Closed
Bug 267311
Opened 21 years ago
Closed 21 years ago
netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect") in a XBL constructor make mozilla crash. [@ JS_FrameIterator]
Categories
(Core :: Security: CAPS, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: jantonio122, Assigned: timeless)
References
()
Details
(Keywords: crash)
Crash Data
Attachments
(2 files)
|
3.00 KB,
patch
|
dveditz
:
review+
jst
:
superreview+
|
Details | Diff | Splinter Review |
|
1.46 KB,
patch
|
jst
:
review+
bzbarsky
:
superreview+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20041001 Firefox/0.10.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041028
xbl constructor, make mozilla crash.
the files on the test are
test.xul
widgets.css
widgets.xml
Reproducible: Always
Steps to Reproduce:
1. create a simple widget with a constructor containing the line:
netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect")
2. create a xul with a binding to that widget.
3. run the xul.
Actual Results:
Mozilla crash, and the application is closed.
Expected Results:
Mozilla crash, and the application is closed.
js3250.dll
|
||
Comment 1•21 years ago
|
||
*** Bug 267305 has been marked as a duplicate of this bug. ***
|
|
||
Comment 2•21 years ago
|
||
*** Bug 267306 has been marked as a duplicate of this bug. ***
|
|
||
Comment 3•21 years ago
|
||
*** Bug 267308 has been marked as a duplicate of this bug. ***
|
|
||
Comment 4•21 years ago
|
||
*** Bug 267315 has been marked as a duplicate of this bug. ***
|
|
||
Comment 5•21 years ago
|
||
*** Bug 267316 has been marked as a duplicate of this bug. ***
|
Reporter | |
Comment 6•21 years ago
|
||
while I was trying tu submit this bug, an internal server error was reported as
a result of the submit, so I try to submit the bug again a few times.
The duplicated bugs are for this reason.
Sorry.
first bug is caps, so to caps it goes
js3250.dll!JS_FrameIterator(JSContext * cx=0x00000000, JSStackFrame * *
iteratorp=0x0012f228) Line 652 + 0xe C
caps.dll!nsScriptSecurityManager::GetPrincipalAndFrame(JSContext *
cx=0x00000000, nsIPrincipal * * result=0x0012f3cc, JSStackFrame * *
frameResult=0x0012f3c8) Line 1900 + 0x15 C++
> caps.dll!nsScriptSecurityManager::EnableCapability(const char *
capability=0x03b1d1e0) Line 2314 + 0x1b C++
caps.dll!netscape_security_enablePrivilege(JSContext * cx=0x0317da40, JSObject
* obj=0x03298038, unsigned int argc=0x00000001, long * argv=0x039c128c, long *
rval=0x0012f44c) Line 143 + 0xf C++
js3250.dll!js_Invoke(JSContext * cx=0x0012f35c, unsigned int argc=0x00000000,
unsigned int flags=0x77f58a3a) Line 1286 + 0x11 C
js3250.dll!js_Interpret(JSContext * cx=0x00000000, long * result=0x77f58a3a)
Line 3500 C
js3250.dll!js_Invoke(JSContext * cx=0x0012f35c, unsigned int argc=0x00000000,
unsigned int flags=0x77f58a3a) Line 1306 + 0xa C
js3250.dll!js_InternalInvoke(JSContext * cx=0x0317da40, JSObject *
obj=0x02f538d8, long fval=0x02f53c98, unsigned int flags=0x00000000, unsigned
int argc=0x0317da6c, long * argv=0x00000000, long * rval=0x0012f788) Line
1428 + 0x13 C
js3250.dll!JS_CallFunctionValue(JSContext * cx=0x0317da40, JSObject *
obj=0x02f538d8, long fval=0x02f53c98, unsigned int argc=0x00000000, long *
argv=0x00000000, long * rval=0x0012f788) Line 3783 + 0x1c C
gklayout.dll!nsXBLProtoImplAnonymousMethod::Execute(nsIContent *
aBoundElement=0x03bec0b8) Line 283 + 0x11 C++
gklayout.dll!nsXBLBinding::ExecuteAttachedHandler() Line 849 C++
gklayout.dll!nsBindingManager::ProcessAttachedQueue() Line 932 C++
gklayout.dll!nsCSSFrameConstructor::ContentInserted(nsPresContext *
aPresContext=0x03903de0, nsIContent * aContainer=0x01845508, nsIFrame *
aContainerFrame=0x038a0a4c, nsIContent * aChild=0x03bec0b8, int
aIndexInContainer=0x01845508, nsILayoutHistoryState * aFrameState=0x00000000,
int aInReinsertContent=0x00000000) Line 9329 C++
gklayout.dll!PresShell::ContentInserted(nsIDocument * aDocument=0x030e9418,
