Closed
Bug 604368
Opened 14 years ago
Closed 14 years ago
Sandbox.evalInSandbox() crash [@ XPCWrappedNative::GetObjectPrincipal ] [@ nsXPConnect::GetPrincipal(JSObject*, int)]
Categories
(Core :: XPConnect, defect)
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
blocking2.0 | --- | beta7+ |
People
(Reporter: scoobidiver, Assigned: mrbkap)
References
Details
(4 keywords)
Crash Data
Attachments
(2 files)
3.83 KB,
patch
|
peterv
:
review+
|
Details | Diff | Splinter Review |
6.12 KB,
patch
|
peterv
:
review+
|
Details | Diff | Splinter Review |
Build: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101014 Firefox/4.0b8pre This is a new crash signature. Crashes first appeared in b8pre/20101011 build. It happens on Mac OS X and linux. It is #7 top crasher in 4.0b8pre for the last week. Signature XPCWrappedNative::GetObjectPrincipal UUID b44377e0-5c92-454a-a75b-3f1792101014 Time 2010-10-14 07:35:55.20714 Uptime 684 Last Crash 686 seconds (11.4 minutes) before submission Install Age 1657 seconds (27.6 minutes) since version was first installed. Product Firefox Version 4.0b8pre Build ID 20101013214358 Branch 2.0 OS Mac OS X OS Version 10.6.5 10H542 CPU amd64 CPU Info family 6 model 15 stepping 11 Crash Reason EXC_BAD_ACCESS / 0x0000000d Crash Address 0x0 App Notes Renderers: 0x22600,0x20400 Frame Module Signature [Expand] Source 0 XUL XPCWrappedNative::GetObjectPrincipal js/src/xpconnect/src/xpcprivate.h:1465 1 XUL nsXPConnect::GetPrincipal js/src/xpconnect/src/nsXPConnect.cpp:2442 2 XUL xpc::Transparent js/src/xpconnect/wrappers/XrayWrapper.cpp:444 3 XUL xpc::XrayWrapper<JSCrossCompartmentWrapper,xpc::CrossCompartmentXray>::getPropertyDescriptor js/src/xpconnect/wrappers/XrayWrapper.cpp:531 4 XUL js::JSProxyHandler::has js/src/jsproxy.cpp:96 5 XUL xpc::XrayWrapper<JSCrossCompartmentWrapper,xpc::CrossCompartmentXray>::has js/src/xpconnect/wrappers/XrayWrapper.cpp:782 6 XUL js::proxy_LookupProperty js/src/jsproxy.cpp:760 7 XUL js_LookupPropertyWithFlags js/src/jsobj.h:1034 8 XUL js_FindPropertyHelper js/src/jsobj.cpp:4745 9 XUL js::Interpret js/src/jsinterp.cpp:4819 10 XUL js::Execute js/src/jsinterp.cpp:638 11 XUL JS_EvaluateUCScriptForPrincipals js/src/jsapi.cpp:4882 12 XUL xpc_EvalInSandbox js/src/xpconnect/src/xpccomponents.cpp:3661 13 XUL nsXPCComponents_Utils::EvalInSandbox js/src/xpconnect/src/xpccomponents.cpp:3551 14 XUL NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:208 15 XUL XPCWrappedNative::CallMethod js/src/xpconnect/src/xpcwrappednative.cpp:3054 16 XUL XPC_WN_CallMethod js/src/xpconnect/src/xpcwrappednativejsops.cpp:1631 17 XUL js::Interpret js/src/jscntxtinlines.h:652 ... The regression range is : http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=26c47ba8064f&tochange=5a41a70eb631 More reports at: http://crash-stats.mozilla.com/report/list?range_value=4&range_unit=weeks&signature=XPCWrappedNative%3A%3AGetObjectPrincipal
Comment 1•14 years ago
|
||
cc'ing roc and mats who are suspect in that regression range I hit this a couple of times this morning, both times on osx64, seemed to be related to this URL: http://rypp.ly/bHk8Lk (couldn't get other people to reproduce it, though)
Updated•14 years ago
|
blocking2.0: --- → beta8+
Comment 2•14 years ago
|
||
Actually, turns out that my crash is slightly different, but related. Mine looks like this: http://crash-stats.mozilla.com/report/index/bp-0f4cb3d7-1467-4829-864f-dd36b2101014
Comment 3•14 years ago
|
||
I think this is a dup of bug 544610.
Reporter | ||
Updated•14 years ago
|
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Comment 5•14 years ago
|
||
This doesn't seem a dupe, since current stacks consistently contain an Sandbox.evalInSandbox() call and compartments definitely mess with Sandbox, as seen in bug 604346
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Summary: crash [@ XPCWrappedNative::GetObjectPrincipal ] → Sandbox.evalInSandbox() crash [@ XPCWrappedNative::GetObjectPrincipal ]
Comment 6•14 years ago
|
||
Can't get it to happen in Safe Mode, which implies one of my add-ons; more as I know it!
Status: REOPENED → NEW
blocking2.0: beta8+ → ---
Comment 7•14 years ago
|
||
I believe that one of Account Manager or Contacts was causing the problem; Hanson/Mills, can you take a look at the stack and see if that's a possibility?
Comment 8•14 years ago
|
||
(In reply to comment #7) > I believe that one of Account Manager or Contacts was causing the problem; > Hanson/Mills, can you take a look at the stack and see if that's a possibility? NoScript is reported to cause that, even though I didn't manage to reproduce, and looking at the stacks (which contain both evalInSandbox() and notifyObservers()) I'm almost sure it's the Script Surrogate feature, which executes scripts in a Sandbox with the content window principal in a content-document-global-created observer.
Reporter | ||
Comment 9•14 years ago
|
||
From b8pre/20101011 build, crashes on Windows with nsXPConnect::GetPrincipal(JSObject*, int) as a crash signature have also a stack trace that contains Sandbox.evalInSandbox() call.
Comment 10•14 years ago
|
||
Contacts does use evalInSandbox() but we haven't released a version that supports 4.0b* - unless they're running a prerelease users are unlikely to be using Contacts on 4.0.
Updated•14 years ago
|
blocking2.0: --- → beta7+
Comment 11•14 years ago
|
||
This is likely related to a evalInSandbox API change.
Comment 12•14 years ago
|
||
(In reply to comment #11) > This is likely related to a evalInSandbox API change. Which change, exactly?
Comment 13•14 years ago
|
||
Account Manager does not use evalInSandbox(), but it does (in the addon version, not the patch) call ProcessNextEvent to simulate synchronous functions. It does so in the middle of a request handler (onDataAvailable and such).
Comment 14•14 years ago
|
||
In the past you could create a sandbox and then set its __proto__ to another object. You know have to request the object to be assigned that proto at sandbox creation time. Also, you can pick the wrapper you get (xray or not) with an optional parameter.
Comment 15•14 years ago
|
||
(In reply to comment #14) > In the past you could create a sandbox and then set its __proto__ to another > object. You know have to request the object to be assigned that proto at > sandbox creation time. Also, you can pick the wrapper you get (xray or not) > with an optional parameter. Where are these changes documented? I couldn't find anything at http://mxr.mozilla.org/mozilla-central/source/js/src/xpconnect/idl/xpccomponents.idl At any rate, NoScript is not replacing __proto__ nor is picking any wrapper. The code is: var w = document.defaultView; try { var s = new CU.Sandbox(w); s.window = (typeof w.wrappedJSObject == "object") ? w.wrappedJSObject : w; CU.evalInSandbox("with(window) {" + scriptBlock + "}", s); } catch(e) { if (ns.consoleDump) ns.dump(e); if (this.debug) CU.reportError(e); } where document is a content document and scriptBlock is a configurable but trusted script source.
Reporter | ||
Updated•14 years ago
|
OS: Mac OS X → All
Summary: Sandbox.evalInSandbox() crash [@ XPCWrappedNative::GetObjectPrincipal ] → Sandbox.evalInSandbox() crash [@ XPCWrappedNative::GetObjectPrincipal ] [@ nsXPConnect::GetPrincipal(JSObject*, int)]
Comment 18•14 years ago
|
||
(In reply to comment #10) > Contacts does use evalInSandbox() but we haven't released a version that > supports 4.0b* - unless they're running a prerelease users are unlikely to be > using Contacts on 4.0. Yeah, I was running it and Account Manager with the Add-on Compatibility reporter forcing compatibility on. I guess the pages I crashed on were tickling those Add-ons. I suspect that this topcrasher might be heavily correlated with other Add-ons that do the same. Gal: you've said this is related to a change, but I can't tell if you're saying that it's a bug from that change you intend to fix, or if we need to make sure Add-on authors know. Either way, a straight-out crash isn't a great outcome :(
Comment 19•14 years ago
|
||
FWIW, I hit this crash pretty much every time I load any URL on twitter.com, logged in (and using the NewTwitter preview). e.g. https://twitter.com/mozillagary triggered it for me. I was able to reproduce in reliably in a fresh profile, with Noscript development version installed, set to allow all scripts on the page (on a per-script-domain basis, using the icon in the Addon Toolbar). (The final domain that I allowed before it started crashing was google-analytics.com)
Comment 20•14 years ago
|
||
Adding 'dogfood' keyword, as this crash makes today's nightly hard to dogfood when viewing popular sites like twitter that trigger it. :(
Keywords: dogfood
Comment 21•14 years ago
|
||
(In reply to comment #20) > Adding 'dogfood' keyword, as this crash makes today's nightly hard to dogfood > when viewing popular sites like twitter that trigger it. :( Works in safe mode, doesn't it? That implies that it's a dogfood issue for some of the add-ons.
Updated•14 years ago
|
Keywords: reproducible
Comment 22•14 years ago
|
||
It's a dogfood issue for those who like to run Firefox with NoScript (myself included).
Assignee | ||
Comment 23•14 years ago
|
||
The bug here is that NoScript creates a sandbox object around a window that has document.domain set and we aren't prepared to handle that. This fixes the bug without slowing down nsXPConnect::GetPrincipal for the normal case.
Updated•14 years ago
|
Attachment #483344 -
Flags: review?(peterv) → review+
Comment 26•14 years ago
|
||
After http://crash-stats.mozilla.com/report/index/bp-c4152c9e-191d-4951-a044-c3f812101014 , I moved greasemonkey out of the zoo and firefox became sane again.
Comment 27•14 years ago
|
||
(In reply to comment #23) > Created attachment 483344 [details] [diff] [review] > Fix > > The bug here is that NoScript creates a sandbox object around a window that has > document.domain set and we aren't prepared to handle that. Do you mean document.domain set by some content script to something different than document.documentURI's host? If so, how can it be possible during a content-document-global-created notification, when no content script has been ran yet?
Assignee | ||
Comment 29•14 years ago
|
||
(In reply to comment #27) > Do you mean document.domain set by some content script to something different > than document.documentURI's host? > If so, how can it be possible during a content-document-global-created > notification, when no content script has been ran yet? document.domain actually mutates the principals of the page that it's set on, and then the behavior derives from that. So, when the sandbox runs, we end up behaving like document.domain has been set, which the code wasn't prepared to do in a sandbox.
Assignee | ||
Comment 30•14 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/72d1bbea09ed
Whiteboard: fixed-in-tracemonkey
Assignee | ||
Comment 31•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/c66660664ec7
Status: ASSIGNED → RESOLVED
Closed: 14 years ago → 14 years ago
Resolution: --- → FIXED
Comment 32•14 years ago
|
||
I still crash with http://hg.mozilla.org/mozilla-central/rev/c66660664ec7 and noscript
Comment 33•14 years ago
|
||
(In reply to comment #32) > I still crash with http://hg.mozilla.org/mozilla-central/rev/c66660664ec7 > > and noscript Stack?
Comment 34•14 years ago
|
||
http://crash-stats.mozilla.com/report/index/bp-4481444c-cc99-4870-937e-3f1482101016 no symbols the nightly isn't out yet
Comment 35•14 years ago
|
||
new stack with symbols http://crash-stats.mozilla.com/report/index/29dd17e5-85e9-4de7-9791-387012101016
Comment 36•14 years ago
|
||
(In reply to comment #35) > new stack with symbols > > http://crash-stats.mozilla.com/report/index/29dd17e5-85e9-4de7-9791-387012101016 Looks like the same bug, indeed, or the same call chain at least.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 37•14 years ago
|
||
With build "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b8pre) Gecko/20101016 Firefox/4.0b8pre ID:20101016041245", I get the following crash: http://crash-stats.mozilla.com/report/index/450ba00e-4308-4a60-b1a1-b4fd12101016 when trying to open http://www.wunderground.com/cgi-bin/findweather/getForecast?query=43147. However, it may be add-on related as the page does not crash the browser in a fairly new, no installed add-ons profile. My main profile does not have either ABP or NoScript installed. I am providing the crash ID in case it helps to troubleshoot this.
Status: REOPENED → RESOLVED
Closed: 14 years ago → 14 years ago
Resolution: --- → FIXED
Updated•14 years ago
|
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 38•14 years ago
|
||
(In reply to comment #37) > However, it may be add-on related as the page does not crash the browser in a > fairly new, no installed add-ons profile. My main profile does not have either > ABP or NoScript installed. > It's GreaseMonkey, in your case.
Whiteboard: fixed-in-tracemonkey
Comment 39•14 years ago
|
||
(In reply to comment #38) > (In reply to comment #37) > > However, it may be add-on related as the page does not crash the browser in a > > fairly new, no installed add-ons profile. My main profile does not have either > > ABP or NoScript installed. > > > It's GreaseMonkey, in your case. After trying the disable/enable troubleshooting, I discovered I had to clear the browser cache, too, to get the crash. After disabling GM, the crashes have stopped. My GM version is the 2010.10.14beta. I need to see if the new nightly has been generated yet.
Comment 40•14 years ago
|
||
(In reply to comment #39) > (In reply to comment #38) > > (In reply to comment #37) > > > However, it may be add-on related as the page does not crash the browser in a > > > fairly new, no installed add-ons profile. My main profile does not have either > > > ABP or NoScript installed. > > > > > It's GreaseMonkey, in your case. > > After trying the disable/enable troubleshooting, I discovered I had to clear > the browser cache, too, to get the crash. > > After disabling GM, the crashes have stopped. My GM version is the > 2010.10.14beta. I need to see if the new nightly has been generated yet. Crash even with the 2010.10.15beta version of GM. Other crashes: http://crash-stats.mozilla.com/report/index/bp-029ac9e9-4049-4af7-a07a-6b7142101016 http://crash-stats.mozilla.com/report/index/bp-f13f7123-2416-41f1-a067-a94972101016 http://crash-stats.mozilla.com/report/index/bp-c743688e-87cd-48f6-9097-4c3832101016 http://crash-stats.mozilla.com/report/index/bp-dea834c8-28e1-4091-ae44-652322101016 http://crash-stats.mozilla.com/report/index/bp-62dc7d6e-e570-4cbe-82a6-f30802101016
Comment 41•14 years ago
|
||
The STR in comment 19 (with Twitter) still repro this for me, too: Mozilla/5.0 (X11; Linux i686; rv:2.0b8pre) Gecko/20101016 Firefox/4.0b8pre bp-552314d2-17d0-411b-9a71-0b6932101016
Comment 42•14 years ago
|
||
Using Greasemonkey[1] and Autopagerize[2] I still get the crash on Mozilla/5.0 (Windows NT 5.1; rv:2.0b8pre) Gecko/20101016 Firefox/4.0b8pre, but the stack is different: http://crash-stats.mozilla.com/report/index/bp-05dc4092-f88f-4da2-96cc-c5f672101016 http://crash-stats.mozilla.com/report/index/bp-598c599b-1f64-4fb6-a7fb-2b0652101016 Same Bug? Different Bug? [1] https://arantius.com/misc/gm-nightly/greasemonkey-2010.10.15.beta.xpi [2] http://userscripts.org/scripts/show/8551
Assignee | ||
Comment 44•14 years ago
|
||
I didn't realize the code fixed here had been copied. This shares the two copies of the code (and makes the fix apply to the copied bit in the process).
Attachment #483772 -
Flags: review?(peterv)
Updated•14 years ago
|
Attachment #483772 -
Flags: review?(peterv) → review+
Comment 45•14 years ago
|
||
Code copying considered harmful (buckets of it in methodjit from jsinterp.cpp too). Avoid. /be
Updated•14 years ago
|
Blocks: CVE-2010-3774
Comment 47•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/22028fb65bb2
Status: REOPENED → RESOLVED
Closed: 14 years ago → 14 years ago
Resolution: --- → FIXED
Updated•14 years ago
|
Crash Signature: [@ XPCWrappedNative::GetObjectPrincipal ]
[@ nsXPConnect::GetPrincipal(JSObject*, int)]
You need to log in
before you can comment on or make changes to this bug.
Description
•