Closed Bug 1942517 Opened 1 month ago Closed 1 month ago

Crash in [@ mozilla::dom::WorkerPrivate::GetCSPInfo]

Categories

(Core :: DOM: Security, defect, P3)

Unspecified
Windows 11
defect

Tracking


RESOLVED FIXED
136 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox134 --- unaffected
firefox135 --- unaffected
firefox136 + fixed

People

(Reporter: dmeehan, Assigned: fredw)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression, Whiteboard: [domsecurity-active])

Attachments

(1 file)

Crash report: https://crash-stats.mozilla.org/report/index/1d984d0e-8d7f-4968-bfd1-1d1d60250119

Reason:

EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames:

0  xul.dll  mozilla::UniquePtr<mozilla::ipc::CSPInfo, mozilla::DefaultDelete<mozilla::ipc...  mfbt/UniquePtr.h:287
0  xul.dll  mozilla::UniquePtr<mozilla::ipc::CSPInfo, mozilla::DefaultDelete<mozilla::ipc...  mfbt/UniquePtr.h:278
0  xul.dll  mozilla::dom::WorkerPrivate::GetCSPInfo() const  dom/workers/WorkerPrivate.h:937
0  xul.dll  mozilla::dom::TrustedTypeUtils::GetTrustedTypesCompliantString(mozilla::dom::...  dom/security/trusted-types/TrustedTypeUtils.cpp:489
0  xul.dll  mozilla::dom::TrustedTypeUtils::GetTrustedTypesCompliantString(mozilla::dom::...  dom/security/trusted-types/TrustedTypeUtils.cpp:552
1  xul.dll  mozilla::dom::DOMParser::ParseFromString(mozilla::dom::TrustedHTMLOrString co...  dom/base/DOMParser.cpp:110
1  xul.dll  mozilla::dom::DOMParser_Binding::parseFromString(JSContext*, JS::Handle<JSObj...  dom/bindings/DOMParserBinding.cpp:97
2  xul.dll  mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::Nor...  dom/bindings/BindingUtils.cpp:3290
3  xul.dll  CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::...  js/src/vm/Interpreter.cpp:532
3  xul.dll  js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstru...  js/src/vm/Interpreter.cpp:628

:iain is it possible this is a regression from Bug 1932864?

Flags: needinfo?(iireland)

Fred, could you take a look at this regression from bug 1901492?

Flags: needinfo?(fwang)

Yes, from the backtrace this is likely due to this change.

I had checked callers in https://phabricator.services.mozilla.com/D233507?id=967939#inline-1302263

and DOMParser was supposed to be only used in a Window global scope: https://html.spec.whatwg.org/multipage/dynamic-markup-insertion.html#domparser

Maybe this is an edge case when DOMParser::mOwner is actually null and we wrongly go to the else branch for workers https://searchfox.org/mozilla-central/rev/9a66d18cb35595c89f499a1011c9dd7e573fce77/dom/security/trusted-types/TrustedTypeUtils.cpp#489 (in the past this was just returning early and so hiding the problem).

Do we actually have a test case we can use to reproduce the issue?

Flags: needinfo?(fwang) → needinfo?(smaug)
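The null-owner edge case described in this comment, modelled as an added example (not code from mozilla-central or from the commenter); CSPInfo, WorkerPrivate, Global and the two CompliantString* helpers are assumed stand-ins for the real classes, and the globals are constructed values:

```cpp
// Added example, not mozilla-central code: models the global-kind dispatch in
// the crashing helper. Names (CSPInfo, WorkerPrivate, Global, the two
// CompliantString* functions) and all values are constructed stand-ins.
#include <memory>
#include <optional>
#include <string>

struct CSPInfo { bool requireTrustedTypesForScript; };  // constructed CSP directive flag
struct WorkerPrivate {
  std::unique_ptr<CSPInfo> mCSPInfo;
  const CSPInfo* GetCSPInfo() const { return mCSPInfo.get(); }
};

// A global is a Window (owns a CSP), a worker (owns a WorkerPrivate), or a
// system JS global, which has neither.
struct Global {
  const CSPInfo* mWindowCSP = nullptr;
  WorkerPrivate* mWorkerPrivate = nullptr;
  bool IsWindow() const { return mWindowCSP != nullptr; }
};

// Before the fix: "not a Window" is taken to mean "a worker", so a system JS
// global reaches GetCSPInfo() through a null WorkerPrivate (the crash above).
// Returns the string to parse, or std::nullopt when the policy requires a
// TrustedHTML object and the plain string must be rejected.
std::optional<std::string> CompliantStringBuggy(const std::string& input,
                                                const Global& g) {
  const CSPInfo* csp =
      g.IsWindow() ? g.mWindowCSP : g.mWorkerPrivate->GetCSPInfo();
  if (csp && csp->requireTrustedTypesForScript) return std::nullopt;
  return input;
}

// After the fix, as the landed patch title describes it: the check is skipped
// whenever the global is not a Window, so no WorkerPrivate is ever touched.
std::optional<std::string> CompliantStringFixed(const std::string& input,
                                                const Global& g) {
  if (!g.IsWindow()) return input;
  if (g.mWindowCSP->requireTrustedTypesForScript) return std::nullopt;
  return input;
}

// Constructed globals of each kind, for exercising the two helpers.
static CSPInfo kEnforcing{true};
static CSPInfo kRelaxed{false};
static WorkerPrivate kWorker{std::make_unique<CSPInfo>(CSPInfo{false})};
Global WindowGlobal(bool enforce) { Global g; g.mWindowCSP = enforce ? &kEnforcing : &kRelaxed; return g; }
Global WorkerGlobal() { Global g; g.mWorkerPrivate = &kWorker; return g; }
Global SystemGlobal() { return Global{}; }  // neither Window nor worker
```

Calling CompliantStringBuggy with SystemGlobal() dereferences the null WorkerPrivate, which is the access violation in the report; CompliantStringFixed returns the input untouched for that global.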

DOMParser can be used outside Window, in those system JS globals that I mentioned on Matrix.

https://searchfox.org/mozilla-central/search?q=new+DOMParser%28&path=&case=false&regexp=false

I guess the crash happens only if one has dom.security.trusted_types.enabled enabled?

Flags: needinfo?(smaug)

Thanks, I'll check more.

Yes, the affected code only runs with dom.security.trusted_types.enabled enabled.

Component: JavaScript Engine → DOM: Security

The bug is marked as tracked for firefox136 (nightly). We have limited time to fix this, the soft freeze is in 8 days. However, the bug still isn't assigned.

:freddy, could you please find an assignee for this tracked bug? Given that it is a regression and we know the cause, we could also simply backout the regressor. If you disagree with the tracking decision, please talk with the release managers.

For more information, please visit BugBot documentation.

Flags: needinfo?(fbraun)
Assignee: nobody → fwang
Severity: -- → S3
Priority: -- → P2
Whiteboard: [domsecurity-active]

Downranking Priority as this is only happening for builds that have trusted types enabled (off by default).

Flags: needinfo?(fbraun)
Priority: P2 → P3
Pushed by fwang@igalia.com: https://hg.mozilla.org/integration/autoland/rev/f3b4d635577f Skip trusted type check for DOMParser when global object is not a Window. r=smaug
Status: NEW → RESOLVED
Closed: 1 month ago
Resolution: --- → FIXED
Target Milestone: --- → 136 Branch

Set release status flags based on info from the regressing bug 1901492
