Crash in [@ mozilla::dom::WorkerPrivate::GetCSPInfo]
Categories
(Core :: DOM: Security, defect, P3)
Tracking
Version | Tracking | Status |
---|---|---|
firefox-esr115 | --- | unaffected |
firefox-esr128 | --- | unaffected |
firefox134 | --- | unaffected |
firefox135 | --- | unaffected |
firefox136 | + | fixed |
People
(Reporter: dmeehan, Assigned: fredw)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: crash, regression, Whiteboard: [domsecurity-active])
Attachments
(1 file)
Crash report: https://crash-stats.mozilla.org/report/index/1d984d0e-8d7f-4968-bfd1-1d1d60250119
Reason:
EXCEPTION_ACCESS_VIOLATION_READ
Top 10 frames:
0 xul.dll mozilla::UniquePtr<mozilla::ipc::CSPInfo, mozilla::DefaultDelete<mozilla::ipc... mfbt/UniquePtr.h:287
0 xul.dll mozilla::UniquePtr<mozilla::ipc::CSPInfo, mozilla::DefaultDelete<mozilla::ipc... mfbt/UniquePtr.h:278
0 xul.dll mozilla::dom::WorkerPrivate::GetCSPInfo() const dom/workers/WorkerPrivate.h:937
0 xul.dll mozilla::dom::TrustedTypeUtils::GetTrustedTypesCompliantString(mozilla::dom::... dom/security/trusted-types/TrustedTypeUtils.cpp:489
0 xul.dll mozilla::dom::TrustedTypeUtils::GetTrustedTypesCompliantString(mozilla::dom::... dom/security/trusted-types/TrustedTypeUtils.cpp:552
1 xul.dll mozilla::dom::DOMParser::ParseFromString(mozilla::dom::TrustedHTMLOrString co... dom/base/DOMParser.cpp:110
1 xul.dll mozilla::dom::DOMParser_Binding::parseFromString(JSContext*, JS::Handle<JSObj... dom/bindings/DOMParserBinding.cpp:97
2 xul.dll mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::Nor... dom/bindings/BindingUtils.cpp:3290
3 xul.dll CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::... js/src/vm/Interpreter.cpp:532
3 xul.dll js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstru... js/src/vm/Interpreter.cpp:628
Comment 1•20 days ago (Reporter)
:iain is it possible this is a regression from Bug 1932864?
Comment 2•20 days ago
Fred, could you take a look at this regression from bug 1901492?
Comment 3•20 days ago (Assignee)
Yes, from the backtrace this is likely due to this change.
I had checked callers in https://phabricator.services.mozilla.com/D233507?id=967939#inline-1302263
and DOMParser was supposed to be only used in a Window global scope: https://html.spec.whatwg.org/multipage/dynamic-markup-insertion.html#domparser
Maybe this is an edge case when DOMParser::mOwner is actually null and we wrongly go to the else branch for workers https://searchfox.org/mozilla-central/rev/9a66d18cb35595c89f499a1011c9dd7e573fce77/dom/security/trusted-types/TrustedTypeUtils.cpp#489 (in the past this was just returning early and so hiding the problem).
Do we actually have a test case we can use to reproduce the issue?
Comment 5•19 days ago
DOMParser can be used outside Window, in those system JS globals that I mentioned on Matrix.
https://searchfox.org/mozilla-central/search?q=new+DOMParser%28&path=&case=false&regexp=false
I guess the crash happens only if one has dom.security.trusted_types.enabled enabled?
Comment 6•19 days ago (Assignee)
Thanks, I'll check more.
Yes, the affected code only runs with dom.security.trusted_types.enabled enabled.
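The failure mode discussed in comments 3 and 5, as an added example that is not part of the bug thread or the Firefox source: a simplified C++ model in which every type and function name is hypothetical. It contrasts a two-way dispatch that treats any non-Window caller as a worker with a three-way dispatch that also handles a caller that is neither.

```cpp
#include <memory>

// Simplified model, NOT Firefox source: all names below are hypothetical.
struct CspInfo { bool requireTrustedTypes; };

struct WorkerCtx {                      // stands in for a worker's private state
  std::unique_ptr<CspInfo> csp;
  const CspInfo* GetCsp() const { return csp.get(); }
};

struct Caller {
  const CspInfo* windowCsp = nullptr;   // set only for a Window global
  const WorkerCtx* worker = nullptr;    // set only on a worker thread
};

enum class Source { Window, Worker, None };

// Two-way dispatch as hypothesised in comment 3: "not a Window" is taken to
// mean "a worker", so a system JS global is sent down the worker path.
Source PickSourceTwoWay(const Caller& c) {
  return c.windowCsp ? Source::Window : Source::Worker;
}

// Three-way dispatch: a caller that is neither a Window nor a worker has no
// CSP to consult, and a worker context is checked before it is used.
Source PickSourceChecked(const Caller& c) {
  if (c.windowCsp) return Source::Window;
  if (c.worker && c.worker->GetCsp()) return Source::Worker;
  return Source::None;
}

// Whether Trusted Types enforcement applies; never dereferences a null context.
bool EnforcementApplies(const Caller& c) {
  switch (PickSourceChecked(c)) {
    case Source::Window: return c.windowCsp->requireTrustedTypes;
    case Source::Worker: return c.worker->GetCsp()->requireTrustedTypes;
    // Assumption: with no CSP there is nothing to enforce, which mirrors the
    // earlier early-return behaviour mentioned in comment 3.
    case Source::None:   return false;
  }
  return false;
}

int main() {
  Caller systemGlobal;  // constructed sample: neither Window nor worker
  return EnforcementApplies(systemGlobal) ? 1 : 0;
}
```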
Comment 7•18 days ago
The bug is marked as tracked for firefox136 (nightly). We have limited time to fix this, the soft freeze is in 8 days. However, the bug still isn't assigned.
:freddy, could you please find an assignee for this tracked bug? Given that it is a regression and we know the cause, we could also simply back out the regressor. If you disagree with the tracking decision, please talk with the release managers.
For more information, please visit BugBot documentation.
Comment 8•17 days ago (Assignee)
Comment 9•17 days ago
Downranking Priority as this is only happening for builds that have trusted types enabled (off by default).
Comment 10•17 days ago
Comment 11•16 days ago
bugherder
Comment 12•4 days ago
Set release status flags based on info from the regressing bug 1901492