Assertion failure: false (mAttributes->PopulateFromOrigin(mOrigin, mOriginNoSuffix)), at /builds/worker/workspace/build/src/dom/quota/OriginScope.h:56
Categories
(Core :: Storage: Quota Manager, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox67 | --- | wontfix |
| firefox68 | --- | fixed |
People
(Reporter: jkratzer, Assigned: janv)
References
(Blocks 2 open bugs)
Details
(Keywords: assertion, testcase)
Attachments
(3 files)
Testcase found while fuzzing mozilla-central rev ab709310d23f.
Testcase must be served via a local webserver in order to reproduce.
Assertion failure: false (mAttributes->PopulateFromOrigin(mOrigin, mOriginNoSuffix)), at /builds/worker/workspace/build/src/dom/quota/OriginScope.h:56
rax = 0x000055e030f66e40 rdx = 0x0000000000000000
rcx = 0x00007f624ef7cdb9 rbx = 0x00007f625b770570
rsi = 0x00007f625bba08b0 rdi = 0x00007f625bb9f680
rbp = 0x00007f625b770560 rsp = 0x00007f625b770550
r8 = 0x00007f625bba08b0 r9 = 0x00007f625b771700
r10 = 0x0000000000000002 r11 = 0x0000000000000000
r12 = 0x00007f6226a3d3d0 r13 = 0x00007f625b7705f8
r14 = 0x00007f622af1b100 r15 = 0x00007f625b7705f0
rip = 0x00007f624b2efaf3
OS|Linux|0.0.0 Linux 4.18.0-16-generic #17~18.04.1-Ubuntu SMP Tue Feb 12 13:35:51 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|1
GPU|||
Crash|SIGSEGV /SEGV_MAPERR|0x0|31
31|0|libxul.so|mozilla::dom::quota::OriginScope::Origin::InitMembers()|hg:hg.mozilla.org/mozilla-central:dom/quota/OriginScope.h:ab709310d23f9b7b17ba50731c63666aaf67945b|55|0x0
31|1|libxul.so|mozilla::dom::quota::OriginScope::FromOrigin(nsTSubstring<char> const&)|hg:hg.mozilla.org/mozilla-central:dom/quota/OriginScope.h:ab709310d23f9b7b17ba50731c63666aaf67945b|121|0x5
31|2|libxul.so|mozilla::dom::quota::QuotaManager::OpenDirectory(mozilla::dom::quota::PersistenceType, nsTSubstring<char> const&, nsTSubstring<char> const&, mozilla::dom::quota::Client::Type, bool, mozilla::dom::quota::OpenDirectoryListener*)|hg:hg.mozilla.org/mozilla-central:dom/quota/ActorsParent.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|4874|0x5
31|3|libxul.so|PrepareDatastoreOp::OpenDirectory|hg:hg.mozilla.org/mozilla-central:dom/localstorage/ActorsParent.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|6022|0x17
31|4|libxul.so|PrepareDatastoreOp::BeginDatastorePreparationInternal|hg:hg.mozilla.org/mozilla-central:dom/localstorage/ActorsParent.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|5972|0x8
31|5|libxul.so|PrepareDatastoreOp::CheckClosingDatastoreInternal|hg:hg.mozilla.org/mozilla-central:dom/localstorage/ActorsParent.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|5928|0x8
31|6|libxul.so|PrepareDatastoreOp::NestedRun|hg:hg.mozilla.org/mozilla-central:dom/localstorage/ActorsParent.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|5885|0x8
31|7|libxul.so|LSRequestBase::Run|hg:hg.mozilla.org/mozilla-central:dom/localstorage/ActorsParent.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|5684|0x6
31|8|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|1179|0x15
31|9|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|482|0x11
31|10|libxul.so|mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|303|0xa
31|11|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:ab709310d23f9b7b17ba50731c63666aaf67945b|315|0x17
31|12|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:ab709310d23f9b7b17ba50731c63666aaf67945b|308|0x8
31|13|libxul.so|nsThread::ThreadFunc(void*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:ab709310d23f9b7b17ba50731c63666aaf67945b|454|0x8
31|14|libnspr4.so|_pt_root|hg:hg.mozilla.org/mozilla-central:nsprpub/pr/src/pthreads/ptthread.c:ab709310d23f9b7b17ba50731c63666aaf67945b|201|0x7
31|15|libpthread-2.27.so||||0x76db
31|16|libc-2.27.so||||0x12188f
|
||
Comment 1•5 years ago
|
||
The priority flag is not set for this bug and there is no activity for 2 weeks.
