Closed Bug 1616254 Opened 6 years ago Closed 6 years ago

Crash in [@ mozilla::dom::ServiceWorkerManager::RegistrationDataPerPrincipal::ScopeContainer::MatchScope]

Categories

(Core :: DOM: Service Workers, defect, P2)

Product:
Core
Component:
DOM: Service Workers
Platform:
Unspecified
Windows 10
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla75
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox73 --- unaffected
firefox74 --- disabled
firefox75 --- fixed

People

(Reporter: pascalc, Assigned: perry)

References

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

Bug 1616254 - MatchScope should check same-origin using ScopeToPrincipal helper r?#dom-workers-and-storage,asuth
47 bytes, text/x-phabricator-request
Details | Review

This bug is for crash report bp-64b88d71-391c-4dfa-817d-474260200218.

Top 10 frames of crashing thread:

0 xul.dll mozilla::dom::ServiceWorkerManager::RegistrationDataPerPrincipal::ScopeContainer::MatchScope const dom/serviceworkers/ServiceWorkerManager.cpp:239
1 xul.dll static mozilla::dom::ServiceWorkerManager::FindScopeForPath dom/serviceworkers/ServiceWorkerManager.cpp:1813
2 xul.dll mozilla::dom::ServiceWorkerManager::GetServiceWorkerRegistrationInfo const dom/serviceworkers/ServiceWorkerManager.cpp:1716
3 xul.dll mozilla::dom::ServiceWorkerManager::GetServiceWorkerRegistrationInfo const dom/serviceworkers/ServiceWorkerManager.cpp:1700
4 xul.dll mozilla::dom::ServiceWorkerManager::IsAvailable dom/serviceworkers/ServiceWorkerManager.cpp:2270
5 xul.dll mozilla::dom::ServiceWorkerInterceptController::ShouldPrepareForIntercept dom/serviceworkers/ServiceWorkerInterceptController.cpp:44
6 xul.dll mozilla::net::HttpBaseChannel::ShouldIntercept netwerk/protocol/http/HttpBaseChannel.cpp:2836
7 xul.dll mozilla::net::nsHttpChannel::Connect netwerk/protocol/http/nsHttpChannel.cpp:742
8 xul.dll mozilla::net::nsHttpChannel::ContinueOnBeforeConnect netwerk/protocol/http/nsHttpChannel.cpp:709
9 xul.dll mozilla::net::nsHttpChannel::OnBeforeConnect netwerk/protocol/http/nsHttpChannel.cpp:635

First crash started with 20200215095617
Changelog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=f8ec5d8b4718a6456446b56c40ea32c50c631d48&tochange=02b1aa498dd2269ea45fb47e7e50f3d45d26bd3c

Perry, these are the diagnostic asserts introduced by bug 1609665. Does this help?

Flags: needinfo?(perry)
See Also: → 1609665

Yeah, this definitely looks like it will help.

Assignee: nobody → perry
Flags: needinfo?(perry)
Priority: -- → P2

I'm hitting a full-browser crash with this signature, 100% reliably, when trying to visit https://finance.yahoo.com/quote/%5EGSPC?p=^GSPC (which is the URL you land on if you visit finance.yahoo.com and click "S&P 500"). I crash right away when the page finishes loading.

Sample crash report (in a fresh profile): bp-16b0b62e-e7bf-4c30-8790-d74f30200224

Given the stock market drop today, I wouldn't be surprised if we start seeing this a lot, for folks checking graphs on Yahoo Finance...

Perry, maybe you could take a look (particularly if this URL ^^ helps you reproduce/investigate)?

Flags: needinfo?(perry)

(In reply to Daniel Holbert [:dholbert] from comment #3)

I'm hitting a full-browser crash with this signature, 100% reliably, when trying to visit https://finance.yahoo.com/quote/%5EGSPC?p=^GSPC (which is the URL you land on if you visit finance.yahoo.com and click "S&P 500"). I crash right away when the page finishes loading.

Sample crash report (in a fresh profile): bp-16b0b62e-e7bf-4c30-8790-d74f30200224

Given the stock market drop today, I wouldn't be surprised if we start seeing this a lot, for folks checking graphs on Yahoo Finance...

Perry, maybe you could take a look (particularly if this URL ^^ helps you reproduce/investigate)?

Thanks for STR, I'm looking into it now

Flags: needinfo?(perry)

FWIW my STR aren't triggering the crash for me on a different machine (still fresh profile, latest nightly), so it might depend on precisely which ads you get served (and I got "lucky" earlier on when I was crashing).

It tries to check that "https://finance.yahoo.com/quote/%5EGSPC?p=^GSPC" and "https://finance.yahoo.com" have equals principals, but "https://finance.yahoo.com/quote/%5EGSPC?p=^GSPC" fails to parse as a principal because the "^GSPC" suffix is being interpreted as an invalid origin attributes key-value pair. The "^" is supposed to be encoded though, according to https://www.ietf.org/rfc/rfc1738.txt on [Page 2]:

Other characters are unsafe because gateways and other transport agents are known to sometimes modify such characters. These characters are "{", "}", "|", "", "^", "~", "[", "]", and "`".

All unsafe characters must always be encoded within a URL.

Fixes an issue where directly converting a string to principal causes the
string to fail to be parsed due to "^" being interpreted as the start of
origin attributes (and the rest of the string isn't able to be parsed as
origin attributes).

Pushed by pjiang@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/6a748b335653 MatchScope should check same-origin using ScopeToPrincipal helper r=dom-workers-and-storage-reviewers,asuth

https://hg.mozilla.org/mozilla-central/rev/6a748b335653

Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox75: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla75

If this is not risky: Should we think about uplifting?

Flags: needinfo?(perry)

It's not risky, but I don't think we need to worry about uplifting because the MOZ_DIAGNOSTIC_ASSERT is disabled for beta (and the assertion failure appears to have been a false positive anyways).

Flags: needinfo?(perry)
Flags: qe-verify+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: