Closed Bug 1450171 Opened 2 years ago Closed 2 years ago

Assertion failure: nsContentUtils::IsSafeToRunScript(), at src/dom/base/nsGlobalWindowInner.cpp:870

Categories

(Core :: DOM: Core & HTML, defect)

Version: 61 Branch
Type: defect
Priority: Not set

Tracking

Status: RESOLVED FIXED
Target Milestone: mozilla61
Tracking Status
firefox-esr52 --- unaffected
firefox59 --- unaffected
firefox60 --- wontfix
firefox61 --- fixed

People

(Reporter: tsmith, Assigned: mconley)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, sec-other, testcase, Whiteboard: [adv-main61-][post-critsmash-triage])

Attachments

(2 files)

Attached file testcase.html
This assertion looks bad, marking as s-s.

mozilla-central:
BuildID=20180329220707
SourceStamp=dcd10220d55aea46db212314c46d25a96a7be243

[4402, Main Thread] WARNING: Failed to retarget HTML data delivery to the parser thread.: file src/parser/html/nsHtml5StreamParser.cpp, line 998
++DOMWINDOW == 20 (0x619001139680) [pid = 4402] [serial = 20] [outer = 0x616000130e80]
[4402, Main Thread] ###!!! ASSERTION: This is unsafe: 'nsContentUtils::IsSafeToRunScript()', file src/layout/base/nsDocumentViewer.cpp, line 1191
[4402, Main Thread] ###!!! ASSERTION: This is unsafe! Fix the caller!: 'Error', file src/dom/events/EventDispatcher.cpp, line 757
Assertion failure: nsContentUtils::IsSafeToRunScript(), at src/dom/base/nsGlobalWindowInner.cpp:870

#0 PromiseDocumentFlushedResolver::Call() src/dom/base/nsGlobalWindowInner.cpp:874:16
#1 nsGlobalWindowInner::PromiseDocumentFlushed(mozilla::dom::PromiseDocumentFlushedCallback&, mozilla::ErrorResult&) src/dom/base/nsGlobalWindowInner.cpp:7568:20
#2 mozilla::dom::WindowBinding::promiseDocumentFlushed(JSContext*, JS::Handle<JSObject*>, nsGlobalWindowInner*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/WindowBinding.cpp:6796:45
#3 mozilla::dom::WindowBinding::promiseDocumentFlushed_promiseWrapper(JSContext*, JS::Handle<JSObject*>, nsGlobalWindowInner*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/WindowBinding.cpp:6810:13
#4 mozilla::dom::WindowBinding::genericPromiseReturningMethod(JSContext*, unsigned int, JS::Value*) src/obj-firefox/dom/bindings/WindowBinding.cpp:16167:13
#5 js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/vm/JSContext-inl.h:290:15
#6 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:467:16
#7 InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:516:12
#8 Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3084:18
#9 js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:417:12
#10 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:489:15
#11 InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:516:12
#12 Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3084:18
#13 js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:417:12
#14 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:489:15
#15 InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:516:12
#16 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:535:10
#17 JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2943:12
#18 nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:1257:23
#19 PrepareAndDispatch src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:120:28
#20 SharedStub (/home/user/workspace/browsers/m-c-1522361227-asan-debug/libxul.so+0x3910a6a)
#21 nsBrowserStatusFilter::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/toolkit/components/statusfilter/nsBrowserStatusFilter.cpp:184:27
#22 nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1315:3
#23 nsDocLoader::FireOnStateChange(nsIWebProgress*, nsIRequest*, int, nsresult) src/uriloader/base/nsDocLoader.cpp:1278:14
#24 nsDocLoader::doStartDocumentLoad() src/uriloader/base/nsDocLoader.cpp:773:3
#25 nsDocLoader::OnStartRequest(nsIRequest*, nsISupports*) src/uriloader/base/nsDocLoader.cpp:456:9
#26 non-virtual thunk to nsDocLoader::OnStartRequest(nsIRequest*, nsISupports*) src/uriloader/base/nsDocLoader.cpp
#27 mozilla::net::nsLoadGroup::AddRequest(nsIRequest*, nsISupports*) src/netwerk/base/nsLoadGroup.cpp:510:28
#28 nsBaseChannel::AsyncOpen(nsIStreamListener*, nsISupports*) src/netwerk/base/nsBaseChannel.cpp:736:17
#29 nsBaseChannel::AsyncOpen2(nsIStreamListener*) src/netwerk/base/nsBaseChannel.cpp:752:10
#30 nsURILoader::OpenURI(nsIChannel*, unsigned int, nsIInterfaceRequestor*) src/uriloader/base/nsURILoader.cpp:867:19
#31 nsDocShell::DoChannelLoad(nsIChannel*, nsIURILoader*, bool) src/docshell/base/nsDocShell.cpp:11270:20
#32 nsDocShell::DoURILoad(nsIURI*, nsIURI*, mozilla::Maybe<nsCOMPtr<nsIURI> > const&, bool, bool, bool, bool, nsIURI*, bool, unsigned int, nsIPrincipal*, nsIPrincipal*, char const*, nsTSubstring<char16_t> const&, nsIInputStream*, long, nsIInputStream*, bool, nsIDocShell**, nsIRequest**, bool, bool, bool, nsTSubstring<char16_t> const&, nsIURI*, unsigned int) src/docshell/base/nsDocShell.cpp:11052:8
#33 nsDocShell::InternalLoad(nsIURI*, nsIURI*, mozilla::Maybe<nsCOMPtr<nsIURI> > const&, bool, nsIURI*, unsigned int, nsIPrincipal*, nsIPrincipal*, unsigned int, nsTSubstring<char16_t> const&, char const*, nsTSubstring<char16_t> const&, nsIInputStream*, long, nsIInputStream*, unsigned int, nsISHEntry*, bool, nsTSubstring<char16_t> const&, nsIDocShell*, nsIURI*, nsIDocShell**, nsIRequest**) src/docshell/base/nsDocShell.cpp:10375:8
#34 nsDocShell::OnLinkClickSync(nsIContent*, nsIURI*, char16_t const*, nsTSubstring<char16_t> const&, nsIInputStream*, long, nsIInputStream*, bool, nsIDocShell**, nsIRequest**, nsIPrincipal*) src/docshell/base/nsDocShell.cpp:13743:17
#35 mozilla::dom::HTMLFormElement::SubmitSubmission(mozilla::dom::HTMLFormSubmission*) src/dom/html/HTMLFormElement.cpp:782:23
#36 mozilla::dom::HTMLFormElement::FlushPendingSubmission() src/dom/html/HTMLFormElement.cpp:1577:5
#37 mozilla::dom::HTMLFormElement::BeforeSetAttr(int, nsAtom*, nsAttrValueOrString const*, bool) src/dom/html/HTMLFormElement.cpp:186:9
#38 mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) src/dom/base/Element.cpp:2548:17
#39 mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, bool) src/obj-firefox/dist/include/mozilla/dom/Element.h:820:12
#40 mozilla::dom::Element::SetAttr(nsAtom*, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) src/obj-firefox/dist/include/mozilla/dom/Element.h:1577:14
#41 mozilla::dom::HTMLFormElementBinding::set_target(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLFormElement*, JSJitSetterCallArgs) src/obj-firefox/dom/bindings/HTMLFormElementBinding.cpp:664:9
#42 mozilla::dom::GenericBindingSetter(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:2993:8
#43 js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/vm/JSContext-inl.h:290:15
#44 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:467:16
#45 InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:516:12
#46 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:535:10
#47 js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) src/js/src/vm/Interpreter.cpp:664:12
#48 SetExistingProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) src/js/src/vm/NativeObject.cpp:2786:10
#49 bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) src/js/src/vm/NativeObject.cpp:2814:20
#50 js::SetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) src/js/src/vm/NativeObject.h:1657:12
#51 js::SetPropertyIgnoringNamedGetter(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyDescriptor>, JS::ObjectOpResult&) src/js/src/proxy/BaseProxyHandler.cpp:182:20
#52 mozilla::dom::DOMProxyHandler::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) const src/dom/bindings/DOMJSProxyHandler.cpp:221:10
#53 js::Proxy::setInternal(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) src/js/src/proxy/Proxy.cpp:403:21
#54 js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) src/js/src/proxy/Proxy.cpp:413:12
#55 JSObject::nonNativeSetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) src/js/src/vm/JSObject.cpp:1082:12
#56 js::SetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) src/js/src/vm/NativeObject.h:1656:16
#57 SetPropertyOperation(JSContext*, JSOp, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::Handle<JS::Value>) src/js/src/vm/Interpreter.cpp:264:12
#58 Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:2881:10
#59 js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:417:12
#60 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:489:15
#61 InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:516:12
#62 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:535:10
#63 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:3002:12
#64 mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
#65 void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JSCompartment*) src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
#66 mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) src/dom/events/JSEventHandler.cpp:215:12
#67 mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1090:51
#68 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) src/dom/events/EventListenerManager.cpp:1259:20
#69 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:347:17
#70 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:559:14
#71 mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:917:9
#72 nsGenericHTMLElement::Click(mozilla::dom::CallerType) src/dom/html/nsGenericHTMLElement.cpp:2458:3
#73 mozilla::dom::HTMLElementBinding::click(JSContext*, JS::Handle<JSObject*>, nsGenericHTMLElement*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/HTMLElementBinding.cpp:441:9
#74 mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3032:13
#75 js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/vm/JSContext-inl.h:290:15
#76 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:467:16
#77 InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:516:12
#78 Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3084:18
#79 js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:417:12
#80 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:489:15
#81 InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:516:12
#82 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:535:10
#83 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:3002:12
#84 mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventListenerBinding.cpp:47:8
#85 void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JSCompartment*) src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#86 mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1087:9
#87 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) src/dom/events/EventListenerManager.cpp:1259:20
#88 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:347:17
#89 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:559:14
#90 mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:917:9
#91 mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) src/dom/events/EventDispatcher.cpp:996:12
#92 nsINode::DispatchEvent(nsIDOMEvent*, bool*) src/dom/base/nsINode.cpp:1174:5
#93 mozilla::AsyncEventDispatcher::Run() src/dom/events/AsyncEventDispatcher.cpp:70:12
#94 nsContentUtils::RemoveScriptBlocker() src/dom/base/nsContentUtils.cpp:5653:15
#95 nsDocument::EndUpdate(unsigned int) src/dom/base/nsDocument.cpp:5086:3
#96 nsHTMLDocument::EndUpdate(unsigned int) src/dom/html/nsHTMLDocument.cpp:2121:15
#97 mozAutoDocUpdate::~mozAutoDocUpdate() src/dom/base/mozAutoDocUpdate.h:40:18
#98 mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) src/dom/base/Element.cpp:2564:1
#99 mozilla::dom::Element::SetAttr(int, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) src/obj-firefox/dist/include/mozilla/dom/Element.h:825:12
#100 mozilla::dom::Element::SetAttribute(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsIPrincipal*, mozilla::ErrorResult&) src/dom/base/Element.cpp:1318:14
#101 mozilla::dom::ElementBinding::setAttribute(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/ElementBinding.cpp:1197:9
#102 mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3032:13
#103 js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/vm/JSContext-inl.h:290:15
#104 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:467:16
#105 InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:516:12
#106 Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3084:18
#107 js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:417:12
#108 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:489:15
#109 InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:516:12
#110 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:535:10
#111 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:3002:12
#112 mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
#113 void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JSCompartment*) src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
#114 mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) src/dom/events/JSEventHandler.cpp:215:12
#115 mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1090:51
#116 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) src/dom/events/EventListenerManager.cpp:1259:20
#117 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:347:17
#118 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:527:16
#119 mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:917:9
#120 nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1066:7
#121 nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:7292:21
#122 nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:7085:7
#123 non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
#124 nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1315:3
#125 nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:858:14
#126 nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:747:9
#127 nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp:632:5
#128 non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp
#129 mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:629:28
#130 imgRequestProxy::RemoveFromLoadGroup() src/image/imgRequestProxy.cpp:446:15
#131 imgRequestProxy::OnLoadComplete(bool) src/image/imgRequestProxy.cpp:1131:7
#132 void mozilla::image::ImageObserverNotifier<mozilla::image::ObserverTable const*>::operator()<void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&)::{lambda(mozilla::image::IProgressObserver*)#7}>(void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&)::{lambda(mozilla::image::IProgressObserver*)#7}) src/image/ProgressTracker.cpp:295:9
#133 void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) src/image/ProgressTracker.cpp:369:5
#134 mozilla::image::ProgressTracker::SyncNotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&)::$_1::operator()(mozilla::image::ObserverTable const*) const src/image/ProgressTracker.cpp:390:5
#135 _ZNK7mozilla5image11CopyOnWriteINS0_13ObserverTableEE4ReadIZNS0_15ProgressTracker18SyncNotifyProgressEjRKNS_3gfx12IntRectTypedINS6_12UnknownUnitsEEEE3$_1EEDTclfp_scPKS2_LDnEEET_ src/image/CopyOnWrite.h:154:12
#136 mozilla::image::ProgressTracker::SyncNotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) src/image/ProgressTracker.cpp:389:14
#137 mozilla::image::RasterImage::NotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Maybe<unsigned int> const&, mozilla::image::DecoderFlags, mozilla::image::SurfaceFlags) src/image/RasterImage.cpp:1695:28
#138 mozilla::image::RasterImage::NotifyForLoadEvent(unsigned int) src/image/RasterImage.cpp:978:3
#139 mozilla::image::RasterImage::NotifyDecodeComplete(mozilla::image::DecoderFinalStatus const&, mozilla::image::ImageMetadata const&, mozilla::image::DecoderTelemetry const&, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Maybe<unsigned int> const&, mozilla::image::DecoderFlags, mozilla::image::SurfaceFlags) src/image/RasterImage.cpp:1782:7
#140 mozilla::image::IDecodingTask::NotifyDecodeComplete(mozilla::NotNull<mozilla::image::RasterImage*>, mozilla::NotNull<mozilla::image::Decoder*>)::$_2::operator()() const src/image/IDecodingTask.cpp:130:12
#141 mozilla::detail::RunnableFunction<mozilla::image::IDecodingTask::NotifyDecodeComplete(mozilla::NotNull<mozilla::image::RasterImage*>, mozilla::NotNull<mozilla::image::Decoder*>)::$_2>::Run() src/xpcom/threads/nsThreadUtils.h:551:5
#142 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1096:14
#143 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
#144 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
#145 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:326:10
#146 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299:3
#147 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
#148 nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:290:30
#149 XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:4766:22
#150 XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4911:8
#151 XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5003:21
#152 do_main(int, char**, char**) src/browser/app/nsBrowserApp.cpp:231:22
#153 main src/browser/app/nsBrowserApp.cpp:304:16
#154 __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#155 _start (firefox+0x423444)
Flags: in-testsuite?
Flags: needinfo?(emilio)
Flags: needinfo?(mconley)
I can reproduce this with e10s disabled, and have a capture in rr. I'm looking at it now.
Flags: needinfo?(mconley)
The nsContentUtils::IsSafeToRunScript() assertion really makes no sense. I originally added it because for some reason, I thought that nsContentUtils::IsSafeToRunScript() means that it's asserting that it's safe to run _any_ kind of script. In actuality, this is only checking that it's safe to run _content_ script[1].

Content script isn't even involved here. promiseDocumentFlushed is a ChromeOnly API. It really doesn't matter if content script is safe to run or not.

I'm going to remove the assertion.

[1]: https://searchfox.org/mozilla-central/rev/f5fb323246bf22a3a3b4185882a1c5d8a2c02996/dom/base/nsContentUtils.h#1986-1994
Flags: needinfo?(emilio)
Whoops - sorry, didn't mean to remove your ni? emilio!
Flags: needinfo?(emilio)
Attached patch bug1450171.diff
Assignee: nobody → mconley
No problem, I didn't get to poke at it, but glad you looked into it :)
Flags: needinfo?(emilio)
Comment on attachment 8964557 [details] [diff] [review]
bug1450171.diff

This removes the nonsensical assertion. I think originally I was being paranoid because I wanted to make doubly sure that only chrome code could use this API. Maybe that's unnecessary because of the way that promiseDocumentFlushed is defined in Window.webidl.

Just in case, I've added a MOZ_RELEASE_ASSERT(nsContentUtils::IsCallerChrome()); to the top of PromiseDocumentFlushed. If that's redundant, I can get rid of it.
Attachment #8964557 - Flags: review?(bzbarsky)
> I thought that nsContentUtils::IsSafeToRunScript() means that it's asserting that it's safe to run _any_ kind of script.

It _can_ be ok to run script when !IsSafeToRunScript, but only if that script is _extremely_ careful about what it does.  If it's not, it can easily cause crashes, including exploitable ones.  Obviously we can assume that "content script" will not only not be careful but will be actively malicious.  But assuming that "chrome script" will be careful is a fantasy.  For one thing, you would be hard-pressed to find anyone who can reliably tell you whether a given script is being careful or not!

Anyway, upshot is that we should in fact be asserting IsSafeToRunScript() before we run any script.  Bug 1181918 tracks that.  Sadly right now the browser doesn't even start if we do that...

Taking out the assertion is probably OK-ish for the moment; in the stack above we've already lost at the point when we call into JS for onStateChange in frame 18.  I filed bug 1450989 on fixing things so we won't end up in that situation...

That said, some of the things that are _definitely_ not in the "being careful" bucket are performing modification of the DOM or generally asking for layout information.  And the promiseDocumentFlushed callback is expressly designed for doing that last.  With any luck the fact that the shell doesn't need a flush when it runs means that asking for layout information won't have the side-effects that make it unsafe to do when !IsSafeToRunScript.

The other exciting thing here, of course, is the "This is unsafe! Fix the caller!" assertion.  _That_ means we are firing a DOM event, on a node that is _not_ a chrome node, while !IsSafeToRunScript().  Which means it will cause content event listeners to run.  I'm going to look into what stack _that_ has, since that's clearly even worse.
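The comment above argues that any entry into JS should be guarded by IsSafeToRunScript(), and the stack in comment 0 shows the real mechanism that makes this work (frame #94, nsContentUtils::RemoveScriptBlocker, is where queued events fire once a document update ends). The following is an added toy model of that discipline, written for this page and not Gecko code: the names mirror nsContentUtils (IsSafeToRunScript, AddScriptBlocker/RemoveScriptBlocker, AddScriptRunner, an RAII blocker like mozAutoDocUpdate), but every body is an assumed simplification. It shows the correct path (queue the event until the blocker count drops to zero) beside the incorrect one (calling into script while a blocker is held), with the entry point refusing the latter instead of aborting so it can be observed.

```cpp
#include <cassert>
#include <cstdio>
#include <functional>
#include <string>
#include <utility>
#include <vector>

// Toy model of the script-blocker discipline discussed in this bug.
// NOT Gecko code: names mirror nsContentUtils, bodies are assumed/simplified.
namespace model {

static unsigned gScriptBlockerCount = 0;
static std::vector<std::function<void()>> gBlockedRunnables;

// "Safe" means no DOM update / layout operation is in progress on the stack.
bool IsSafeToRunScript() { return gScriptBlockerCount == 0; }

void AddScriptBlocker() { ++gScriptBlockerCount; }

// Dropping the last blocker is the point where deferred runnables fire
// (frame #94 in the stack above is this step in real Gecko).
void RemoveScriptBlocker() {
  assert(gScriptBlockerCount > 0);
  if (--gScriptBlockerCount != 0) return;
  // Swap out first so a runnable that schedules more work does not
  // mutate the vector being iterated.
  std::vector<std::function<void()>> pending;
  pending.swap(gBlockedRunnables);
  for (auto& run : pending) run();
}

// RAII guard, analogous to nsAutoScriptBlocker / mozAutoDocUpdate (assumed).
struct AutoScriptBlocker {
  AutoScriptBlocker() { AddScriptBlocker(); }
  ~AutoScriptBlocker() { RemoveScriptBlocker(); }
  AutoScriptBlocker(const AutoScriptBlocker&) = delete;
  AutoScriptBlocker& operator=(const AutoScriptBlocker&) = delete;
};

// Correct way to "fire an event" from inside an update: run now if safe,
// otherwise queue until the blocker count drops to zero.
void AddScriptRunner(std::function<void()> fn) {
  if (IsSafeToRunScript()) { fn(); return; }
  gBlockedRunnables.push_back(std::move(fn));
}

// What the comment asks for at every JS entry point: refuse to run script
// while blocked. Real code would MOZ_RELEASE_ASSERT; here we return false
// so the behaviour can be checked from a test instead of aborting.
bool CallScriptIfSafe(const std::function<void()>& fn) {
  if (!IsSafeToRunScript()) return false;
  fn();
  return true;
}

// Replays the shape of the bug: inside a DOM update, something tries to
// call into JS directly (wrong) and something else queues an event (right).
// Returns the order of observed steps:
//   'U' update started under a blocker
//   'X' direct script call refused while blocked
//   'S' deferred runner executed after the blocker was released
std::string Scenario() {
  std::string log;
  {
    AutoScriptBlocker update;                      // like mozAutoDocUpdate
    log += 'U';
    if (!CallScriptIfSafe([&] { log += 'J'; })) log += 'X';
    AddScriptRunner([&] { log += 'S'; });          // like AsyncEventDispatcher
    assert(log == "UX");                           // runner must not fire yet
  }                                                // ~AutoScriptBlocker -> 'S'
  return log;
}

}  // namespace model

int main() {
  std::printf("%s\n", model::Scenario().c_str());  // UXS
  return 0;
}
```

The point of the swap in RemoveScriptBlocker is the reentrancy bz warns about: a deferred runner may itself take a blocker or queue more work, and the queue must not be mutated while it is being drained. Nested blockers are reference-counted, so script stays blocked until the outermost update finishes.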
Comment on attachment 8964557 [details] [diff] [review]
bug1450171.diff

IsCallerChrome is deprecated.  See bug 1316480.

In general, having this be [ChromeOnly] promises the caller will only be chrome when coming from bindings.  Of course a C++ caller could do whatever...

I think you should just take out the IsCallerChrome.  If you really want to prevent C++ callers from calling this thing blindly, you can add [NeedsCallerType] in the IDL (in addition to the [ChromeOnly] already there) and add a SystemCallerGuarantee arg to your function.
Attachment #8964557 - Flags: review?(bzbarsky) → review+
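The review above prefers a compile-time guarantee over a runtime IsCallerChrome() check: a [ChromeOnly, NeedsCallerType] method receives a SystemCallerGuarantee that only the generated binding can produce, so C++ code elsewhere cannot call the method "blindly". The following is an added illustration of that capability-token pattern, written for this page and not Gecko code: SystemCallerGuarantee, [ChromeOnly] and [NeedsCallerType] are real Gecko concepts, but the classes and the string-returning stand-in for the binding are assumed simplifications.

```cpp
#include <cassert>
#include <string>

// Toy model of the review suggestion above. NOT Gecko code: the binding glue
// and the token class are assumed stand-ins for the generated code.
namespace model {

class ChromeOnlyBinding;

// Only the (generated) binding glue can construct this, so holding one is
// proof that the call came through a [ChromeOnly] entry point. The ctor is
// user-provided (not "= default") so the class is never an aggregate and
// SystemCallerGuarantee{} cannot bypass the private constructor.
class SystemCallerGuarantee {
  SystemCallerGuarantee() {}
  friend class ChromeOnlyBinding;
};

// The DOM-side implementation. Other C++ code cannot write
// PromiseDocumentFlushed(SystemCallerGuarantee{}, ...): it does not compile
// outside the friend, which is the whole point of the parameter.
std::string PromiseDocumentFlushed(SystemCallerGuarantee,
                                   const std::string& callbackName) {
  return "scheduled:" + callbackName;
}

// Stand-in for the generated binding. [ChromeOnly] means the property is not
// even exposed to non-system principals; modelled here as an empty result.
class ChromeOnlyBinding {
 public:
  static std::string Call(bool callerIsSystemPrincipal,
                          const std::string& callbackName) {
    if (!callerIsSystemPrincipal) return "";
    return PromiseDocumentFlushed(SystemCallerGuarantee{}, callbackName);
  }
};

}  // namespace model

int main() {
  return model::ChromeOnlyBinding::Call(true, "cb") == "scheduled:cb" ? 0 : 1;
}
```

Unlike the MOZ_RELEASE_ASSERT(IsCallerChrome()) the patch originally added, nothing here is checked at call time: the privilege check lives in the binding layer that decides whether the property exists at all, and the token merely forbids internal C++ callers from skipping that layer.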
Hey tsmith,

Are the fuzzing team only filing bugs for fatal assertions? I ask, because the more interesting problem in the stack was the one that bz mentioned in comment 7 towards the end. Appearance of "This is unsafe! Fix the caller!" is currently non-fatal, but something we should probably be trying to burn down. Is it possible to add that warning to the list of things that the fuzzer team looks for?
Flags: needinfo?(twsmith)
(In reply to Mike Conley (:mconley) (:⚙️) (Totally backlogged on reviews and needinfos) from comment #10)
> Hey tsmith,
> 
> Are the fuzzing team only filing bugs for fatal assertions? I ask, because
> the more interesting problem in the stack was the one that bz mentioned in
> comment 7 towards the end. Appearance of "This is unsafe! Fix the caller!"
> is currently non-fatal, but something we should probably be trying to burn
> down. Is it possible to add that warning to the list of things that the
> fuzzer team looks for?

In general when fuzzing you look for process termination (crash, abort due to fatal assertion or UBSan or some other debugging tool). So the best way to get any logic issue detected by fuzzing is to assert (otherwise things get very complicated quickly in terms of framework). IMO if something insecure or unsafe could happen and we can detect it we should always have a fatal assertion on debug builds (really on release builds too but performance and other issues do come into play here). We (the fuzzing team) fuzz ASan opt and debug builds at the moment.

So short answer yes but please let's not, let's add a fatal assert instead if possible :)
Flags: needinfo?(twsmith)
Is fatal asserting on "This is unsafe! Fix the caller!" something we'd be willing to do?
Flags: needinfo?(bzbarsky)
Flags: needinfo?(bzbarsky) → needinfo?(bugs)
Yes. IIRC that assertion, well, NS_ERROR, predates MOZ_*ASSERT.
Flags: needinfo?(bugs)
Okay. Filed bug 1451108 for that. Didn't seem necessary to make it a security bug - I hope that's alright.
https://hg.mozilla.org/mozilla-central/rev/2aa535696812
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
If this is just a spurious assert, does it need to be marked s-s? I'm also thinking we don't need to backport this.
Blocks: 1434376
Flags: needinfo?(mconley)
There's no point backporting unless it's interfering with fuzzing.

In terms of unmarking this s-s, the stack in comment 0 is probably security-sensitive, as is the analysis in comment 7 and the mentions of it in comment 9.

As in, this assert is not "spurious".  It's highlighting what is likely a security problem; just not one it itself is responsible for.
It's not getting in my way so no need to do it for fuzzing.
Keywords: sec-other
Flags: needinfo?(mconley)
Group: dom-core-security → core-security-release
Whiteboard: [adv-main61-]
Flags: qe-verify-
Whiteboard: [adv-main61-] → [adv-main61-][post-critsmash-triage]
Component: DOM → DOM: Core & HTML
Group: core-security-release