in main(int, char**, char**) (argc=16, argv=0x7ffe339f3a68, envp=0x7ffe339f3af0)
    at /home/mconley/Projects/mozilla-central/browser/app/nsBrowserApp.cpp:272

In this case, the type that we're attempting to handle is text/html. I suspect it's pretty odd that the content process is trying to figure out how to handle text/html like this, since that's its day job.

So the simplest solution is probably to update the browser components registration here to only register in the parent process.

That should allow us to avoid calling into BrowserContentHandler, and then we avoid the assertion.

However, is it problematic that we got to nsDocumentOpenInfo::DispatchContent in the first place? Is this expected?

valentin, do you know?

Flags: needinfo?(valentin.gosu)

(In reply to Mike Conley (:mconley) (:⚙️) from comment #40)

> So the simplest solution is probably to update the browser components registration here to only register in the parent process.
>
> That should allow us to avoid calling into BrowserContentHandler, and then we avoid the assertion.
>
> However, is it problematic that we got to nsDocumentOpenInfo::DispatchContent in the first place? Is this expected?
>
> valentin, do you know?

I don't. bz might have some input.

Flags: needinfo?(valentin.gosu) → needinfo?(bzbarsky)

So the sequence of events here is as follows:

  1. Appending the iframe to the DOM starts an about:blank load in it (see bug 543435).
  2. Removing the iframe from the DOM then tears down the docshell in that iframe.
  3. Tearing down the docshell calls Stop() on the loadgroup in the subframe, which stops all loads in there, and triggers the load event on the parent (because there are no more loads anywhere under the parent).
  4. The load event on the parent does a form submission to a nonexistent window name, which tries to open a new window.
  5. Opening the new window spins the event loop.
  6. Spinning the event loop processes the runnables for the about:blank load from step 1, landing it in DispatchContent.
  7. DispatchContent tries to hand over the load to the docshell inside the subframe via nsDSURIContentListener::DoContent. This fails out because mDocShell is null, because it got torn down around step 2.
  8. DispatchContent then tries other ways of dispatching the type, which lands us in BrowserContentHandler.

OK, so why are we trying to dispatch this content at all, when we're tearing the docshell down and calling Stop()? That's because Stop() cancels the loadgroup, and the code at https://searchfox.org/mozilla-central/rev/4218cb868d8deed13e902718ba2595d85e12b86b/netwerk/base/nsLoadGroup.cpp#216-224 first removes the request from the loadgroup, then cancels it. Since the removal synchronously fires the load event, and that load event spins the event loop, the request ends up trying to get processed before we get a chance to cancel it.

At first glance, that code in nsLoadGroup::Cancel looks pretty weird to me; we should really cancel the request before removing it. In fact, given that RemoveRequest might end up running random script for any request, not just the last one in the group, it seems like we should cancel all the requests, remove them all from our hashtable, and only then do the notification parts of RemoveRequest for all of them, so that by the time script is running we're in a consistent "all requests are canceled and not in the loadgroup anymore" state. The load event tracking in docloader should be OK with this as long as we don't decrement mForegroundCount until right before notifying the removal for every request.

That said, that loadgroup code has been around for a while and messing with it might be a tad risky... But I really do think the way it's set up right now doesn't make sense.

Component: Window Management → Networking
Flags: needinfo?(bzbarsky)

The other thing we could do is have nsDSURIContentListener::DoContent just cancel the load, instead of bailing out and hoping someone else will handle it, if mDocShell is null. We may want to do that in addition to the loadgroup change.

Thanks for the thorough investigation Boris.

(In reply to Boris Zbarsky [:bzbarsky, bz on IRC] from comment #42)

> At first glance, that code in nsLoadGroup::Cancel looks pretty weird to me; we should really cancel the request before removing it. In fact, given that RemoveRequest might end up running random script for any request, not just the last one in the group, it seems like we should cancel all the requests, remove them all from our hashtable, and only then do the notification parts of RemoveRequest for all of them, so that by the time script is running we're in a consistent "all requests are canceled and not in the loadgroup anymore" state. The load event tracking in docloader should be OK with this as long as we don't decrement mForegroundCount until right before notifying the removal for every request.
>
> That said, that loadgroup code has been around for a while and messing with it might be a tad risky... But I really do think the way it's set up right now doesn't make sense.

That's a fair point. I've pushed to try to see if there are any issues with this:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=5382631af45cfaae2d43c877c927344f8d91d9d9

Will report back soon.

Group: core-security → network-core-security

I filed bug 1583362 about getting those components to only be registered in the parent process.

Assignee: nobody → valentin.gosu
Priority: P3 → P2
Whiteboard: [necko-triaged]

Comment on attachment 9094175 [details]
Bug 1533957 - The request should be cancelled before being removed from the LoadGroup r=bzbarsky

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Not sure. What the patch does is fairly obvious, but I don't know how easy it would be to actually exploit this.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Unknown
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: This code hasn't changed much over the last few releases. It merges without conflicts to beta, release, esr68
  • How likely is this patch to cause regressions; how much testing does it need?: There is a small chance for regressions as mentioned in comment 42, but none of them have shown up on try.
Attachment #9094175 - Flags: sec-approval?
Attachment #9095169 - Flags: sec-approval?
Attachment #9095170 - Flags: sec-approval?
Attachment #9094175 - Flags: sec-approval? → sec-approval+
Attachment #9095169 - Flags: sec-approval? → sec-approval+
Attachment #9095170 - Flags: sec-approval? → sec-approval+

There was indeed a bug in the code.
Calling cancel on the request could cause it to be removed from the loadgroup synchronously (as DocumentChannelChild does).
That led to mForegroundCount underflowing.

Boris, could you take another look to make sure the changes are OK?

Flags: needinfo?(valentin.gosu) → needinfo?(bzbarsky)
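The ordering problem laid out in comment 42 and the mForegroundCount underflow described in the comment just above, as an added example that is not Gecko code: a toy load group in C++ whose names (LoadGroup, Request, Outcome, Mode, RunScenario and every member) are hypothetical stand-ins for nsLoadGroup, nsIRequest and nsDocLoader. It models the three orderings discussed here: remove-then-cancel (the original, where the load event fired by the removal spins the event loop and the uncancelled request reaches dispatch), a cancel-first version that notifies once per snapshotted request (which underflows the foreground count when Cancel() removes the request synchronously, as DocumentChannelChild does), and the corrected cancel-first version that notifies only for requests still in the table.

```cpp
// Added example (not Gecko code): a toy model of the nsLoadGroup::Cancel
// ordering problem described in this bug. Every name below is hypothetical.
#include <algorithm>
#include <cassert>
#include <functional>
#include <vector>

struct Request {
  bool cancelled = false;
  bool dispatched = false;  // its queued OnStartRequest ran while still live
  // Run from Cancel(); models a channel that removes itself from the load
  // group synchronously when cancelled (as DocumentChannelChild does).
  std::function<void(Request*)> onCancel;
  void Cancel() { cancelled = true; if (onCancel) onCancel(this); }
};

struct LoadGroup {
  std::vector<Request*> requests;       // the group's table of live requests
  int foregroundCount = 0;              // stands in for mForegroundCount
  std::vector<Request*> pendingEvents;  // queued OnStartRequest runnables
  std::function<void()> onLoadEvent;    // fired when the group drains
  void AddRequest(Request* r) {
    requests.push_back(r);
    ++foregroundCount;
    pendingEvents.push_back(r);
  }
  bool Contains(Request* r) const {
    return std::find(requests.begin(), requests.end(), r) != requests.end();
  }
  void Erase(Request* r) {
    requests.erase(std::remove(requests.begin(), requests.end(), r), requests.end());
  }
  // Decrement and fire the load event once the group is empty. The load
  // event handler may run script that spins the event loop.
  void NotifyRemoved() {
    if (--foregroundCount == 0 && onLoadEvent) onLoadEvent();
  }
  void RemoveRequest(Request* r) {
    if (!Contains(r)) return;  // tolerate a request that already left
    Erase(r);
    NotifyRemoved();
  }
  // Nested event loop: queued runnables run; uncancelled requests get dispatched.
  void SpinEventLoop() {
    std::vector<Request*> events;
    events.swap(pendingEvents);
    for (Request* r : events) if (!r->cancelled) r->dispatched = true;
  }
  // Old ordering: remove, then cancel; the removal's load event spins the loop first.
  void CancelRemoveFirst() {
    std::vector<Request*> snapshot = requests;
    for (Request* r : snapshot) { RemoveRequest(r); r->Cancel(); }
  }
  // First attempt at the fix: cancel everything, then notify once per snapshotted
  // request. One that Cancel() already removed is counted twice, so we underflow.
  void CancelFirstNaive() {
    std::vector<Request*> snapshot = requests;
    for (Request* r : snapshot) r->Cancel();
    requests.clear();
    for (size_t i = 0; i < snapshot.size(); ++i) NotifyRemoved();
  }
  // Corrected ordering: cancel all, take the survivors out of the table, then
  // notify only for those, so script sees "all cancelled, none in the group".
  void CancelFirst() {
    std::vector<Request*> snapshot = requests;
    for (Request* r : snapshot) r->Cancel();
    std::vector<Request*> survivors;
    for (Request* r : snapshot) {
      if (!Contains(r)) continue;  // removed synchronously inside Cancel()
      Erase(r);
      survivors.push_back(r);
    }
    for (size_t i = 0; i < survivors.size(); ++i) NotifyRemoved();
  }
};

enum class Mode { RemoveFirst, CancelFirstNaive, CancelFirst };
struct Outcome { bool dispatched; int foregroundCount; };

// One about:blank load whose load event handler runs script that spins the
// event loop (the window.open() of step 5 in the sequence above).
Outcome RunScenario(Mode mode, bool cancelRemovesSynchronously) {
  LoadGroup group;
  Request r;
  group.onLoadEvent = [&group] { group.SpinEventLoop(); };
  if (cancelRemovesSynchronously)
    r.onCancel = [&group](Request* req) { group.RemoveRequest(req); };
  group.AddRequest(&r);
  if (mode == Mode::RemoveFirst) group.CancelRemoveFirst();
  else if (mode == Mode::CancelFirstNaive) group.CancelFirstNaive();
  else group.CancelFirst();
  return {r.dispatched, group.foregroundCount};
}

int main() {
  assert(RunScenario(Mode::RemoveFirst, false).dispatched);   // the bug
  assert(!RunScenario(Mode::CancelFirst, false).dispatched);  // fixed
  assert(RunScenario(Mode::CancelFirstNaive, true).foregroundCount == -1);
  assert(RunScenario(Mode::CancelFirst, true).foregroundCount == 0);
}
```

With the original ordering the request is dispatched even though the group is being torn down; with the corrected ordering it is not, and the foreground count ends at zero whether or not Cancel() removed the request synchronously. The naive variant reaches -1 in the synchronous case, which is the underflow the comment above reports.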

Yep, those changes make sense.

Flags: needinfo?(bzbarsky)

There is an increase in the frequency of this failure which starts a few hours before this landed.

Perry, please check if that is from bug 1456995 and create a new secure bug to track this if it applies.

Recent failures: https://treeherder.mozilla.org/intermittent-failures.html#/bugdetails?startday=2019-09-11&endday=2019-10-11&tree=all&bug=1533957

Flags: needinfo?(perry)
Flags: qe-verify+
Whiteboard: [necko-triaged] → [necko-triaged][post-critsmash-triage]

Bughunter can still reproduce this assertion on Linux and Windows. Is that expected? I don't have visibility into other security bugs. Do we still have bugs open for this?

There is bug 1587686. Should it be set as duplicate of this one and this one also get reopened?

Flags: needinfo?(valentin.gosu)

(In reply to Sebastian Hengst [:aryx] (needinfo on intermittent or backout) from comment #61)

> There is bug 1587686. Should it be set as duplicate of this one and this one also get reopened?

I don't have access to that one. I think that's a question for BZ

Flags: needinfo?(valentin.gosu) → needinfo?(bzbarsky)

Maybe we also need this to make the assertion go away?

(In reply to Boris Zbarsky [:bzbarsky, bz on IRC] from comment #43)

> The other thing we could do is have nsDSURIContentListener::DoContent just cancel the load, instead of bailing out and hoping someone else will handle it, if mDocShell is null. We may want to do that in addition to the loadgroup change.

I don't have access to bug 1587686 either.

Bob, are you still reproducing this assertion with the sort of stack comment 0 has, or something else?

Flags: needinfo?(bzbarsky)
Flags: needinfo?(bob)
Flags: needinfo?(aryx.bugmail)

So bug 1587686 is reported with the sort of stack we had here, but it was also filed before this patch landed on the relevant branch, afaict.

I would not reopen this bug, though it might be worth adding some information to the summary to make it clear what problem was being addressed.

I'll try to reproduce the issue on the URL in bug 1587686 comment 3.

(In reply to Boris Zbarsky [:bzbarsky, bz on IRC] from comment #64)

> Bob, are you still reproducing this assertion with the sort of stack comment 0 has, or something else?

Pretty much, at least through about frame 10.

Assertion failure: XRE_IsParentProcess(), at /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:700
#01: nsWindowWatcher::OpenWindow(mozIDOMWindowProxy*, char const*, char const*, char const*, nsISupports*, mozIDOMWindowProxy**) [toolkit/components/windowwatcher/nsWindowWatcher.cpp:292]
#02: NS_InvokeByIndex
#03: CallMethodHelper::Call() [js/xpconnect/src/XPCWrappedNative.cpp:1183]
#04: XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) [js/xpconnect/src/XPCWrappedNative.cpp:1149]
#05: XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) [js/xpconnect/src/XPCWrappedNativeJSOps.cpp:946]
#06: CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) [js/src/vm/Interpreter.cpp:457]
#07: js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) [js/src/vm/Interpreter.cpp:549]
#08: Interpret(JSContext*, js::RunState&) [js/src/vm/Interpreter.cpp:0]
#09: js::RunScript(JSContext*, js::RunState&) [js/src/vm/Interpreter.cpp:424]
#10: js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) [js/src/vm/Interpreter.cpp:590]
#11: <name omitted> [js/src/vm/Interpreter.cpp:635]
#12: JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) [js/src/jsapi.cpp:2659]
#13: nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) [js/xpconnect/src/XPCWrappedJSClass.cpp:978]
#14: PrepareAndDispatch [xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:125]
#15: SharedStub
#16: nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) [uriloader/base/nsURILoader.cpp:477]
#17: nsDocumentOpenInfo::OnStartRequest(nsIRequest*) [uriloader/base/nsURILoader.cpp:292]
#18: mozilla::net::HttpChannelChild::DoOnStartRequest(nsIRequest*, nsISupports*) [netwerk/protocol/http/HttpChannelChild.cpp:682]
#19: mozilla::net::HttpChannelChild::OnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, mozilla::net::ParentLoadInfoForwarderArgs const&, bool const&, bool const&, bool const&, unsigned long const&, int const&, unsigned int const&, nsTString<char> const&, nsTString<char> const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, unsigned int const&, nsTString<char> const&, long const&, bool const&, bool const&, bool const&, mozilla::net::ResourceTimingStruct const&, bool const&) [netwerk/protocol/http/HttpChannelChild.cpp:608]
#20: mozilla::net::StartRequestEvent::Run() [netwerk/protocol/http/HttpChannelChild.cpp:433]
#21: mozilla::net::ChannelEventQueue::RunOrEnqueue(mozilla::net::ChannelEvent*, bool) [netwerk/ipc/ChannelEventQueue.h:211]
#22: mozilla::net::HttpChannelChild::RecvOnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, mozilla::net::ParentLoadInfoForwarderArgs const&, bool const&, bool const&, bool const&, unsigned long const&, int const&, unsigned int const&, nsTString<char> const&, nsTString<char> const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, short const&, unsigned int const&, nsTString<char> const&, long const&, bool const&, bool const&, bool const&, mozilla::net::ResourceTimingStruct const&, bool const&) [netwerk/protocol/http/HttpChannelChild.cpp:502]
#23: mozilla::net::PHttpChannelChild::OnMessageReceived(IPC::Message const&) [s3:gecko-generated-sources:1027720f1f8b6ec3b5dbd83a7d1477e5a4b1ba02a6b6633509e27a3a8859c168808e1439d7410c7d4a5bf6bacd90d320ec3465002b4b16f3d9445697b7e64cfa/ipc/ipdl/PHttpChannelChild.cpp::833]
#24: mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) [s3:gecko-generated-sources:32cd8e0d57a6ca6b1abf75740afe2c773fecda4a1e90295c6041f690c8827e1e757830aa656488bf13f77f66f28139465bd3ffc3dee8169799fd2076c348aa26/ipc/ipdl/PContentChild.cpp::7838]
#25: mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) [ipc/glue/MessageChannel.cpp:2186]
#26: mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) [ipc/glue/MessageChannel.cpp:2112]
#27: mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) [ipc/glue/MessageChannel.cpp:0]
#28: mozilla::ipc::MessageChannel::MessageTask::Run() [ipc/glue/MessageChannel.cpp:1987]
#29: mozilla::SchedulerGroup::Runnable::Run() [xpcom/threads/SchedulerGroup.cpp:295]
#30: nsThread::ProcessNextEvent(bool, bool*) [xpcom/threads/nsThread.cpp:1225]
#31: NS_ProcessNextEvent(nsIThread*, bool) [xpcom/threads/nsThreadUtils.cpp:486]
#32: mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) [ipc/glue/MessagePump.cpp:88]
#33: MessageLoop::Run() [ipc/chromium/src/base/message_loop.cc:291]
#34: nsBaseAppShell::Run() [widget/nsBaseAppShell.cpp:139]
#35: XRE_RunAppShell() [toolkit/xre/nsEmbedFunctions.cpp:934]
#36: mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) [ipc/glue/MessagePump.cpp:238]
#37: MessageLoop::Run() [ipc/chromium/src/base/message_loop.cc:291]
#38: XRE_InitChildProcess(int, char**, XREChildData const*) [toolkit/xre/nsEmbedFunctions.cpp:769]
#39: content_process_main(mozilla::Bootstrap*, int, char**) [ipc/contentproc/plugin-container.cpp:57]
#40: main [browser/app/nsBrowserApp.cpp:272]
#41: libc.so.6 + 0x23f43
#42: _start
Flags: needinfo?(bob)

Maybe we also need this to make the assertion go away?

We could, but it's worth investigating why we're ending up in this situation anyway.

That is, imo we should assert anyway if we get a DoContent in the "no docshell" state; we just shouldn't hand it off to the window watcher machinery.

What's the status of this bug? Is this something we should uplift to ESR68? Is there more follow-up work still needing to be done before?

Flags: needinfo?(valentin.gosu)

(In reply to Ryan VanderMeulen [:RyanVM] from comment #68)

What's the status of this bug? Is this something we should uplift to ESR68? Is there more follow-up work still needing to be done before?

I'm not sure how serious the issue is in ESR - or if it can be exploited. :bz can probably answer that.
Bug 1587686 also needs to be fixed for the assertion to go away completely.
In terms of risk, I'd say it's medium - the code hadn't changed for a long time and while we didn't see any problems in automation it's conceivable that some sites may be affected by the different order of operations.

Flags: needinfo?(valentin.gosu) → needinfo?(bzbarsky)

I actually don't have a good feel for what the failure mode in opt builds is when this XRE_IsParentProcess() assertion fails. I'm hoping Mike (who added the assertion) might know...

Flags: needinfo?(bzbarsky) → needinfo?(mconley)

The failure mode I guess is that, in theory, a content process could potentially ask the parent to create a dialog window. According to this documentation, that mainly means that the min/max/close buttons are not displayed. That doesn't sound disastrous on the face of it, but it's certainly not a thing that web content is supposed to be able to do. I'm honestly not sure what sorts of things a hostile actor could do if they had the ability to open a dialog window.

Flags: needinfo?(mconley)

a content process could potentially ask the parent to create a dialog window

On this specific codepath here, the URL of that dialog is not under content control: it's the helper app dialog. That probably helps...

Flags: needinfo?(perry)

Based on the discussion above, it sounds like this isn't something we need to backport to ESR. Feel free to nominate for uplift if you feel strongly otherwise, but note that 68.3esr go-to-build is next week and we'd need that request to happen Really Soon Now.

See Also: → 1599498
Whiteboard: [necko-triaged][post-critsmash-triage] → [necko-triaged][post-critsmash-triage][adv-main71+r]
Whiteboard: [necko-triaged][post-critsmash-triage][adv-main71+r] → [necko-triaged][post-critsmash-triage][adv-main71+r][adv-esr68.3+r]

I could not successfully reproduce it with:

All of them performed normally, the errors in comment 0, comment 39 and comment 66 were not seen in the logs and no kind of crash happened.

Which build type should I take to reproduce this issue? Which OS? Are there any other steps that I need to take in order to reproduce it correctly (considering comment 35)?

Flags: needinfo?(twsmith)

(In reply to Bodea Daniel [:danibodea] from comment #74)

Which build type should I take to reproduce this issue? Which OS? Are there any other steps that I need to take in order to reproduce it correctly (considering comment 35)?

The steps in comment 34 work.

Flags: needinfo?(twsmith)

Sorry for insisting, but can you answer the remaining questions, please?

  1. Which build type should I take to reproduce this issue?
  2. Which OS?

Thanks.
Flags: needinfo?(twsmith)

Can reproduce this on older builds with Linux x64 debug. Loading the testcase initially doesn't crash until dom.disable_open_during_load gets set to false and the test case reloaded. That crashes it and even after switching dom.disable_open_during_load back to true the crashes can be reproduced. Use this build from Oct 6: https://treeherder.mozilla.org/#/jobs?repo=mozilla-central&resultStatus=success%2Ctestfailed%2Cbusted%2Cexception&searchStr=linux%2Cdebug%2Cbuild&revision=7bbdfe6958a4305ea430db9d217771a5230c1cd5&selectedJob=269954075

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Flags: needinfo?(twsmith)
Group: core-security-release
