Open Bug 1566075 Opened 6 years ago Updated 3 years ago

Crash in [@ ExpandedPrincipal::GetHashValue]

Categories

(Core :: CSS Parsing and Computation, defect, P3)

Tracking

Tracking Status
firefox69 --- affected
firefox70 --- affected

People

(Reporter: Gankra, Unassigned)

Details

(Keywords: crash)

Crash Data

This bug is for crash report bp-38dfda8e-bb08-44ba-8f89-40b0b0190715.

Top 10 frames of crashing thread:

0 XUL ExpandedPrincipal::GetHashValue caps/ExpandedPrincipal.cpp:130
1 XUL non-virtual thunk to ExpandedPrincipal::GetHashValue caps/ExpandedPrincipal.cpp
2 XUL mozilla::dom::FontFaceSet::FindOrCreateUserFontEntryFromFontFace gfx/thebes/gfxFontSrcPrincipal.cpp:20
3 XUL mozilla::dom::FontFaceSet::UpdateRules layout/style/FontFaceSet.cpp:883
4 XUL mozilla::dom::Document::FlushUserFontSet dom/base/Document.cpp:14765
5 XUL mozilla::PresShell::DoFlushPendingNotifications layout/base/PresShell.cpp:4163
6 XUL mozilla::dom::Document::FlushPendingNotifications dom/base/Document.cpp:10011
7 XUL nsComputedDOMStyle::UpdateCurrentStyleSources layout/style/nsComputedDOMStyle.cpp:812
8 XUL nsComputedDOMStyle::GetPropertyValue layout/style/nsComputedDOMStyle.cpp:424
9 XUL nsComputedDOMStyle::GetPropertyValue layout/style/nsComputedDOMStyle.cpp:370

Deterministic STR on my machine (macOS 10.14, latest Firefox Nightly):

Adding 69 as affected since some crashes show up in crash stats.

The priority flag is not set for this bug.
:hiro, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(hikezoe.birchill)

Kris, bz, any insights on this?

I suspect bug 1412345 still keeps happening. Unfortunately I can't reproduce the crash locally (probably due to lack of extensions that trigger the crash?) but it seems Gankro can reliably reproduce the crash, so this is an actionable bug?

Flags: needinfo?(kmaglione+bmo)
Flags: needinfo?(hikezoe.birchill)
Flags: needinfo?(bzbarsky)

The STR I posted doesn't work for me anymore, sadly. I expect something fixed it on nightly?

Looks like we're getting to https://searchfox.org/mozilla-central/rev/38c88cbf4be87dfa0636d15a5d3599a8ea0d1a72/layout/style/FontFaceSet.cpp#1093-1094 with the principal in extraData an expanded principal. Then the gfxFontSrcPrincipal constructor gets the hash value and we hit the MOZ_CRASH.

This is a pretty different situation from bug 1412345.

Presumably what's needed here to reproduce is an extension-principled stylesheet with a font-face rule, right? Alexis, do any of the extensions you have installed have such things in them?

I'm really not sure what behavior we expect here in that situation or why we don't allow hashing expanded principals.

Flags: needinfo?(bzbarsky)

uBlock Origin and LastPass are the only two extensions I have which affect page content in a way relevant to github.com (other installed ones at the time: BugzillaJS, HistoryBlock, MyQOnly). I wouldn't expect either of those addons to be touching font-faces though. It looks like a bunch of "native" features of Firefox show up as addons in the crash report though. Perhaps one of those things went rogue?

I tried adding a style sheet with an @font-face rule using the Stylish addon, but couldn't reproduce the crash.

Priority: -- → P3

I just found a very oddly-named signature for this crash. The raw crash reason is the same and the stack is similar.

Crash Signature: [@ ExpandedPrincipal::GetHashValue] → [@ ExpandedPrincipal::GetHashValue] [@ {virtual override thunk}]

I've looked, but I can't figure out any way we'd create a stylesheet or a font face with an expanded principal from an extension at this point. Can't do any more without a way to reproduce this.

Flags: needinfo?(kmaglione+bmo)
Severity: critical → S3

(In reply to Kris Maglione [:kmag] from comment #9)
> I've looked, but I can't figure out any way we'd create a stylesheet or a font face

(The mention of font face makes me wonder if this is somehow related to bug 1746997; just dropping the link in case it is.)

Crash Signature: [@ ExpandedPrincipal::GetHashValue] [@ {virtual override thunk}] → [@ ExpandedPrincipal::GetHashValue] [@ {virtual override thunk}] [@ gfxFontSrcPrincipal::gfxFontSrcPrincipal ]