Closed Bug 604368 Opened 15 years ago Closed 15 years ago

Sandbox.evalInSandbox() crash [@ XPCWrappedNative::GetObjectPrincipal ] [@ nsXPConnect::GetPrincipal(JSObject*, int)]

Categories

(Core :: XPConnect, defect)

Product:
Core
Component:
XPConnect
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- beta7+

People

(Reporter: scoobidiver, Assigned: mrbkap)

References

Details

(4 keywords)

Crash Data

Attachments

(2 files)

Fix
3.83 KB, patch
peterv
: review+
Details | Diff | Splinter Review
Followup
6.12 KB, patch
peterv
: review+
Details | Diff | Splinter Review
Build: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101014 Firefox/4.0b8pre This is a new crash signature. Crashes first appeared in b8pre/20101011 build. It happens on Mac OS X and linux. It is #7 top crasher in 4.0b8pre for the last week. Signature XPCWrappedNative::GetObjectPrincipal UUID b44377e0-5c92-454a-a75b-3f1792101014 Time 2010-10-14 07:35:55.20714 Uptime 684 Last Crash 686 seconds (11.4 minutes) before submission Install Age 1657 seconds (27.6 minutes) since version was first installed. Product Firefox Version 4.0b8pre Build ID 20101013214358 Branch 2.0 OS Mac OS X OS Version 10.6.5 10H542 CPU amd64 CPU Info family 6 model 15 stepping 11 Crash Reason EXC_BAD_ACCESS / 0x0000000d Crash Address 0x0 App Notes Renderers: 0x22600,0x20400 Frame Module Signature [Expand] Source 0 XUL XPCWrappedNative::GetObjectPrincipal js/src/xpconnect/src/xpcprivate.h:1465 1 XUL nsXPConnect::GetPrincipal js/src/xpconnect/src/nsXPConnect.cpp:2442 2 XUL xpc::Transparent js/src/xpconnect/wrappers/XrayWrapper.cpp:444 3 XUL xpc::XrayWrapper<JSCrossCompartmentWrapper,xpc::CrossCompartmentXray>::getPropertyDescriptor js/src/xpconnect/wrappers/XrayWrapper.cpp:531 4 XUL js::JSProxyHandler::has js/src/jsproxy.cpp:96 5 XUL xpc::XrayWrapper<JSCrossCompartmentWrapper,xpc::CrossCompartmentXray>::has js/src/xpconnect/wrappers/XrayWrapper.cpp:782 6 XUL js::proxy_LookupProperty js/src/jsproxy.cpp:760 7 XUL js_LookupPropertyWithFlags js/src/jsobj.h:1034 8 XUL js_FindPropertyHelper js/src/jsobj.cpp:4745 9 XUL js::Interpret js/src/jsinterp.cpp:4819 10 XUL js::Execute js/src/jsinterp.cpp:638 11 XUL JS_EvaluateUCScriptForPrincipals js/src/jsapi.cpp:4882 12 XUL xpc_EvalInSandbox js/src/xpconnect/src/xpccomponents.cpp:3661 13 XUL nsXPCComponents_Utils::EvalInSandbox js/src/xpconnect/src/xpccomponents.cpp:3551 14 XUL NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:208 15 XUL XPCWrappedNative::CallMethod js/src/xpconnect/src/xpcwrappednative.cpp:3054 16 XUL XPC_WN_CallMethod js/src/xpconnect/src/xpcwrappednativejsops.cpp:1631 17 XUL js::Interpret js/src/jscntxtinlines.h:652 ... The regression range is : http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=26c47ba8064f&tochange=5a41a70eb631 More reports at: http://crash-stats.mozilla.com/report/list?range_value=4&range_unit=weeks&signature=XPCWrappedNative%3A%3AGetObjectPrincipal
cc'ing roc and mats who are suspect in that regression range I hit this a couple of times this morning, both times on osx64, seemed to be related to this URL: http://rypp.ly/bHk8Lk (couldn't get other people to reproduce it, though)
blocking2.0: --- → beta8+
Actually, turns out that my crash is slightly different, but related. Mine looks like this: http://crash-stats.mozilla.com/report/index/bp-0f4cb3d7-1467-4829-864f-dd36b2101014
I think this is a dup of bug 544610.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
This doesn't seem a dupe, since current stacks consistently contain an Sandbox.evalInSandbox() call and compartments definitely mess with Sandbox, as seen in bug 604346
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Summary: crash [@ XPCWrappedNative::GetObjectPrincipal ] → Sandbox.evalInSandbox() crash [@ XPCWrappedNative::GetObjectPrincipal ]
Can't get it to happen in Safe Mode, which implies one of my add-ons; more as I know it!
Status: REOPENED → NEW
blocking2.0: beta8+ → ---
I believe that one of Account Manager or Contacts was causing the problem; Hanson/Mills, can you take a look at the stack and see if that's a possibility?
(In reply to comment #7) > I believe that one of Account Manager or Contacts was causing the problem; > Hanson/Mills, can you take a look at the stack and see if that's a possibility? NoScript is reported to cause that, even though I didn't manage to reproduce, and looking at the stacks (which contain both evalInSandbox() and notifyObservers()) I'm almost sure it's the Script Surrogate feature, which executes scripts in a Sandbox with the content window principal in a content-document-global-created observer.
From b8pre/20101011 build, crashes on Windows with nsXPConnect::GetPrincipal(JSObject*, int) as a crash signature have also a stack trace that contains Sandbox.evalInSandbox() call.
Contacts does use evalInSandbox() but we haven't released a version that supports 4.0b* - unless they're running a prerelease users are unlikely to be using Contacts on 4.0.
blocking2.0: --- → beta7+
This is likely related to a evalInSandbox API change.
(In reply to comment #11) > This is likely related to a evalInSandbox API change. Which change, exactly?
Account Manager does not use evalInSandbox(), but it does (in the addon version, not the patch) call ProcessNextEvent to simulate synchronous functions. It does so in the middle of a request handler (onDataAvailable and such).
In the past you could create a sandbox and then set its __proto__ to another object. You know have to request the object to be assigned that proto at sandbox creation time. Also, you can pick the wrapper you get (xray or not) with an optional parameter.
(In reply to comment #14) > In the past you could create a sandbox and then set its __proto__ to another > object. You know have to request the object to be assigned that proto at > sandbox creation time. Also, you can pick the wrapper you get (xray or not) > with an optional parameter. Where are these changes documented? I couldn't find anything at http://mxr.mozilla.org/mozilla-central/source/js/src/xpconnect/idl/xpccomponents.idl At any rate, NoScript is not replacing __proto__ nor is picking any wrapper. The code is: var w = document.defaultView; try { var s = new CU.Sandbox(w); s.window = (typeof w.wrappedJSObject == "object") ? w.wrappedJSObject : w; CU.evalInSandbox("with(window) {" + scriptBlock + "}", s); } catch(e) { if (ns.consoleDump) ns.dump(e); if (this.debug) CU.reportError(e); } where document is a content document and scriptBlock is a configurable but trusted script source.
OS: Mac OS X → All
Summary: Sandbox.evalInSandbox() crash [@ XPCWrappedNative::GetObjectPrincipal ] → Sandbox.evalInSandbox() crash [@ XPCWrappedNative::GetObjectPrincipal ] [@ nsXPConnect::GetPrincipal(JSObject*, int)]
(In reply to comment #10) > Contacts does use evalInSandbox() but we haven't released a version that > supports 4.0b* - unless they're running a prerelease users are unlikely to be > using Contacts on 4.0. Yeah, I was running it and Account Manager with the Add-on Compatibility reporter forcing compatibility on. I guess the pages I crashed on were tickling those Add-ons. I suspect that this topcrasher might be heavily correlated with other Add-ons that do the same. Gal: you've said this is related to a change, but I can't tell if you're saying that it's a bug from that change you intend to fix, or if we need to make sure Add-on authors know. Either way, a straight-out crash isn't a great outcome :(
FWIW, I hit this crash pretty much every time I load any URL on twitter.com, logged in (and using the NewTwitter preview). e.g. https://twitter.com/mozillagary triggered it for me. I was able to reproduce in reliably in a fresh profile, with Noscript development version installed, set to allow all scripts on the page (on a per-script-domain basis, using the icon in the Addon Toolbar). (The final domain that I allowed before it started crashing was google-analytics.com)
Adding 'dogfood' keyword, as this crash makes today's nightly hard to dogfood when viewing popular sites like twitter that trigger it. :(
Keywords: dogfood
(In reply to comment #20) > Adding 'dogfood' keyword, as this crash makes today's nightly hard to dogfood > when viewing popular sites like twitter that trigger it. :( Works in safe mode, doesn't it? That implies that it's a dogfood issue for some of the add-ons.
Keywords: reproducible
It's a dogfood issue for those who like to run Firefox with NoScript (myself included).
Attached patch FixSplinter Review
The bug here is that NoScript creates a sandbox object around a window that has document.domain set and we aren't prepared to handle that. This fixes the bug without slowing down nsXPConnect::GetPrincipal for the normal case.
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #483344 - Flags: review?(peterv)
Attachment #483344 - Flags: review?(peterv) → review+
After http://crash-stats.mozilla.com/report/index/bp-c4152c9e-191d-4951-a044-c3f812101014 , I moved greasemonkey out of the zoo and firefox became sane again.
(In reply to comment #23) > Created attachment 483344 [details] [diff] [review] > Fix > > The bug here is that NoScript creates a sandbox object around a window that has > document.domain set and we aren't prepared to handle that. Do you mean document.domain set by some content script to something different than document.documentURI's host? If so, how can it be possible during a content-document-global-created notification, when no content script has been ran yet?
(In reply to comment #27) > Do you mean document.domain set by some content script to something different > than document.documentURI's host? > If so, how can it be possible during a content-document-global-created > notification, when no content script has been ran yet? document.domain actually mutates the principals of the page that it's set on, and then the behavior derives from that. So, when the sandbox runs, we end up behaving like document.domain has been set, which the code wasn't prepared to do in a sandbox.
http://hg.mozilla.org/mozilla-central/rev/c66660664ec7
Status: ASSIGNED → RESOLVED
Closed: 15 years ago15 years ago
Resolution: --- → FIXED
I still crash with http://hg.mozilla.org/mozilla-central/rev/c66660664ec7 and noscript
(In reply to comment #32) > I still crash with http://hg.mozilla.org/mozilla-central/rev/c66660664ec7 > > and noscript Stack?
(In reply to comment #35) > new stack with symbols > > http://crash-stats.mozilla.com/report/index/29dd17e5-85e9-4de7-9791-387012101016 Looks like the same bug, indeed, or the same call chain at least.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
With build "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101016 Firefox/4.0b8pre ID:20101016041245", I get the following crash: http://crash-stats.mozilla.com/report/index/450ba00e-4308-4a60-b1a1-b4fd12101016 when trying to open http://www.wunderground.com/cgi-bin/findweather/getForecast?query=43147. However, it may be add-on related as the page does not crash the browser in a fairly new, no installed add-ons profile. My main profile does not have either ABP or NoScript installed. I am providing the crash ID in case it helps to troubleshoot this.
Status: REOPENED → RESOLVED
Closed: 15 years ago15 years ago
Resolution: --- → FIXED
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(In reply to comment #37) > However, it may be add-on related as the page does not crash the browser in a > fairly new, no installed add-ons profile. My main profile does not have either > ABP or NoScript installed. > It's GreaseMonkey, in your case.
Whiteboard: fixed-in-tracemonkey
(In reply to comment #38) > (In reply to comment #37) > > However, it may be add-on related as the page does not crash the browser in a > > fairly new, no installed add-ons profile. My main profile does not have either > > ABP or NoScript installed. > > > It's GreaseMonkey, in your case. After trying the disable/enable troubleshooting, I discovered I had to clear the browser cache, too, to get the crash. After disabling GM, the crashes have stopped. My GM version is the 2010.10.14beta. I need to see if the new nightly has been generated yet.
(In reply to comment #39) > (In reply to comment #38) > > (In reply to comment #37) > > > However, it may be add-on related as the page does not crash the browser in a > > > fairly new, no installed add-ons profile. My main profile does not have either > > > ABP or NoScript installed. > > > > > It's GreaseMonkey, in your case. > > After trying the disable/enable troubleshooting, I discovered I had to clear > the browser cache, too, to get the crash. > > After disabling GM, the crashes have stopped. My GM version is the > 2010.10.14beta. I need to see if the new nightly has been generated yet. Crash even with the 2010.10.15beta version of GM. Other crashes: http://crash-stats.mozilla.com/report/index/bp-029ac9e9-4049-4af7-a07a-6b7142101016 http://crash-stats.mozilla.com/report/index/bp-f13f7123-2416-41f1-a067-a94972101016 http://crash-stats.mozilla.com/report/index/bp-c743688e-87cd-48f6-9097-4c3832101016 http://crash-stats.mozilla.com/report/index/bp-dea834c8-28e1-4091-ae44-652322101016 http://crash-stats.mozilla.com/report/index/bp-62dc7d6e-e570-4cbe-82a6-f30802101016
The STR in comment 19 (with Twitter) still repro this for me, too: Mozilla/5.0 (X11; Linux i686; rv:2.0b8pre) Gecko/20101016 Firefox/4.0b8pre bp-552314d2-17d0-411b-9a71-0b6932101016
Using Greasemonkey[1] and Autopagerize[2] I still get the crash on Mozilla/5.0 (Windows NT 5.1; rv:2.0b8pre) Gecko/20101016 Firefox/4.0b8pre, but the stack is different: http://crash-stats.mozilla.com/report/index/bp-05dc4092-f88f-4da2-96cc-c5f672101016 http://crash-stats.mozilla.com/report/index/bp-598c599b-1f64-4fb6-a7fb-2b0652101016 Same Bug? Different Bug? [1] https://arantius.com/misc/gm-nightly/greasemonkey-2010.10.15.beta.xpi [2] http://userscripts.org/scripts/show/8551
Attached patch FollowupSplinter Review
I didn't realize the code fixed here had been copied. This shares the two copies of the code (and makes the fix apply to the copied bit in the process).
Attachment #483772 - Flags: review?(peterv)
Attachment #483772 - Flags: review?(peterv) → review+
Code copying considered harmful (buckets of it in methodjit from jsinterp.cpp too). Avoid. /be
http://hg.mozilla.org/mozilla-central/rev/22028fb65bb2
Status: REOPENED → RESOLVED
Closed: 15 years ago15 years ago
Resolution: --- → FIXED
Crash Signature: [@ XPCWrappedNative::GetObjectPrincipal ] [@ nsXPConnect::GetPrincipal(JSObject*, int)]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: