Open Bug 1380146 Opened 3 years ago Updated 2 years ago

Assertion failure: question > 0 [@/home/worker/workspace/build/src/dom/security/SRIMetadata.cpp:54]

Categories: Core :: DOM: Security (defect, P3)

Tracking Status:
firefox-esr52 --- wontfix
firefox56 --- wontfix
firefox57 --- wontfix
firefox58 --- wontfix
firefox59 --- ?

People: Reporter: jkratzer, Unassigned

References: Blocks 1 open bug

Details: Keywords: assertion, testcase; Whiteboard: [domsecurity-backlog1]

Attachments: 1 file

Attached file trigger.html
Testcase found while fuzzing mozilla-central rev 20170710-91c943f73737.

Assertion failure: question > 0, at /home/worker/workspace/build/src/dom/security/SRIMetadata.cpp:54

ASAN:DEADLYSIGNAL
=================================================================
==32708==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f88d54cf25f bp 0x7ffc94e46eb0 sp 0x7ffc94e46d80 T0)
==32708==The signal is caused by a WRITE memory access.
==32708==Hint: address points to the zero page.
    #0 0x7f88d54cf25e in mozilla::dom::SRIMetadata::SRIMetadata(nsACString const&) /home/worker/workspace/build/src/dom/security/SRIMetadata.cpp:54:5
    #1 0x7f88d54ca720 in mozilla::dom::SRICheck::IntegrityMetadata(nsAString const&, nsACString const&, nsIConsoleReportCollector*, mozilla::dom::SRIMetadata*) /home/worker/workspace/build/src/dom/security/SRICheck.cpp:127:17
    #2 0x7f88d5d7f057 in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /home/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1266:11
    #3 0x7f88d5d7e143 in mozilla::dom::ScriptElement::MaybeProcessScript() /home/worker/workspace/build/src/dom/script/ScriptElement.cpp:149:18
    #4 0x7f88d5d7dc20 in non-virtual thunk to mozilla::dom::ScriptElement::AttributeChanged(nsIDocument*, mozilla::dom::Element*, int, nsIAtom*, int, nsAttrValue const*) /home/worker/workspace/build/src/dom/script/ScriptElement.cpp:89:16
    #5 0x7f88d3048867 in nsNodeUtils::AttributeChanged(mozilla::dom::Element*, int, nsIAtom*, int, nsAttrValue const*) /home/worker/workspace/build/src/dom/base/nsNodeUtils.cpp:145:3
    #6 0x7f88d2dc035c in mozilla::dom::Element::SetAttrAndNotify(int, nsIAtom*, nsIAtom*, nsAttrValue const*, nsAttrValue&, unsigned char, bool, bool, bool, nsIDocument*, mozAutoDocUpdate const&) /home/worker/workspace/build/src/dom/base/Element.cpp:2632:5
    #7 0x7f88d2dbf899 in mozilla::dom::Element::SetAttr(int, nsIAtom*, nsIAtom*, nsAString const&, bool) /home/worker/workspace/build/src/dom/base/Element.cpp:2468:10
    #8 0x7f88d4c0d27e in mozilla::dom::HTMLScriptElement::SetSrc(nsAString const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/html/HTMLScriptElement.cpp:174:8
    #9 0x7f88d45778a6 in mozilla::dom::HTMLScriptElementBinding::set_src(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLScriptElement*, JSJitSetterCallArgs) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLScriptElementBinding.cpp:50:9
    #10 0x7f88d46b1d9c in mozilla::dom::GenericBindingSetter(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2996:8
    #11 0x7f88d95ac021 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #12 0x7f88d95abb3d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470:16
    #13 0x7f88d95aca65 in InternalCall(JSContext*, js::AnyInvokeArgs const&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:515:12
    #14 0x7f88d95acc7c in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534:10
    #15 0x7f88d95ae173 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:663:12
(In reply to Jason Kratzer [:jkratzer] from comment #0)
> Created attachment 8885445 [details]
> trigger.html
> 
> Testcase found while fuzzing mozilla-central rev 20170710-91c943f73737.
> 
> Assertion failure: question > 0, at
> /home/worker/workspace/build/src/dom/security/SRIMetadata.cpp:54

I guess if the '?' is at index 0, then the assertion
> MOZ_ASSERT(question > 0);
still fires.

Francois, wanna update?
Flags: needinfo?(francois)
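The edge case raised above (a '?' at index 0 of an integrity token), as an added example that is not Firefox's SRIMetadata code and not part of this bug: a strict parser for SRI integrity tokens of the form <algorithm>-<base64digest>[?options] that treats the malformed token as rejectable input rather than an assertion, and keeps parsing the remaining tokens of the attribute. The token layout follows the Subresource Integrity spec; the names SriToken, ParseSriToken and ParseIntegrityAttribute are assumed here.

```cpp
// Added example, not Firefox's SRIMetadata code: a strict parser for SRI
// integrity tokens "<algorithm>-<base64digest>[?options]" that treats a '?'
// at index 0 (the case from comment 1) as malformed input, not an assertion.
#include <set>
#include <string>
#include <string_view>
#include <vector>

struct SriToken {
    std::string algorithm;   // e.g. "sha256"
    std::string digest;      // base64 text exactly as written in the attribute
    std::string options;     // text after the first '?', empty if none
};

// Returns true and fills `out` only for a well-formed token with a supported
// algorithm; every other input yields false instead of a crash.
bool ParseSriToken(std::string_view token, SriToken& out) {
    static const std::set<std::string> kSupported{"sha256", "sha384", "sha512"};
    const size_t question = token.find('?');
    if (question == 0) return false;            // "?opts": empty hash-expression
    std::string_view hashExpr = token.substr(0, question);
    std::string_view options = question == std::string_view::npos
                                   ? std::string_view{} : token.substr(question + 1);
    const size_t dash = hashExpr.find('-');
    if (dash == std::string_view::npos || dash == 0 || dash + 1 == hashExpr.size())
        return false;                           // missing algorithm or digest
    std::string algorithm(hashExpr.substr(0, dash));
    if (!kSupported.count(algorithm)) return false;   // unknown algorithm: ignored per spec
    out = SriToken{algorithm, std::string(hashExpr.substr(dash + 1)), std::string(options)};
    return true;
}

// Splits a whole integrity attribute on ASCII whitespace and keeps only the
// tokens ParseSriToken accepts, so one malformed token cannot abort the rest.
std::vector<SriToken> ParseIntegrityAttribute(std::string_view attr) {
    static constexpr std::string_view kWs = " \t\n\r\f";
    std::vector<SriToken> result;
    size_t pos = 0;
    while ((pos = attr.find_first_not_of(kWs, pos)) != std::string_view::npos) {
        size_t end = attr.find_first_of(kWs, pos);
        if (end == std::string_view::npos) end = attr.size();
        SriToken tok;
        if (ParseSriToken(attr.substr(pos, end - pos), tok)) result.push_back(tok);
        pos = end;
    }
    return result;
}
```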
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Flags: needinfo?(francois)
Assertion goes back more than a year, which is the furthest back mozregression can bisect debug builds.
Has Regression Range: --- → no