Closed Bug 322683 Opened 19 years ago Closed 19 years ago

[FIX] Yahoo Beta Mail related crash [@ nsScriptSecurityManager::CheckSameOriginPrincipalInternal()]

Categories

(Core :: XSLT, defect, P1)

x86
All
defect


RESOLVED FIXED
mozilla1.9alpha1

People

(Reporter: Peter6, Assigned: bzbarsky)

References

Details

(4 keywords, Whiteboard: required for 317380 [rft-dl])

Attachments

(1 file)

There is no clear regression window/cause found for this bug, but it is too critical to wait before reporting.

reported on

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20060106 Firefox/1.5 ID:2006010603
TB13674807W

and
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20060106 Firefox/1.5 ID:2006010603
TB13673645G

Incident ID: 13674807
Stack Signature	nsScriptSecurityManager::CheckSameOriginPrincipalInternal b86a7215
Product ID	Firefox2
Build ID	2006010603
Trigger Time	2006-01-07 07:25:35.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	firefox.exe + (0009fcca)
URL visited	Yahoo! Beta Mail
User Comments	
Since Last Crash	3730 sec
Total Uptime	3730 sec
Trigger Reason	Access violation
Source File, Line No.	c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/caps/src/nsScriptSecurityManager.cpp, line 849
Stack Trace 	
nsScriptSecurityManager::CheckSameOriginPrincipalInternal  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/caps/src/nsScriptSecurityManager.cpp, line 849]
nsScriptSecurityManager::CheckSameOriginPrincipal  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/caps/src/nsScriptSecurityManager.cpp, line 596]
nsGenericElement::doReplaceChild  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 3583]
nsDocument::ReplaceChild  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsDocument.cpp, line 3526]
XPCWrappedNative::CallMethod  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2139]
XPC_WN_CallMethod  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1444]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1177]
js_Interpret  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3523]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1197]
js_Interpret  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3523]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1197]
fun_apply  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsfun.c, line 1606]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1177]
js_Interpret  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3523]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1197]
nsXPCWrappedJSClass::CallMethod  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp, line 1369]
nsXPCWrappedJS::CallMethod  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp, line 462]
SharedStub  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp, line 147]
nsXMLHttpRequest::ChangeState  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/extensions/xmlextras/base/src/nsXMLHttpRequest.cpp, line 1857]
nsXMLHttpRequest::RequestCompleted  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/extensions/xmlextras/base/src/nsXMLHttpRequest.cpp, line 1411]
nsXMLHttpRequest::OnStopRequest  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/extensions/xmlextras/base/src/nsXMLHttpRequest.cpp, line 1359]
nsMultipartProxyListener::OnStopRequest  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/extensions/xmlextras/base/src/nsXMLHttpRequest.cpp, line 202]
Assignee: nobody → dveditz
Component: General → Security: CAPS
Product: Firefox → Core
QA Contact: general
Version: 1.5 Branch → 1.8 Branch
*** Bug 322684 has been marked as a duplicate of this bug. ***
Note: on trunk this is Bug 322480 with a completely different trace, [@ js3250.dll]
Keywords: crash
This is reported NOT to crash in
Firefox 1.5.0.1
Mac -> http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2006-01-06-03-mozilla1.8.0/
Confirmed crash on: New Profile and No Exts...
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20060106 Firefox/1.5 ID:2006010603

TB13680380W ***

However upon advice from Peter's Official Win32 20060108 Thread:
can you both try this build, Firefox 1.5.0.1
Windows -> http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2006-01-06-05-mozilla1.8.0/
Does not produce a crash
Two crashes today; it does NOT happen every time I login/return.

Talkback IDs:
TB13684357E
TB13682156Y

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20060107 Firefox/1.5
Peter(6) wrote:
Just to get things straight,
it works in the 20060105 nightly branch build
it crashes in the 20060106 nightly branch build
correct?

No crash reported on:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20060105 Firefox/1.5

Although the FF script pop-up comes on (but eventually it continues), more than likely coding @Yahoo! Mail Beta, but at least this will now give Devs a definite regression period...
Ria, do you have any branch builds between these 2 nightlies ?
(In reply to comment #8)
No. Another Yahoo beta mail crash: Bug 322722.
Greg, what are the steps to reproduce this crash?  I don't see any in this bug...
Flags: blocking1.9a1?
Flags: blocking1.8.1?
Blocks: 317380
(In reply to comment #11)
> Greg, what are the steps to reproduce this crash?  I don't see any in this
> bug...

Log in to Yahoo Mail Beta (http://mail.yahoo.com/, requires access to the beta program)... after authentication it partially loads, displays a "Loading Yahoo Mail" interstitial message, then the browser crashes before it ever renders the complete, normal mail user interface.

I also rebuilt the tip of MOZILLA_1_8_BRANCH, verified it still fails, then backed out only the Bug 317380 changes and verified that it no longer fails (FC4).  This fails on Solaris SPARC as well; the recompile with the changes backed out hasn't finished yet.
Depends on: 322480
Blocks: 322480
No longer depends on: 322480
So the problem here is that the patch for bug 317380 assumes that all documents have a channel.  That's not the case.  For example, a document created via DOMImplementation has no channel and can be a perfectly valid source document for XSLT.

That said, the old code didn't handle principals right, in my opinion.  That is, the result doc ended up with a principal based on the URI of the source doc, whereas I assume it should end up with the same principal.  So perhaps this code needs an explicit SetPrincipal call?
Flags: blocking1.9a1? → blocking1.9a1+
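As an added illustration of the analysis in the comment above (this is not the Gecko patch; the types Principal, Channel and Document and the functions resetWithSourceBefore/resetWithSourceFixed are simplified stand-ins introduced here for nsIPrincipal, nsIChannel, nsIDocument and URIUtils::ResetWithSource), the following C++ models both points made: a transform source created through DOMImplementation has no channel, so the channel must not be dereferenced unconditionally, and the result document should receive the source document's own principal rather than one re-derived from its URI. The sample documents are constructed inline.

```cpp
// Added illustration, not code from the Gecko patch. Principal, Channel and
// Document stand in for nsIPrincipal, nsIChannel and nsIDocument; the two
// resetWithSource* functions model URIUtils::ResetWithSource before/after the fix.
#include <cstdio>
#include <memory>
#include <string>

struct Principal { std::string origin; };   // scheme://host[:port], or "null" without a URI
struct Channel   { std::string uri; };      // the URI the document was loaded from

struct Document {
    std::shared_ptr<Channel>   channel;     // empty for a document that was never loaded
    std::shared_ptr<Principal> principal;   // set by the loader or inherited from the creator
    std::string                documentURI; // "" for a DOMImplementation-created document
};

// Origin of a URI as a codebase principal would compute it: scheme://host[:port].
std::string originOf(const std::string& uri) {
    std::string::size_type schemeEnd = uri.find("://");
    if (schemeEnd == std::string::npos) return "null";
    std::string::size_type hostEnd = uri.find('/', schemeEnd + 3);
    return uri.substr(0, hostEnd == std::string::npos ? uri.size() : hostEnd);
}

// Pre-fix behaviour as the comment describes it: the source's channel is assumed
// to exist and the result principal is re-derived from the source URI. The real
// code dereferenced the missing channel (the access violation in the Talkback
// trace); this model returns nullptr on that path instead.
std::unique_ptr<Document> resetWithSourceBefore(const Document& src) {
    if (!src.channel) return nullptr;       // where the real code crashed
    auto result = std::make_unique<Document>();
    result->channel = src.channel;
    result->documentURI = src.channel->uri;
    result->principal = std::make_shared<Principal>(Principal{originOf(src.documentURI)});
    return result;
}

// Post-fix behaviour: a missing channel is tolerated and the result document
// receives the source's principal object itself (an explicit SetPrincipal), so
// later same-origin checks see the identity the source really has.
std::unique_ptr<Document> resetWithSourceFixed(const Document& src) {
    auto result = std::make_unique<Document>();
    result->channel = src.channel;          // may stay empty; that is legal
    result->documentURI = src.documentURI;
    result->principal = src.principal;      // share, do not re-derive from a URI
    return result;
}

// CheckSameOriginPrincipal reduced to its essence: both principals must exist
// and name the same origin.
bool sameOriginPrincipal(const Document& a, const Document& b) {
    return a.principal && b.principal && a.principal->origin == b.principal->origin;
}

// Constructed sample: the mail page itself, loaded over a channel.
Document makePageDoc() {
    Document d;
    d.channel = std::make_shared<Channel>(Channel{"https://mail.yahoo.com/inbox"});
    d.documentURI = d.channel->uri;
    d.principal = std::make_shared<Principal>(Principal{originOf(d.documentURI)});
    return d;
}

// Constructed sample: an XSLT source built with document.implementation.createDocument():
// no channel and no URI, but it inherits the creating page's principal.
Document makeDomImplementationDoc(const Document& creator) {
    Document d;
    d.documentURI = "";
    d.principal = creator.principal;
    return d;
}

// True when the pre-fix path hits the missing channel on a synthetic source.
bool beforeCrashesOnSyntheticSource() {
    Document page = makePageDoc();
    return resetWithSourceBefore(makeDomImplementationDoc(page)) == nullptr;
}

// True when the fixed path survives and the transform result is same-origin
// with the page, so page.replaceChild(resultNode, ...) passes the check.
bool fixedResultIsSameOriginWithPage() {
    Document page = makePageDoc();
    auto result = resetWithSourceFixed(makeDomImplementationDoc(page));
    return result && sameOriginPrincipal(*result, page);
}

int main() {
    std::printf("pre-fix path crashes on synthetic source: %s\n",
                beforeCrashesOnSyntheticSource() ? "yes" : "no");
    std::printf("fixed result same-origin with page:       %s\n",
                fixedResultIsSameOriginWithPage() ? "yes" : "no");
    return 0;
}
```

The re-derivation point matters because a DOMImplementation-created document has no document URI of its own: a principal built from that URI would not match the page that created it, while the inherited principal does. Sharing the source's principal object therefore makes the later same-origin check in replaceChild succeed for the right reason, and it also covers sources whose principal is not a plain function of a URI.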
Yes, very good point. We should absolutely do that.
Attached patch: Proposed patch
This lets me log in to yahoo mail beta...
Attachment #208105 - Flags: superreview?(bryner)
Attachment #208105 - Flags: review?(bugmail)
Assignee: dveditz → bzbarsky
Component: Security: CAPS → XSLT
Priority: -- → P1
Target Milestone: --- → mozilla1.8.1
Version: 1.8 Branch → Trunk
Summary: Yahoo Beta Mail related crash [@ nsScriptSecurityManager::CheckSameOriginPrincipalInternal()] → [FIX] Yahoo Beta Mail related crash [@ nsScriptSecurityManager::CheckSameOriginPrincipalInternal()]
Attachment #208105 - Flags: superreview?(bryner) → superreview+
Comment on attachment 208105 (Proposed patch)

We need to fix this on the 1.8.x branch, since bug 317380 landed there.
Attachment #208105 - Flags: approval1.8.1?
Fixed on trunk.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Target Milestone: mozilla1.8.1 → mozilla1.9alpha
Comment on attachment 208105 (Proposed patch)

>Index: content/xslt/src/base/txURIUtils.cpp
>===================================================================

>+        // XXXbz passing nsnull as the first arg to Reset is illegal
>         aNewDoc->Reset(nsnull, nsnull);

>+        // XXXbz passing nsnull as the first arg to Reset is illegal
>         aNewDoc->Reset(nsnull, nsnull);
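Review bot: the two `// XXXbz passing nsnull as the first arg to Reset is illegal` comments added ahead of the unchanged `aNewDoc->Reset(nsnull, nsnull);` calls record a known-bad call but neither fix it nor name a tracking bug, so the marker will outlive anyone's memory of why it is there; either pass a real channel in this patch or, if that is out of scope, file the follow-up and cite its bug number in both comments. Since the identical comment and call appear twice, the two call sites are also a candidate for one shared helper.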

Can you please file a bug on this? (It wasn't illegal when the code was written)
Filed bug 323554
Attachment #208105 - Flags: approval1.8.1? → branch-1.8.1?(bugmail)
Attachment #208105 - Flags: branch-1.8.1?(bugmail) → branch-1.8.1?(peterv)
Flags: blocking1.8.0.2+
Whiteboard: required for 317380
Attachment #208105 - Flags: approval1.8.0.2?
Comment on attachment 208105 (Proposed patch)

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #208105 - Flags: approval1.8.0.2? → approval1.8.0.2+
Fixed for 1.8.0.2.
Keywords: fixed1.8.0.2
Marking [rft-dl] (ready for testing in Firefox 1.5.0.2 release candidates).  Testing will consist of logging in to yahoo mail beta.  Please comment if additional testing is recommended.
Whiteboard: required for 317380 → required for 317380 [rft-dl]
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060302 Firefox/1.5.0.1. I'm able to log in and out of Yahoo! Mail Beta with no crashes... as well as actually use it without problems (although there are TONS of js warnings). ;-)
Attachment #208105 - Flags: approval-branch-1.8.1?(peterv) → approval-branch-1.8.1+
*** Bug 331975 has been marked as a duplicate of this bug. ***
Is there a chance that the patch in this bug never having landed on the 1.8(.1) branch (only on trunk and 1.8.0, at least as far as I can discover via keywords and bonsai) is causing Camino 1.8-branch builds and BonEcho nightlies to never finish loading the new Yahoo Mail Beta (bug 336708)?
Yeah, this never landed on 1.8 branch.  Since I didn't request the approval, and there was no comment when it was granted, I never got bugmail about it...

I'll try to get this checked in Sunday, I guess.
Boris, just checking to make sure that this is still on your radar for landing whenever 1.8 finally reopens....
It is, yes.  Too bad there's no way to indicate this to others short of giving them access to my IMAP account.  ;)
Fixed on branch.
Keywords: fixed1.8.1
Flags: blocking1.8.1?
Crash Signature: [@ nsScriptSecurityManager::CheckSameOriginPrincipalInternal()]