927256 - HTTPS Everywhere and Pure URL add-ons crash in nsExternalResourceMap::AddExternalResource(nsIURI*, nsIContentViewer*, nsILoadGroup*, nsIDocument*)

Status: RESOLVED WORKSFORME

(Core :: Networking, defect, P3)

Description

[Chris Peterson [:cpeterson]]

This bug was filed from the Socorro interface and is 
report bp-63b20c71-fefe-4292-9c18-018472131016.
=============================================================

This crash is 100% reproducible in Nightly 27 build 2013-10-15 when loading the Australis design specs page:

https://people.mozilla.org/~shorlander/files/australis-designSpecs/australis-designSpecs-windows7-mainWindow.html

Comment 1

[Chris Peterson [:cpeterson]]

To reproduce this bug you must install the HTTPS Everywhere addon. I am using HTTPS Everywhere version 3.4.2.

https://www.eff.org/https-everywhere

* If you uncheck "Mozilla" from HTTPS Everywhere's site list, then this page no longer crashes Firefox.

This crash is not a regression in Firefox, though it could be a bug in HTTPS Everywhere. I can reproduce this crash all the way back to Firefox 17 ESR.

Comment 2

[Steven Michaud [:smichaud] (Retired)]

These also happen on Windows and Linux:

https://crash-stats.mozilla.com/report/list?signature=nsExternalResourceMap%3A%3AAddExternalResource%28nsIURI%2A%2C+nsIContentViewer%2A%2C+nsILoadGroup%2A%2C+nsIDocument%2A%29&product=Firefox&query_type=contains&range_unit=weeks&process_type=any&hang_type=any&date=2013-10-16+16%3A00%3A00&range_value=4#reports

Comment 3

[Chris Peterson [:cpeterson]]

This Australis page, too:
https://people.mozilla.org/~shorlander/mockups-interactive/australis-interactive-mockups/windows8.html

Comment 4

[marco_pal]

Someone contacted the EFF team or filed a bug with them?

Comment 5

[Chris Peterson [:cpeterson]]

I did not file a bug with the EFF's HTTPS Everywhere bug tracker [1] because I assumed this was a Firefox bug because a JS addon should not crash the browser.

[1] https://trac.torproject.org/projects/tor/report/19

Comment 7

[VEG]

There is I've provided a short JS code that easily crashes Firefox in the same function: https://bugzilla.mozilla.org/show_bug.cgi?id=1150617

Comment 9

[Benjamin Smedberg]

Precise STR for this bug are in bug 1150617, and the cause is that the addon is changing channel.URI.path from http-on-modify-request.

I think that this is probably wrong: if you want to modify the request it's probably right to instead use nsIHttpChannel.redirectTo. But also, this indicates that the HTTP channel is opened with a mutable nsIURL object, which is bad.

Can we make it so that opening a channel makes its URLs immutable? (Aside, I don't understand why we still have mutable URL objects at all. Can we stop that?).

Comment 10

[BugBot [:suhaib / :marco/ :calixte]]

Crash volume for signature 'nsExternalResourceMap::AddExternalResource':
 - nightly (version 50): 2 crashes from 2016-06-06.
 - aurora  (version 49): 3 crashes from 2016-06-07.
 - beta    (version 48): 40 crashes from 2016-06-06.
 - release (version 47): 201 crashes from 2016-05-31.
 - esr     (version 45): 36 crashes from 2016-04-07.

Crash volume on the last weeks:
             Week N-1   Week N-2   Week N-3   Week N-4   Week N-5   Week N-6   Week N-7
 - nightly          0          1          0          0          1          0          0
 - aurora           0          1          0          2          0          0          0
 - beta             9          5          8          4          6          1          0
 - release         23         16         23         34         36         39         18
 - esr              3          1          0          5          2         18          0

Affected platforms: Windows, Mac OS X, Linux

Comment 11

[Firefox Bug Husbandry Bot]

Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258

Comment 12

[Firefox Bug Husbandry Bot]

Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258

Comment 13

[BugBot [:suhaib / :marco/ :calixte]]

Closing because no crashes reported for 12 weeks.