Closed Bug 604368 Opened 14 years ago Closed 14 years ago

Sandbox.evalInSandbox() crash [@ XPCWrappedNative::GetObjectPrincipal ] [@ nsXPConnect::GetPrincipal(JSObject*, int)]

Categories

(Core :: XPConnect, defect)

Product:
Core
Component:
XPConnect
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- beta7+

People

(Reporter: scoobidiver, Assigned: mrbkap)

References

Details

(4 keywords)

Crash Data

Attachments

(2 files)

Fix
3.83 KB, patch
peterv
: review+
Details | Diff | Splinter Review
Followup
6.12 KB, patch
peterv
: review+
Details | Diff | Splinter Review 
Build: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101014
Firefox/4.0b8pre

This is a new crash signature. Crashes first appeared in b8pre/20101011 build.
It happens on Mac OS X and linux.
It is #7 top crasher in 4.0b8pre for the last week.

Signature	XPCWrappedNative::GetObjectPrincipal
UUID	b44377e0-5c92-454a-a75b-3f1792101014
Time 	2010-10-14 07:35:55.20714
Uptime	684
Last Crash	686 seconds (11.4 minutes) before submission
Install Age	1657 seconds (27.6 minutes) since version was first installed.
Product	Firefox
Version	4.0b8pre
Build ID	20101013214358
Branch	2.0
OS	Mac OS X
OS Version	10.6.5 10H542
CPU	amd64
CPU Info	family 6 model 15 stepping 11
Crash Reason	EXC_BAD_ACCESS / 0x0000000d
Crash Address	0x0
App Notes 	Renderers: 0x22600,0x20400

Frame 	Module 	Signature [Expand] 	Source
0 	XUL 	XPCWrappedNative::GetObjectPrincipal 	js/src/xpconnect/src/xpcprivate.h:1465
1 	XUL 	nsXPConnect::GetPrincipal 	js/src/xpconnect/src/nsXPConnect.cpp:2442
2 	XUL 	xpc::Transparent 	js/src/xpconnect/wrappers/XrayWrapper.cpp:444
3 	XUL 	xpc::XrayWrapper<JSCrossCompartmentWrapper,xpc::CrossCompartmentXray>::getPropertyDescriptor 	js/src/xpconnect/wrappers/XrayWrapper.cpp:531
4 	XUL 	js::JSProxyHandler::has 	js/src/jsproxy.cpp:96
5 	XUL 	xpc::XrayWrapper<JSCrossCompartmentWrapper,xpc::CrossCompartmentXray>::has 	js/src/xpconnect/wrappers/XrayWrapper.cpp:782
6 	XUL 	js::proxy_LookupProperty 	js/src/jsproxy.cpp:760
7 	XUL 	js_LookupPropertyWithFlags 	js/src/jsobj.h:1034
8 	XUL 	js_FindPropertyHelper 	js/src/jsobj.cpp:4745
9 	XUL 	js::Interpret 	js/src/jsinterp.cpp:4819
10 	XUL 	js::Execute 	js/src/jsinterp.cpp:638
11 	XUL 	JS_EvaluateUCScriptForPrincipals 	js/src/jsapi.cpp:4882
12 	XUL 	xpc_EvalInSandbox 	js/src/xpconnect/src/xpccomponents.cpp:3661
13 	XUL 	nsXPCComponents_Utils::EvalInSandbox 	js/src/xpconnect/src/xpccomponents.cpp:3551
14 	XUL 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:208
15 	XUL 	XPCWrappedNative::CallMethod 	js/src/xpconnect/src/xpcwrappednative.cpp:3054
16 	XUL 	XPC_WN_CallMethod 	js/src/xpconnect/src/xpcwrappednativejsops.cpp:1631
17 	XUL 	js::Interpret 	js/src/jscntxtinlines.h:652
...

The regression range is :
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=26c47ba8064f&tochange=5a41a70eb631

More reports at:
http://crash-stats.mozilla.com/report/list?range_value=4&range_unit=weeks&signature=XPCWrappedNative%3A%3AGetObjectPrincipal
cc'ing roc and mats who are suspect in that regression range

I hit this a couple of times this morning, both times on osx64, seemed to be related to this URL: http://rypp.ly/bHk8Lk (couldn't get other people to reproduce it, though)
blocking2.0: --- → beta8+
Actually, turns out that my crash is slightly different, but related. Mine looks like this:

http://crash-stats.mozilla.com/report/index/bp-0f4cb3d7-1467-4829-864f-dd36b2101014
I think this is a dup of bug 544610.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
This doesn't seem a dupe, since current stacks consistently contain an Sandbox.evalInSandbox() call and compartments definitely mess with Sandbox, as seen in bug 604346
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Summary: crash [@ XPCWrappedNative::GetObjectPrincipal ] → Sandbox.evalInSandbox() crash [@ XPCWrappedNative::GetObjectPrincipal ]
Can't get it to happen in Safe Mode, which implies one of my add-ons; more as I know it!
Status: REOPENED → NEW
blocking2.0: beta8+ → ---
I believe that one of Account Manager or Contacts was causing the problem; Hanson/Mills, can you take a look at the stack and see if that's a possibility?
(In reply to comment #7)
> I believe that one of Account Manager or Contacts was causing the problem;
> Hanson/Mills, can you take a look at the stack and see if that's a possibility?

NoScript is reported to cause that, even though I didn't manage to reproduce, and looking at the stacks (which contain both evalInSandbox() and notifyObservers()) I'm almost sure it's the Script Surrogate feature, which executes scripts in a Sandbox with the content window principal in a content-document-global-created observer.
From b8pre/20101011 build, crashes on Windows with nsXPConnect::GetPrincipal(JSObject*, int) as a crash signature have also a stack trace that contains Sandbox.evalInSandbox() call.
Contacts does use evalInSandbox() but we haven't released a version that supports 4.0b* - unless they're running a prerelease users are unlikely to be using Contacts on 4.0.
blocking2.0: --- → beta7+
This is likely related to a evalInSandbox API change.
(In reply to comment #11)
> This is likely related to a evalInSandbox API change.

Which change, exactly?
Account Manager does not use evalInSandbox(), but it does (in the addon version, not the patch) call ProcessNextEvent to simulate synchronous functions.  It does so in the middle of a request handler (onDataAvailable and such).
In the past you could create a sandbox and then set its __proto__ to another object. You know have to request the object to be assigned that proto at sandbox creation time. Also, you can pick the wrapper you get (xray or not) with an optional parameter.
(In reply to comment #14)
> In the past you could create a sandbox and then set its __proto__ to another
> object. You know have to request the object to be assigned that proto at
> sandbox creation time. Also, you can pick the wrapper you get (xray or not)
> with an optional parameter.

Where are these changes documented? I couldn't find anything at http://mxr.mozilla.org/mozilla-central/source/js/src/xpconnect/idl/xpccomponents.idl

At any rate, NoScript is not replacing __proto__ nor is picking any wrapper.

The code is:

    var w = document.defaultView;
    try {
      var s = new CU.Sandbox(w);
      s.window = (typeof w.wrappedJSObject == "object") ? w.wrappedJSObject : w;
      CU.evalInSandbox("with(window) {" + scriptBlock + "}", s);
    } catch(e) {
      if (ns.consoleDump) ns.dump(e);
      if (this.debug) CU.reportError(e);
    }

where document is a content document and scriptBlock is a configurable but trusted script source.
OS: Mac OS X → All
Summary: Sandbox.evalInSandbox() crash [@ XPCWrappedNative::GetObjectPrincipal ] → Sandbox.evalInSandbox() crash [@ XPCWrappedNative::GetObjectPrincipal ] [@ nsXPConnect::GetPrincipal(JSObject*, int)]
(In reply to comment #10)
> Contacts does use evalInSandbox() but we haven't released a version that
> supports 4.0b* - unless they're running a prerelease users are unlikely to be
> using Contacts on 4.0.