nsIContent * aContainer=0x01845508, nsIContent * aChild=0x03bec0b8, int
aIndexInContainer=0x00000000) Line 5141 C++
gklayout.dll!nsXBLBindingRequest::DocumentLoaded(nsIDocument *
aBindingDoc=0x038f7048) Line 175 C++
gklayout.dll!nsXBLStreamListener::Load(nsIDOMEvent * aEvent=0x02f893f0) Line
426 + 0xa C++
gklayout.dll!nsEventListenerManager::HandleEvent(nsPresContext *
aPresContext=0x03aa49b4, nsEvent * aEvent=0x0012fadc, nsIDOMEvent * *
aDOMEvent=0x0012faac, nsIDOMEventTarget * aCurrentTarget=0x038f70f0, unsigned
int aFlags=0x00000007, nsEventStatus * aEventStatus=0x0012fb1c) Line 1607 +
0x2c C++
gklayout.dll!nsDocument::HandleDOMEvent(nsPresContext *
aPresContext=0x00000000, nsEvent * aEvent=0x0012fadc, nsIDOMEvent * *
aDOMEvent=0x0012faac, unsigned int aFlags=0x00000001, nsEventStatus *
aEventStatus=0x0012fb1c) Line 3828 C++
gklayout.dll!nsXMLDocument::EndLoad() Line 643 C++
gklayout.dll!nsXMLContentSink::DidBuildModel() Line 295 C++
gkparser.dll!nsExpatDriver::DidBuildModel(unsigned int anErrorCode=0x00000000,
int aNotifySink=0x00000001, nsIParser * aParser=0x038dab88, nsIContentSink *
aSink=0x03be9ec0) Line 1062 C++
gkparser.dll!nsParser::DidBuildModel(unsigned int anErrorCode=0x00000000)
Line 1248 + 0xe C++
gkparser.dll!nsParser::ResumeParse(int allowIteration=0x00000001, int
aIsFinalChunk=0x00000001, int aCanInterrupt=0x00000001) Line 1832 C++
gkparser.dll!nsParser::OnStopRequest(nsIRequest * request=0x03a1d890,
nsISupports * aContext=0x00000000, unsigned int status=0x00000000) Line 2495 C++
gklayout.dll!nsXBLStreamListener::OnStopRequest(nsIRequest *
request=0x03a1d890, nsISupports * aCtxt=0x00000000, unsigned int
aStatus=0x00000000) Line 319 + 0x14 C++
necko.dll!nsStreamListenerTee::OnStopRequest(nsIRequest * request=0x03a1d890,
nsISupports * context=0x00000000, unsigned int status=0x00000000) Line 65 +
0x19 C++
necko.dll!nsHttpChannel::OnStopRequest(nsIRequest * request=0x03746cf0,
nsISupports * ctxt=0x00000000, unsigned int status=0x00000000) Line 3723 C++
necko.dll!nsInputStreamPump::OnStateStop() Line 505 C++
necko.dll!nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream *
stream=0x03991dc8) Line 342 C++
xpcom_core.dll!nsInputStreamReadyEvent::EventHandler(PLEvent *
plevent=0x03992544) Line 119 C++
xpcom_core.dll!PL_HandleEvent(PLEvent * self=0x03992544) Line 693 C
xpcom_core.dll!PL_ProcessPendingEvents(PLEventQueue * self=0x01063ec8) Line 628 C
xpcom_core.dll!_md_EventReceiverProc(HWND__ * hwnd=0x000d2c70, unsigned int
uMsg=0x0000c14e, unsigned int wParam=0x00000000, long lParam=0x01063ec8) Line
1434 C
user32.dll!77d43a50()
user32.dll!77d43b1f()
user32.dll!GetMessageW() + 0x125
user32.dll!DispatchMessageW() + 0xb
appshell.dll!nsAppShellService::Run() Line 484 C++
mozilla.exe!main1(int argc=0x0012f35c, char * * argv=0x00000000, nsISupports *
nativeApp=0x77f58a3a) Line 1336 C++
mozilla.exe!main(int argc=0x00000001, char * * argv=0x003f7b88) Line 1827 +
0x16 C++
mozilla.exe!mainCRTStartup() Line 400 + 0x11 C
kernel32.dll!TermsrvAppInstallMode() + 0x269
Assignee: hyatt → dveditz
Status: UNCONFIRMED → NEW
Component: XBL → Security: CAPS
Ever confirmed: true
Keywords: crash
QA Contact: ian
Summary: netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect") in a XBL constructor make mozilla crash. → netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect") in a XBL constructor make mozilla crash. [@ JS_FrameIterator]
Attachment #164301 -
Flags: superreview?(jst)
Attachment #164301 -
Flags: review?(dveditz)
|
||
Comment 9•21 years ago
|
||
Comment on attachment 164301 [details] [diff] [review]
don't call jsapis with invalid params (null cx), and null check GetPrincipalAndFrame's principal out since null seems to be very legal (see tail of that function)
Seems to me that the problem here is not that we're calling caps with bogus
arguments, rather that the arguments shouldn't be what they apparently are
here.
Looks like nsXBLProtoImplAnonymousMethod::Execute() needs to push the context
on which it is executing JS onto the context stack, not doing that can have
security problems etc.
Attachment #164301 -
Flags: superreview?(jst) → superreview-
|
|
||
Comment 10•21 years ago
|
||
Comment on attachment 164301 [details] [diff] [review]
don't call jsapis with invalid params (null cx), and null check GetPrincipalAndFrame's principal out since null seems to be very legal (see tail of that function)
On second thought, this is a step in the right direction nonetheless. sr=jst,
but in addition to this we should fix the XBL code to push the right context
onto the stack, and more importantly, this code needs to throw JS exceptions on
failure, right now any failures will result in silent errors (unless I missed
something).
Attachment #164301 -
Flags: superreview- → superreview+
|
Assignee | |
Comment 11•21 years ago
|
||
Attachment #164331 -
Flags: superreview?
Attachment #164331 -
Flags: review?(jst)
|
|
||
Comment 12•21 years ago
|
||
Comment on attachment 164331 [details] [diff] [review]
xbl changes
r=jst
Attachment #164331 -
Flags: review?(jst) → review+
Attachment #164331 -
Flags: superreview? → superreview?(bzbarsky)
|
|
||
Comment 13•21 years ago
|
||
So why do we need beginrequest/endrequest here?
|
|
Assignee | |
Comment 14•21 years ago
|
||
i think the general idea is that gecko doesn't abide by the jsapi and we need to
start adding JS_BeginRequest/JS_EndRequest blocks at times. Someone else will
have to correct me if i misplaced them.
shaver volunteered to explain it.
|
|
||
Comment 15•21 years ago
|
||
Initial knee-jerk answer: No, we do not need requests in the main thread. The
request model is for symmetric multi-threading of JS scripts, which run to
completion or block in native methods that know to suspend their requests.
Mozilla is asymmetric: the only place GC can run is on the main thread, where it
single-threads with DOM-based scripts, including XBL scripts.
Or so the story went, before the request model was extended to do more than
interlock the GC with N concurrent script executions. When I made locking
almost zero-cost (bug 54743), I extended the request model to subsume all
single-threaded objects' (scopes') locks under the request interlock mechanism
(which uses the per-runtime GC lock). That means that any objects shared with
background threads in Gecko embeddings can suffer deadlocks if the main thread
fails to use the begin- and end-request APIs.
But that's a bug for another day. I do not think this bug's patch should start
introducing request-model API usage in the main thread.
/be
|
||
Comment 16•21 years ago
|
||
Comment on attachment 164301 [details] [diff] [review]
don't call jsapis with invalid params (null cx), and null check GetPrincipalAndFrame's principal out since null seems to be very legal (see tail of that function)
r=dveditz
Attachment #164301 -
Flags: review?(dveditz) → review+
|
|
||
Comment 17•21 years ago
|
||
Comment on attachment 164331 [details] [diff] [review]
xbl changes
sr=bzbarsky if you remove the beginrequest/endrequest stuff.
Attachment #164331 -
Flags: superreview?(bzbarsky) → superreview+
|
|
Assignee | |
Comment 18•21 years ago
|
||
mozilla/content/xbl/src/nsXBLProtoImplMethod.cpp 1.16
mozilla/caps/src/nsScriptSecurityManager.cpp 1.241
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
|
||
Updated•14 years ago
|
Crash Signature: [@ JS_FrameIterator]
You need to log in
before you can comment on or make changes to this bug.
Description
•