Closed Bug 311269 Opened 20 years ago Closed 20 years ago

Crash on my.yahoo.com when sending password request [@ nsSHEntry::ContentInserted] [@ nsSHEntry::DropPresentationState] [@ nsSHEntry::DocumentMutated]

Categories

(Core :: DOM: Navigation, defect)

Product:
Core
Component:
DOM: Navigation
Version:
1.8 Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: marcia, Assigned: sicking)

References

(
URL
)

Details

(4 keywords, Whiteboard: [sg:fix])

Crash Data

Attachments

(4 files)

stack trace from talkback report
3.53 KB, text/plain
Details
another stack with one more line at the top
2.15 KB, text/plain
Details
back out 292962
2.62 KB, patch
Details | Diff | Splinter Review
Set up mutation observer at right place
2.66 KB, patch
bryner
: review+
bryner
: superreview+
asa
: approval1.8rc1+
Details | Diff | Splinter Review
From Asa's blog, I filed this bug because we are getting numerous reports: Build 2005100418 for Mac OS X crashed on http://my.yahoo.com each time I tried to send the password via the request form of the my.yahoo.com e-mail module, which is NOT the standard login of my.yahoo.com. The nightly of 2005-10-03 (06 or 07, can't remember) didn't have that problem. I also am getting a consistent crash visiting store.mozilla.org site and logging in. I can reproduce this 100% on the 2005100418 Mac build but not on the 2005103 build. The first lines of my Apple stack show commonality with the yahoo stack trace - nsSHEentry: 1 org.mozilla.firefox 0x002f1610 nsSHEntry::DocumentMutated() + 224 2 org.mozilla.firefox 0x001b159c nsDocument::ContentRemoved(nsIContent*, nsIContent*, int) + 140 3 org.mozilla.firefox 0x00248e60 nsGenericElement::RemoveChildAt(unsigned, int) + 856
Severity: normal → critical
Keywords: regression
Some folks have suggested that this might be related to Bug 292962
Blocks: 292962
This crash accounts for at least 11 of the 24 crashes reported against the 2005-10-04-18 branch builds of Firefox: http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=1&searchby=stacksig&match=contains&searchfor=&vendor=All&product=Firefox15&platform=All&buildid=2005100418&sdate=10%2F04%2F2005&stime=10%3A00%3A00&edate=&etime=&sortby=bbid This crash looks exploitabe.
URL: http://my.yahoo.com/
Flags: blocking1.8b5?
Keywords: topcrash
Summary: Crash on my.yahoo.com when sending password request → Crash on my.yahoo.com when sending password request [@ nsSHEntry::ContentInserted] [@ nsSHEntry::DropPresentationState] [@ nsSHEntry::DocumentMutated]
Group: security
Flags: blocking1.8b5? → blocking1.8b5+
cc'ing some people that were involved at bug 292962. Sounds like we have to get this fixed for beta 2.
This is all platforms.
OS: MacOS X → All
Hardware: Macintosh → All
Component: General → History: Session
Product: Firefox → Core
QA Contact: general → history.session
Version: 1.5 Branch → 1.8 Branch
Whiteboard: [sg:fix]
Assignee: nobody → bugmail
So.. we should really not be triggering on the DOM mutations Sanitize() triggers, at the very least.
No, we shouldn't, or most pages won't be cached.
That's what both stacks are showing -- we hit a DOM mutation from inside Sanitize(), which causes us to drop everything. Not sure why that crashes, but...
Group: security
Attached patch back out 292962Splinter Review
After a mini pow-wow with bryner and Asa. We think we should just back out 292962, respin some bits so we have something that doesn't crash for our end users. 292962 wasn't fixing any known bug or crash. This at least gives us a build in hand we can ship with as a backup plan.
backed out on the branch for now.
Ok, this is wrong on many levels 1. We set up the mutation-observer before we sanitize the document (wrong) 2. The sanitation causes document mutations (why?) 3. We end up in nsSHEntry::DropPresentationState which sets mContentViewer = nsnull where mContentViewer is 0xdddddddd (why) Still looking, but there are bigger problems here then just bug 292962
> 2. The sanitation causes document mutations (why?) It resets the value of inputs, which means modifying the anonymous content inside the editor. That notification goes to the document observers, of course. > where mContentViewer is 0xdddddddd (why) Sounds like the nsSHEntry has been deleted. Presumably, the only ref being held to it at this point is by the content viewer, so it dies when mContentViewer->ClearHistoryEntry() is called...
Ok, so what happens is that we first set up the mutationobserver. We then sanitize the document causing a mutation and DropPresentationState is called. The first thing it does is to tell the contentviewer to release the reference to the SHEntry. However the contentviewer holds the last entry to the SHEntry and so the SHEntry dies. When DropPresentationState then continues all members are of course deleted. Working on a patch now.
