494453 - Crash when accessing sessionStorage object from chrome

Status: RESOLVED FIXED

(Core :: DOM: Core & HTML, defect)

Description

[Chris AtLee [:catlee]]

If I have both jetpack (0.1.2) and firebug (1.4.0a28) enabled, and go to about:jetpack with the latest Shiretoko nightly, or a debug build as of revision 213e1980f998, I get a segfault, with the backtrace below.

At frame #1, 'p aPrincipal' returns "(Cannot access memory at address 0x8000ffff"

#0  0x00007f5863a21987 in NS_GetInnermostURI (uri=0x7f5845d74cc0)
    at ../../dist/include/necko/nsNetUtil.h:1427
#1  0x00007f5863dda32f in nsDOMStorage::InitAsSessionStorage (this=0x7f5845d0a600, 
    aPrincipal=0x8000ffff) at nsDOMStorage.cpp:589
#2  0x00007f5863f6c2fa in nsDocShell::GetSessionStorageForPrincipal (this=0x7fff6cec8960, 
    aPrincipal=0x7f58547346c0, aCreate=1, aStorage=0x7fff6cec8b90) at nsDocShell.cpp:1775
#3  0x00007f5863da86ef in nsGlobalWindow::GetSessionStorage (this=0x7f5848433400, 
    aSessionStorage=0x7fff6cec8b90) at nsGlobalWindow.cpp:6825
#4  0x00007f5863da868d in nsGlobalWindow::GetSessionStorage (this=0x8000ffff, 
    aSessionStorage=0x7fff6cec8b90) at nsGlobalWindow.cpp:6811
#5  0x00007f58639e0621 in nsIDOMStorageWindow_1_9_1_GetSessionStorage (cx=0x7f58490c4400, 
    obj=0x7f5863db80aa, id=140017253187668, vp=0x7fff6cec8e68) at dom_quickstubs.cpp:10398
#6  0x00007f586329727a in js_NativeGet (cx=0x7f58490c4400, obj=0x7f586329a668, 
    pobj=0x7f58483fec00, sprop=0x7f584d9721d0, vp=0x7fff6cec8e68) at jsscope.h:370
#7  0x00007f586329a8d5 in js_GetPropertyHelper (cx=0x7f58490c4400, obj=0x7f584937dd80, 
    id=140017253187668, cacheResult=32767, vp=0x7fff6cec8e68) at jsobj.cpp:4330
#8  0x00007f586328669d in js_Interpret (cx=0x7f58490c4400) at jsinterp.cpp:4830
#9  0x00007f586329099b in js_Invoke (cx=0x7f58490c4400, argc=32600, vp=0x7f584845d4e0, flags=0)
    at jsinterp.cpp:1394
#10 0x00007f586327e8d6 in js_fun_apply (cx=0x7f58490c4400, argc=1212536064, vp=0x7fff6cec9228)
    at jsfun.cpp:1788
#11 0x00007f586328d5b6 in js_Interpret (cx=0x7f58490c4400) at jsinterp.cpp:5139
#12 0x00007f586329099b in js_Invoke (cx=0x7f58490c4400, argc=32600, vp=0x7f584845d038, flags=0)
    at jsinterp.cpp:1394
#13 0x00007f58639c17f5 in nsXPCWrappedJSClass::CallMethod (this=0x7f584e9c7c40, 
    wrapper=0x7fff6cec9648, methodIndex=0, info=0x7f5850338c60, nativeParams=0x7f584910b1d0)
    at xpcwrappedjsclass.cpp:1621
#14 0x00007f58641dc3c9 in PrepareAndDispatch (self=0x7f5848493300, methodIndex=1680636544, 
    args=0x7fff6cec9820, gpregs=0x7fff6cec9850, fpregs=0x7f58641dc3c9)
    at xptcstubs_x86_64_linux.cpp:151
#15 0x00007f58641db893 in SharedStub ()
   from /home/catlee/mozilla/mozilla-1.9.1/dist/bin/libxul.so
#16 0x00007f5863cb6972 in nsEventListenerManager::HandleEventSubType (this=0x7fff6cec98f8, 
    aListenerStruct=0x7f5845b3c058, aListener=0x7f5848493300, aDOMEvent=0x7f58478ad100, 
    aCurrentTarget=0x7f58490c4078, aPhaseFlags=1169453056) at nsEventListenerManager.cpp:1098
#17 0x00007f5863cb6f1c in nsEventListenerManager::HandleEvent (this=0x7f5848598380, 
    aPresContext=0x7fff6cec9bd0, aEvent=0x7f5847896380, aDOMEvent=0x7f58490c4078, 
    aCurrentTarget=0x200000002, aFlags=32600, aEventStatus=0x7f5863cd1774)
    at nsEventListenerManager.cpp:1206

Comment 1

[Mike Shaver (:shaver emeritus)]

http://crash-stats.mozilla.com/report/index/4d9f8b5b-8d62-4024-a188-2a1492090522 crash report!

Comment 2

[Mike Shaver (:shaver emeritus)]

People with Jetpack and Firebug installed are seeing this when upgrading from b4 to current-nightly, I'll dup rey's bug against this.

Comment 3

[Boris Zbarsky [:bzbarsky]]

Looks like a regression from bug 455070.  GetURI on an nsIPrincipal can hand back null, and the code is passing that to a function that one is not allowed to pass null to.

In this case, aPrincipal is an nsSystemPrincipal, and has a null URI.

Comment 4

[Mike Beltzner [:beltzner, not reading bugmail]]

-> all:all based on comment 2

Comment 5

[Mike Beltzner [:beltzner, not reading bugmail]]

cc'ing jst and Honza based on comment 3

Comment 6

[Mike Beltzner [:beltzner, not reading bugmail]]

Oops, sdwilsh said he was fixing.

Comment 7

[Honza Bambas (:mayhemer)]

Ups, probably same problem and fix as in bug 485396.

Comment 8

[Shawn Wilsher :sdwilsh]

Attachment: v1.0

This is running on the try server now to make sure unit tests are A-OK.  Should start getting results soon.

Comment 9

[Shawn Wilsher :sdwilsh]

(In reply to comment #7)
> Ups, probably same problem and fix as in bug 485396.
Indeed it is, and I'm fixing this by unifying those two code paths so we don't have this issue in the future.

Comment 10

[Shawn Wilsher :sdwilsh]

Cooking up a unit test for this and bug 485396 while I wait for the try server results.

Comment 11

[Chris AtLee [:catlee]]

I can confirm that this fixes the crash on my machine.

Comment 12

[Shawn Wilsher :sdwilsh]

Attachment: tests v1.0

because tests are awesome and stuff.  Adds a test for this bug and for bug 485369.

Comment 13

[Shawn Wilsher :sdwilsh]

Attachment: tests v1.1

Updated per discussion on irc.

Comment 14

[Boris Zbarsky [:bzbarsky]]

Comment on attachment 379266 [details] [diff] [review]
tests v1.1

You want todo_is.  With that change, looks good.

Comment 15

[Shawn Wilsher :sdwilsh]

http://hg.mozilla.org/mozilla-central/rev/611edb416cd5

And the tests:
http://hg.mozilla.org/mozilla-central/rev/909d0b9c7c96

I'll land these on 1.9.1 once they cycle green on mozilla-central later tonight (go ahead and call me paranoid - I'm OK with that).

Comment 16

[Shawn Wilsher :sdwilsh]

http://hg.mozilla.org/releases/mozilla-1.9.1/rev/ec02f227f498
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/3b1fa6b45efc