firefox segfaults on first-time page access
sergeev917 opened this issue
Alexander Sergeyev commented
"Your tab just crashed" with umatrix enabled on the first time accessing a specific page.
Steps to reproduce:
- install firefox 58.0.1
- make sure no prior profile data is present (move or delete ~/.mozilla)
- open the browser, navigate to about:config and set the following prefs:
privacy.sanitize.sanitizeOnShutdown = true
privacy.sanitize.timeSpan = 0
- navigate to about:addons; install umatrix extension (1.3.2)
- click preferences on umatrix addon and load the following ruleset:
https-strict: behind-the-scene false
matrix-off: about-scheme true
matrix-off: behind-the-scene true
matrix-off: chrome-extension-scheme true
matrix-off: chrome-scheme true
matrix-off: moz-extension-scheme true
matrix-off: opera-scheme true
matrix-off: wyciwyg-scheme true
noscript-spoof: * true
referrer-spoof: * true
referrer-spoof: behind-the-scene false
* * * block
* * css allow
* * frame block
* * image allow
* 1st-party * allow
* 1st-party frame allow
felixcloutier.com 1st-party * inherit
www.felixcloutier.com 1st-party frame inherit
- commit the ruleset
- navigate to http://www.felixcloutier.com/x86/CPUID.xml
- observe "Gah. Your tab just crashed"
Note that the crash happens only the first time you open the page. Since sanitize settings are enabled, the behaviour is still reproducible after the browser restart.
The stacktrace from firefox process crash follows (essentially caused by a null pointer):
#0 0x0000704240b234ee in RefPtr<mozilla::dom::NodeInfo>::get (this=0x20) at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/ff/dist/include/mozilla/RefPtr.h:287
#1 0x0000704240b23438 in RefPtr<mozilla::dom::NodeInfo>::operator-> (this=0x20) at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/ff/dist/include/mozilla/RefPtr.h:319
#2 0x0000704240b20996 in nsINode::OwnerDoc (this=0x0) at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/ff/dist/include/nsINode.h:529
#3 0x0000704243b932d4 in URIUtils::ResetWithSource (aNewDoc=0x70422f2eb000, aSourceNode=0x0) at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/dom/xslt/base/txURIUtils.cpp:48
#4 0x0000704243bcd7e0 in txMozillaXSLTProcessor::notifyError (this=0x70422f270390) at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:1122
#5 0x0000704243bcaa6e in txMozillaXSLTProcessor::SetSourceContentModel (this=0x70422f270390, aDocument=0x70422f37a000, aSource=...)
at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:384
#6 0x0000704243b87e7f in nsXMLContentSink::DidBuildModel (this=0x70422fc7f000, aTerminated=false) at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/dom/xml/nsXMLContentSink.cpp:297
#7 0x0000704241a49833 in nsParser::DidBuildModel (this=0x70422f3b7b00, anErrorCode=nsresult::NS_OK) at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/parser/htmlparser/nsParser.cpp:491
#8 0x0000704241a4abea in nsParser::ResumeParse (this=0x70422f3b7b00, allowIteration=true, aIsFinalChunk=true, aCanInterrupt=true)
at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/parser/htmlparser/nsParser.cpp:1101
#9 0x0000704241a4b9ae in nsParser::OnStopRequest (this=0x70422f3b7b00, request=0x70422f366068, aContext=0x0, status=nsresult::NS_OK)
at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/parser/htmlparser/nsParser.cpp:1475
#10 0x00007042419ebc93 in nsDocumentOpenInfo::OnStopRequest (this=0x70422f324e20, request=0x70422f366068, aCtxt=0x0, aStatus=nsresult::NS_OK)
at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/uriloader/base/nsURILoader.cpp:357
#11 0x0000704240f17ff8 in mozilla::net::HttpChannelChild::DoOnStopRequest (this=0x70422f366000, aRequest=0x70422f366068, aChannelStatus=nsresult::NS_OK, aContext=0x0)
at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/netwerk/protocol/http/HttpChannelChild.cpp:1236
#12 0x0000704240f179b2 in mozilla::net::HttpChannelChild::OnStopRequest (this=0x70422f366000, channelStatus=@0x70422f5ef720: nsresult::NS_OK, timing=...)
at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/netwerk/protocol/http/HttpChannelChild.cpp:1116
#13 0x0000704240f173d5 in mozilla::net::StopRequestEvent::Run (this=0x70422f5ef710) at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/netwerk/protocol/http/HttpChannelChild.cpp:1004
#14 0x000070424100f5b3 in mozilla::net::ChannelEventQueue::FlushQueue (this=0x70422f31b600) at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/netwerk/ipc/ChannelEventQueue.cpp:93
#15 0x0000704240e8e6a7 in mozilla::net::ChannelEventQueue::MaybeFlushQueue (this=0x70422f31b600)
at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/ff/dist/include/mozilla/net/ChannelEventQueue.h:324
#16 0x000070424100f2cb in mozilla::net::ChannelEventQueue::CompleteResume (this=0x70422f31b600) at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/netwerk/ipc/ChannelEventQueue.h:306
#17 0x000070424100f7cc in mozilla::net::ChannelEventQueue::CompleteResumeRunnable::Run (this=0x70422f2a6430)
at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/netwerk/ipc/ChannelEventQueue.cpp:160
#18 0x0000704240a95958 in mozilla::SchedulerGroup::Runnable::Run (this=0x70422e214300) at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/xpcom/threads/SchedulerGroup.cpp:396
#19 0x0000704240ab2166 in nsThread::ProcessNextEvent (this=0x704250a268e0, aMayWait=true, aResult=0x7fffd97258d7) at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/xpcom/threads/nsThread.cpp:1037
#20 0x0000704240ac706e in NS_ProcessNextEvent (aThread=0x704250a268e0, aMayWait=true) at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/xpcom/threads/nsThreadUtils.cpp:513
#21 0x0000704241127866 in mozilla::ipc::MessagePump::Run (this=0x704250aa12e0, aDelegate=0x7fffd9725bf0) at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/ipc/glue/MessagePump.cpp:125
#22 0x0000704241127ed2 in mozilla::ipc::MessagePumpForChildProcess::Run (this=0x704250aa12e0, aDelegate=0x7fffd9725bf0)
at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/ipc/glue/MessagePump.cpp:301
#23 0x00007042410cc254 in MessageLoop::RunInternal (this=0x7fffd9725bf0) at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/ipc/chromium/src/base/message_loop.cc:326
#24 0x00007042410cc220 in MessageLoop::RunHandler (this=0x7fffd9725bf0) at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/ipc/chromium/src/base/message_loop.cc:319
#25 0x00007042410cc1e4 in MessageLoop::Run (this=0x7fffd9725bf0) at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/ipc/chromium/src/base/message_loop.cc:299
#26 0x0000704243da378f in nsBaseAppShell::Run (this=0x704234e1bca0) at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/widget/nsBaseAppShell.cpp:159
#27 0x000070424586e42a in XRE_RunAppShell () at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/toolkit/xre/nsEmbedFunctions.cpp:877
#28 0x0000704241127e53 in mozilla::ipc::MessagePumpForChildProcess::Run (this=0x704250aa12e0, aDelegate=0x7fffd9725bf0)
at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/ipc/glue/MessagePump.cpp:269
#29 0x00007042410cc254 in MessageLoop::RunInternal (this=0x7fffd9725bf0) at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/ipc/chromium/src/base/message_loop.cc:326
#30 0x00007042410cc220 in MessageLoop::RunHandler (this=0x7fffd9725bf0) at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/ipc/chromium/src/base/message_loop.cc:319
#31 0x00007042410cc1e4 in MessageLoop::Run (this=0x7fffd9725bf0) at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/ipc/chromium/src/base/message_loop.cc:299
#32 0x000070424586e2be in XRE_InitChildProcess (aArgc=19, aArgv=0x7fffd9725f78, aChildData=0x7fffd9725e33) at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/toolkit/xre/nsEmbedFunctions.cpp:703
#33 0x000070424586ecea in mozilla::BootstrapImpl::XRE_InitChildProcess (this=0x704250a29630, argc=20, argv=0x7fffd9725f78, aChildData=0x7fffd9725e33)
at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/toolkit/xre/Bootstrap.cpp:69
#34 0x00005df1849ed7c4 in content_process_main (bootstrap=0x704250a29630, argc=20, argv=0x7fffd9725f78)
at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/browser/app/../../ipc/contentproc/plugin-container.cpp:63
#35 0x00005df1849ede1c in main (argc=21, argv=0x7fffd9725f78, envp=0x7fffd9726028) at /var/tmp/portage/www-client/firefox-58.0.1/work/firefox-58.0.1/browser/app/nsBrowserApp.cpp:280
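One way to read the null dereference out of a gdb backtrace like the one above mechanically, as an added example that is not part of the original issue: it walks frames outward from the crash site, collects pointer values below an assumed one-page threshold, and names the first caller whose own pointers are all valid. The sample is constructed from frames #0 to #4 and #9 of the trace with source paths shortened; `NEAR_NULL`, `parse_frames` and `null_chain` are names assumed for this example.

```python
import re

# Constructed sample: frames #0-#4 and #9 of the trace above, paths shortened.
SAMPLE = """\
#0 0x0000704240b234ee in RefPtr<mozilla::dom::NodeInfo>::get (this=0x20) at RefPtr.h:287
#1 0x0000704240b23438 in RefPtr<mozilla::dom::NodeInfo>::operator-> (this=0x20) at RefPtr.h:319
#2 0x0000704240b20996 in nsINode::OwnerDoc (this=0x0) at nsINode.h:529
#3 0x0000704243b932d4 in URIUtils::ResetWithSource (aNewDoc=0x70422f2eb000, aSourceNode=0x0) at txURIUtils.cpp:48
#4 0x0000704243bcd7e0 in txMozillaXSLTProcessor::notifyError (this=0x70422f270390) at txMozillaXSLTProcessor.cpp:1122
#9 0x0000704241a4b9ae in nsParser::OnStopRequest (this=0x70422f3b7b00, request=0x70422f366068, aContext=0x0, status=nsresult::NS_OK) at nsParser.cpp:1475
"""

# "#N 0xADDR in function (args) at file:line"; the " at ..." part may be wrapped.
FRAME = re.compile(r"^#(\d+)\s+0x[0-9a-f]+ in (.+?) \((.*?)\)(?: at |$)", re.M)
ARG = re.compile(r"(\w+)=(0x[0-9a-f]+)")
NEAR_NULL = 0x1000  # assumption: below one page means null plus a field offset


def parse_frames(text):
    """Return one dict per frame with its hex-valued (pointer) arguments."""
    frames = []
    for num, func, args in FRAME.findall(text):
        ptrs = {name: int(val, 16) for name, val in ARG.findall(args)}
        frames.append({"frame": int(num), "func": func, "ptrs": ptrs})
    return frames


def null_chain(text):
    """Follow near-null pointers from frame #0 outward.

    Returns (chain, supplier): the contiguous frames carrying a near-null
    pointer, and the function that called the last of them. Null arguments
    in unrelated outer frames (aContext=0x0 in #9) are deliberately ignored.
    """
    frames = parse_frames(text)
    chain = []
    for f in frames:
        bad = {n: v for n, v in f["ptrs"].items() if v < NEAR_NULL}
        if not bad:
            break
        chain.append((f["frame"], f["func"], bad))
    supplier = frames[len(chain)]["func"] if chain and len(chain) < len(frames) else None
    return chain, supplier


if __name__ == "__main__":
    chain, supplier = null_chain(SAMPLE)
    for num, func, bad in chain:
        print(f"#{num} {func}: " + ", ".join(f"{n}={v:#x}" for n, v in bad.items()))
    print("null pointer supplied by:", supplier)
```

On this sample the chain ends at `URIUtils::ResetWithSource` with `aSourceNode=0x0`, and the supplying caller is `txMozillaXSLTProcessor::notifyError`; the `this=0x20` in frames #0 and #1 is the same null pointer plus a member offset.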
Raymond Hill commented
Report such browser crashes to Firefox devs. uMatrix is HTML/CSS/JS, it's not supposed to crash.