So I can fix 1 and I understand 2, but 3 is still a mystery to me. If i put a breakpoint in nsDocumentViewerImpl::Destroy mSHEntry usually has a refcount of 2. However on the page where the crash happens the refcount is for some reason 1. So even once i've fixed the observer to be set up at the right time we are still going to go through a bunch of hassle to save the presentation in the SHEntry and then just delete the SHEntry when the contentviewer releases its reference to it. I'll file that as a new bug, but ideas are welcome.
I think we want this patch either way. Without it there is going to be a lot of pages that we don't store in the bfcache. Specifically all pages with forms modified by the user (not sure the 'modified by user' requirement is there even)
Attachment #198647 - Flags: superreview?(bryner)
Attachment #198647 - Flags: review?(bryner)
Btw, steps I used to reproduce: 1. Enter the mozilla store. 2. If you are logged in, log out. 3. Click the 'My Account' link. 4. Enter a bogus email and passwd and press 'sign in' 5. Repeat 4 I always crash when pressing 'sign in' the second time.
So the reason the SHEntry is about to die is that we're doing a LOAD_LINK load of the same URI. We get into nsDocShell::OnNewURI (called from CreateContentViewer _after_ the last time we check CanSavePresentation) and this resets mLoadType to LOAD_NORMAL_REPLACE (see line 7278). So we save the presentation in the old SHEntry, then do a replace and drop the old SHEntry on the floor.
anyone on this cc list - if you can please try to reproduce the crash on my.yahoo.com on the new set of builds we just put out - http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2005-10-05-18-mozilla1.8/. It should no longer crash due to a backout. On the Mac build from that directory, I no longer see the store.mozilla.org crash.
crash on store.mozilla.org confirmed with 2005100504 linux build, 2005100517 is ok
I wrote the comment on Asa's blog you quoted. With the Build 2005100518 on MAC the password request form of the my.yahoo.com email module works perfectly again. Not the slightest problem anymore, thanks!! No problem with the Build 2005100517 on WinXP Pro SP2 either. Dex
*** Bug 311144 has been marked as a duplicate of this bug. ***
*** Bug 311351 has been marked as a duplicate of this bug. ***
someone label this with the keyword: fixed1.8
Comment on attachment 198647 [details] [diff] [review] Set up mutation observer at right place Would be nice if we could avoid the kungFuDeathGrip, but that's fairly difficult when both the SHEntry and the ContentViewer are going to be destroyed.
Attachment #198647 - Flags: superreview?(bryner)
Attachment #198647 - Flags: superreview+
Attachment #198647 - Flags: review?(bryner)
Attachment #198647 - Flags: review+
putting the keyword back. This was fixed for 1.5 Beta 2 by backing out 292962. We need this keyword or it shows up as a blocker which hasn't been checked in yet in our queries. Please don't remove it.
Keywords: fixed1.8
Comment on attachment 198647 [details] [diff] [review] Set up mutation observer at right place So I think we should land this for 1.8. Without this patch we will never put pages with password fields or fields with autocomplete=off in the bfcache. Not sure if we should try to also reland the patch that got backed out, though this patch does fix the crash that we saw on two levels.
Attachment #198647 - Flags: approval1.8rc1?
Fwiw, I think we should take 292962 if there are no outstanding issues from it.
Comment on attachment 198647 [details] [diff] [review] Set up mutation observer at right place It's too late to make serious changes after beta2 since we won't get any more serious testing opportunities. The added perf we'd get from this on password pages isn't worth the risk at this point.
Attachment #198647 - Flags: approval1.8rc1? → approval1.8rc1-
Asa, I'm pretty unhappy about shipping bfcache enabled if we're not planning to fix bug 292962. I realize that testing is going to be hard to come by, but then again I think this bug should have blocked 1.8b5 like it's flagged to...
Flags: blocking1.8b5+
Comment on attachment 198647 [details] [diff] [review] Set up mutation observer at right place OK. let's get this landed ASAP.
Attachment #198647 - Flags: approval1.8rc1- → approval1.8rc1+
Flags: blocking1.8rc1+
Keywords: fixed1.8
Does this mean that we want to reverse the backout done on the branch too?
yup, we plussed 292962 again for the branch so it can be re-landed.
done and done
Status: NEW → RESOLVED
Closed: 20 years ago
Keywords: fixed1.8
Resolution: --- → FIXED
Component: History: Session → Document Navigation
QA Contact: history.session → docshell
Crash Signature: [@ nsSHEntry::ContentInserted] [@ nsSHEntry::DropPresentationState] [@ nsSHEntry::DocumentMutated]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: