Closed
Bug 343850
Opened 19 years ago
Closed 19 years ago
Crash [@ nsHTMLSharedObjectElement::StartObjectLoad] [@ nsObjectLoadingContent::LoadObject]
Categories
(Core Graveyard :: Plug-ins, defect)
Core Graveyard
Plug-ins
Tracking
(Not tracked)
RESOLVED
FIXED
mozilla1.9alpha1
People
(Reporter: jruderman, Assigned: bzbarsky)
References
Details
(Keywords: crash, testcase, Whiteboard: [sg:critical] post-1.8 regression?)
Crash Data
Attachments
(5 files, 1 obsolete file)
|
423 bytes,
application/xhtml+xml
|
Details | |
|
11.30 KB,
text/plain
|
Details | |
|
9.94 KB,
text/plain
|
Details | |
|
10.28 KB,
patch
|
Biesinger
:
review-
|
Details | Diff | Splinter Review |
|
6.43 KB,
patch
|
darin.moz
:
review+
jst
:
superreview+
|
Details | Diff | Splinter Review |
Loading the testcase makes Firefox crash. Based on some stack traces having random addresses on top, this is [sg:critical].
|
Reporter | |
Comment 1•19 years ago
|
||
|
|
Reporter | |
Updated•19 years ago
|
Flags: blocking1.9a1?
Whiteboard: [sg:critical]
|
|
Reporter | |
Comment 2•19 years ago
|
||
This is why I said this is [sg:critical]. The testcase I attached is simpler and usually makes it look like a null deref.
|
||
Comment 3•19 years ago
|
||
Wow, first time I've ever tripped WinXP's Data Execution Protection from one of these memory corruption crashes. I was beginning to think DEP didn't work :-)
If you're getting different crashes maybe the "related testcase" should be attached as well? Getting stopped by DEP is plenty evidence that *this* testcase is exploitable, I just worry maybe there's a second bug hiding in your other testcase.
Didn't crash in Bon Echo, is this a 1.9-only regression?
Whiteboard: [sg:critical] → [sg:critical] post-1.8 regression?
|
||
Comment 4•19 years ago
|
||
|
|
||
Comment 5•19 years ago
|
||
We save a raw pointer to the channel here:
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/content/base/src/nsObjectLoadingContent.cpp&rev=1.33&root=/cvsroot&mark=977#926
This doesn't work well with nsJSChannel:
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/dom/src/jsurl/nsJSProtocolHandler.cpp&rev=1.128&root=/cvsroot&mark=534,546,598#529
which only temporarily is part of the load group, but later "delegates" the
request to its |mStreamChannel|. The problem with this is that there is no
strong ref on the nsJSChannel object itself so when |chan| goes out of
scope in nsObjectLoadingContent::LoadObject it is destroyed and |mChannel|
is a stray pointer.
OS: Mac OS X 10.4 → All
Hardware: Macintosh → All
|
|
||
Comment 6•19 years ago
|
||
I don't know this code very well, but this fixes the crash.
Instead of saving |mChannel| in LoadObject() we do it in
OnStartRequest() where the |aRequest| is the |mStreamChannel|
that nsJSChannel delegated the request to.
|
|
||
Comment 7•19 years ago
|
||
Get rid of 'mChannel', this should make the code more robust I think.
Attachment #228488 -
Attachment is obsolete: true
Attachment #228601 -
Flags: review?(cbiesinger)
|
||
Comment 8•19 years ago
|
||
I really don't like this fix... what's wrong with the existing code?
|
Assignee | |
Comment 10•19 years ago
|
||
Yeah, this is a bug in the channel impl, as I understand the channel API. There should be an OnChannelRedirect notification sent here or something...
That said, nsIChannel doesn't explicitly say that the channel itself is passed to the On*Request methods of the nsIStreamListener, does it? It probably should.
|
|
||
Comment 11•19 years ago
|
||
nsJSChannel does lots of things to violate the nsIChannel API, like calling nsILoadGroup::RemoveRequest from AsyncOpen :-(
|
|
Assignee | |
Comment 12•19 years ago
|
||
Right. I'm saying we should fix those. And document more clearly that these _are_ violations of the API.
|
|
||
Comment 13•19 years ago
|
||
> Right. I'm saying we should fix those. And document more clearly that these
> _are_ violations of the API.
I tried once, and it caused loads of regressions. The problem is that javascript: evaluation can cause nsDocShell::LoadURI to be called, and evaluation has to happen during AsyncOpen for some reason. There's really not much hope of implementing a sane nsJSChannel IMO :-/ It almost seems like javascript: shouldn't be implemented as a nsIChannel.
|
|
Assignee | |
Comment 14•19 years ago
|
||
Evaluation "has" to happen during AsyncOpen because script expects setting something's URI to javascript: to synchronously run the script. :(
If we can make it not be an nsIChannel, that would be great, but the problem is that it can return data that should then be loaded....
All that said, maybe we can make this suck a little less in a slightly less painful way. Lemme give it a shot.
|
|
Assignee | |
Comment 15•19 years ago
|
||
Better document the requirements on nsIChannel and make nsJSChannel closer to those by having it be the listener for the stream channel. The one issue I see here is mention of the unfrozen nsIChannelEventSink interface in nsIChannel. I'm really not sure how to document the expected behavior without that, though. :(
Attachment #229388 -
Flags: review?(darin)
|
|
||
Comment 16•19 years ago
|
||
Comment on attachment 228601 [details] [diff] [review]
Patch rev. 2
I'll mark this r- for now because I don't think this is the way to go.
Attachment #228601 -
Flags: review?(cbiesinger) → review-
|
||
Comment 17•19 years ago
|
||
I don't crash on the testcase with a recent 1.8.0.5 build nor with a recent 1.8.1 build.
|
|
||
Comment 18•19 years ago
|
||
Comment on attachment 229388 [details] [diff] [review]
Attempted fix to nsJSChannel
"If the notification callbacks do not provide an nsIChannelEventSink" ... you should probably also mention the nsILoadGroup's notification callbacks to be clear.
This patch makes sense to me. r=darin
Attachment #229388 -
Flags: review?(darin) → review+
|
|
Assignee | |
Updated•19 years ago
|
Attachment #229388 -
Flags: superreview?(jst)
|
||
Comment 19•19 years ago
|
||
Comment on attachment 229388 [details] [diff] [review]
Attempted fix to nsJSChannel
sr=jst
Attachment #229388 -
Flags: superreview?(jst) → superreview+
|
|
Assignee | |
Comment 20•19 years ago
|
||
Changed that paragraph to:
* If the channel's and loadgroup's notification callbacks do not provide
* an nsIChannelEventSink when onChannelRedirect would be called, that's
* equivalent to having called onChannelRedirect.
and fixed on trunk.
Assignee: nobody → bzbarsky
Target Milestone: --- → mozilla1.9alpha
|
|
Assignee | |
Updated•19 years ago
|
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
|
|
||
Comment 21•19 years ago
|
||
sorry for commenting late, but:
+ // Make sure to drop our ref to mListener
+ nsCOMPtr<nsIStreamListener> listener;
+ listener.swap(mListener);
+
+ NS_ENSURE_TRUE(aRequest == mStreamChannel, NS_ERROR_UNEXPECTED);
shouldn't the NS_ENSURE_TRUE be above the listener swapping?
|
|
Assignee | |
Comment 22•19 years ago
|
||
No, that's where the "Make sure to drop our ref to mListener" thing comes in... Though we probably _should_ null-check |listener| before calling things on it. I'll check in that change.
|
|
Assignee | |
Comment 23•19 years ago
|
||
Actually, I guess if we want this to work in the face of someone maliciously calling random methods on the nsJSChannel while it's loading we do need to change the order...
|
|
Assignee | |
Comment 24•19 years ago
|
||
Made the order change.
|
|
||
Updated•18 years ago
|
Group: security
Flags: wanted1.8.1.x-
Flags: wanted1.8.0.x-
Flags: blocking1.9a1?
|
||
Updated•14 years ago
|
Crash Signature: [@ nsHTMLSharedObjectElement::StartObjectLoad]
[@ nsObjectLoadingContent::LoadObject]
|
||
Updated•3 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•