Yeah, I was running it and Account Manager with the Add-on Compatibility reporter forcing compatibility on. I guess the pages I crashed on were tickling those Add-ons. I suspect that this topcrasher might be heavily correlated with other Add-ons that do the same.

Gal: you've said this is related to a change, but I can't tell if you're saying that it's a bug from that change you intend to fix, or if we need to make sure Add-on authors know. Either way, a straight-out crash isn't a great outcome :(
FWIW, I hit this crash pretty much every time I load any URL on twitter.com, logged in (and using the NewTwitter preview). e.g. https://twitter.com/mozillagary triggered it for me.

I was able to reproduce in reliably in a fresh profile, with Noscript development version installed, set to allow all scripts on the page (on a per-script-domain basis, using the icon in the Addon Toolbar).  (The final domain that I allowed before it started crashing was google-analytics.com)
Adding 'dogfood' keyword, as this crash makes today's nightly hard to dogfood when viewing popular sites like twitter that trigger it. :(
Keywords: dogfood
(In reply to comment #20)
> Adding 'dogfood' keyword, as this crash makes today's nightly hard to dogfood
> when viewing popular sites like twitter that trigger it. :(

Works in safe mode, doesn't it? That implies that it's a dogfood issue for some of the add-ons.
Keywords: reproducible
It's a dogfood issue for those who like to run Firefox with NoScript (myself included).
Attached patch FixSplinter Review 
The bug here is that NoScript creates a sandbox object around a window that has document.domain set and we aren't prepared to handle that. This fixes the bug without slowing down nsXPConnect::GetPrincipal for the normal case.
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #483344 - Flags: review?(peterv)
Attachment #483344 - Flags: review?(peterv) → review+
After  http://crash-stats.mozilla.com/report/index/bp-c4152c9e-191d-4951-a044-c3f812101014 , I moved greasemonkey out of the zoo and firefox became sane again.
(In reply to comment #23)
> Created attachment 483344 [details] [diff] [review]
> Fix
> 
> The bug here is that NoScript creates a sandbox object around a window that has
> document.domain set and we aren't prepared to handle that.

Do you mean document.domain set by some content script to something different than document.documentURI's host?
If so, how can it be possible during a content-document-global-created notification, when no content script has been ran yet?
(In reply to comment #27)
> Do you mean document.domain set by some content script to something different
> than document.documentURI's host?
> If so, how can it be possible during a content-document-global-created
> notification, when no content script has been ran yet?

document.domain actually mutates the principals of the page that it's set on, and then the behavior derives from that. So, when the sandbox runs, we end up behaving like document.domain has been set, which the code wasn't prepared to do in a sandbox.
http://hg.mozilla.org/mozilla-central/rev/c66660664ec7
Status: ASSIGNED → RESOLVED
Closed: 14 years ago14 years ago
Resolution: --- → FIXED
I still crash with http://hg.mozilla.org/mozilla-central/rev/c66660664ec7

and noscript
(In reply to comment #32)
> I still crash with http://hg.mozilla.org/mozilla-central/rev/c66660664ec7
> 
> and noscript

Stack?
(In reply to comment #35)
> new stack with symbols
> 
> http://crash-stats.mozilla.com/report/index/29dd17e5-85e9-4de7-9791-387012101016

Looks like the same bug, indeed, or the same call chain at least.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
With build "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101016 Firefox/4.0b8pre ID:20101016041245", I get the following crash:

http://crash-stats.mozilla.com/report/index/450ba00e-4308-4a60-b1a1-b4fd12101016

when trying to open http://www.wunderground.com/cgi-bin/findweather/getForecast?query=43147. However, it may be add-on related as the page does not crash the browser in a fairly new, no installed add-ons profile. My main profile does not have either ABP or NoScript installed.

I am providing the crash ID in case it helps to troubleshoot this.
Status: REOPENED → RESOLVED
Closed: 14 years ago14 years ago
Resolution: --- → FIXED
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(In reply to comment #37)
> However, it may be add-on related as the page does not crash the browser in a
> fairly new, no installed add-ons profile. My main profile does not have either
> ABP or NoScript installed.
> 
It's GreaseMonkey, in your case.
Whiteboard: fixed-in-tracemonkey
(In reply to comment #38)
> (In reply to comment #37)
> > However, it may be add-on related as the page does not crash the browser in a
> > fairly new, no installed add-ons profile. My main profile does not have either
> > ABP or NoScript installed.
> > 
> It's GreaseMonkey, in your case.

After trying the disable/enable troubleshooting, I discovered I had to clear the browser cache, too, to get the crash.

After disabling GM, the crashes have stopped. My GM version is the 2010.10.14beta. I need to see if the new nightly has been generated yet.
(In reply to comment #39)
> (In reply to comment #38)
> > (In reply to comment #37)
> > > However, it may be add-on related as the page does not crash the browser in a
> > > fairly new, no installed add-ons profile. My main profile does not have either
> > > ABP or NoScript installed.
> > > 
> > It's GreaseMonkey, in your case.
> 
> After trying the disable/enable troubleshooting, I discovered I had to clear
> the browser cache, too, to get the crash.
> 
> After disabling GM, the crashes have stopped. My GM version is the
> 2010.10.14beta. I need to see if the new nightly has been generated yet.

Crash even with the 2010.10.15beta version of GM.

Other crashes:
http://crash-stats.mozilla.com/report/index/bp-029ac9e9-4049-4af7-a07a-6b7142101016
http://crash-stats.mozilla.com/report/index/bp-f13f7123-2416-41f1-a067-a94972101016
http://crash-stats.mozilla.com/report/index/bp-c743688e-87cd-48f6-9097-4c3832101016
http://crash-stats.mozilla.com/report/index/bp-dea834c8-28e1-4091-ae44-652322101016
http://crash-stats.mozilla.com/report/index/bp-62dc7d6e-e570-4cbe-82a6-f30802101016
The STR in comment 19 (with Twitter) still repro this for me, too:
Mozilla/5.0 (X11; Linux i686; rv:2.0b8pre) Gecko/20101016 Firefox/4.0b8pre
bp-552314d2-17d0-411b-9a71-0b6932101016
Using Greasemonkey[1] and Autopagerize[2] I still get the crash on 
Mozilla/5.0 (Windows NT 5.1; rv:2.0b8pre) Gecko/20101016 Firefox/4.0b8pre,
but the stack is different:
http://crash-stats.mozilla.com/report/index/bp-05dc4092-f88f-4da2-96cc-c5f672101016
http://crash-stats.mozilla.com/report/index/bp-598c599b-1f64-4fb6-a7fb-2b0652101016

Same Bug? Different Bug?

[1] https://arantius.com/misc/gm-nightly/greasemonkey-2010.10.15.beta.xpi
[2] http://userscripts.org/scripts/show/8551
Attached patch FollowupSplinter Review 
I didn't realize the code fixed here had been copied. This shares the two copies of the code (and makes the fix apply to the copied bit in the process).
Attachment #483772 - Flags: review?(peterv)
Attachment #483772 - Flags: review?(peterv) → review+
Code copying considered harmful (buckets of it in methodjit from jsinterp.cpp too). Avoid.

/be
http://hg.mozilla.org/mozilla-central/rev/22028fb65bb2
Status: REOPENED → RESOLVED
Closed: 14 years ago14 years ago
Resolution: --- → FIXED
Crash Signature: [@ XPCWrappedNative::GetObjectPrincipal ] [@ nsXPConnect::GetPrincipal(JSObject*, int)]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: