[FIX] Yahoo Beta Mail related crash [@ nsScriptSecurityManager::CheckSameOriginPrincipalInternal()]

RESOLVED FIXED in mozilla1.9alpha1

Status


Core
XSLT
P1
critical
RESOLVED FIXED
12 years ago
11 years ago

People

(Reporter: Peter6, Assigned: bz)

Tracking


Trunk
mozilla1.9alpha1
x86
All
crash, fixed1.8.1, regression, verified1.8.0.2
Points:
---
Bug Flags:
blocking1.9a1 +
blocking1.8.0.2 +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: required for 317380 [rft-dl], crash signature)

Attachments


(Reporter)

Description

12 years ago
There is no clear regression window/cause found for this bug, but it is too critical to delay reporting.

reported on

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20060106 Firefox/1.5 ID:2006010603
TB13674807W

and
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20060106 Firefox/1.5 ID:2006010603
TB13673645G

Incident ID: 13674807
Stack Signature	nsScriptSecurityManager::CheckSameOriginPrincipalInternal b86a7215
Product ID	Firefox2
Build ID	2006010603
Trigger Time	2006-01-07 07:25:35.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	firefox.exe + (0009fcca)
URL visited	Yahoo! Beta Mail
User Comments	
Since Last Crash	3730 sec
Total Uptime	3730 sec
Trigger Reason	Access violation
Source File, Line No.	c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/caps/src/nsScriptSecurityManager.cpp, line 849
Stack Trace 	
nsScriptSecurityManager::CheckSameOriginPrincipalInternal  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/caps/src/nsScriptSecurityManager.cpp, line 849]
nsScriptSecurityManager::CheckSameOriginPrincipal  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/caps/src/nsScriptSecurityManager.cpp, line 596]
nsGenericElement::doReplaceChild  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsGenericElement.cpp, line 3583]
nsDocument::ReplaceChild  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/content/base/src/nsDocument.cpp, line 3526]
XPCWrappedNative::CallMethod  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp, line 2139]
XPC_WN_CallMethod  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp, line 1444]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1177]
js_Interpret  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3523]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1197]
js_Interpret  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3523]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1197]
fun_apply  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsfun.c, line 1606]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1177]
js_Interpret  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 3523]
js_Invoke  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/jsinterp.c, line 1197]
nsXPCWrappedJSClass::CallMethod  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp, line 1369]
nsXPCWrappedJS::CallMethod  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp, line 462]
SharedStub  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp, line 147]
nsXMLHttpRequest::ChangeState  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/extensions/xmlextras/base/src/nsXMLHttpRequest.cpp, line 1857]
nsXMLHttpRequest::RequestCompleted  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/extensions/xmlextras/base/src/nsXMLHttpRequest.cpp, line 1411]
nsXMLHttpRequest::OnStopRequest  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/extensions/xmlextras/base/src/nsXMLHttpRequest.cpp, line 1359]
nsMultipartProxyListener::OnStopRequest  [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/extensions/xmlextras/base/src/nsXMLHttpRequest.cpp, line 202]
Assignee: nobody → dveditz
Component: General → Security: CAPS
Product: Firefox → Core
QA Contact: general
Version: 1.5 Branch → 1.8 Branch

Comment 1

12 years ago
*** Bug 322684 has been marked as a duplicate of this bug. ***
(Reporter)

Comment 2

12 years ago
note: on trunk this is Bug 322480 with a completely different trace, [@ js3250.dll]

Updated

12 years ago
Keywords: crash
(Reporter)

Comment 3

12 years ago
This is reported NOT to crash in
Firefox 1.5.0.1
Mac -> http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2006-01-06-03-mozilla1.8.0/

Comment 4

12 years ago
Confirmed crash on: New Profile and No Exts...
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20060106 Firefox/1.5 ID:2006010603

TB13680380W

However, upon advice from Peter's Official Win32 20060108 Thread:
can you both try this build, Firefox 1.5.0.1
Windows -> http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2006-01-06-05-mozilla1.8.0/
Does not produce a crash

Comment 5

12 years ago
Two crashes today; it does NOT happen every time I login/return.

Talkback IDs:
TB13684357E
TB13682156Y

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20060107 Firefox/1.5

Comment 6

12 years ago
Peter(6) wrote:
> Just to get things straight,
> it works in the 20060105 nightly branch build
> it crashes in the 20060106 nightly branch build
> correct?

No crash reported on:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20060105 Firefox/1.5

Although the FF script pop-up comes on (but eventually it continues), more than likely coding @Yahoo! Mail Beta, but at least this will now give Devs a definite regression period...
(Reporter)

Comment 7

12 years ago
regression window:
works in 20060105 0420pst build
fails in 20060106 0415pst build

http://tinderbox.mozilla.org/bonsai/cvsquery.cgi?treeid=default&module=AviarySuiteBranchTinderbox&branch=MOZILLA_1_8_BRANCH&branchtype=match&filetype=match&whotype=match&sortby=Date&hours=2&date=explicit&mindate=20060105+0330&maxdate=20060106+0415&cvsroot=%2Fcvsroot
(Reporter)

Comment 8

12 years ago
Ria, do you have any branch builds between these 2 nightlies?

(In reply to comment #8)
No. Another Yahoo beta mail crash: Bug 322722.

Comment 10

12 years ago
After binary searching through the relevant commits, backing this out allows me to use Yahoo Mail 2.0Beta again on FC4/i686:

http://tinderbox.mozilla.org/bonsai/cvsquery.cgi?treeid=default&module=AviarySuiteBranchTinderbox&branch=MOZILLA_1_8_BRANCH&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=20060105+1320&maxdate=20060105+1322&cvsroot=%2Fcvsroot
(Assignee)

Comment 11

12 years ago
Greg, what are the steps to reproduce this crash?  I don't see any in this bug...
Flags: blocking1.9a1?
Flags: blocking1.8.1?
(Assignee)

Updated

12 years ago
Blocks: 317380

Comment 12

12 years ago
(In reply to comment #11)
> Greg, what are the steps to reproduce this crash?  I don't see any in this
> bug...

Login to Yahoo Mail Beta (http://mail.yahoo.com/, requires access to the beta program)... after authentication it partially loads, displays a "Loading Yahoo Mail" interstitial message, then the browser crashes before it ever renders the complete, normal mail user interface.

I also rebuilt the tip of MOZILLA_1_8_BRANCH, verified it still fails, then backed out only the Bug 317380 changes and verified that it no longer fails (FC4).  This fails on Solaris SPARC as well; the recompile with the changes backed out hasn't finished yet.
(Assignee)

Updated

12 years ago
Depends on: 322480
(Assignee)

Updated

12 years ago
Blocks: 322480
No longer depends on: 322480
(Assignee)

Comment 13

12 years ago
So the problem here is that the patch for bug 317380 assumes that all documents have a channel.  That's not the case.  For example, a document created via DOMImplementation has no channel and can be a perfectly valid source document for XSLT.

That said, the old code didn't handle principals right, in my opinion.  That is, the result doc ended up with a principal based on the URI of the source doc, whereas I assume it should end up with the same principal.  So perhaps this code needs an explicit SetPrincipal call?
Flags: blocking1.9a1? → blocking1.9a1+
Yes, very good point. We should absolutely do that.
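The principal hand-off that comment 13 describes, as a toy model added here (not Mozilla code; every type and function below is a hypothetical stand-in): a source document created via DOMImplementation has no channel, so deriving the result document's principal from a channel URI dereferences null, while copying the source document's own principal works in both cases.

```cpp
// Toy model, written for this page and not Mozilla code, of the principal
// hand-off described in comment 13. All types here are hypothetical stand-ins.
#include <memory>
#include <optional>
#include <string>

struct Principal {
    std::string origin;  // scheme://host, the security origin of a document
    bool operator==(const Principal& other) const { return origin == other.origin; }
};

struct Channel {
    std::string uri;  // where the document was loaded from
};

struct Document {
    std::shared_ptr<Channel> channel;  // null for documents not loaded from the
                                       // network, e.g. created via DOMImplementation
    Principal principal;
};

// Reduce a URI to its scheme://host origin (toy parser, no port handling).
std::string originOf(const std::string& uri) {
    std::string::size_type schemeEnd = uri.find("://");
    if (schemeEnd == std::string::npos) return uri;
    std::string::size_type hostEnd = uri.find('/', schemeEnd + 3);
    return hostEnd == std::string::npos ? uri : uri.substr(0, hostEnd);
}

// The shape comment 13 says is wrong: assume a channel exists and derive the
// result principal from its URI. Returning nullopt stands in for the null
// dereference that crashed when the source document had no channel.
std::optional<Principal> resultPrincipalFromChannel(const Document& source) {
    if (!source.channel) return std::nullopt;
    return Principal{originOf(source.channel->uri)};
}

// The corrected shape: hand the source document's own principal to the result
// document (an explicit SetPrincipal-style step), channel or no channel.
Document createResultDocument(const Document& source) {
    Document result;
    result.channel = nullptr;             // a synthesized result doc was never loaded
    result.principal = source.principal;  // same principal, not a URI-derived one
    return result;
}
```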
(Assignee)

Comment 15

12 years ago
Created attachment 208105 [details] [diff] [review]
Proposed patch

This lets me log in to yahoo mail beta...
Attachment #208105 - Flags: superreview?(bryner)
Attachment #208105 - Flags: review?(bugmail)
(Assignee)

Updated

12 years ago
Assignee: dveditz → bzbarsky
Component: Security: CAPS → XSLT
Priority: -- → P1
Target Milestone: --- → mozilla1.8.1
Version: 1.8 Branch → Trunk
(Assignee)

Updated

12 years ago
Summary: Yahoo Beta Mail related crash [@ nsScriptSecurityManager::CheckSameOriginPrincipalInternal()] → [FIX] Yahoo Beta Mail related crash [@ nsScriptSecurityManager::CheckSameOriginPrincipalInternal()]
Attachment #208105 - Flags: review?(bugmail) → review+
Attachment #208105 - Flags: superreview?(bryner) → superreview+
(Assignee)

Comment 16

12 years ago
Comment on attachment 208105 [details] [diff] [review]
Proposed patch

We need to fix this on the 1.8.x branch, since bug 317380 landed there.
Attachment #208105 - Flags: approval1.8.1?
(Assignee)

Comment 17

12 years ago
Fixed on trunk.
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
Target Milestone: mozilla1.8.1 → mozilla1.9alpha
Comment on attachment 208105 [details] [diff] [review]
Proposed patch

>Index: content/xslt/src/base/txURIUtils.cpp
>===================================================================

>+        // XXXbz passing nsnull as the first arg to Reset is illegal
>         aNewDoc->Reset(nsnull, nsnull);

>+        // XXXbz passing nsnull as the first arg to Reset is illegal
>         aNewDoc->Reset(nsnull, nsnull);
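Review bot: in both quoted fragments the added comment flags `aNewDoc->Reset(nsnull, nsnull);` as an illegal call but leaves the call itself unchanged, so the XXXbz marker records a known-bad call with no pointer to where it will be fixed; suggest naming the follow-up bug in the comment (bug 323554 per comment 19) so the marker can be found and retired when that bug lands.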

Can you please file a bug on this? (It wasn't illegal when the code was written)
(Assignee)

Comment 19

12 years ago
Filed bug 323554
Attachment #208105 - Flags: approval1.8.1? → branch-1.8.1?(bugmail)
Attachment #208105 - Flags: branch-1.8.1?(bugmail) → branch-1.8.1?(peterv)
Flags: blocking1.8.0.2+
Whiteboard: required for 317380
(Assignee)

Updated

12 years ago
Attachment #208105 - Flags: approval1.8.0.2?
Comment on attachment 208105 [details] [diff] [review]
Proposed patch

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #208105 - Flags: approval1.8.0.2? → approval1.8.0.2+
(Assignee)

Comment 21

12 years ago
Fixed for 1.8.0.2.
Keywords: fixed1.8.0.2
Marking [rft-dl] (ready for testing in Firefox 1.5.0.2 release candidates).  Testing will consist of logging in to yahoo mail beta.  Please comment if additional testing is recommended.
Whiteboard: required for 317380 → required for 317380 [rft-dl]

Comment 23

12 years ago
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060302 Firefox/1.5.0.1, I'm able to login and out of Yahoo! Mail Beta with no crashes... as well as actually use it without problems (although there are TONS of js warnings). ;-)
Keywords: fixed1.8.0.2 → verified1.8.0.2
Attachment #208105 - Flags: approval-branch-1.8.1?(peterv) → approval-branch-1.8.1+
*** Bug 331975 has been marked as a duplicate of this bug. ***
Is there a chance that the patch in this bug never having landed on the 1.8(.1) branch (only on trunk and 1.8.0, at least as far as I can discover via keywords and bonsai) is causing Camino 1.8-branch builds and BonEcho nightlies to never finish loading the new Yahoo Mail Beta (bug 336708)?
(Assignee)

Comment 26

11 years ago
Yeah, this never landed on 1.8 branch.  Since I didn't request the approval, and there was no comment when it was granted, I never got bugmail about it...

I'll try to get this checked in Sunday, I guess.
Boris, just checking to make sure that this is still on your radar for landing whenever 1.8 finally reopens....
(Assignee)

Comment 28

11 years ago
It is, yes.  Too bad there's no way to indicate this to others short of giving them access to my IMAP account.  ;)
(Assignee)

Comment 29

11 years ago
Fixed on branch.
Keywords: fixed1.8.1
Blocks: 336708
(Assignee)

Updated

11 years ago
Flags: blocking1.8.1?
Crash Signature: [@ nsScriptSecurityManager::CheckSameOriginPrincipalInternal()]