Closed Bug 332807 Opened 19 years ago Closed 18 years ago

document.open() in a xbl constructor

Categories

(Core :: XBL, defect)

Product:
Core
Component:
XBL
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: guninski, Assigned: bzbarsky)

References

Details

(Keywords: crash, fixed1.8.1.13, testcase, Whiteboard: [sg:critical?] maybe safe crash on 1.8-branch after landing 267833)

Attachments

(11 files)

crash
1.32 KB, application/xhtml+xml
Details
windoze testcase
1.32 KB, application/xhtml+xml
Details
xbl2-no-need-for-document.write
827 bytes, text/xml
Details
html2-crash
237 bytes, text/html
Details
xbl removing iframe from ctor/dtor (xbl)
1.31 KB, text/xml
Details
xbl removing iframe from ctor/dtor (inner html)
343 bytes, text/html
Details
xbl removing iframe from ctor/dtor (open this)
138 bytes, text/html
Details
xul iframe doing parent.open() - xbl
1.25 KB, text/xml
Details
xul iframe doing parent.document.open() - open this
340 bytes, text/html
Details
This seems to fix it...
2.89 KB, patch
dbaron
: review+
dbaron
: superreview+
Details | Diff | Splinter Review
Branch merge of the patch
5.40 KB, patch
dveditz
: approval1.8.1.13+
asac
: approval1.8.0.next?
Details | Diff | Splinter Review
document.open() in a xbl constructor causes crash, probably due to deleted objects. debug builds try to call 0xdddddddd, optimized builds try to call 0x0 (on linux). if document.close() is added in the constructor, the crash is different. affects ff 1.5/trunk and at least seamonkey trunk from today. testcase soon.
Attached file crash
crash
Testcase doesn't crash here, using latest windows trunk build.
Blocks: 267833
Component: General → XBL
Keywords: crash, testcase
Product: Firefox → Core
Attached file windoze testcase
windoze testcase
"windoze testcase" crashes seamonkey trunk under wine. "crash" doesn't indeed.
Whiteboard: [sg:critical?]
my stack: [Switching to Thread 46912555133632 (LWP 21843)] 0x00002aaab25cc359 in nsCSSFrameConstructor::WipeContainingBlock ( this=0x1206af0, aState=@0x7fffffbe0c50, aContainingBlock=0x1237ca8, aFrame=0x1237ca8, aFrameList=0x12468d0) at /opt/joro/firefox-cvs/mozilla/layout/base/nsCSSFrameConstructor.cpp:13206 13206 nsIAtom* frameType = aFrame->GetType(); (gdb) p *aFrame $1 = {<nsISupports> = {_vptr.nsISupports = 0x0}, mRect = {x = -572662307, y = -572662307, width = -572662307, height = -572662307}, mContent = 0xdddddddddddddddd, mStyleContext = 0xdddddddddddddddd, mParent = 0xdddddddddddddddd, mNextSibling = 0xdddddddddddddddd, mState = 3722304989} (gdb) info stack #0 0x00002aaab25cc359 in nsCSSFrameConstructor::WipeContainingBlock ( this=0x1206af0, aState=@0x7fffffbe0c50, aContainingBlock=0x1237ca8, aFrame=0x1237ca8, aFrameList=0x12468d0) #1 0x00002aaab25ca913 in nsCSSFrameConstructor::ContentInserted ( this=0x1206af0, aContainer=0x124b230, aChild=0x124b3d0, aIndexInContainer=1, aFrameState=0x0, aInReinsertContent=0) at /opt/joro/firefox-cvs/mozilla/layout/base/nsCSSFrameConstructor.cpp:9640 #2 0x00002aaab2627b81 in PresShell::ContentInserted (this=0x12063a0, aDocument=0x6a4ea0, aContainer=0x124b230, aChild=0x124b3d0, aIndexInContainer=1) at /opt/joro/firefox-cvs/mozilla/layout/base/nsPresShell.cpp:5215 #3 0x00002aaab2a55b79 in nsXBLBindingRequest::DocumentLoaded ( this=0x94bb78, aBindingDoc=0x1238d90) at /opt/joro/firefox-cvs/mozilla/content/xbl/src/nsXBLService.cpp:166 #4 0x00002aaab2a52a25 in nsXBLStreamListener::Load (this=0x123abd0, aEvent=0x1223570) at /opt/joro/firefox-cvs/mozilla/content/xbl/src/nsXBLService.cpp:418 #5 0x00002aaab28e7905 in DispatchToInterface (aEvent=0x1223570, aListener=0x123abd8, aMethod={__pfn = 0x21, __delta = 0}, aIID=@0x2aaab2d3a510, aHasInterface=0x7fffffbe11dc)
iirc someone suggested ditching xbl constructors from luserland. if there is a bug "ditch the whole xbl for luserland" i would vote for it.
First issue is that any of this works in any way in XHTML. I filed bug 332848 on that. I assume that you can reproduce the issue as text/html too (possibly with the binding in a separate file)? If so, bug 267833 might help. Also, do you get similar crashes if you do the whole thing in an iframe and have the constructor remove the iframe from its parent document? Or does it really have to be document.open that blows the document away?
No longer blocks: 267833
Depends on: 267833
(In reply to comment #7) > > I assume that you can reproduce the issue as text/html too (possibly with the > binding in a separate file)? If so, bug 267833 might help. > it works the binding in a separate file. > Also, do you get similar crashes if you do the whole thing in an iframe and > have the constructor remove the iframe from its parent document? Or does it > really have to be document.open that blows the document away? > have not tried this yet. not sure if only document.open blows the document.
(In reply to comment #7) > I assume that you can reproduce the issue as text/html it works as html.
Attached file html2-crash
(In reply to comment #7) > > Also, do you get similar crashes if you do the whole thing in an iframe and > have the constructor remove the iframe from its parent document? Or does it > really have to be document.open that blows the document away? > another crash in the same place is via: <xul:iframe src='javascript:alert("doco "+parent.document.open())' width="100" height="100" /> this in xbl
an html only (no xbl) iframe removing itself is Bug 332971
(In reply to comment #7) > Also, do you get similar crashes if you do the whole thing in an iframe and > have the constructor remove the iframe from its parent document? removing an iframe from ctor also crashes - check https://bugzilla.mozilla.org/attachment.cgi?id=217412 xbl removing iframe from ctor/dtor (open this) >Or does it > really have to be document.open that blows the document away? >
> another crash in the same place is via: Is that covered by one of the testcases in this bug?
Ah, nevermind. That's bug 332971. OK.
(In reply to comment #19) > Ah, nevermind. That's bug 332971. OK. > i am not quite sure the <xul:iframe> mess is the same as the above bug - in html sometimes reloads are needed, while this crashes one shot. may be wrong though. testcase in this bug to come
btw, recent trunk is somewhat broken - window creation is *visibly* slow - and new windows stay white for 1-3 seconds. on both the fox and the monkey. is the problem in my box?
(In reply to comment #20) > i am not quite sure the <xul:iframe> mess is the same as the above bug - in > html sometimes reloads are needed, while this crashes one shot. may be wrong > though. > though Bug 332971 is fixed, this abuse continues to crash. bz: there are several testcases in this bug - should i fork the bug in several "issues" or "anomalies" as some call them?
No, they all look like the same issue (bug 267833) to me.
a small modification of html2-crash crashes with clear signs of using free()ed memory on firefox 2.0-latest
mean that 'html2-crash' also crashes, but in not very scary way.
Critical security bugs must have owners. If you can't work on this bug please help us find another active owner for it.
Assignee: nobody → jonas
jonas/boris, any ideas on a fix?
same thing here, lets fix bug 267833 and see if this is still an issue after that.
Though for branches we might want something too... Not sure. There are so many other ways branches can screw with XBL constructors...
(In reply to comment #31) > There are so many > other ways branches can screw with XBL constructors... > bz, do you suspect other code may screw by blowing objects? :)
I'm not sure what you're asking.
since you know other ways for abuse of xbl constructors do you know other methods/objects that may be abused in a similar manner?
Not offhand, no.
some xbl related stuff still crashes after bz's fix, investigating testcases. in some cases (manually typing url in location) xbl destructors doesn't fire - this may be a sign of leak.
https://bugzilla.mozilla.org/attachment.cgi?id=217441 xul iframe doing parent.document.open() - open this (340 bytes, text/html) still crashes
Flags: in-testsuite?
We really need roc's compositor. All this flushing is getting annoying. ;)
Attachment #258368 - Flags: superreview?(dbaron)
Attachment #258368 - Flags: review?(dbaron)
Comment on attachment 258368 [details] [diff] [review] This seems to fix it... >+ // gotten destroyed. I presume you mean |Destroy|ed and not destroyed. If not, then somebody else should be holding an reference to the pres shell while calling a method on it. r+sr=dbaron
Attachment #258368 - Flags: superreview?(dbaron)
Attachment #258368 - Flags: superreview+
Attachment #258368 - Flags: review?(dbaron)
Attachment #258368 - Flags: review+
Yeah, I meant Destroy()ed. I'll update the comment accordingly.
Checked in, with the improved comment. We should land the tests once this becomes public, I guess...
