Assertion failure: false (mAttributes->PopulateFromOrigin(mOrigin, mOriginNoSuffix)), at /builds/worker/workspace/build/src/dom/quota/OriginScope.h:56

RESOLVED FIXED in Firefox 68

Status

defect
P2
normal
RESOLVED FIXED
3 months ago
7 days ago

People

(Reporter: jkratzer, Assigned: janv)

Tracking

(Blocks 2 bugs, {assertion, testcase})

unspecified
mozilla68
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox-esr60 unaffected, firefox67 wontfix, firefox68 fixed)

Attachments

(3 attachments)

Reporter

Description

3 months ago
Posted file testcase.html

Testcase found while fuzzing mozilla-central rev ab709310d23f.

Testcase must be served via a local webserver in order to reproduce.

Assertion failure: false (mAttributes->PopulateFromOrigin(mOrigin, mOriginNoSuffix)), at /builds/worker/workspace/build/src/dom/quota/OriginScope.h:56

rax = 0x000055e030f66e40 rdx = 0x0000000000000000
rcx = 0x00007f624ef7cdb9 rbx = 0x00007f625b770570
rsi = 0x00007f625bba08b0 rdi = 0x00007f625bb9f680
rbp = 0x00007f625b770560 rsp = 0x00007f625b770550
r8 = 0x00007f625bba08b0 r9 = 0x00007f625b771700
r10 = 0x0000000000000002 r11 = 0x0000000000000000
r12 = 0x00007f6226a3d3d0 r13 = 0x00007f625b7705f8
r14 = 0x00007f622af1b100 r15 = 0x00007f625b7705f0
rip = 0x00007f624b2efaf3
OS|Linux|0.0.0 Linux 4.18.0-16-generic #17~18.04.1-Ubuntu SMP Tue Feb 12 13:35:51 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|1
GPU|||
Crash|SIGSEGV /SEGV_MAPERR|0x0|31
31|0|libxul.so|mozilla::dom::quota::OriginScope::Origin::InitMembers()|hg:hg.mozilla.org/mozilla-central:dom/quota/OriginScope.h:ab709310d23f9b7b17ba50731c63666aaf67945b|55|0x0
31|1|libxul.so|mozilla::dom::quota::OriginScope::FromOrigin(nsTSubstring<char> const&)|hg:hg.mozilla.org/mozilla-central:dom/quota/OriginScope.h:ab709310d23f9b7b17ba50731c63666aaf67945b|121|0x5
31|2|libxul.so|mozilla::dom::quota::QuotaManager::OpenDirectory(mozilla::dom::quota::PersistenceType, nsTSubstring<char> const&, nsTSubstring<char> const&, mozilla::dom::quota::Client::Type, bool, mozilla::dom::quota::OpenDirectoryListener*)|hg:hg.mozilla.org/mozilla-central:dom/quota/ActorsParent.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|4874|0x5
31|3|libxul.so|PrepareDatastoreOp::OpenDirectory|hg:hg.mozilla.org/mozilla-central:dom/localstorage/ActorsParent.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|6022|0x17
31|4|libxul.so|PrepareDatastoreOp::BeginDatastorePreparationInternal|hg:hg.mozilla.org/mozilla-central:dom/localstorage/ActorsParent.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|5972|0x8
31|5|libxul.so|PrepareDatastoreOp::CheckClosingDatastoreInternal|hg:hg.mozilla.org/mozilla-central:dom/localstorage/ActorsParent.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|5928|0x8
31|6|libxul.so|PrepareDatastoreOp::NestedRun|hg:hg.mozilla.org/mozilla-central:dom/localstorage/ActorsParent.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|5885|0x8
31|7|libxul.so|LSRequestBase::Run|hg:hg.mozilla.org/mozilla-central:dom/localstorage/ActorsParent.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|5684|0x6
31|8|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|1179|0x15
31|9|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|482|0x11
31|10|libxul.so|mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|303|0xa
31|11|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:ab709310d23f9b7b17ba50731c63666aaf67945b|315|0x17
31|12|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:ab709310d23f9b7b17ba50731c63666aaf67945b|308|0x8
31|13|libxul.so|nsThread::ThreadFunc(void*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|454|0x8
31|14|libnspr4.so|_pt_root|hg:hg.mozilla.org/mozilla-central:nsprpub/pr/src/pthreads/ptthread.c:ab709310d23f9b7b17ba50731c63666aaf67945b|201|0x7
31|15|libpthread-2.27.so||||0x76db
31|16|libc-2.27.so||||0x12188f

Flags: in-testsuite?

The priority flag is not set for this bug and there is no activity for 2 weeks.
:overholt, could you have a look please?

Flags: needinfo?(overholt)

Jan: some unicode characters and slashes in a .location call in the STR here; related to your changes to MozURL?

Flags: needinfo?(overholt) → needinfo?(jvarga)
Priority: -- → P2
Assignee

Comment 3

3 months ago

This is probably a bug in PopulateFromOrigin.

Blocks: 1540402
Flags: needinfo?(jvarga)
Assignee

Updated

2 months ago
Blocks: 1539835

Tom, can you take this one?

Flags: needinfo?(shes050117)

In the test, mOrigin is "http://xn--^12-iha3vy23o" and mOriginNoSuffix is "http://xn--"

Assignee: nobody → shes050117
Status: NEW → ASSIGNED
Flags: needinfo?(shes050117)

We actually return false at [1] while the decodedName is "12-iha3vy23o" and the decodedValue is empty.

[1] https://searchfox.org/mozilla-central/rev/ec489aa170b6486891cf3625717d6fa12bcd11c1/dom/url/URLSearchParams.cpp#195

I guess the question is whether "http://xn--^12-iha3vy23o" is a valid URL and whether we should assert we could always get an attribute from the origin.

That origin is using "^" which is our symbol for the origin attribute.

Assignee

Comment 8

Last month

It seems this is not an issue anymore:

[Parent 61607, Main Thread] WARNING: 'NS_FAILED(rv)', file /Users/varga/Sources/Mozilla0/dom/quota/ActorsParent.cpp, line 6068
[Parent 61607, Main Thread] WARNING: A URL https://xn--^-q10i/ is not recognized by MozURL: file /Users/varga/Sources/Mozilla0/dom/quota/ActorsParent.cpp, line 6069
[Parent 61607, Main Thread] WARNING: '!QuotaManager::IsPrincipalInfoValid(aPrincipalInfo)', file /Users/varga/Sources/Mozilla0/dom/localstorage/LocalStorageManager2.cpp, line 152
[Parent 61607, Main Thread] WARNING: 'NS_FAILED(rv)', file /Users/varga/Sources/Mozilla0/dom/localstorage/LocalStorageManager2.cpp, line 276
[Parent 61607, Main Thread] WARNING: Failed to preload local storage!: file /Users/varga/Sources/Mozilla0/dom/ipc/ContentParent.cpp, line 5389

MozURL/rust-url now refuses to parse it, so we catch it early and don't crash in OriginScope::InitMembers.

Tom, can you verify?

In the last mozilla-inbound (536353:c1b13e664eb4 dvarga tip inbound Merge mozilla-central to mozilla-inbound. a=merge), I still get:

Assertion failure: false (mAttributes->PopulateFromOrigin(mOrigin, mOriginNoSuffix)), at /Users/tomtung/Work/mozilla-central/dom/quota/OriginScope.h:56
#01: mozilla::dom::quota::OriginScope::Origin::InitMembers()[/Users/tomtung/Work/mozilla-central/objdir/dist/NightlyDebug.app/Contents/MacOS/XUL +0x5778ccd]
#02: mozilla::dom::quota::OriginScope::Origin::Origin(nsTSubstring<char> const&)[/Users/tomtung/Work/mozilla-central/objdir/dist/NightlyDebug.app/Contents/MacOS/XUL +0x5778bf8]
#03: mozilla::dom::quota::OriginScope::Origin::Origin(nsTSubstring<char> const&)[/Users/tomtung/Work/mozilla-central/objdir/dist/NightlyDebug.app/Contents/MacOS/XUL +0x5778b5d]
#04: mozilla::dom::quota::OriginScope::FromOrigin(nsTSubstring<char> const&)[/Users/tomtung/Work/mozilla-central/objdir/dist/NightlyDebug.app/Contents/MacOS/XUL +0x574e375]
#05: mozilla::dom::quota::QuotaManager::CreateDirectoryLock(mozilla::dom::quota::PersistenceType, nsTSubstring<char> const&, nsTSubstring<char> const&, mozilla::dom::quota::Client::Type, bool, mozilla::dom::quota::OpenDirectoryListener*)[/Users/tomtung/Work/mozilla-central/objdir/dist/NightlyDebug.app/Contents/MacOS/XUL +0x5761f6d]
#06: mozilla::dom::(anonymous namespace)::PrepareDatastoreOp::OpenDirectory()[/Users/tomtung/Work/mozilla-central/objdir/dist/NightlyDebug.app/Contents/MacOS/XUL +0x61a75fb]
#07: mozilla::dom::(anonymous namespace)::PrepareDatastoreOp::BeginDatastorePreparationInternal()[/Users/tomtung/Work/mozilla-central/objdir/dist/NightlyDebug.app/Contents/MacOS/XUL +0x61a6eeb]
#08: mozilla::dom::(anonymous namespace)::PrepareDatastoreOp::CheckClosingDatastoreInternal()[/Users/tomtung/Work/mozilla-central/objdir/dist/NightlyDebug.app/Contents/MacOS/XUL +0x61a649e]
#09: mozilla::dom::(anonymous namespace)::PrepareDatastoreOp::CheckExistingOperations()[/Users/tomtung/Work/mozilla-central/objdir/dist/NightlyDebug.app/Contents/MacOS/XUL +0x61a339d]
#10: mozilla::dom::(anonymous namespace)::PrepareDatastoreOp::NestedRun()[/Users/tomtung/Work/mozilla-central/objdir/dist/NightlyDebug.app/Contents/MacOS/XUL +0x61a03ab]
#11: mozilla::dom::(anonymous namespace)::LSRequestBase::Run()[/Users/tomtung/Work/mozilla-central/objdir/dist/NightlyDebug.app/Contents/MacOS/XUL +0x619fe81

(In reply to Tom Tung [:tt, :ttung] from comment #7)

> That origin is using "^" which is our symbol for the origin attribute.

I checked the URL spec (https://url.spec.whatwg.org/), and the caret symbol is allowed for a URL. I should and will check if a URL with that symbol can be in normal word.

Assignee

Comment 10

Last month

I tried the attached testcase by opening as a file and also via a local web server and I still can't reproduce the assertion.

Tom, did you test on Mac or Linux?

(In reply to Jan Varga [:janv] from comment #10)

> I tried the attached testcase by opening as a file and also via a local web server and I still can't reproduce the assertion.
>
> Tom, did you test on Mac or Linux?

Yes, on the Mac and using localhost. I'm going to try it again with a clean build.

Assignee

Comment 12

Last month
Posted patch: xpcshell test

This test passes for me.

(In reply to Jan Varga [:janv] from comment #12)

> Created attachment 9065325 [details] [diff] [review]
> xpcshell test
>
> This test passes for me.

I can also pass the test and see:
0:02.02 pid:45073 [45073, Main Thread] WARNING: 'NS_FAILED(rv)', file /Users/tomtung/Work/mozilla-central/dom/quota/ActorsParent.cpp, line 6068
0:02.02 pid:45073 [45073, Main Thread] WARNING: A URL https://xn--^-q10i/ is not recognized by MozURL: file /Users/tomtung/Work/mozilla-central/dom/quota/ActorsParent.cpp, line 6069
0:02.02 pid:45073 [45073, Main Thread] WARNING: '!QuotaManager::IsPrincipalInfoValid(*storagePrincipalInfo)', file /Users/tomtung/Work/mozilla-central/dom/localstorage/LSObject.cpp, line 382
0:02.02 pid:45073 [45073, Main Thread] WARNING: 'NS_FAILED(rv)', file /Users/tomtung/Work/mozilla-central/dom/localstorage/LocalStorageManager2.cpp, line 208

But, I still get a crash while running the testcase.html and the difference I found is the URL "http://xn--^12-iha3vy23o".

Assignee

Comment 14

Last month

Ok, so this is a bug in MozURL and nsIPrincipal origin calculation. Resulting origin string shouldn't contain the "^" character.
I verified that IndexedDB hits the same assertion.

Assignee

Comment 15

Last month

See this comment:
https://searchfox.org/mozilla-central/rev/11cfa0462a6b5d8c5e2111b8cfddcf78098f0141/caps/ContentPrincipal.cpp#188

It says that nsIStandardURL should escape the "^" character in the spec. However, I checked Spec and HostPort for "http://example.com^123" and the "^" is not escaped.

Assignee

Updated

Last month
Assignee: shes050117 → jvarga

Comment 17

Last month
Pushed by jvarga@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/dd5c42327e22
QM: Treat origins containing the '^' character as invalid; r=asuth
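
The failure discussed in this bug, as an added C++ example that is not Mozilla's code: a simplified model of splitting a storage origin at '^' into the origin and its attribute suffix, and of rejecting URL-derived origins that contain '^' before that split is assumed to succeed. The `*Model` function names, the accepted attribute names and the choice to split at the last '^' are assumptions made for illustration.

```cpp
#include <map>
#include <set>
#include <string>

typedef std::map<std::string, std::string> Attrs;

// Attribute names this model accepts (assumed subset, for illustration only).
static const std::set<std::string> kKnownAttrs = {
    "userContextId", "privateBrowsingId", "firstPartyDomain"};

// Model of the suffix parser: "name=value&name=value". Unknown names and
// empty values are rejected, as reported in the thread for "12-iha3vy23o".
bool PopulateFromSuffixModel(const std::string& suffix, Attrs& attrs) {
  size_t start = 0;
  while (start <= suffix.size()) {
    size_t end = suffix.find('&', start);
    if (end == std::string::npos) end = suffix.size();
    const std::string pair = suffix.substr(start, end - start);
    const size_t eq = pair.find('=');
    const std::string name = pair.substr(0, eq);
    const std::string value =
        eq == std::string::npos ? std::string() : pair.substr(eq + 1);
    if (!kKnownAttrs.count(name) || value.empty()) return false;
    attrs[name] = value;
    start = end + 1;
  }
  return true;
}

// Model of the split: everything after the last '^' is treated as the suffix.
bool PopulateFromOriginModel(const std::string& origin,
                             std::string& originNoSuffix, Attrs& attrs) {
  const size_t pos = origin.rfind('^');
  if (pos == std::string::npos) {
    originNoSuffix = origin;
    return true;
  }
  originNoSuffix = origin.substr(0, pos);
  return PopulateFromSuffixModel(origin.substr(pos + 1), attrs);
}

// Guard in the spirit of the landed fix: an origin derived from a URL must not
// contain '^', so reject it before any caller assumes the split cannot fail.
bool IsUrlOriginValidModel(const std::string& originFromUrl) {
  return originFromUrl.find('^') == std::string::npos;
}
```

With the origin from the testcase, the model splits off "http://xn--" as the origin without suffix and then fails on the remainder, which is the state the assertion in OriginScope.h did not expect.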
Assignee

Comment 18

Last month

Filed bug 1552234.

Comment 19

Last month
bugherder
Status: ASSIGNED → RESOLVED
Closed: Last month
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Flags: in-testsuite? → in-testsuite+