The default bug view has changed. See this FAQ.

Crash on my.yahoo.com when sending password request [@ nsSHEntry::ContentInserted] [@ nsSHEntry::DropPresentationState] [@ nsSHEntry::DocumentMutated]

RESOLVED FIXED

Status

()

Core
Document Navigation
--
critical
RESOLVED FIXED
12 years ago
6 years ago

People

(Reporter: marcia, Assigned: sicking)

Tracking

(4 keywords)

1.8 Branch
crash, fixed1.8, regression, topcrash
Points:
---
Bug Flags:
blocking1.8rc1 +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:fix], crash signature, URL)

Attachments

(4 attachments)

(Reporter)

Description

12 years ago
From Asa's blog, I filed this bug because we are getting numerous reports:

Build 2005100418 for Mac OS X crashed on http://my.yahoo.com each time I tried
to send the password via the request form of the my.yahoo.com e-mail module,
which is NOT the standard login of my.yahoo.com. The nightly of 2005-10-03 (06
or 07, can't remember) didn't have that problem.

I also am getting a consistent crash visiting store.mozilla.org site and logging
in. I can reproduce this 100% on the 2005100418 Mac build but not on the 2005103
build.

The first lines of my Apple stack show commonality with the yahoo stack trace -
nsSHEentry:

1 org.mozilla.firefox 0x002f1610 nsSHEntry::DocumentMutated() + 224
2 org.mozilla.firefox 0x001b159c nsDocument::ContentRemoved(nsIContent*,
nsIContent*, int) + 140
3 org.mozilla.firefox 0x00248e60 nsGenericElement::RemoveChildAt(unsigned, int)
+ 856

Updated

12 years ago
Severity: normal → critical
Keywords: regression

Comment 1

12 years ago
Some folks have suggested that this might be related to Bug 292962
Blocks: 292962

Comment 2

12 years ago
This crash accounts for at least 11 of the 24 crashes reported against the
2005-10-04-18 branch builds of Firefox:
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=1&searchby=stacksig&match=contains&searchfor=&vendor=All&product=Firefox15&platform=All&buildid=2005100418&sdate=10%2F04%2F2005&stime=10%3A00%3A00&edate=&etime=&sortby=bbid

This crash looks exploitabe.
Flags: blocking1.8b5?
Keywords: topcrash
Summary: Crash on my.yahoo.com when sending password request → Crash on my.yahoo.com when sending password request [@ nsSHEntry::ContentInserted] [@ nsSHEntry::DropPresentationState] [@ nsSHEntry::DocumentMutated]

Updated

12 years ago
Group: security

Updated

12 years ago
Flags: blocking1.8b5? → blocking1.8b5+

Comment 3

12 years ago
cc'ing some people that were involved at bug 292962. Sounds like we have to get
this fixed for beta 2. 

Comment 4

12 years ago
This is all platforms. 

OS: MacOS X → All
Hardware: Macintosh → All

Comment 5

12 years ago
Created attachment 198634 [details]
stack trace from talkback report
Component: General → History: Session
Product: Firefox → Core
QA Contact: general → history.session
Version: 1.5 Branch → 1.8 Branch

Updated

12 years ago
Whiteboard: [sg:fix]

Updated

12 years ago
Assignee: nobody → bugmail

Comment 6

12 years ago
Created attachment 198636 [details]
another stack with one more line at the top
So.. we should really not be triggering on the DOM mutations Sanitize()
triggers, at the very least.
No, we shouldn't, or most pages won't be cached.
That's what both stacks are showing -- we hit a DOM mutation from inside
Sanitize(), which causes us to drop everything.  Not sure why that crashes, but...

Updated

12 years ago
Group: security

Comment 10

12 years ago
Created attachment 198642 [details] [diff] [review]
back out 292962

After a mini pow-wow with bryner and Asa. We think we should just back out
292962, respin some bits so we have something that doesn't crash for our end
users.

292962 wasn't fixing any known bug or crash.

This at least gives us a build in hand we can ship with as a backup plan.

Comment 11

12 years ago
backed out on the branch for now. 
Ok, this is wrong on many levels

1. We set up the mutation-observer before we sanitize the document (wrong)
2. The sanitation causes document mutations (why?)
3. We end up in nsSHEntry::DropPresentationState which sets
   mContentViewer = nsnull
   where mContentViewer is 0xdddddddd  (why)

Still looking, but there are bigger problems here then just bug 292962
> 2. The sanitation causes document mutations (why?)

It resets the value of inputs, which means modifying the anonymous content
inside the editor.  That notification goes to the document observers, of course.

>   where mContentViewer is 0xdddddddd  (why)

Sounds like the nsSHEntry has been deleted.  Presumably, the only ref being held
to it at this point is by the content viewer, so it dies when
mContentViewer->ClearHistoryEntry() is called...
Ok, so what happens is that we first set up the mutationobserver. We then
sanitize the document causing a mutation and DropPresentationState is called.
The first thing it does is to tell the contentviewer to release the reference to
the SHEntry. However the contentviewer holds the last entry to the SHEntry and
so the SHEntry dies. When DropPresentationState then continues all members are
of course deleted.

Working on a patch now.
So I can fix 1 and I understand 2, but 3 is still a mystery to me. If i put a
breakpoint in nsDocumentViewerImpl::Destroy mSHEntry usually has a refcount of
2. However on the page where the crash happens the refcount is for some reason
1. So even once i've fixed the observer to be set up at the right time we are
still going to go through a bunch of hassle to save the presentation in the
SHEntry and then just delete the SHEntry when the contentviewer releases its
reference to it.

I'll file that as a new bug, but ideas are welcome.
Created attachment 198647 [details] [diff] [review]
Set up mutation observer at right place

I think we want this patch either way. Without it there is going to be a lot of
pages that we don't store in the bfcache. Specifically all pages with forms
modified by the user (not sure the 'modified by user' requirement is there
even)
Attachment #198647 - Flags: superreview?(bryner)
Attachment #198647 - Flags: review?(bryner)
Btw, steps I used to reproduce:

1. Enter the mozilla store.
2. If you are logged in, log out.
3. Click the 'My Account' link.
4. Enter a bogus email and passwd and press 'sign in'
5. Repeat 4

I always crash when pressing 'sign in' the second time.
So the reason the SHEntry is about to die is that we're doing a LOAD_LINK load
of the same URI.  We get into nsDocShell::OnNewURI (called from
CreateContentViewer _after_ the last time we check CanSavePresentation) and this
resets mLoadType to LOAD_NORMAL_REPLACE (see line 7278).  So we save the
presentation in the old SHEntry, then do a replace and drop the old SHEntry on
the floor.
(Reporter)

Comment 19

12 years ago
anyone on this cc list - if you can please try to reproduce the crash on
my.yahoo.com on the new set of builds we just put out -
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2005-10-05-18-mozilla1.8/.
It should no longer crash due to a backout.

On the Mac build from that directory, I no longer see the store.mozilla.org crash.

Comment 20

12 years ago
crash on store.mozilla.org confirmed with 2005100504 linux build, 2005100517 is ok

Comment 21

12 years ago
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2005-10-05-18-mozilla1.8/.

On windows cannot repro crash

Comment 22

12 years ago
I wrote the comment on Asa's blog you quoted. 

With the Build 2005100518 on MAC the password request form of the my.yahoo.com
email module works perfectly again. Not the slightest problem anymore, thanks!!
No problem with the Build 2005100517 on WinXP Pro SP2 either.

Dex

Comment 23

12 years ago
*** Bug 311144 has been marked as a duplicate of this bug. ***

Comment 24

12 years ago
*** Bug 311351 has been marked as a duplicate of this bug. ***

Comment 25

12 years ago
someone label this with the keyword:

fixed1.8
Comment on attachment 198647 [details] [diff] [review]
Set up mutation observer at right place

Would be nice if we could avoid the kungFuDeathGrip, but that's fairly
difficult when both the SHEntry and the ContentViewer are going to be
destroyed.
Attachment #198647 - Flags: superreview?(bryner)
Attachment #198647 - Flags: superreview+
Attachment #198647 - Flags: review?(bryner)
Attachment #198647 - Flags: review+

Comment 27

12 years ago
putting the keyword back. This was fixed for 1.5 Beta 2 by backing out 292962.
We need this keyword or it shows up as a blocker which hasn't been checked in
yet in our queries. Please don't remove it. 
Keywords: fixed1.8
Comment on attachment 198647 [details] [diff] [review]
Set up mutation observer at right place

So I think we should land this for 1.8.

Without this patch we will never put pages with password fields or fields with
autocomplete=off in the bfcache.

Not sure if we should try to also reland the patch that got backed out, though
this patch does fix the crash that we saw on two levels.
Attachment #198647 - Flags: approval1.8rc1?
Fwiw, I think we should take 292962 if there are no outstanding issues from it.

Comment 30

12 years ago
Comment on attachment 198647 [details] [diff] [review]
Set up mutation observer at right place

It's too late to make serious changes after beta2 since we won't get any more
serious testing opportunities. The added perf we'd get from this on password
pages isn't worth the risk at this point.
Attachment #198647 - Flags: approval1.8rc1? → approval1.8rc1-
Asa, I'm pretty unhappy about shipping bfcache enabled if we're not planning to
fix bug 292962.  I realize that testing is going to be hard to come by, but then
again I think this bug should have blocked 1.8b5 like it's flagged to...

Updated

12 years ago
Flags: blocking1.8b5+

Comment 32

12 years ago
Comment on attachment 198647 [details] [diff] [review]
Set up mutation observer at right place

OK. let's get this landed ASAP.
Attachment #198647 - Flags: approval1.8rc1- → approval1.8rc1+

Updated

12 years ago
Flags: blocking1.8rc1+
Keywords: fixed1.8
Does this mean that we want to reverse the backout done on the branch too?

Comment 34

12 years ago
yup, we plussed 292962 again for the branch so it can be re-landed.
done and done
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Keywords: fixed1.8
Resolution: --- → FIXED

Updated

9 years ago
Component: History: Session → Document Navigation
QA Contact: history.session → docshell
Crash Signature: [@ nsSHEntry::ContentInserted] [@ nsSHEntry::DropPresentationState] [@ nsSHEntry::DocumentMutated]
You need to log in before you can comment on or make changes to this bug.