Closed Bug 837075 Opened 11 years ago Closed 11 years ago

crash in nsDocShell::GetAllowMixedContentAndConnectionData @ nsINode::NodePrincipal

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Version:
21 Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla21
Tracking Flags:
Tracking Status
firefox20 --- unaffected
firefox21 + verified

People

(Reporter: scoobidiver, Assigned: tanvi)

References

Details

(Keywords: crash, regression, topcrash)

Crash Data

Attachments

(1 file, 3 obsolete files)

Check if rootDoc exists before checking if the page is https and if the user has allowed mixed content v4
3.55 KB, patch
tanvi
: review+
Details | Diff | Splinter Review 
It first showed up in 21.0a1/20130131. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=677e87c11252&tochange=20bbf73921f4
It's likely a regression from bug 822367.

Signature 	nsINode::NodePrincipal() More Reports Search
UUID	accd880e-bb9e-4a01-869b-5b00c2130201
Date Processed	2013-02-01 10:44:54
Uptime	4
Last Crash	42 seconds before submission
Install Age	18.4 hours since version was first installed.
Install Time	2013-01-31 16:19:21
Product	Firefox
Version	21.0a1
Build ID	20130131031009
Release Channel	nightly
OS	Windows NT
OS Version	5.1.2600 Service Pack 3
Build Architecture	x86
Build Architecture Info	GenuineIntel family 6 model 23 stepping 6
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0xc
App Notes 	
AdapterVendorID: 0x10de, AdapterDeviceID: 0x0e22, AdapterSubsysID: 00000000, AdapterDriverVersion: 6.14.13.681
D3D10 Layers? D3D10 Layers- 
Processor Notes 	sp-processor08.phx1.mozilla.com_14844:2008
EMCheckCompatibility	False
Adapter Vendor ID	0x10de
Adapter Device ID	0x0e22
Total Virtual Memory	2147352576
Available Virtual Memory	1925124096
System Memory Use Percentage	36
Available Page File	4249829376
Available Physical Memory	2123603968

Frame 	Module 	Signature 	Source
0 	xul.dll 	nsINode::NodePrincipal 	obj-firefox/dist/include/nsINode.h:744
1 	xul.dll 	nsDocShell::GetAllowMixedContentAndConnectionData 	docshell/base/nsDocShell.cpp:5389
2 	xul.dll 	nsHTMLDocument::Open 	content/html/document/src/nsHTMLDocument.cpp:1629
3 	xul.dll 	nsHTMLDocument::Open 	content/html/document/src/nsHTMLDocument.cpp:1410
4 	xul.dll 	nsHTMLDocument::WriteCommon 	content/html/document/src/nsHTMLDocument.cpp:1890
5 	xul.dll 	nsHTMLDocument::WriteCommon 	content/html/document/src/nsHTMLDocument.cpp:1824
6 	xul.dll 	mozilla::dom::HTMLDocumentBinding::write 	obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:648
7 	xul.dll 	mozilla::dom::HTMLDocumentBinding::genericMethod 	obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:1536
8 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:390
9 	mozjs.dll 	js::Invoke 	js/src/jsinterp.cpp:437
10 	mozjs.dll 	js::CrossCompartmentWrapper::call 	js/src/jswrapper.cpp:631
11 	mozjs.dll 	proxy_Call 	js/src/jsproxy.cpp:3015
12 	mozjs.dll 	js::InvokeKernel 	js/src/jsinterp.cpp:383
13 	mozjs.dll 	js::Interpret 	js/src/jsinterp.cpp:2376
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsINode%3A%3ANodePrincipal%28%29
The relevant code is:

5386   nsCOMPtr<nsIDocument> rootDoc = do_GetInterface(sameTypeRoot);
5387   NS_ASSERTION(rootDoc, "No root document from document shell root tree item.");
5388 
5389   nsCOMPtr<nsIPrincipal> rootPrincipal = rootDoc->NodePrincipal();
5390   NS_ASSERTION(rootPrincipal, "No root principal from root document");

and the crash is on line 5389 with a null-deref.  Presumably either sameTypeRoot is ending up null or the do_GetInterface is returning null...
Assignee: nobody → tanvi
tracking-firefox21: --- → ?
This is occurring after a document.open().  Trying to reproduce.
Keywords: needURLs
This should fix the crash, but I think we still need a test case to show
1) this patch actually fixes the issue
2) what types of situations are there were we don't have a rootDoc but have a document.open().  I tried some of the developer tools, but haven't had any luck so far.
Attachment #709209 - Flags: review?(bugs)
Comment on attachment 709209 [details] [diff] [review]
Check if rootDoc exists before checking if the page is https and if the user has allowed mixed content

(nsCOMPtr<nsIDocShell> rootDocShell = do_GetInterface(sameTypeRoot); should use
QueryInterface, not GetInterface. Both should work in this case, but QI is a bit faster)

I wonder if the crash happens when we're about to destroy the sameTypeRoot
(mIsBeingDestroyed == true), yet some script is executing document.write for a
subdocument.

