Closed Bug 893537 Opened 11 years ago Closed 11 years ago

Crash when removing srcdoc attribute from iframe

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
Windows 8
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla25

People

(Reporter: jkitch, Assigned: jkitch)

References

Details

(Keywords: crash)

Attachments

(2 files, 1 obsolete file)

manual testcase
269 bytes, text/html
Details
fix + test
3.17 KB, patch
bzbarsky
: review+
Details | Diff | Splinter Review
Attached file manual testcase 
There appears to be a crash related to removing the srcdoc attribute from an iframe.

Steps to reproduce:

1. Compile/run a debug build of Nightly.
2. Load the attached testcase
3. Reload the page

Result
Null-deref crash in content/base/src/nsContentUtils:6111

>    if (aForceOwner) {
>      nsAutoCString uriStr;
>      aURI->GetSpec(uriStr);
>      if(!uriStr.EqualsLiteral("about:srcdoc")) {
>        nsCOMPtr<nsIURI> ownerURI;
>        nsresult rv = aLoadingPrincipal->GetURI(getter_AddRefs(ownerURI)); //offending line
>        MOZ_ASSERT(NS_SUCCEEDED(rv) && SchemeIs(ownerURI, NS_NULLPRINCIPAL_SCHEME));
>      }
>    }
Assignee: nobody → jkitch.bug
Keywords: crash
Blocks: 802895
Fwiw, I can't reproduce so far...
tracking-firefox25: --- → ?
Attached patch fix + test (obsolete) — Splinter Review 
I've identified the cause.  nsSHEntry instances are reused when the nsIWebNavigation::LOAD_FLAGS_REPLACE_HISTORY flag is set.  Before this patch, mIsSrcdocEntry wasn't touched by the Create() function, so the previous srcdoc status is inherited by the new entry, causing it to be wrongly flagged as a srcdoc entry.

Because the URI is correctly updated to the new URI, the exception to deal with srcdoc entries in nsContentUtils::SetUpChannelOwner() isn't triggered, resulting in the crash.

The attached patch resets mIsSrcdocEntry whenever the nsSHEntry instance is reused.

Regarding the original testcase: The testcase needs to be run from a local disk as https/the mixed content blocker appears to be affecting the outcome.   The browser must also be a debug build.  (It may also need Windows, I haven't tried other platforms).
Attachment #776312 - Flags: review?(bzbarsky)
Attached patch fix + testSplinter Review 
Removed some commented out, legacy test code.
Attachment #776312 - Attachment is obsolete: true
Attachment #776312 - Flags: review?(bzbarsky)
Attachment #776318 - Flags: review?(bzbarsky)
Comment on attachment 776318 [details] [diff] [review]
fix + test

r=me
Attachment #776318 - Flags: review?(bzbarsky) → review+
https://hg.mozilla.org/mozilla-central/rev/964be82efbf3
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: