Assertion failure: aDocShell, at dom/base/Location.cpp:57

RESOLVED FIXED in Firefox 57

Status

()

P3
normal
RESOLVED FIXED
2 years ago
a year ago

People

(Reporter: bc, Assigned: freesamael)

Tracking

(Blocks: 1 bug, {assertion})

55 Branch
mozilla57
assertion
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox-esr52 wontfix, firefox55 wontfix, firefox56 wontfix, firefox57 fixed)

Details

(Whiteboard: [fuzzblocker], URL)

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
1. http://www.yad2.co.il/Nadlan/ViewImage.php?CatID=2&SubCatID=5&RecordID=1625606

2. Assertion failure: aDocShell, at /mozilla/builds/nightly/mozilla/dom/base/Location.cpp:57

Assertion failure: aDocShell, at /home/worker/workspace/build/src/dom/base/Location.cpp:57
#01: nsGlobalWindow::GetLocation [mfbt/RefPtr.h:53]
#02: mozilla::dom::WindowBinding::get_location [obj-firefox/dom/bindings/WindowBinding.cpp:1352]
#03: mozilla::dom::WindowBinding::genericCrossOriginGetter [obj-firefox/dom/bindings/WindowBinding.cpp:15834]
Priority: -- → P3
We are seeing this a lot while fuzzing
Whiteboard: [fuzzblocker]
That would indicate the outer nsGlobalWindow::mDocShell was nullptr, which should imply it was after nsDocShell::Destroy(). So... script can still be run after docshell destroyed?
Sure. Just have an iframe, take reference to iframe.contentWindow.location in the parent window, then remove iframe and try to use location.
Or take reference to iframe.contentWindow, remove iframe, and then try to access contentWindow.location.
Looks like a wrong assertion, but need to check that Location can handle null docshell.
Comment hidden (mozreview-request)
(In reply to Olli Pettay [:smaug] from comment #3)
> need to check that Location can handle null docshell.

Location is using a nsWeakPtr to hold docshell, and I checked that all references to it has nullptr check on docshell and/or the queryInterface'd webNav:

http://searchfox.org/mozilla-central/search?q=symbol:F_%3CT_mozilla%3A%3Adom%3A%3ALocation%3E_4&redirect=false
Assignee: nobody → sawang

Comment 6

a year ago
mozreview-review
Comment on attachment 8901731 [details]
Bug 1368327 - Do not assert aDocShell in Location, since it's actually possible to be nullptr.

https://reviewboard.mozilla.org/r/173162/#review178506
Attachment #8901731 - Flags: review?(bugs) → review+
Keywords: checkin-needed

Comment 7

a year ago
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/294dae9f3f01
Do not assert aDocShell in Location, since it's actually possible to be nullptr. r=smaug
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/294dae9f3f01
Status: NEW → RESOLVED
Last Resolved: a year ago
status-firefox57: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
Doubtful there's a user impact here that justifies backport consideration. Feel free to set the status for 56 back to affected and nominate for approval if you feel otherwise, though.
status-firefox55: --- → wontfix
status-firefox56: --- → wontfix
status-firefox-esr52: --- → wontfix
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.