Bug 322683 - [FIX] Yahoo Beta Mail related crash [@ nsScriptSecurityManager::CheckSameOriginPrincipalInternal()]
Status: RESOLVED FIXED
required for 317380 [rft-dl]
: crash, fixed1.8.1, regression, verified1.8.0.2
Product: Core
Classification: Components
Component: XSLT
: Trunk
: x86 All
: P1 critical with 4 votes
: mozilla1.9alpha1
Assigned To: Boris Zbarsky [:bz] (still a bit busy)
: Andrew Overholt [:overholt]
: 322684 331975
Blocks: 317380 322480 336708
Reported: 2006-01-07 09:24 PST by Peter van der Woude [:Peter6]
Modified: 2006-11-10 12:13 PST
bzbarsky: blocking1.9a1+
dveditz: blocking1.8.0.2+


Attachments
Proposed patch (5.01 KB, patch)
2006-01-10 11:53 PST, Boris Zbarsky [:bz] (still a bit busy)
jonas: review+
bryner: superreview+
peterv: approval‑branch‑1.8.1+
dveditz: approval1.8.0.2+

Description Peter van der Woude [:Peter6] 2006-01-07 09:24:12 PST
There is no clear regression window/cause found for this bug, but it is too critical to wait with reporting.

reported on

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20060106 Firefox/1.5 ID:2006010603
TB13674807W

and
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20060106 Firefox/1.5 ID:2006010603
TB13673645G

Incident ID: 13674807
Stack Signature	nsScriptSecurityManager::CheckSameOriginPrincipalInternal b86a7215
Product ID	Firefox2
Build ID	2006010603
Trigger Time	2006-01-07 07:25:35.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	firefox.exe + (0009fcca)
URL visited	Yahoo! Beta Mail
User Comments	
Since Last Crash	3730 sec
Total Uptime	3730 sec
Trigger Reason	Access violation
Source File, Line No.	c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/caps/src/nsScriptSecurityManager.cpp, line 849
Stack Trace 	
nsScriptSecurityManager::CheckSameOriginPrincipalInternal  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/caps/src/nsScriptSecurityManager.cpp, line 849]
nsScriptSecurityManager::CheckSameOriginPrincipal  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/caps/src/nsScriptSecurityManager.cpp, line 596]
nsGenericElement::doReplaceChild  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 3583]
nsDocument::ReplaceChild  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsDocument.cpp, line 3526]
XPCWrappedNative::CallMethod  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2139]
XPC_WN_CallMethod  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1444]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1177]
js_Interpret  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3523]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1197]
js_Interpret  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3523]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1197]
fun_apply  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsfun.c, line 1606]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1177]
js_Interpret  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3523]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1197]
nsXPCWrappedJSClass::CallMethod  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp, line 1369]
nsXPCWrappedJS::CallMethod  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp, line 462]
SharedStub  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp, line 147]
nsXMLHttpRequest::ChangeState  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/extensions/xmlextras/base/src/nsXMLHttpRequest.cpp, line 1857]
nsXMLHttpRequest::RequestCompleted  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/extensions/xmlextras/base/src/nsXMLHttpRequest.cpp, line 1411]
nsXMLHttpRequest::OnStopRequest  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/extensions/xmlextras/base/src/nsXMLHttpRequest.cpp, line 1359]
nsMultipartProxyListener::OnStopRequest  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/extensions/xmlextras/base/src/nsXMLHttpRequest.cpp, line 202]
Comment 1 u88484 2006-01-07 09:49:32 PST
*** Bug 322684 has been marked as a duplicate of this bug. ***
Comment 2 Peter van der Woude [:Peter6] 2006-01-07 09:51:17 PST
Note: on trunk this is Bug 322480 with a completely different trace, [@ js3250.dll]
Comment 3 Peter van der Woude [:Peter6] 2006-01-07 09:58:52 PST
This is reported NOT to crash in
Firefox 1.5.0.1
Mac -> http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2006-01-06-03-mozilla1.8.0/
Comment 4 gahbmw1 2006-01-07 12:19:53 PST
Confirmed crash on: New Profile and No Exts...
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20060106 Firefox/1.5 ID:2006010603

TB13680380W ***

However upon advice from Peter's Official Win32 20060108 Thread:
can you both try this build, Firefox 1.5.0.1
Windows -> http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2006-01-06-05-mozilla1.8.0/
Does not produce a crash
Comment 5 Faxmaster 2006-01-07 13:09:42 PST
Two crashes today; it does NOT happen every time I login/return.

Talkback IDs:
TB13684357E
TB13682156Y

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20060107 Firefox/1.5
Comment 6 gahbmw1 2006-01-07 21:13:54 PST
Peter(6) wrote:
> Just to get things straight,
> it works in the 20060105 nightly branch build
> it crashes in the 20060106 nightly branch build
> correct?

No crash reported on:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20060105 Firefox/1.5

Although the FF script pop-up comes on (but eventually it continues), more than likely coding @Yahoo! Mail Beta, but at least this will now give Devs a definite regression period...
Comment 8 Peter van der Woude [:Peter6] 2006-01-08 03:09:41 PST
Ria, do you have any branch builds between these 2 nightlies ?
Comment 9 Ria Klaassen (not reading all bugmail) 2006-01-08 03:20:46 PST
(In reply to comment #8)
No. Another Yahoo beta mail crash: Bug 322722.
Comment 11 Boris Zbarsky [:bz] (still a bit busy) 2006-01-09 07:46:40 PST
Greg, what are the steps to reproduce this crash?  I don't see any in this bug...
Comment 12 Greg Onufer 2006-01-09 08:29:41 PST
(In reply to comment #11)
> Greg, what are the steps to reproduce this crash?  I don't see any in this
> bug...

Login to Yahoo Mail Beta (http://mail.yahoo.com/, requires access to the beta program)... after authentication it partially loads, displays a "Loading Yahoo Mail" interstitial message, then the browser crashes before it ever renders the complete, normal mail user interface.

I also rebuilt the tip of MOZILLA_1_8_BRANCH, verified it still fails, then backed out only the Bug 317380 changes and verified that it no longer fails (FC4).  This fails on Solaris SPARC as well; the recompile with the changes backed out hasn't finished yet.
Comment 13 Boris Zbarsky [:bz] (still a bit busy) 2006-01-10 11:34:36 PST
So the problem here is that the patch for bug 317380 assumes that all documents have a channel.  That's not the case.  For example, a document created via DOMImplementation has no channel and can be a perfectly valid source document for XSLT.

That said, the old code didn't handle principals right, in my opinion.  That is, the result doc ended up with a principal based on the URI of the source doc, whereas I assume it should end up with the same principal.  So perhaps this code needs an explicit SetPrincipal call?
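
A simplified model of the failure mode discussed in comment 13, added here as an illustration and not taken from the Gecko patch: the types `Principal`, `Channel`, `Document` and all function names are hypothetical stand-ins. It contrasts deriving the result document's principal from a channel with copying the source document's principal, and uses a same-origin check that denies on a missing principal.

```cpp
#include <memory>
#include <string>

// Hypothetical stand-ins for this example; these are not Gecko types.
struct Principal { std::string origin; };
struct Channel { std::shared_ptr<Principal> owner; };
struct Document {
    std::shared_ptr<Channel> channel;      // null for documents not loaded from the network
    std::shared_ptr<Principal> principal;  // identity that same-origin checks compare
};

// Constructed input: a source document that never had a channel.
Document MakeChannelLessDocument(const std::string& origin) {
    Document d;
    d.principal = std::make_shared<Principal>(Principal{origin});
    return d;
}

// Channel-only pattern: the result's principal is taken from the source's channel,
// so a channel-less source yields a result with no principal at all.
Document ResultFromChannel(const Document& source) {
    Document result;
    result.channel = source.channel;
    if (source.channel) result.principal = source.channel->owner;
    return result;
}

// Explicit pattern: the result receives the very same principal object as the source.
Document ResultWithSourcePrincipal(const Document& source) {
    Document result;
    result.channel = source.channel;
    result.principal = source.principal;
    return result;
}

// Same-origin check that denies on a missing principal instead of dereferencing it.
bool SameOrigin(const Document& a, const Document& b) {
    if (!a.principal || !b.principal) return false;
    return a.principal->origin == b.principal->origin;
}

int main() {
    Document src = MakeChannelLessDocument("https://mail.example");  // constructed origin
    bool channelOnly = SameOrigin(src, ResultFromChannel(src));
    bool explicitCopy = SameOrigin(src, ResultWithSourcePrincipal(src));
    return (!channelOnly && explicitCopy) ? 0 : 1;
}
```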
Comment 14 Jonas Sicking (:sicking) No longer reading bugmail consistently 2006-01-10 11:35:44 PST
Yes, very good point. We should absolutely do that.
Comment 15 Boris Zbarsky [:bz] (still a bit busy) 2006-01-10 11:53:39 PST
Created attachment 208105
Proposed patch

This lets me log in to yahoo mail beta...
Comment 16 Boris Zbarsky [:bz] (still a bit busy) 2006-01-10 13:59:09 PST
Comment on attachment 208105
Proposed patch

We need to fix this on the 1.8.x branch, since bug 317380 landed there.
Comment 17 Boris Zbarsky [:bz] (still a bit busy) 2006-01-10 13:59:31 PST
Fixed on trunk.
Comment 18 Peter Van der Beken [:peterv] 2006-01-11 02:47:31 PST
Comment on attachment 208105
Proposed patch

>Index: content/xslt/src/base/txURIUtils.cpp
>===================================================================

>+        // XXXbz passing nsnull as the first arg to Reset is illegal
>         aNewDoc->Reset(nsnull, nsnull);

>+        // XXXbz passing nsnull as the first arg to Reset is illegal
>         aNewDoc->Reset(nsnull, nsnull);

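Review bot: The added XXXbz comment sits directly above `aNewDoc->Reset(nsnull, nsnull);` in both places, yet the call itself is left unchanged, so both sites keep doing what the comment says is illegal. Either pass a valid first argument to Reset at these two call sites, or put the follow-up bug number in the comment so the marker can be tracked and removed once the call is corrected.
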
Can you please file a bug on this? (It wasn't illegal when the code was written)
Comment 19 Boris Zbarsky [:bz] (still a bit busy) 2006-01-15 14:19:07 PST
Filed bug 323554
Comment 20 Daniel Veditz [:dveditz] 2006-02-14 15:53:22 PST
Comment on attachment 208105
Proposed patch

approved for 1.8.0 branch, a=dveditz for drivers
Comment 21 Boris Zbarsky [:bz] (still a bit busy) 2006-02-22 19:34:23 PST
Fixed for 1.8.0.2.
Comment 22 Dave Liebreich [:davel] 2006-03-01 16:29:36 PST
Marking [rft-dl] (ready for testing in Firefox 1.5.0.2 release candidates).  Testing will consist of logging in to yahoo mail beta.  Please comment if additional testing is recommended.
Comment 23 Jay Patel [:jay] 2006-03-02 15:10:11 PST
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060302 Firefox/1.5.0.1, I'm able to login and out of Yahoo! Mail Beta with no crashes... as well as actually use it without problems (although there are TONS of js warnings). ;-)
Comment 24 Steve England [:stevee] 2006-03-29 05:51:59 PST
*** Bug 331975 has been marked as a duplicate of this bug. ***
Comment 25 Smokey Ardisson (offline for a while; not following bugs - do not email) 2006-05-05 22:03:35 PDT
Is there a chance that the patch in this bug never having landed on the 1.8(.1) branch (only on trunk and 1.8.0, at least as far as I can discover via keywords and bonsai) is causing Camino 1.8-branch builds and BonEcho nightlies to never finish loading the new Yahoo Mail Beta (bug 336708)?
Comment 26 Boris Zbarsky [:bz] (still a bit busy) 2006-05-05 22:30:06 PDT
Yeah, this never landed on 1.8 branch.  Since I didn't request the approval, and there was no comment when it was granted, I never got bugmail about it...

I'll try to get this checked in Sunday, I guess.
Comment 27 Smokey Ardisson (offline for a while; not following bugs - do not email) 2006-05-13 22:48:24 PDT
Boris, just checking to make sure that this is still on your radar for landing whenever 1.8 finally reopens....
Comment 28 Boris Zbarsky [:bz] (still a bit busy) 2006-05-14 13:10:31 PDT
It is, yes.  Too bad there's no way to indicate this to others short of giving them access to my IMAP account.  ;)
Comment 29 Boris Zbarsky [:bz] (still a bit busy) 2006-05-15 10:10:50 PDT
Fixed on branch.
