490701 - Schema validation crash when called from modal window in chrome [@ nsSchemaLoader::GetResolvedURI]

Status: RESOLVED DUPLICATE of bug 490983

(Core Graveyard :: XForms, defect)

Description

[Philipp Wagner [:imphil]]

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.0.9) Gecko/2009041500 SUSE/3.0.9-0.1.1 Firefox/3.0.9
Build Identifier: 

Given the following case (see that attached testcase):

* XUL window inside chrome (chrome:// url)
* This window opens another xul:window (or xul:dialog) containing a XForms form using window.open (or openDialog) with modal=yes.

If the form's model does not include a schema, everything is ok.
As soon as I include a schema="schema.xsd" line in the model, Firefox crashes.

###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with
operator->().: 'mRawPtr != 0', file
../../../dist/include/xpcom/nsCOMPtr.h, line 868

Program received signal SIGSEGV, Segmentation fault.
0x00007fffdd9779d8 in nsSchemaLoader::GetResolvedURI (this=0xe33050,
aSchemaURI=@0x7fffffff55b0,
    aMethod=0x7fffdd9a906a "loadAsync", aURI=0x7fffffff5260)
    at
/home/philipp/src/mozilla/extensions/schema-validation/src/nsSchemaLoader.cpp:655
655           principal->GetURI(getter_AddRefs(baseURI));
Current language:  auto; currently c++
(gdb) bt
#0  0x00007fffdd9779d8 in nsSchemaLoader::GetResolvedURI (this=0xe33050,
aSchemaURI=@0x7fffffff55b0,
    aMethod=0x7fffdd9a906a "loadAsync", aURI=0x7fffffff5260)
    at
/home/philipp/src/mozilla/extensions/schema-validation/src/nsSchemaLoader.cpp:655
#1  0x00007fffdd97a4fc in nsSchemaLoader::LoadAsyncWithPrincipal
(this=0xe33050, schemaURI=@0x7fffffff55b0,
    aListener=0x88f3e0, aPrincipal=0x880020)
    at
/home/philipp/src/mozilla/extensions/schema-validation/src/nsSchemaLoader.cpp:718

Now have a look at http://mxr.mozilla.org/mozilla/source/extensions/schema-validation/src/nsSchemaLoader.cpp#632:

I did some debugging of the nsSchemaLoader::GetResolvedURI() function and found out that only (!) when opening a modal window inside chrome, or if the window containing the form is opened from a parent window that is modal, the call to GetCurrentNativeCallContext(&cc) returns a valid nsAXPCNativeCallContext. In all other cases, cc is nsnull and the code path below is skipped and everybody is happy.

My problem now is that I do not know what exactly the point of the code is. Only resolving relative URIs? All URIs I've seen being passed to that method are already absolute URLs. Apart from that, resolving relative URLs always relative to the currently loaded document is wrong anyways (e.g. a relative URI for a xsd:include needs to be relative to the schema's location). Security checks are done elsewhere, too - so what are they doing here?

After having spent three days on getting a reproducable testcase together I'll be thankful for any ideas on that matter.

PS: See the README file of the testcase for information on how to add the testcase to the chrome folder.

Reproducible: Always

Comment 1

[Philipp Wagner [:imphil]]

Attachment: testcase

Comment 2

[timeless]

http://mxr.mozilla.org/mozilla-central/source/caps/idl/nsIScriptSecurityManager.idl#194

193     ///////////////// Principals /////////////////////// 
194     /**
195      * Return the principal of the innermost frame of the currently 
196      * executing script. Will return null if there is no script 
197      * currently executing.
198      */
199     [noscript] nsIPrincipal getSubjectPrincipal();

i'd assume the goal is to prevent a web page from resolving a chrome schema or some other thing it isn't allowed to read.

Comment 3

[Philipp Wagner [:imphil]]

That's ok, but security checks are done elsewhere in the code (e.g. loadAsyncWithPrincipal), too. 
Even if they are done twice, the code that's causing problems is only executed when opening a modal window inside chrome. It's not executed when opening a non-modal window inside chrome, and not when opening a modal window from a file:// url. That's what causes my confusion...