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
is this good stuff for the branch also? any problems showing up in trunk baking?
Flags: blocking1.8.1.4?
Flags: blocking1.8.1.4?
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12+
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
I'm not sure trunk is getting enough "baking" to be relevant, to be honest. :( As for branch... we could make this change, probably. That still leaves bug 267833 on branches, so I'm not sure it's worth it.
Flags: blocking1.8.1.5?
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.13?
Flags: blocking1.8.0.12+
Flags: blocking1.8.1.5?
Flags: blocking1.8.1.5+
Flags: blocking1.8.0.13?
Flags: blocking1.8.0.13+
Flags: blocking1.8.1.5+ → blocking1.8.1.6+
Flags: blocking1.8.0.13+ → blocking1.8.0.14?
bug 267833 has landed on the 1.8 branch, but some of the testcases in this bug remain a problem (hangs rather than crashes). The patch here doesn't really apply so we'll need something else.
Flags: blocking1.8.1.8+ → blocking1.8.1.9+
Daniel, which testcases hang for you? I get a crash from "xul iframe doing parent.document.open() - open this" and nothing from the others... It's pretty simple to port this patch to branch, for what it's worth.
I'm not sure I'll be able to drive this into the branch, esp. as it doesn't fix the parent.document.open() crash...
Flags: blocking1.8.0.14? → blocking1.8.0.15?
The crash in attachment 217441 [details] looks like a safe null-deref on the branch now. Maybe the fixes in but 267833 were sufficient to address the security problems.
What's the status of this bug on the branch? Do we need attachment 283134 [details] [diff] [review], can we live without it?
The status is that the attachment is probably required to fix the remaining crashes, but not sufficient.
Flags: blocking1.8.1.12+ → blocking1.8.1.13?
Whiteboard: [sg:critical?] → [sg:critical?] maybe safe crash on 1.8-branch after landing 267833
We should take the patch we can even if it's not a complete fix. Seems to make things better.
Flags: blocking1.8.1.13? → blocking1.8.1.13+
Flags: blocking1.8.0.15? → blocking1.8.0.15+
Guess this is assigned wrong since bz wrote the patches...
Assignee: jonas → bzbarsky
Comment on attachment 283134 [details] [diff] [review] Branch merge of the patch I guess let's get this in on branch... And I suppose file a followup bug on the remaining branch crashes, since QA won't be able to verify this one...
Attachment #283134 - Flags: approval1.8.1.13?
Comment on attachment 283134 [details] [diff] [review] Branch merge of the patch approved for 1.8.1.13, a=dveditz for release-drivers
Attachment #283134 - Flags: approval1.8.1.13? → approval1.8.1.13+
Keywords: checkin-needed
Whiteboard: [sg:critical?] maybe safe crash on 1.8-branch after landing 267833 → [Needs 1.8 branch checkin][sg:critical?] maybe safe crash on 1.8-branch after landing 267833
Checked in on branch.
Keywords: checkin-neededfixed1.8.1
Whiteboard: [Needs 1.8 branch checkin][sg:critical?] maybe safe crash on 1.8-branch after landing 267833 → [sg:critical?] maybe safe crash on 1.8-branch after landing 267833
I'll check this in the release candidate for 2.0.0.13 tomorrow (when it is built) but I checked this in the 3/8 build from ftp://ftp.mozilla.org/pub/firefox/nightly/2008-03-08-03-mozilla1.8 and https://bugzilla.mozilla.org/attachment.cgi?id=217441 still crashes. That build should have been made after your check-in.
Al, ee comment 46 and comment 52. This patch was necessary to fix the crashes on branch, but not sufficient; someone needs to file a separate branch-only bug on the remaining crashes.
filed Bug 422338 on the crash and on clickable xul button in print preview
(In reply to comment #56) > Al, ee comment 46 and comment 52. This patch was necessary to fix the crashes > on branch, but not sufficient; someone needs to file a separate branch-only bug > on the remaining crashes. > I see that was done. To be 100% clear, which crashes should this bug actually fix out of the attached repro cases?
I have no idea, to be honest. It might be none. It'll fix some crash locations, but there might be others in every testcase.
this bug is a clear example why i suggested killing xbl for untrusted content
Comment on attachment 283134 [details] [diff] [review] Branch merge of the patch distro patch. caillon please sign off.
Attachment #283134 - Flags: approval1.8.0.15?
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: