crash in nsGlobalWindow::SetInitialPrincipalToSubject

RESOLVED FIXED in Firefox 56

Status

()

defect
--
critical
RESOLVED FIXED
7 years ago
3 months ago

People

(Reporter: scoobidiver, Assigned: baku)

Tracking

({crash, regression, testcase})

16 Branch
mozilla57
x86
Windows 7
Points:
---

Firefox Tracking Flags

(firefox-esr52 wontfix, firefox55 wontfix, firefox56 fixed, firefox57 fixed)

Details

(crash signature)

Attachments

(5 attachments)

Reporter

Description

7 years ago
It first appeared in 16.0b3 and is currently #44 top browser crasher in this build. The regression range is:
http://hg.mozilla.org/releases/mozilla-beta/pushloghtml?fromchange=cad589192f3c&tochange=de3f06a549de
It's likely a regression from bug 774633.

Signature 	nsGlobalWindow::SetInitialPrincipalToSubject() More Reports Search
UUID	378c2d1a-613c-4df3-a31b-9b3232120915
Date Processed	2012-09-15 06:53:19
Uptime	2116
Last Crash	8.8 weeks before submission
Install Age	4.2 hours since version was first installed.
Install Time	2012-09-15 02:38:12
Product	Firefox
Version	16.0
Build ID	20120911232325
Release Channel	beta
OS	Windows NT
OS Version	6.1.7600
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 23 stepping 6
Crash Reason	EXCEPTION_ACCESS_VIOLATION_WRITE
Crash Address	0xa6
App Notes 	
AdapterVendorID: 0x10de, AdapterDeviceID: 0x06e0, AdapterSubsysID: 00000000, AdapterDriverVersion: 8.17.12.6658
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 
EMCheckCompatibility	True
Adapter Vendor ID	0x10de
Adapter Device ID	0x06e0
Total Virtual Memory	2147352576
Available Virtual Memory	1174827008
System Memory Use Percentage	40
Available Page File	5004394496
Available Physical Memory	1919893504

Frame 	Module 	Signature 	Source
0 	xul.dll 	nsGlobalWindow::SetInitialPrincipalToSubject 	dom/base/nsGlobalWindow.cpp:1544
1 	xul.dll 	nsAppShellService::RegisterTopLevelWindow 	xpfe/appshell/src/nsAppShellService.cpp:458
2 	xul.dll 	nsAppShellService::CreateTopLevelWindow 	xpfe/appshell/src/nsAppShellService.cpp:152
3 	xul.dll 	nsAppStartup::CreateChromeWindow2 	toolkit/components/startup/nsAppStartup.cpp:623
4 	xul.dll 	nsWindowWatcher::OpenWindowJSInternal 	embedding/components/windowwatcher/src/nsWindowWatcher.cpp:706
5 	xul.dll 	nsWindowWatcher::OpenWindow 	embedding/components/windowwatcher/src/nsWindowWatcher.cpp:381
6 	xul.dll 	nsAlertsService::ShowAlertNotification 	toolkit/components/alerts/nsAlertsService.cpp:179
7 	xul.dll 	nsDownload::SetState 	toolkit/components/downloads/nsDownloadManager.cpp:2271
8 	xul.dll 	nsDownloadScanner::Scan::Run 	toolkit/components/downloads/nsDownloadScanner.cpp:416
9 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:624
10 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:82
11 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:201
12 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:175
13 	xul.dll 	nsBaseAppShell::Run 	widget/xpwidgets/nsBaseAppShell.cpp:163
14 	xul.dll 	nsAppShell::Run 	widget/windows/nsAppShell.cpp:232
15 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/nsAppStartup.cpp:257
16 	xul.dll 	XREMain::XRE_mainRun 	toolkit/xre/nsAppRunner.cpp:3794
17 	xul.dll 	XREMain::XRE_main 	toolkit/xre/nsAppRunner.cpp:3871
18 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3947

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsGlobalWindow%3A%3ASetInitialPrincipalToSubject%28%29
So, it looks like the call to CreateAboutBlankContentViewer is failing:

http://hg.mozilla.org/releases/mozilla-beta/annotate/de3f06a549de/dom/base/nsGlobalWindow.cpp#l1543

In particular, it must be failing before this callstack completes: 
nsGlobalWindow::SetNewDocument
nsDocumentViewer::InitInternal
nsDocumentViewer::Init
nsDocShell::SetupNewViewer
nsDocShell::CreateAboutBlankContentViewer

which sets mDoc to the relevant about:blank document.

We _could_ check for this, return an NS_ERROR_FAILURE, and bubble it all the way up. But we'd have to add error handling to a number of ancestor callers before getting anywhere that could handle the failure.

As such, I'd prefer if we could reproduce the crash (or correlate it with an addon) and figure out what's going wrong.
Reporter

Comment 2

7 years ago
It's correlated to Helper Bar (installed without the permission of users):
  nsGlobalWindow::SetInitialPrincipalToSubject()|EXCEPTION_ACCESS_VIOLATION_WRITE (28 crashes)
    100% (28/28) vs.   1% (427/54486) helperbar@helperbar.com
Summary: crash in nsGlobalWindow::SetInitialPrincipalToSubject → crash in nsGlobalWindow::SetInitialPrincipalToSubject with Helper Bar
Ok, so clearly they're messing with the docshell somehow and causing it to fail to create about:blank documents. Jorge, What's our next step here? Developer outreach?
(In reply to Scoobidiver from comment #2)
> It's correlated to Helper Bar (installed without the permission of users):
>  
> nsGlobalWindow::
> SetInitialPrincipalToSubject()|EXCEPTION_ACCESS_VIOLATION_WRITE (28 crashes)
>     100% (28/28) vs.   1% (427/54486) helperbar@helperbar.com

What do we know about Helper Bar? A quick search for it didn't yield any useful results.
Reporter

Comment 5

7 years ago
(In reply to Jorge Villalobos [:jorgev] from comment #4)
> What do we know about Helper Bar? A quick search for it didn't yield any
> useful results.
It seems to be Linkury's SmartBar: http://www.threatexpert.com/report.aspx?md5=aa448be2db215b61b17b8537f0c11be4
I've contacted them with information about this bug. I'll give them until the end of next week before we go with blocklisting.
The Linkury folks got back to me asking for steps to reproduce. Do we have any?
Reporter

Comment 8

7 years ago
(In reply to Jorge Villalobos [:jorgev] from comment #7)
> The Linkury folks got back to me asking for steps to reproduce. Do we have
> any?
There are no comments in crash reports.

It seems now correlated to other add-ons:
     94% (72/77) vs.   1% (401/57413) helperbar@helperbar.com
     27% (21/77) vs.   2% (1334/57413) bbrs_002@blabbers.com
     27% (21/77) vs.   3% (1574/57413) {EB9394A3-4AD6-4918-9537-31A1FD8E8EDF}
     16% (12/77) vs.   5% (2640/57413) avg@toolbar
     16% (12/77) vs.   5% (2657/57413) ffxtlbr@funmoods.com
     18% (14/77) vs.  10% (5549/57413) ffxtlbr@babylon.com
      9% (7/77) vs.   1% (707/57413) {F53C93F1-07D5-430c-86D4-C9531B27DFAF}
Summary: crash in nsGlobalWindow::SetInitialPrincipalToSubject with Helper Bar → crash in nsGlobalWindow::SetInitialPrincipalToSubject mainly with Helper Bar
Keywords: qawanted
QA Contact: jbecerra
Reporter

Updated

7 years ago
Summary: crash in nsGlobalWindow::SetInitialPrincipalToSubject mainly with Helper Bar → crash in nsGlobalWindow::SetInitialPrincipalToSubject
I could not install the Linkury SmartBar when trying to reproduce the issue, all I got while install it was a virus warning (Mixidj_intl.exe).

I downloaded the Linkury SmartBar from:
http://download.cnet.com/Linkury-SmartBar/3000-2378_4-75415460.html

Does anyone know a good link from where I could download and install a usable Linkury Smartbar?
According to the developers, you can get it here: http://www.linkury.com/index-6_solutions_b.html
Thanks Jorge!

Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0
Build ID: 20131014004003

I could not reproduce the crash while browsing (sent/read e-mails, played games and videos, navigated to different pages in several tabs, etc) on the latest Aurora 26.0a2 with the following add-ons enabled:
- Linkury Smartbar 1.1
- Funmnoods New Tab 9.5.3
- Babylon toolbar 1.5.0
(I could not find the Blabbers and DealPly add-ons for Firefox - all I found required Chrome as their browser).

I'm removing the qawanted keyword since QA could not reproduce the crash locally. Please re-add it if anything else is needed from the QA side.
Keywords: qawanted

Updated

4 years ago
Crash Signature: [@ nsGlobalWindow::SetInitialPrincipalToSubject()] → [@ nsGlobalWindow::SetInitialPrincipalToSubject()] [@ nsGlobalWindow::SetInitialPrincipalToSubject]
Posted file test_case.html
STR:
1) allow pop-ups
2) open test case
Posted file asan_log.txt
Keywords: testcase

Comment 14

2 years ago
this crash signature is also spiking up in the last couple of days - "WebGL+" seems to be always active during those crashes, users of es builds seem to be affected inproportionally often and url correlations point to shink.in a couple of tiimes...
Andrew, can you find somebody to look at this crash?  We even have a testcase!
Flags: needinfo?(overholt)
Oh, it's really spiking recently. baku, please investigate.
Flags: needinfo?(overholt) → needinfo?(amarchesini)
Assignee

Comment 17

2 years ago
All the rest of that method does check mDoc, except that line.
Assignee: nobody → amarchesini
Flags: needinfo?(amarchesini)
Attachment #8905106 - Flags: review?(kyle)
Attachment #8905106 - Flags: review?(kyle) → review+

Comment 18

2 years ago
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/64bf8308a282
nsGlobalWindow::SetInitialPrincipalToSubject should check the existence of mDoc, r=qdot
https://hg.mozilla.org/mozilla-central/rev/64bf8308a282
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
Please request Beta/ESR52 approval on this when you get a chance.
Flags: needinfo?(amarchesini)
Assignee

Comment 21

2 years ago
Comment on attachment 8905106 [details] [diff] [review]
doc_check.patch

Approval Request Comment
[Feature/Bug causing the regression]: bug 774633
[User impact if declined]: a crash can occur in same rare conditions
[Is this code covered by automated tests?]: no
[Has the fix been verified in Nightly?]: hard to verify
[Needs manual test from QE? If yes, steps to reproduce]: n/a 
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: the fix is just a null check.
[String changes made/needed]: none

[Approval Request Comment]
Fix Landed on Version: 57
Flags: needinfo?(amarchesini)
Attachment #8905106 - Flags: approval-mozilla-esr52?
Attachment #8905106 - Flags: approval-mozilla-beta?
Assignee

Comment 22

2 years ago
Posted patch esr52Splinter Review
Assignee

Comment 23

2 years ago
Posted patch m-bSplinter Review
Assignee

Updated

2 years ago
Attachment #8906232 - Attachment description: 64bf8308a282 → m-b
Attachment #8906232 - Attachment is patch: true
Comment on attachment 8905106 [details] [diff] [review]
doc_check.patch

Fix a crash. Beta56+.
Attachment #8905106 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment on attachment 8905106 [details] [diff] [review]
doc_check.patch

old bug, low volume crash, going to leave that out of esr.
Attachment #8905106 - Flags: approval-mozilla-esr52? → approval-mozilla-esr52-
This brought an improvement:

== Change summary for alert #9589 (as of September 21 2017 08:41 UTC) ==

Improvements:

  3%  tpaint summary windows7-32 opt e10s     276.47 -> 269.50

For up to date results, see: https://treeherder.mozilla.org/perf.html#/alerts?id=9589
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.