Closed Bug 938297 Opened 12 years ago Closed 11 years ago

Crash reading history.state from removed iframe

Categories

(Core :: DOM: Navigation, defect)

x86_64
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla28

People

(Reporter: jruderman, Unassigned, NeedInfo)

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(3 files)

For reasons I don't understand, the testcase requires user_pref("security.fileuri.strict_origin_policy", false);
Attached file stack (gdb)
green.
Comment on attachment 831864: Stop using GetContextFromDocument in GetStateObject. v1
r=me
Attachment #831864 - Flags: review?(bzbarsky) → review+
Anyone know why security.fileuri.strict_origin_policy is required?
(In reply to Jesse Ruderman from comment #6)
> Anyone know why security.fileuri.strict_origin_policy is required?
I didn't look at the testcase in any detail. I just looked at the crash site.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Keywords: verifyme
I couldn't reproduce the crash on Nightly from 2013-11-13 on Mac OS X 10.8 (2 different machines) nor Mac OS X 10.9 with the user pref set to false. Am I missing something? Thanks in advance!
Flags: needinfo?(jruderman)
Alexandra, did you save the testcase locally and run it from a file:// URI?
Flags: needinfo?(alexandra.lucinet)
(In reply to Boris Zbarsky [:bz] from comment #11)
> Alexandra, did you save the testcase locally and run it from a file:// URI?
Already did that, maybe I've mistyped something. I'll look into it again tomorrow. Thanks.
Flags: needinfo?(alexandra.lucinet)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:28.0) Gecko/20100101 Firefox/28.0
I've managed to crash Nightly from 2013-11-13, but with a different signature: https://crash-stats.mozilla.com/report/index/26da1ece-7dd3-4c7c-ae52-20dea2140207 and reproducible every time.
On Firefox 28 beta 1 (Build ID:20140205162153) I get the following results:
- the iframe is visible without the pref from comment 1 set to false
- iframe not displayed with pref set to false; in the Console I get: "The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it."
Note: tried both locally saved testcase and the testcase's link pasted in url bar.
In Socorro, there are no crashes in the last month for:
- [@ js::IsInRequest]: http://goo.gl/W1Nc9A
- [@ JS_ReadStructuredClone(JSContext*, unsigned long long*, unsigned long, unsigned int, JS::MutableHandle<JS::Value>, JSStructuredCloneCallbacks const*, void*)]: http://goo.gl/7GVhto
For [@ nsStructuredCloneContainer::DeserializeToVariant] signature there are 3 Firefox 26 crashes: http://goo.gl/3cq9RN
Keywords: verifyme