Closed Bug 1590777 Opened 6 years ago Closed 6 years ago

Crash in [@ DOMSecurityManager::ParseCSPAndEnforceFrameAncestorCheck]

Categories

(Core :: DOM: Security, defect, P1)

Product:
Core
Component:
DOM: Security
Platform:
Unspecified
Windows 10
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla72
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox69 --- unaffected
firefox70 --- unaffected
firefox71 --- unaffected
firefox72 --- fixed

People

(Reporter: calixte, Assigned: ckerschb)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression, Whiteboard: [domsecurity-active])

Crash Data

Attachments

(1 file)

Bug 1590777: Add Null check for referrerinfo within ParseCSPAndEnforceFrameAncestorCheck. r=tnguyen
47 bytes, text/x-phabricator-request
Details | Review

This bug is for crash report bp-13bef52a-dcea-4184-a4ad-1efd20191023.

Top 10 frames of crashing thread:

0 xul.dll nsresult DOMSecurityManager::ParseCSPAndEnforceFrameAncestorCheck dom/security/DOMSecurityManager.cpp:170
1 xul.dll nsresult DOMSecurityManager::Observe dom/security/DOMSecurityManager.cpp:111
2 xul.dll nsObserverService::NotifyObservers xpcom/ds/nsObserverService.cpp:291
3 xul.dll mozilla::net::nsHttpHandler::NotifyObservers netwerk/protocol/http/nsHttpHandler.cpp:806
4 xul.dll nsresult mozilla::net::nsHttpChannel::ProcessResponse netwerk/protocol/http/nsHttpChannel.cpp:2474
5 xul.dll nsresult mozilla::net::nsHttpChannel::OnStartRequest netwerk/protocol/http/nsHttpChannel.cpp:7705
6 xul.dll unsigned int nsInputStreamPump::OnStateStart netwerk/base/nsInputStreamPump.cpp:487
7 xul.dll nsresult nsInputStreamPump::OnInputStreamReady netwerk/base/nsInputStreamPump.cpp:396
8 xul.dll nsresult nsInputStreamReadyEvent::Run xpcom/io/nsStreamUtils.cpp:91
9 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1225

There are 32 crashes (from 15 installations) in nightly 72 starting with buildid 20191022214314. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1584993.

[1] https://hg.mozilla.org/mozilla-central/rev?node=e21ad27bfd0a

Flags: needinfo?(ckerschb)
Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Flags: needinfo?(ckerschb)
Priority: -- → P1
Whiteboard: [domsecurity-active]

Pushed by rmaries@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6dffdf63221a
Add Null check for referrerinfo within ParseCSPAndEnforceFrameAncestorCheck. r=tnguyen

Keywords: checkin-needed

https://hg.mozilla.org/mozilla-central/rev/6dffdf63221a

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox72: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla72
Crash Signature: [@ DOMSecurityManager::ParseCSPAndEnforceFrameAncestorCheck] → [@ DOMSecurityManager::ParseCSPAndEnforceFrameAncestorCheck] [@ DOMSecurityManager::Observe]

Hi Cristoph, is there something manually verificable? And if yes, could you provide some steps? Thanks!

Crash Signature: [@ DOMSecurityManager::ParseCSPAndEnforceFrameAncestorCheck] [@ DOMSecurityManager::Observe] → [@ DOMSecurityManager::ParseCSPAndEnforceFrameAncestorCheck] [@ DOMSecurityManager::Observe]
Flags: needinfo?(ckerschb)

(In reply to Catalin Sasca, QA [:csasca] from comment #5)

Hi Cristoph, is there something manually verificable? And if yes, could you provide some steps? Thanks!

I don't think there is actually, we just looked at the crash signature and added a null check before derefing the pointer, but there was not testcase and I also can't think of a testcase which would trigger that codeline.

Flags: needinfo?(ckerschb)
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: