Closed Bug 775197 Opened 13 years ago Closed 11 years ago

Opening window with iframe crashes debug build

Categories

(Core :: Security: CAPS, defect)

Product:
Core
Component:
Security: CAPS
Version:
16 Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED INVALID
Tracking Flags:
Tracking Status
firefox16 - affected
firefox17 - affected

People

(Reporter: nick, Unassigned)

References

Details

(Keywords: crash, regression, reproducible)

Crash Data

Attachments

(1 file)

crashing page
680 bytes, text/html
Details
Attached file crashing page
6/28 good http://hg.mozilla.org/mozilla-central/rev/bf8f2961d0cc 6/29 bad http://hg.mozilla.org/mozilla-central/rev/4a8e0d5fc954 http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=bf8f2961d0cc&tochange=4a8e0d5fc954 Assertion failure: equal, at /Users/ndesaulniers/Work/services-central/dom/base/nsJSEnvironment.cpp:1421 https://crash-stats.mozilla.com/report/index/5823e2df-ac14-4f06-b9c9-28b582120718 Components.utils.import("resource://gre/modules/Services.jsm"); Services.wm.getMostRecentWindow("navigator:browser").open("file:///Users/ndesaulniers/Work/services-central/tos.html", "aitc_tos_window", "chrome,height=400,width=640"); except modify the path to the attached html file to recreate. I'm trying to open a window with chrome privileges, then use JS to modify the DOM of the newly opened window. I'm trying to dynamically set an iframe's src attribute but that causes a crash. Creating the iframe statically in the HTML also causes the crash (see attachment).
Nick - Can you paste a link to your crash report here? You can get that by going to about:crashes, finding and clicking the link for the time of when your crash occurred, and copying and pasting the URL here.
Severity: normal → critical
I can reproduce the crash on a debug build (https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012-07-18-mozilla-central-debug/firefox-17.0a1.en-US.debug-mac.dmg): Components.utils.import("resource://gre/modules/Services.jsm"); Services.wm.getMostRecentWindow("navigator:browser").open("https://bug775197.bugzilla.mozilla.org/attachment.cgi?id=643473", "aitc_tos_window", "chrome,height=400,width=640"); My report: https://crash-stats.mozilla.com/report/index/48291ffd-e482-4660-aca6-e98392120718 Nick's report: https://crash-stats.mozilla.com/report/index/5823e2df-ac14-4f06-b9c9-28b582120718 Both seem to have the same stack: Firefox 17.0a1 Crash Report [@ XUL@0xe044a8 | XUL@0x9a6d13 | XUL@0x9a7689 | XUL@0x9aa937 | XUL@0x9a2f1e | XUL@0x116b5a8 | XUL@0x116c0db | XUL@0x11793ed | XUL@0x211f896 | XUL@0x209ac36 | XUL@0x1cb4cd3 | XUL@0x1c50592 | CoreFoundation@0x1213e ]
Keywords: stackwanted
Crash Signature: [@ XUL@0xe044a8 | XUL@0x9a6d13 | XUL@0x9a7689 | XUL@0x9aa937 | XUL@0x9a2f1e | XUL@0x116b5a8 | XUL@0x116c0db | XUL@0x11793ed | XUL@0x211f896 | XUL@0x209ac36 | XUL@0x1cb4cd3 | XUL@0x1c50592 | CoreFoundation@0x1213e]
Keywords: reproducible
I think this is because you're trying to load untrusted content into a chrome iframe (not the safest thing to do), which we current don't handle very well. I'm working on this over in bug 774633.
Assignee: nobody → bobbyholley+bmo
The actual source will be where the Apps In The Cloud (AITC) Privacy Policy and Terms of Service are hosted. Cat.com was just an example. Also, I'm denied access to 774633. Can you CC me on it please?
(In reply to Nick Desaulniers [:\n] from comment #5) > The actual source will be where the Apps In The Cloud (AITC) Privacy Policy > and Terms of Service are hosted. Cat.com was just an example. When I say "untrusted content" I mean "web content". The issue is that you're passing "chrome" to the window open call. > Also, I'm denied access to 774633. Can you CC me on it please? ok.
Looks like this crashes for privileged pages too.
Depends on: 774633
Does this crash only occur with debug builds? How common of a user issue would this be?
tracking-firefox16: +?
tracking-firefox17: +?
I don't get the principal equality assertion mentioned in comment 0, so I'm guessing that was fixed by bug 774633. I do, however, get a fatal CSS assertion: http://pastebin.mozilla.org/1807916 Unassigning myself. Please let me know if anyone can reproduce a dom-related assertion here.
Assignee: bobbyholley+bmo → nobody
Adding qawanted and verifyme to answer comment 9. If not reproducible and fixed by bug 774633 we can untrack this bug.
Keywords: qawanted, verifyme
QA Contact: jbecerra
Juan, can you check if this bug is reproducible before and after bug 774633 was fixed? Thanks
I was not able to reproduce this bug on debug builds prior or post bug 774633.
(In reply to juan becerra [:juanb] from comment #12) > I was not able to reproduce this bug on debug builds prior or post bug > 774633. Thanks Juan. Alex, based on Juan's testing, QA can neither confirm nor deny that bug 774633 fixed this bug. How did you want to proceed with this bug?
This isn't reproducible in QA or a top crash, so no need to track.
tracking-firefox16: ?-
tracking-firefox17: ?-
As per comment 13 and 14 I'm dropping qawanted and verifyme as well. We should probably drop the reproducible keyword as well if we can't find steps that reliably reproduce this crash.
Keywords: qawanted, verifyme
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: