crash in nsDocShell::GetAllowMixedContentAndConnectionData @ nsINode::NodePrincipal

VERIFIED FIXED in Firefox 21

Status

()

Core
DOM
--
critical
VERIFIED FIXED
5 years ago
5 years ago

People

(Reporter: Scoobidiver (away), Assigned: tanvi)

Tracking

({crash, regression, topcrash})

21 Branch
mozilla21
x86
Windows XP
crash, regression, topcrash
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox20 unaffected, firefox21+ verified)

Details

(crash signature)

Attachments

(1 attachment, 3 obsolete attachments)

(Reporter)

Description

5 years ago
It first showed up in 21.0a1/20130131. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=677e87c11252&tochange=20bbf73921f4
It's likely a regression from bug 822367.

Signature 	nsINode::NodePrincipal() More Reports Search
UUID	accd880e-bb9e-4a01-869b-5b00c2130201
Date Processed	2013-02-01 10:44:54
Uptime	4
Last Crash	42 seconds before submission
Install Age	18.4 hours since version was first installed.
Install Time	2013-01-31 16:19:21
Product	Firefox
Version	21.0a1
Build ID	20130131031009
Release Channel	nightly
OS	Windows NT
OS Version	5.1.2600 Service Pack 3
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 23 stepping 6
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0xc
App Notes 	
AdapterVendorID: 0x10de, AdapterDeviceID: 0x0e22, AdapterSubsysID: 00000000, AdapterDriverVersion: 6.14.13.681
D3D10 Layers? D3D10 Layers- 
Processor Notes 	sp-processor08.phx1.mozilla.com_14844:2008
EMCheckCompatibility	False
Adapter Vendor ID	0x10de
Adapter Device ID	0x0e22
Total Virtual Memory	2147352576
Available Virtual Memory	1925124096
System Memory Use Percentage	36
Available Page File	4249829376
Available Physical Memory	2123603968

Frame 	Module 	Signature 	Source
0 	xul.dll 	nsINode::NodePrincipal 	obj-firefox/dist/include/nsINode.h:744
1 	xul.dll 	nsDocShell::GetAllowMixedContentAndConnectionData 	docshell/base/nsDocShell.cpp:5389
2 	xul.dll 	nsHTMLDocument::Open 	content/html/document/src/nsHTMLDocument.cpp:1629
3 	xul.dll 	nsHTMLDocument::Open 	content/html/document/src/nsHTMLDocument.cpp:1410
4 	xul.dll 	nsHTMLDocument::WriteCommon 	content/html/document/src/nsHTMLDocument.cpp:1890
5 	xul.dll 	nsHTMLDocument::WriteCommon 	content/html/document/src/nsHTMLDocument.cpp:1824
6 	xul.dll 	mozilla::dom::HTMLDocumentBinding::write 	obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:648
7 	xul.dll 	mozilla::dom::HTMLDocumentBinding::genericMethod 	obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:1536
8 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:390
9 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:437
10 	mozjs.dll 	js::CrossCompartmentWrapper::call 	js/src/jswrapper.cpp:631
11 	mozjs.dll 	proxy_Call 	js/src/jsproxy.cpp:3015
12 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:383
13 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2376
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsINode%3A%3ANodePrincipal%28%29
The relevant code is:

5386   nsCOMPtr<nsIDocument> rootDoc = do_GetInterface(sameTypeRoot);
5387   NS_ASSERTION(rootDoc, "No root document from document shell root tree item.");
5388 
5389   nsCOMPtr<nsIPrincipal> rootPrincipal = rootDoc->NodePrincipal();
5390   NS_ASSERTION(rootPrincipal, "No root principal from root document");

and the crash is on line 5389 with a null-deref.  Presumably either sameTypeRoot is ending up null or the do_GetInterface is returning null...
Assignee: nobody → tanvi
tracking-firefox21: --- → ?
(Assignee)

Comment 2

5 years ago
This is occurring after a document.open().  Trying to reproduce.
Keywords: needURLs
(Assignee)

Comment 3

5 years ago
Created attachment 709209 [details] [diff] [review]
Check if rootDoc exists before checking if the page is https and if the user has allowed mixed content

This should fix the crash, but I think we still need a test case to show
1) this patch actually fixes the issue
2) what types of situations are there were we don't have a rootDoc but have a document.open().  I tried some of the developer tools, but haven't had any luck so far.
Attachment #709209 - Flags: review?(bugs)

Updated

5 years ago
tracking-firefox21: ? → +
Comment on attachment 709209 [details] [diff] [review]
Check if rootDoc exists before checking if the page is https and if the user has allowed mixed content

(nsCOMPtr<nsIDocShell> rootDocShell = do_GetInterface(sameTypeRoot); should use
QueryInterface, not GetInterface. Both should work in this case, but QI is a bit faster)

I wonder if the crash happens when we're about to destroy the sameTypeRoot
(mIsBeingDestroyed == true), yet some script is executing document.write for a
subdocument.

I think we should change the default for aRootHasSecureConnection.
Make it true, and if principal is chrome or uri is null or non-https, then change it to false.
Attachment #709209 - Flags: review?(bugs) → review-
QA Contact: virgil.dicu
(Assignee)

Comment 5

5 years ago
Created attachment 709928 [details] [diff] [review]
Check if rootDoc exists before checking if the page is https and if the user has allowed mixed content v2

(In reply to Olli Pettay [:smaug] from comment #4)
> Comment on attachment 709209 [details] [diff] [review]
> Check if rootDoc exists before checking if the page is https and if the user
> has allowed mixed content
> 
> (nsCOMPtr<nsIDocShell> rootDocShell = do_GetInterface(sameTypeRoot); should
> use
> QueryInterface, not GetInterface. Both should work in this case, but QI is a
> bit faster)
> 
Are you sure?  Both nsCOMPtr<nsIDocument> rootDoc(do_QueryInterface(sameTypeRoot)); and nsCOMPtr<nsIDocument> rootDoc = do_QueryInterface(sameTypeRoot); give me a null rootdoc.  Am I missing something?

> I wonder if the crash happens when we're about to destroy the sameTypeRoot
> (mIsBeingDestroyed == true), yet some script is executing document.write for
> a
> subdocument.
> 

This is a windows only crash.  Going to see if I can borrow a windows laptop from Desktop today, but so far I have had no luck reproducing this on Mac, and dveditz had no luck reproducing it on Windows with some test cases I wrote for this bug.

> I think we should change the default for aRootHasSecureConnection.
> Make it true, and if principal is chrome or uri is null or non-https, then
> change it to false.

I did this.
Attachment #709209 - Attachment is obsolete: true
Attachment #709928 - Flags: review?(bugs)
> Both nsCOMPtr<nsIDocument>

Olli was talking about nsIDocShell, not nsIDocument....
(Assignee)

Comment 7

5 years ago
Created attachment 709983 [details] [diff] [review]
Check if rootDoc exists before checking if the page is https and if the user has allowed mixed content v3

(In reply to Boris Zbarsky (:bz) from comment #6)
> > Both nsCOMPtr<nsIDocument>
> 
> Olli was talking about nsIDocShell, not nsIDocument....

Thanks BZ.  Here is an updated patch.
Attachment #709983 - Flags: review?(bugs)
(Reporter)

Comment 8

5 years ago
It's #10 top browser crasher over the last three days.
Keywords: topcrash
(Assignee)

Updated

5 years ago
Attachment #709928 - Attachment is obsolete: true
Attachment #709928 - Flags: review?(bugs)
(Assignee)

Comment 9

5 years ago
Got a Windows machine from IT with Windows 7 on it and I am still not able to reproduce the crash.

Version 6.1 Build 7600

Virgil, do you have some time to help and see if you can reproduce this crash?
(Assignee)

Comment 10

5 years ago
I tried all the urls I could find from the crash-stats and tried session restore (since many reports have a short uptime).  No luck.  I will wait for Olli's review comments.
Comment on attachment 709983 [details] [diff] [review]
Check if rootDoc exists before checking if the page is https and if the user has allowed mixed content v3


>+  if (rootDoc) {
>+    nsCOMPtr<nsIPrincipal> rootPrincipal = rootDoc->NodePrincipal();
>+    NS_ASSERTION(rootPrincipal, "No root principal from root document");
You could drop this assertion. NodePrincipal() doesn't start with Get* and in general
such methods in DOM code can't fail.


>+    // For things with system principal (e.g. scratchpad) there is no uri
>+    // aRootHasSecureConnection should be false.
>+    if (nsContentUtils::IsSystemPrincipal(rootPrincipal)) {
>+      *aRootHasSecureConnection = false;
>+    } else {
>+      nsCOMPtr<nsIURI> rootUri;
>+      rootPrincipal->GetURI(getter_AddRefs(rootUri));
>+      NS_ASSERTION(rootUri, "No root uri from root principal");
>+      nsresult rv = rootUri->SchemeIs("https", aRootHasSecureConnection);
>+      NS_ENSURE_SUCCESS(rv, rv);
Could you make this 
nsCOMPtr<nsIURI> rootUri;
if (nsContentUtils::IsSystemPrincipal(rootPrincipal) ||
    NS_FAILED(rootPrincipal->GetURI(getter_AddRefs(rootUri))) || !rootURI ||
    NS_FAILED(rootUri->SchemeIs("https", aRootHasSecureConnection))) {
  *aRootHasSecureConnection = false;
}
Attachment #709983 - Flags: review?(bugs) → review+
(Assignee)

Updated

5 years ago
Blocks: 834836
(Assignee)

Comment 12

5 years ago
Created attachment 710455 [details] [diff] [review]
Check if rootDoc exists before checking if the page is https and if the user has allowed mixed content v4

Addressed Olli's review comments.  Carrying over r+.

Here is a push to try:https://tbpl.mozilla.org/?tree=Try&rev=a8694f84f167

Will land after I get the results.
Attachment #710455 - Flags: review+
(In reply to Tanvi Vyas [:tanvi] from comment #9)
> Virgil, do you have some time to help and see if you can reproduce this
> crash?

Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20130205 Firefox/21.0

Tried on Windows 7, but couldn't reproduce unfortunately - there's not much data at the moment to try and reproduce. Turned the prefs on/off, navigated to random mixed content sites, remember password/log out/on (e.g. quality.mozilla.org), installed security related add-ons. Session restore, several browser restarts, disabled/enabled protection through doorhanger.
(Assignee)

Updated

5 years ago
Attachment #709983 - Attachment is obsolete: true
(Assignee)

Comment 14

5 years ago
Pushed to inbound:
http://hg.mozilla.org/integration/mozilla-inbound/rev/1a489ff14285
https://hg.mozilla.org/mozilla-central/rev/1a489ff14285
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox21: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla21

Updated

5 years ago
Keywords: needURLs
https://crash-stats.mozilla.com/report/list?query_search=signature&query_type=contains&reason_type=contains&range_value=2&range_unit=weeks&hang_type=any&process_type=any&signature=nsINode%3A%3ANodePrincipal%28%29

No crashes with this signature in the last two weeks - since the patch landed. It's ok to call it verified.
Status: RESOLVED → VERIFIED
status-firefox21: fixed → verified
You need to log in before you can comment on or make changes to this bug.