crash in NS_GetInnermostURI

RESOLVED WORKSFORME

Status

Core
Security: CAPS
--
critical
6 years ago
5 years ago

People

(Reporter: Martijn Wargers (zombie), Unassigned)

Tracking

({crash, testcase})

Trunk
x86
Windows 7

Attachments

(2 attachments)

(Reporter)

Description

6 years ago
Created attachment 663722 [details]
testcase (uses specialpowers)

This bug was filed from the Socorro interface and is report bp-3a08f037-83b8-47cd-b18f-961ee2120922.
============================================================= 
0 	xul.dll 	NS_GetInnermostURI 	obj-firefox/dist/include/nsNetUtil.h:1639
1 	xul.dll 	NS_SecurityHashURI 	obj-firefox/dist/include/nsNetUtil.h:1680
2 	xul.dll 	nsScriptSecurityManager::HashPrincipalByOrigin 	caps/src/nsScriptSecurityManager.cpp:996
3 	xul.dll 	nsPrincipal::GetHashValue 	caps/src/nsPrincipal.cpp:961
4 	xul.dll 	PrincipalKey::HashKey 	caps/include/nsScriptSecurityManager.h:99
5 	xul.dll 	nsTHashtable<nsBaseHashtableET<PrincipalKey,nsCOMPtr<nsIPrincipal> > >::s_HashKe 	obj-firefox/dist/include/nsTHashtable.h:432
6 	xul.dll 	PL_DHashTableOperate 	obj-firefox/xpcom/build/pldhash.cpp:576
7 	xul.dll 	nsTHashtable<nsPtrHashKey<nsObjectFrame> >::GetEntry 	obj-firefox/dist/include/nsTHashtable.h:149
8 	xul.dll 	nsRefPtrHashtable<nsPtrHashKey<PRThread>,nsThread>::Get 	obj-firefox/dist/include/nsInterfaceHashtable.h:90
9 	xul.dll 	nsScriptSecurityManager::GetCodebasePrincipalInternal 	caps/src/nsScriptSecurityManager.cpp:2068
10 	xul.dll 	nsScriptSecurityManager::GetNoAppCodebasePrincipal 	caps/src/nsScriptSecurityManager.cpp:2011


See testcase, which uses specialpowers. The testcase crashes on permissionmanager.testPermission({}, "");

Updated

6 years ago
Keywords: testcase
OS: Windows NT → Windows 7
Version: unspecified → Trunk

So the real problem here is that XPConnect manufactures a completely bogus nsIURI impl for us here.  Then we construct a principal for it.  Then we try to hash the URI, and hit this code:

1635     NS_PRECONDITION(uri, "Must have URI");
1636     
1637     nsCOMPtr<nsINestedURI> nestedURI(do_QueryInterface(uri));
1638     if (!nestedURI) {
1639         NS_ADDREF(uri);
1640         return uri;
1641     }

This is crashing with a null-deref on the NS_ADDREF.  So presumably uri is null?  I wonder how that happened, actually...

Martijn, how do I actually run this testcase?

The problem is in nsScriptSecurityManager::HashPrincipalByOrigin.  The code looks like this:

992         nsCOMPtr<nsIURI> uri;
993         aPrincipal->GetDomain(getter_AddRefs(uri));
994         if (!uri)
995             aPrincipal->GetURI(getter_AddRefs(uri));
996         return SecurityHashURI(uri);

But GetURI can return null if the URI could not be marked immutable, which will be the case with the bogo-URI here.

We really need to switch to always-immutable URIs.  :(
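
The null path described in the comments above, as an added example that is not part of the original thread and is not Mozilla source: a simplified model of the "domain, else URI" lookup with the missing null check in place. All types and names here (Uri, Principal, InnermostUri, canBeImmutable) are hypothetical stand-ins, and the sample input is constructed.

```cpp
// Added illustration: simplified model with hypothetical names, not Mozilla source.
#include <cstdint>
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <utility>

struct Uri {
    std::string spec;
    std::shared_ptr<Uri> inner;  // set for nested URIs
    bool canBeImmutable;         // false models the script-implemented "bogo-URI"
    Uri(std::string s, std::shared_ptr<Uri> in, bool imm)
        : spec(std::move(s)), inner(std::move(in)), canBeImmutable(imm) {}
};
using UriPtr = std::shared_ptr<Uri>;

struct Principal {
    UriPtr domain;    // optional override, usually unset
    UriPtr codebase;
    UriPtr GetDomain() const { return domain; }
    // As described in the thread: null when the URI could not be marked immutable.
    UriPtr GetURI() const {
        return (codebase && codebase->canBeImmutable) ? codebase : nullptr;
    }
};

// Unwraps nested URIs; a null input yields null instead of being dereferenced.
UriPtr InnermostUri(UriPtr uri) {
    while (uri && uri->inner) uri = uri->inner;
    return uri;
}

// "Domain, else URI" lookup with the missing check: fails cleanly on null.
bool HashPrincipalByOrigin(const Principal& p, uint32_t* outHash) {
    UriPtr uri = p.GetDomain();
    if (!uri) uri = p.GetURI();
    UriPtr innermost = InnermostUri(uri);
    if (!innermost) return false;  // without this check the null is dereferenced
    *outHash = static_cast<uint32_t>(std::hash<std::string>()(innermost->spec));
    return true;
}

int main() {
    Principal bogus;  // constructed sample input
    bogus.codebase = std::make_shared<Uri>("bogus:", nullptr, false);
    uint32_t h = 0;
    std::printf("bogus principal hashable: %d\n", HashPrincipalByOrigin(bogus, &h));
    return 0;
}
```
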
(Reporter)

Comment 4

5 years ago
Created attachment 751516 [details]
updated testcase (uses specialpowers)

I had to update the testcase, because Components doesn't exist anymore in content.
This testcase doesn't seem to crash anymore in trunk, I'm now getting this js error in the console:
Timestamp: 5/20/13 1:57:47 AM
Error: [Exception... "'JavaScript component does not have a method named: "clone"' when calling method: [nsIURI::clone]"  nsresult: "0x80570030 (NS_ERROR_XPC_JSOBJECT_HAS_NO_FUNCTION_NAMED)"  location: "JS frame :: chrome://specialpowers/content/specialpowersAPI.js :: doApply :: line 83"  data: no]
Source File: chrome://specialpowers/content/specialpowersAPI.js
Line: 83
Timestamp: 5/20/13 1:57:47 AM
Error: [Exception... "'JavaScript component does not have a method named: "clone"' when calling method: [nsIURI::clone]"  nsresult: "0x80570030 (NS_ERROR_XPC_JSOBJECT_HAS_NO_FUNCTION_NAMED)"  location: "JS frame :: chrome://specialpowers/content/specialpowersAPI.js :: doApply :: line 83"  data: no]
Source File: chrome://specialpowers/content/specialpowersAPI.js
Line: 83
Timestamp: 5/20/13 1:57:47 AM
Error: NS_ERROR_XPC_JSOBJECT_HAS_NO_FUNCTION_NAMED: 'JavaScript component does not have a method named: "clone"' when calling method: [nsIURI::clone]
Source File: chrome://specialpowers/content/specialpowersAPI.js
Line: 83
(Reporter)

Comment 5

5 years ago
I guess this bug can be closed then, right?

Updated

5 years ago
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → WORKSFORME