Closed
Bug 836811
Opened 12 years ago
Closed 12 years ago
crash in nsMixedContentBlocker::ShouldLoad
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
FIXED
mozilla21
| Tracking | Status | |
|---|---|---|
| firefox20 | --- | unaffected |
| firefox21 | + | fixed |
People
(Reporter: scoobidiver, Assigned: tanvi)
References
Details
(Keywords: crash, regression, topcrash, Whiteboard: [startupcrash] [leave open])
Crash Data
Attachments
(1 file)
|
2.01 KB,
patch
|
smaug
:
review+
|
Details | Diff | Splinter Review |
It first showed up in 21.0a1/20130131. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=677e87c11252&tochange=20bbf73921f4
It's likely a regression caused by bug 822367.
Signature nsMixedContentBlocker::ShouldLoad(unsigned int, nsIURI*, nsIURI*, nsISupports*, nsACString_internal const&, nsISupports*, nsIPrincipal*, short*) More Reports Search
UUID 22c7ed11-0a57-40ca-a90b-1db2a2130131
Date Processed 2013-01-31 16:28:02
Uptime 8
Last Crash 16 seconds before submission
Install Age 28.5 minutes since version was first installed.
Install Time 2013-01-31 15:59:29
Product Firefox
Version 21.0a1
Build ID 20130131031009
Release Channel nightly
OS Windows NT
OS Version 6.1.7600
Build Architecture x86
Build Architecture Info GenuineIntel family 6 model 37 stepping 5
Crash Reason EXCEPTION_ACCESS_VIOLATION_READ
Crash Address 0x0
App Notes
AdapterVendorID: 0x8086, AdapterDeviceID: 0x0046, AdapterSubsysID: 392017aa, AdapterDriverVersion: 8.15.10.2104
D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers+
Processor Notes sp-processor09.phx1.mozilla.com_15932:2008
EMCheckCompatibility True
Adapter Vendor ID 0x8086
Adapter Device ID 0x0046
Total Virtual Memory 2147352576
Available Virtual Memory 1727983616
System Memory Use Percentage 43
Available Page File 4653727744
Available Physical Memory 1732050944
Frame Module Signature Source
0 xul.dll nsMixedContentBlocker::ShouldLoad content/base/src/nsMixedContentBlocker.cpp:370
1 xul.dll nsContentPolicy::CheckPolicy content/base/src/nsContentPolicy.cpp:127
2 xul.dll nsContentPolicy::ShouldLoad content/base/src/nsContentPolicy.cpp:190
3 xul.dll NS_CheckContentLoadPolicy obj-firefox/dist/include/nsContentPolicyUtils.h:212
4 xul.dll nsContentUtils::CanLoadImage content/base/src/nsContentUtils.cpp:2643
5 xul.dll nsImageLoadingContent::LoadImage content/base/src/nsImageLoadingContent.cpp:691
6 xul.dll nsImageLoadingContent::LoadImage content/base/src/nsImageLoadingContent.cpp:627
7 xul.dll mozilla::dom::HTMLImageElement::SetAttr content/html/content/src/HTMLImageElement.cpp:385
8 xul.dll mozilla::dom::Element::SetAttribute content/base/src/Element.cpp:748
9 xul.dll mozilla::dom::ElementBinding::setAttribute obj-firefox/dom/bindings/ElementBinding.cpp:240
10 xul.dll mozilla::dom::ElementBinding::genericMethod obj-firefox/dom/bindings/ElementBinding.cpp:1991
11 mozjs.dll js::InvokeKernel js/src/jsinterp.cpp:390
12 mozjs.dll js::Interpret js/src/jsinterp.cpp:2376
13 mozjs.dll js::types::TypeSet::addType js/src/jsinferinlines.h:1469
14 mozjs.dll js::types::TypeScript::SetThis js/src/jsinferinlines.h:1043
...
More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsMixedContentBlocker%3A%3AShouldLoad%28unsigned+int%2C+nsIURI*%2C+nsIURI*%2C+nsISupports*%2C+nsACString_internal+const%26%2C+nsISupports*%2C+nsIPrincipal*%2C+short*%29
|
||
Comment 1•12 years ago
|
||
tvyas@120347
367 nsCOMPtr<nsISecureBrowserUI> SecurityUI;
tvyas@120347
368 rootShell->GetSecurityUI(getter_AddRefs(SecurityUI));
tvyas@120347
369 NS_ASSERTION(SecurityUI, "No SecurityUI from the root docShell.");
tvyas@120347
370 nsresult stateRV = SecurityUI->GetState(&State);
Crash is on that last line, with a null-deref. I bet that assertion fails too.
Which makes sense: there is zero requirement to have a security ui on the root. I mean... what if the window here is page info or something?
|
|
||
Updated•12 years ago
|
tracking-firefox21:
--- → ?
|
Assignee | |
Comment 2•12 years ago
|
||
(In reply to Boris Zbarsky (:bz) from comment #1)
> tvyas@120347
> 367 nsCOMPtr<nsISecureBrowserUI> SecurityUI;
> tvyas@120347
> 368 rootShell->GetSecurityUI(getter_AddRefs(SecurityUI));
> tvyas@120347
> 369 NS_ASSERTION(SecurityUI, "No SecurityUI from the root docShell.");
> tvyas@120347
> 370 nsresult stateRV = SecurityUI->GetState(&State);
>
> Crash is on that last line, with a null-deref. I bet that assertion fails
> too.
>
> Which makes sense: there is zero requirement to have a security ui on the
> root. I mean... what if the window here is page info or something?
I am looking into this.
|
|
Assignee | |
Comment 3•12 years ago
|
||
Trying to write a test case that reproduces the crash. Interestingly, the urls where the crashes occurred are all http pages, which means that they should never have gotten to line 370 of nsMixedContentBlocker.cpp (unless they had https iframes). So there might be something missing in the logic that detects if the parent is https.
The crash seems to occur after an image src is created through javascript and a image load is attempted.
|
|
Assignee | |
Comment 4•12 years ago
|
||
Some basic tests that try creating a image and setting the source attribute in javascript. These tests don't crash the browser:
http://people.mozilla.com/~tvyas/crashtest.html
http://people.mozilla.com/~tvyas/crashtest2.html
https://people.mozilla.com/~tvyas/crashtest.html
https://people.mozilla.com/~tvyas/crashtest2.html
|
||
Comment 5•12 years ago
|
||
Perhaps this need to be fixed without any concrete url for testing. Need to just go through the
code and see why we end up to the unexpected situation.
|
|
Assignee | |
Comment 6•12 years ago
|
||
Smaug was able to reproduce with a xul:iframe:
http://www.pastebin.mozilla.org/2102149
Attachment #708857 -
Flags: review?(bugs)
|
|
||
Comment 7•12 years ago
|
||
Comment on attachment 708857 [details] [diff] [review]
Return if there is no Security UI v1
We need a test for this, but let's get this landed asap.
And we may want to think other approaches later.
Attachment #708857 -
Flags: review?(bugs) → review+
|
|
Assignee | |
Comment 8•12 years ago
|
||
* Waiting for inbound to open to push to inbound.
* Also a limited push to try: https://tbpl.mozilla.org/?tree=Try&rev=1f7eb3373978
* Plus adding leave open to the whiteboard for the testcase that needs to be done for this.
Whiteboard: [startupcrash] → [startupcrash] [leave open]
|
|
Assignee | |
Updated•12 years ago
|
Keywords: checkin-needed
|
|
Assignee | |
Comment 9•12 years ago
|
||
Pushed to inbound: http://hg.mozilla.org/integration/mozilla-inbound/rev/91befa7c2488
|
|
||
Comment 10•12 years ago
|
||
Whit a profile where Facebook Social API was previously enabled, I updated Nightly to Latest.
Hit Restart to upgrade and then at first use of Latest, while sidebar was loading, this crash appeared.
Reproduced every time Facebook sidebar was loading. Not reproducible for a clean profile because I could not turn on Messenger fo Firefox, not even from about:config.
[@ nsMixedContentBlocker::ShouldLoad(unsigned int, nsIURI*, nsIURI*, nsISupports*, nsACString_internal const&, nsISupports*, nsIPrincipal*, short*) ]
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:19.0) Gecko/20100101 Firefox/19.0
Build ID: 20130130080006
|
|
||
Comment 11•12 years ago
|
||
Sorry for the User Agent from previous comment, it's from Firefox 19.0 beta 4.
This is the correct one from Latest Nightly.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:21.0) Gecko/20130131 Firefox/21.0
Build ID: 20130131031009
|
||
Updated•12 years ago
|
Keywords: checkin-needed
|
|
||
Comment 12•12 years ago
|
||
|
||
Updated•12 years ago
|
|
|
Reporter | |
Comment 13•12 years ago
|
||
Crashes have stopped since 21.0a1/20130202.
|
|
||
Comment 14•12 years ago
|
||
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:21.0) Gecko/20130203 Firefox/21.0
Fixes the problem here as well with my old profile.
1. Open a profile with facebook social activated and password remembered
2. Wait for the sidebar to load.
Doesn't crash with the latest Nightly.
|
|
||
Updated•12 years ago
|
Assignee: nobody → tanvi
|
|
||
Comment 15•12 years ago
|
||
It looks like URLs are no longer needed, but here's the top few:
15 https://www.facebook.com/?ref=tn_tnmn
14 about:sessionrestore
7 http://www.facebook.com/
6 about:blank
In the ones with lower volume of hits, there's pretty much a mix of http and https.
Keywords: needURLs
|
|
Reporter | |
Comment 16•12 years ago
|
||
What about the testcase to close this bug?
Flags: needinfo?(tanvi)
|
|
Reporter | |
Updated•12 years ago
|
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
|
|
Assignee | |
Comment 17•12 years ago
|
||
Pastebin test case to reproduce this is now gone. The code landed a long time ago without a test and the bug is closed. Removing the needinfo flag. If anyone feels we still need a test for this, please file another bug.
Flags: needinfo?(tanvi)
|
||
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•