I think we should change the default for aRootHasSecureConnection.
Make it true, and if principal is chrome or uri is null or non-https, then change it to false.
Attachment #709209 - Flags: review?(bugs) → review-
QA Contact: virgil.dicu
(In reply to Olli Pettay [:smaug] from comment #4)
> Comment on attachment 709209 [details] [diff] [review]
> Check if rootDoc exists before checking if the page is https and if the user
> has allowed mixed content
> 
> (nsCOMPtr<nsIDocShell> rootDocShell = do_GetInterface(sameTypeRoot); should
> use
> QueryInterface, not GetInterface. Both should work in this case, but QI is a
> bit faster)
> 
Are you sure?  Both nsCOMPtr<nsIDocument> rootDoc(do_QueryInterface(sameTypeRoot)); and nsCOMPtr<nsIDocument> rootDoc = do_QueryInterface(sameTypeRoot); give me a null rootdoc.  Am I missing something?

> I wonder if the crash happens when we're about to destroy the sameTypeRoot
> (mIsBeingDestroyed == true), yet some script is executing document.write for
> a
> subdocument.
> 

This is a windows only crash.  Going to see if I can borrow a windows laptop from Desktop today, but so far I have had no luck reproducing this on Mac, and dveditz had no luck reproducing it on Windows with some test cases I wrote for this bug.

> I think we should change the default for aRootHasSecureConnection.
> Make it true, and if principal is chrome or uri is null or non-https, then
> change it to false.

I did this.
Attachment #709209 - Attachment is obsolete: true
Attachment #709928 - Flags: review?(bugs)
> Both nsCOMPtr<nsIDocument>

Olli was talking about nsIDocShell, not nsIDocument....
(In reply to Boris Zbarsky (:bz) from comment #6)
> > Both nsCOMPtr<nsIDocument>
> 
> Olli was talking about nsIDocShell, not nsIDocument....

Thanks BZ.  Here is an updated patch.
Attachment #709983 - Flags: review?(bugs)
It's #10 top browser crasher over the last three days.
Keywords: topcrash
Attachment #709928 - Attachment is obsolete: true
Attachment #709928 - Flags: review?(bugs)
Got a Windows machine from IT with Windows 7 on it and I am still not able to reproduce the crash.

Version 6.1 Build 7600

Virgil, do you have some time to help and see if you can reproduce this crash?
I tried all the urls I could find from the crash-stats and tried session restore (since many reports have a short uptime).  No luck.  I will wait for Olli's review comments.
Comment on attachment 709983 [details] [diff] [review]
Check if rootDoc exists before checking if the page is https and if the user has allowed mixed content v3


>+  if (rootDoc) {
>+    nsCOMPtr<nsIPrincipal> rootPrincipal = rootDoc->NodePrincipal();
>+    NS_ASSERTION(rootPrincipal, "No root principal from root document");
You could drop this assertion. NodePrincipal() doesn't start with Get* and in general
such methods in DOM code can't fail.


>+    // For things with system principal (e.g. scratchpad) there is no uri
>+    // aRootHasSecureConnection should be false.
>+    if (nsContentUtils::IsSystemPrincipal(rootPrincipal)) {
>+      *aRootHasSecureConnection = false;
>+    } else {
>+      nsCOMPtr<nsIURI> rootUri;
>+      rootPrincipal->GetURI(getter_AddRefs(rootUri));
>+      NS_ASSERTION(rootUri, "No root uri from root principal");
>+      nsresult rv = rootUri->SchemeIs("https", aRootHasSecureConnection);
>+      NS_ENSURE_SUCCESS(rv, rv);
Could you make this 
nsCOMPtr<nsIURI> rootUri;
if (nsContentUtils::IsSystemPrincipal(rootPrincipal) ||
    NS_FAILED(rootPrincipal->GetURI(getter_AddRefs(rootUri))) || !rootURI ||
    NS_FAILED(rootUri->SchemeIs("https", aRootHasSecureConnection))) {
  *aRootHasSecureConnection = false;
}
Attachment #709983 - Flags: review?(bugs) → review+
Blocks: 834836
Addressed Olli's review comments.  Carrying over r+.

Here is a push to try:https://tbpl.mozilla.org/?tree=Try&rev=a8694f84f167

Will land after I get the results.
Attachment #710455 - Flags: review+
(In reply to Tanvi Vyas [:tanvi] from comment #9)
> Virgil, do you have some time to help and see if you can reproduce this
> crash?

Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20130205 Firefox/21.0

Tried on Windows 7, but couldn't reproduce unfortunately - there's not much data at the moment to try and reproduce. Turned the prefs on/off, navigated to random mixed content sites, remember password/log out/on (e.g. quality.mozilla.org), installed security related add-ons. Session restore, several browser restarts, disabled/enabled protection through doorhanger.
Attachment #709983 - Attachment is obsolete: true
https://hg.mozilla.org/mozilla-central/rev/1a489ff14285
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox21: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
Keywords: needURLs
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: