crash in CreateNativeGlobalForInner starting on 2014-04-11

VERIFIED FIXED in Firefox 30

Status

()

defect
--
critical
VERIFIED FIXED
5 years ago
3 months ago

People

(Reporter: ashughes, Assigned: gkrizsanits)

Tracking

({crash, regression})

31 Branch
mozilla31
x86
Windows NT
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox30 verified, firefox31 verified)

Details

(crash signature)

Attachments

(3 attachments)

This bug was filed from the Socorro interface and is 
report bp-ff4242d5-e8f9-42f9-9b78-afbf22140411.
=============================================================
0 	xul.dll 	CreateNativeGlobalForInner 	dom/base/nsGlobalWindow.cpp
1 	xul.dll 	nsGlobalWindow::SetNewDocument(nsIDocument *,nsISupports *,bool) 	dom/base/nsGlobalWindow.cpp
2 	xul.dll 	nsDocumentViewer::InitInternal(nsIWidget *,nsISupports *,nsIntRect const &,bool,bool,bool) 	layout/base/nsDocumentViewer.cpp
3 	xul.dll 	nsDocumentViewer::Init(nsIWidget *,nsIntRect const &) 	layout/base/nsDocumentViewer.cpp
4 	xul.dll 	nsDocShell::SetupNewViewer(nsIContentViewer *) 	docshell/base/nsDocShell.cpp
5 	xul.dll 	nsDocShell::Embed(nsIContentViewer *,char const *,nsISupports *) 	docshell/base/nsDocShell.cpp
6 	xul.dll 	nsDocShell::CreateAboutBlankContentViewer(nsIPrincipal *,nsIURI *,bool) 	docshell/base/nsDocShell.cpp
7 	xul.dll 	nsDocShell::CreateAboutBlankContentViewer(nsIPrincipal *) 	docshell/base/nsDocShell.cpp
8 	xul.dll 	nsGlobalWindow::SetInitialPrincipalToSubject() 	dom/base/nsGlobalWindow.cpp
9 	xul.dll 	nsWindowWatcher::OpenWindowInternal(nsIDOMWindow *,char const *,char const *,char const *,bool,bool,bool,nsIArray *,nsIDOMWindow * *) 	embedding/components/windowwatcher/src/nsWindowWatcher.cpp
10 	xul.dll 	nsWindowWatcher::OpenWindow2(nsIDOMWindow *,char const *,char const *,char const *,bool,bool,bool,nsISupports *,nsIDOMWindow * *) 	embedding/components/windowwatcher/src/nsWindowWatcher.cpp
11 	xul.dll 	nsGlobalWindow::OpenInternal(nsAString_internal const &,nsAString_internal const &,nsAString_internal const &,bool,bool,bool,bool,bool,nsIArray *,nsISupports *,nsIPrincipal *,JSContext *,nsIDOMWindow * *) 	dom/base/nsGlobalWindow.cpp
12 	xul.dll 	nsGlobalWindow::OpenInternal(nsAString_internal const &,nsAString_internal const &,nsAString_internal const &,bool,bool,bool,bool,bool,nsIArray *,nsISupports *,nsIPrincipal *,JSContext *,nsIDOMWindow * *) 	dom/base/nsGlobalWindow.cpp
13 	xul.dll 	nsGlobalWindow::OpenJS(nsAString_internal const &,nsAString_internal const &,nsAString_internal const &,nsIDOMWindow * *) 	dom/base/nsGlobalWindow.cpp
14 	xul.dll 	NS_InvokeByIndex 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp
15 	xul.dll 	XPC_WN_CallMethod(JSContext *,unsigned int,JS::Value *) 	js/xpconnect/src/XPCWrappedNativeJSOps.cpp
16 	mozjs.dll 	js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
17 	mozjs.dll 	js::Invoke(JSContext *,JS::Value const &,JS::Value const &,unsigned int,JS::Value const *,JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
18 	mozjs.dll 	JS::Call(JSContext *,JS::Handle<JS::Value>,JS::Handle<JS::Value>,JS::HandleValueArray const &,JS::MutableHandle<JS::Value>) 	js/src/jsapi.cpp
19 	xul.dll 	xpc::SandboxCallableProxyHandler::call(JSContext *,JS::Handle<JSObject *>,JS::CallArgs const &) 	js/xpconnect/src/Sandbox.cpp
20 	mozjs.dll 	js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
21 	mozjs.dll 	Interpret 	js/src/vm/Interpreter.cpp
22 	mozjs.dll 	js::RunScript(JSContext *,js::RunState &) 	js/src/vm/Interpreter.cpp
23 	mozjs.dll 	js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
24 	mozjs.dll 	js_fun_apply(JSContext *,unsigned int,JS::Value *) 	js/src/jsfun.cpp
25 	mozjs.dll 	js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
26 	mozjs.dll 	js::Invoke(JSContext *,JS::Value const &,JS::Value const &,unsigned int,JS::Value const *,JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
27 	mozjs.dll 	js::jit::DoCallFallback 	js/src/jit/BaselineIC.cpp
28 		@0x2c2552f5 	
29 		@0x9ed7dc8 	
30 		@0x911bd4e 	
31 		@0x1b8b9fd8 	
32 		@0x2c2508f4 	
33 	mozjs.dll 	EnterBaseline 	js/src/jit/BaselineJIT.cpp
34 	mozjs.dll 	js::jit::EnterBaselineMethod(JSContext *,js::RunState &) 	js/src/jit/BaselineJIT.cpp
35 	mozjs.dll 	js::RunScript(JSContext *,js::RunState &) 	js/src/vm/Interpreter.cpp
36 	mozjs.dll 	js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
37 	mozjs.dll 	js::Invoke(JSContext *,JS::Value const &,JS::Value const &,unsigned int,JS::Value const *,JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
38 	mozjs.dll 	JS::Call(JSContext *,JS::Handle<JS::Value>,JS::Handle<JS::Value>,JS::HandleValueArray const &,JS::MutableHandle<JS::Value>) 	js/src/jsapi.cpp
39 	xul.dll 	mozilla::dom::EventListener::HandleEvent(JSContext *,JS::Handle<JS::Value>,mozilla::dom::Event &,mozilla::ErrorResult &) 	obj-firefox/dom/bindings/EventListenerBinding.cpp
40 	xul.dll 	mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget *>(mozilla::dom::EventTarget * const &,mozilla::dom::Event &,mozilla::ErrorResult &,mozilla::dom::CallbackObject::ExceptionHandling) 	obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h
41 	xul.dll 	mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener *,nsIDOMEvent *,mozilla::dom::EventTarget *) 	dom/events/EventListenerManager.cpp
42 	xul.dll 	mozilla::EventListenerManager::HandleEventInternal(nsPresContext *,mozilla::WidgetEvent *,nsIDOMEvent * *,mozilla::dom::EventTarget *,nsEventStatus *) 	dom/events/EventListenerManager.cpp
43 	xul.dll 	mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem> &,mozilla::EventChainPostVisitor &,mozilla::EventDispatchingCallback *,mozilla::ELMCreationDetector &) 	dom/events/EventDispatcher.cpp
44 	xul.dll 	mozilla::EventDispatcher::Dispatch(nsISupports *,nsPresContext *,mozilla::WidgetEvent *,nsIDOMEvent *,nsEventStatus *,mozilla::EventDispatchingCallback *,nsCOMArray<mozilla::dom::EventTarget> *) 	dom/events/EventDispatcher.cpp
45 	xul.dll 	PresShell::HandleEventInternal(mozilla::WidgetEvent *,nsEventStatus *) 	layout/base/nsPresShell.cpp
46 	xul.dll 	PresShell::HandleEventWithTarget(mozilla::WidgetEvent *,nsIFrame *,nsIContent *,nsEventStatus *) 	layout/base/nsPresShell.cpp
47 	xul.dll 	mozilla::EventStateManager::CheckForAndDispatchClick(nsPresContext *,mozilla::WidgetMouseEvent *,nsEventStatus *) 	dom/events/EventStateManager.cpp
48 	xul.dll 	mozilla::EventStateManager::PostHandleEvent(nsPresContext *,mozilla::WidgetEvent *,nsIFrame *,nsEventStatus *) 	dom/events/EventStateManager.cpp
49 	xul.dll 	PresShell::HandleEventInternal(mozilla::WidgetEvent *,nsEventStatus *) 	layout/base/nsPresShell.cpp
50 	xul.dll 	PresShell::HandlePositionedEvent(nsIFrame *,mozilla::WidgetGUIEvent *,nsEventStatus *) 	layout/base/nsPresShell.cpp
51 	xul.dll 	PresShell::HandleEvent(nsIFrame *,mozilla::WidgetGUIEvent *,bool,nsEventStatus *) 	layout/base/nsPresShell.cpp
52 	xul.dll 	nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent *,nsView *,nsEventStatus *) 	view/src/nsViewManager.cpp
53 	xul.dll 	nsView::HandleEvent(mozilla::WidgetGUIEvent *,bool) 	view/src/nsView.cpp
54 	xul.dll 	nsWindow::DispatchEvent(mozilla::WidgetGUIEvent *,nsEventStatus &) 	widget/windows/nsWindow.cpp
55 	xul.dll 	nsWindow::DispatchWindowEvent(mozilla::WidgetGUIEvent *) 	widget/windows/nsWindow.cpp
56 	xul.dll 	nsWindow::DispatchMouseEvent(unsigned int,unsigned int,long,bool,short,unsigned short) 	widget/windows/nsWindow.cpp
57 	xul.dll 	nsWindow::ProcessMessage(unsigned int,unsigned int &,long &,long *) 	widget/windows/nsWindow.cpp
58 	xul.dll 	nsWindow::WindowProcInternal(HWND__ *,unsigned int,unsigned int,long) 	widget/windows/nsWindow.cpp
59 	xul.dll 	CallWindowProcCrashProtected 	xpcom/base/nsCrashOnException.cpp
60 	xul.dll 	nsWindow::WindowProc(HWND__ *,unsigned int,unsigned int,long) 	widget/windows/nsWindow.cpp
61 	user32.dll 	user32.dll@0x7834 	
62 	user32.dll 	user32.dll@0x7a9a 	
63 	user32.dll 	user32.dll@0x988e 	
64 	user32.dll 	user32.dll@0x98f1 	
65 	xul.dll 	nsAppShell::ProcessNextNativeEvent(bool) 	widget/windows/nsAppShell.cpp
66 	xul.dll 	nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal *,bool,unsigned int) 	widget/xpwidgets/nsBaseAppShell.cpp
67 	xul.dll 	nsThread::ProcessNextEvent(bool,bool *) 	xpcom/threads/nsThread.cpp
68 	xul.dll 	NS_ProcessNextEvent(nsIThread *,bool) 	xpcom/glue/nsThreadUtils.cpp
69 	xul.dll 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate *) 	ipc/glue/MessagePump.cpp
70 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc
71 	xul.dll 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
72 	xul.dll 	nsBaseAppShell::Run() 	widget/xpwidgets/nsBaseAppShell.cpp
73 	xul.dll 	nsAppShell::Run() 	widget/windows/nsAppShell.cpp
74 	xul.dll 	nsAppStartup::Run() 	toolkit/components/startup/nsAppStartup.cpp
75 	xul.dll 	XREMain::XRE_mainRun() 	toolkit/xre/nsAppRunner.cpp
76 	xul.dll 	XREMain::XRE_main(int,char * * const,nsXREAppData const *) 	toolkit/xre/nsAppRunner.cpp
77 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp
78 	firefox.exe 	do_main 	browser/app/nsBrowserApp.cpp
79 	firefox.exe 	NS_internal_main(int,char * *) 	browser/app/nsBrowserApp.cpp
80 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp
81 	firefox.exe 	__tmainCRTStartup 	f:/dd/vctools/crt_bld/self_x86/crt/src/crtexe.c
82 	kernel32.dll 	kernel32.dll@0x1919f 	
83 	ntdll.dll 	ntdll.dll@0x4a8cb 	
84 	ntdll.dll 	ntdll.dll@0x4a8a1 	
=============================================================

More reports:
https://crash-stats.mozilla.com/report/list?signature=CreateNativeGlobalForInner

This is pretty low volume right now but it first showed up on 2014-04-11 so I'm calling this a regression. One comment mentions "Tweet right add-on fails with latest Nightly build; crashes browser immediately." Looking at the version history for this add-on, it hasn't been updated since June 2013 and only has a 618 users, so this may be a red herring.

https://addons.mozilla.org/en-US/firefox/addon/tweetright/

Pushlog:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=690c810c8e3e&tochange=d8c1b10c3a3d

Adding QAWANTED to see if we can reproduce this and get a narrower pushlog.
(In reply to Anthony Hughes, QA Mentor (:ashughes) from comment #0)
> Adding QAWANTED to see if we can reproduce this and get a narrower pushlog.

Paul, can you please work on this?
QA Contact: paul.silaghi
We're apparently hitting this assertion:

>2192   // DOMWindow with nsEP is not supported, we have to make sure
>2193   // no one creates one accidentally.
>2194   nsCOMPtr<nsIExpandedPrincipal> nsEP = do_QueryInterface(aPrincipal);
>2195   MOZ_RELEASE_ASSERT(!nsEP, "DOMWindow with nsEP is not supported");
Component: General → DOM

Comment 3

5 years ago
I crash with this signature every time I click on the "invite friends to passwordbox" link in the Passwordbox extension.
using nightly build
Assignee

Updated

5 years ago
Assignee: nobody → gkrizsanits
Assignee

Comment 4

5 years ago
I'm not sure why we want to create about:blank with anything else than nullprincipal... I guess the fix here would be to change http://mxr.mozilla.org/mozilla-central/source/dom/base/nsGlobalWindow.cpp#2028 to use null instead of the subject principal in case of expanded principals too. Does that sound the right thing to do?
Flags: needinfo?(bzbarsky)
Good work, Paul. It looks like this is caused by bug 821809.
Blocks: 821809
Flags: needinfo?(gijskruitbosch+bugs)
Sorry, :gijs, that was an erroneous needinfo.
Flags: needinfo?(gijskruitbosch+bugs)
> I'm not sure why we want to create about:blank with anything else than nullprincipal

Because if a web page has <iframe src="about:blank"> it then expects to be able to script that subframe.  Similarly, if a web page does |var win = window.open()| it then expects to be able to script |win|.

> Does that sound the right thing to do?

Yes.
Flags: needinfo?(bzbarsky)
We may want to add a new function on nsIPrincipal that returns true for system and expanded principals, since we now need this check in at least two places, right?
Flags: needinfo?(bobbyholley)
(In reply to Boris Zbarsky [:bz] from comment #10)
> We may want to add a new function on nsIPrincipal that returns true for
> system and expanded principals, since we now need this check in at least two
> places, right?

Yeah. nsContentUtils::IsSystemOrExpandedPrincipal(aPrin)?
Flags: needinfo?(bobbyholley)
Assignee

Comment 13

5 years ago
(In reply to Bobby Holley (:bholley) from comment #11)
> (In reply to Boris Zbarsky [:bz] from comment #10)
> > We may want to add a new function on nsIPrincipal that returns true for
> > system and expanded principals, since we now need this check in at least two
> > places, right?
> 
> Yeah. nsContentUtils::IsSystemOrExpandedPrincipal(aPrin)?

I would keep them separated (system/expanded). In fact I would prefer some kind of GetType function on nsIPrincipal so we can avoid having to QI all the time. We do nsEP check at more and more places, and sooner or later we might do it at some hot code too (and then we could avoid the QI at least in the common case). But for now I would go for nsContentUtils::IsExpandedPrincipal as we already have IsSystemPrincipal there.
Assignee

Comment 14

5 years ago
Attachment #8407549 - Flags: review?(bzbarsky)
Assignee

Updated

5 years ago
Attachment #8407549 - Attachment description: IsSystemOrExpandedPrincipal → part1: IsSystemOrExpandedPrincipal
Comment on attachment 8407549 [details] [diff] [review]
part1: IsSystemOrExpandedPrincipal

r=me
Attachment #8407549 - Flags: review?(bzbarsky) → review+
Assignee

Comment 16

5 years ago
This part is just an optional clean up...
Attachment #8407550 - Flags: review?(bzbarsky)
Assignee

Comment 17

5 years ago
Attachment #8407551 - Flags: review?(bzbarsky)
Comment on attachment 8407550 [details] [diff] [review]
part2: minor cleanup in docshell

r=me
Attachment #8407550 - Flags: review?(bzbarsky) → review+
Comment on attachment 8407551 [details] [diff] [review]
part3: nsEP check for window.open

>+        ok(false);

Needs a description.

>+        ok(/Permission denied/.exec(e.message));

Likewise.

Might be good to set the finishTest member before doing the open() call, so we're not depending on that being async.

r=me with those fixed.
Attachment #8407551 - Flags: review?(bzbarsky) → review+
Assignee

Comment 22

5 years ago
Comment on attachment 8407551 [details] [diff] [review]
part3: nsEP check for window.open

I would also like to uplift part1 and part2, those patches do not contain any functional change.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 821809
User impact if declined: Calling window.open from content-script of add-ons causes a crash.
Testing completed (on m-c, etc.): Just have pushed to inbound with a test
Risk to taking this patch (and alternatives if risky): I don't know about any, it's a simple patch.
String or IDL/UUID changes made by this patch: none
Attachment #8407551 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/13ddfc1637df
https://hg.mozilla.org/mozilla-central/rev/0f5ced1716d7
https://hg.mozilla.org/mozilla-central/rev/8cbd6019a24a
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla31
Duplicate of this bug: 997450
Attachment #8407551 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
(In reply to Paul Silaghi, QA [:pauly] from comment #5)
> STR:
> 1. Install https://addons.mozilla.org/en-US/firefox/addon/tweetright/
> 2. Right click on any text/Share on Twitter
Verified fixed 31.0a1 (2014-04-22), 30.0a2 (2014-04-22) Win 7 x64
Status: RESOLVED → VERIFIED
My add-on has stopped working in recent nightlies (between April 10 and 20).

My add-on does the following in a content script:

var win = open('');
win.document.body.innerHTML = '...';
and so on, to open a window with information about the current page.

This does not work anymore with this error message in the browser console:
Permission denied to access property 'document'

In the nightlies between when it worked and when it failed with this message, this code made Firefox crash with a reference to this bug.

Is my problem caused by this bug? What should I do to ensure my add-on continues to work?

(The reason why I open a blank page and then manipulate it via the DOM is that bug 792479 prevents me from opening a page that is part of my add-on)
Flags: needinfo?(gkrizsanits)
Assignee

Comment 28

5 years ago
Bobby, what do you think? This is a pretty annoying side effect of the fix...But don't really know what else could we do.

Jesper, you could use evalInWindow or unsafeWindow.eval for "open('')" as a workaround in the meanwhile. It is available in content-scripts without Components.utils.
Flags: needinfo?(gkrizsanits) → needinfo?(bobbyholley)
Hm. It seems like for document.open from chrome/nsEP, we shouldn't try to inherit the owner at all, and just keep using the principal of the page. Boris, does that make sense?
Flags: needinfo?(bobbyholley) → needinfo?(bzbarsky)
For document.open(), I agree.

But the steps in comment 27 don't involve document.open() right?  I mean, we could try inheriting the principal of the window that had open() called there...
Flags: needinfo?(bzbarsky)
(In reply to Boris Zbarsky [:bz] from comment #30)
> For document.open(), I agree.
> 
> But the steps in comment 27 don't involve document.open() right?

Oh, I totally misread that. My bad.

> I mean, we
> could try inheriting the principal of the window that had open() called
> there...

Right, that we be the analogue of my suggestion in this case.
Assignee

Comment 32

5 years ago
Let's take this to a new Bug 1006044. I will give it a try in the near future and we'll see how it works out.
(In reply to Gabor Krizsanits [:krizsa :gabor] from comment #28)
> Jesper, you could use evalInWindow or unsafeWindow.eval for "open('')" as a
> workaround in the meanwhile. It is available in content-scripts without
> Components.utils.

Thanks, I ended up with this to make it work (in both Firefox and Chrome):

var win = (window.unsafeWindow || window).open('');
win.document.body.innerHTML = '...';
Note that this will allow the web page to change your open() call do to whatever the heck it wants and return any window it wants....
(In reply to Jesper Kristensen from comment #33)
> (In reply to Gabor Krizsanits [:krizsa :gabor] from comment #28)
> > Jesper, you could use evalInWindow or unsafeWindow.eval for "open('')" as a
> > workaround in the meanwhile. It is available in content-scripts without
> > Components.utils.
> 
> Thanks, I ended up with this to make it work (in both Firefox and Chrome):
> 
> var win = (window.unsafeWindow || window).open('');
> win.document.body.innerHTML = '...';

I had to modify this. It turns out that unsafeWindow.open('') breaks event listeners in the new window. I fixed it using new XPCNativeWrapper(unsafeWindow.open('')) instead.
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.