:overholt, could you have a look please?
|
||
Comment 2•5 years ago
|
||
Jan: some unicode characters and slashes in a .location call in the STR here; related to your changes to MozURL?
|
Assignee | |
Comment 3•5 years ago
|
||
This is probably a bug in PopulateFromOrigin.
|
||
Comment 5•5 years ago
|
||
In the test, mOrigin is "http://xn--^12-iha3vy23o" and mOriginNoSuffix is "http://xn--"
|
|
||
Comment 6•5 years ago
|
||
we actually return false at [1] while the decodedName is "12-iha3vy23o" and the decodedValue is empty.
|
|
||
Comment 7•5 years ago
|
||
I guess the question is whether "http://xn--^12-iha3vy23o" is a valid URL and whether should we assert we could always get an attribute from the origin.
That origin is using "^" which is our symbol for the origin attribute.
|
|
Assignee | |
Comment 8•5 years ago
|
||
It seems this is not an issue anymore:
[Parent 61607, Main Thread] WARNING: 'NS_FAILED(rv)', file /Users/varga/Sources/Mozilla0/dom/quota/ActorsParent.cpp, line 6068
[Parent 61607, Main Thread] WARNING: A URL https://xn--^-q10i/ is not recognized by MozURL: file /Users/varga/Sources/Mozilla0/dom/quota/ActorsParent.cpp, line 6069
[Parent 61607, Main Thread] WARNING: '!QuotaManager::IsPrincipalInfoValid(aPrincipalInfo)', file /Users/varga/Sources/Mozilla0/dom/localstorage/LocalStorageManager2.cpp, line 152
[Parent 61607, Main Thread] WARNING: 'NS_FAILED(rv)', file /Users/varga/Sources/Mozilla0/dom/localstorage/LocalStorageManager2.cpp, line 276
[Parent 61607, Main Thread] WARNING: Failed to preload local storage!: file /Users/varga/Sources/Mozilla0/dom/ipc/ContentParent.cpp, line 5389
MozURL/rust-url now refuses to parse it, so we catch it early and don't crash in OriginScope::InitMembers.
Tom, can you verify ?
|
|
||
Comment 9•5 years ago
|
||
In the last mozilla-inbound (536353:c1b13e664eb4 dvarga tip inbound Merge mozilla-central to mozilla-inbound. a=merge), I still get:
Assertion failure: false (mAttributes->PopulateFromOrigin(mOrigin, mOriginNoSuffix)), at /Users/tomtung/Work/mozilla-central/dom/quota/OriginScope.h:56
#01: mozilla::dom::quota::OriginScope::Origin::InitMembers()[/Users/tomtung/Work/mozilla-central/objdir/dist/NightlyDebug.app/Contents/MacOS/XUL +0x5778ccd]
#02: mozilla::dom::quota::OriginScope::Origin::Origin(nsTSubstring<char> const&)[/Users/tomtung/Work/mozilla-central/objdir/dist/NightlyDebug.app/Contents/MacOS/XUL +0x5778bf8]
#03: mozilla::dom::quota::OriginScope::Origin::Origin(nsTSubstring<char> const&)[/Users/tomtung/Work/mozilla-central/objdir/dist/NightlyDebug.app/Contents/MacOS/XUL +0x5778b5d]
#04: mozilla::dom::quota::OriginScope::FromOrigin(nsTSubstring<char> const&)[/Users/tomtung/Work/mozilla-central/objdir/dist/NightlyDebug.app/Contents/MacOS/XUL +0x574e375]
#05: mozilla::dom::quota::QuotaManager::CreateDirectoryLock(mozilla::dom::quota::PersistenceType, nsTSubstring<char> const&, nsTSubstring<char> const&, mozilla::dom::quota::Client::Type, bool, mozilla::dom::quota::OpenDirectoryListener*)[/Users/tomtung/Work/mozilla-central/objdir/dist/NightlyDebug.app/Contents/MacOS/XUL +0x5761f6d]
#06: mozilla::dom::(anonymous namespace)::PrepareDatastoreOp::OpenDirectory()[/Users/tomtung/Work/mozilla-central/objdir/dist/NightlyDebug.app/Contents/MacOS/XUL +0x61a75fb]
#07: mozilla::dom::(anonymous namespace)::PrepareDatastoreOp::BeginDatastorePreparationInternal()[/Users/tomtung/Work/mozilla-central/objdir/dist/NightlyDebug.app/Contents/MacOS/XUL +0x61a6eeb]
#08: mozilla::dom::(anonymous namespace)::PrepareDatastoreOp::CheckClosingDatastoreInternal()[/Users/tomtung/Work/mozilla-central/objdir/dist/NightlyDebug.app/Contents/MacOS/XUL +0x61a649e]
#09: mozilla::dom::(anonymous namespace)::PrepareDatastoreOp::CheckExistingOperations()[/Users/tomtung/Work/mozilla-central/objdir/dist/NightlyDebug.app/Contents/MacOS/XUL +0x61a339d]
#10: mozilla::dom::(anonymous namespace)::PrepareDatastoreOp::NestedRun()[/Users/tomtung/Work/mozilla-central/objdir/dist/NightlyDebug.app/Contents/MacOS/XUL +0x61a03ab]
#11: mozilla::dom::(anonymous namespace)::LSRequestBase::Run()[/Users/tomtung/Work/mozilla-central/objdir/dist/NightlyDebug.app/Contents/MacOS/XUL +0x619fe81
(In reply to Tom Tung [:tt, :ttung] from comment #7)
That origin is using "^" which is our symbol for the origin attribute.
I checked the URL spec (https://url.spec.whatwg.org/), and the caret symbol is allowed for an URL. I should and will check if URL with that symbol can be in normal word.
|
|
Assignee | |
Comment 10•5 years ago
|
||
I tried the attached testcase by opening as a file and also via a local web server and I still can't reproduce the assertion.
Tom, did you test on Mac or Linux ?
|
|
||
Comment 11•5 years ago
|
||
(In reply to Jan Varga [:janv] from comment #10)
I tried the attached testcase by opening as a file and also via a local web server and I still can't reproduce the assertion.
Tom, did you test on Mac or Linux ?
Yes, on the Mac and using localhost. I'm going to try it again with a clean build.
|
|
Assignee | |
Comment 12•5 years ago
|
||
This test passes for me.
|
|
||
Comment 13•5 years ago
|
||
(In reply to Jan Varga [:janv] from comment #12)
Created attachment 9065325 [details] [diff] [review]
xpcshell testThis test passes for me.
I can also pass the test and see:
0:02.02 pid:45073 [45073, Main Thread] WARNING: 'NS_FAILED(rv)', file /Users/tomtung/Work/mozilla-central/dom/quota/ActorsParent.cpp, line 6068
0:02.02 pid:45073 [45073, Main Thread] WARNING: A URL https://xn--^-q10i/ is not recognized by MozURL: file /Users/tomtung/Work/mozilla-central/dom/quota/ActorsParent.cpp, line 6069
0:02.02 pid:45073 [45073, Main Thread] WARNING: '!QuotaManager::IsPrincipalInfoValid(*storagePrincipalInfo)', file /Users/tomtung/Work/mozilla-central/dom/localstorage/LSObject.cpp, line 382
0:02.02 pid:45073 [45073, Main Thread] WARNING: 'NS_FAILED(rv)', file /Users/tomtung/Work/mozilla-central/dom/localstorage/LocalStorageManager2.cpp, line 208
But, I still get a crash while running the testcase.html and the difference I found is the URL "http://xn--^12-iha3vy23o".
|
|
Assignee | |
Comment 14•5 years ago
|
||
Ok, so this is a bug in MozURL and nsIPrincipal origin calculation. Resulting origin string shouldn't contain the "^" character.
I verified that IndexedDB hits the same assertion.
|
|
Assignee | |
Comment 15•5 years ago
|
||
See this comment:
https://searchfox.org/mozilla-central/rev/11cfa0462a6b5d8c5e2111b8cfddcf78098f0141/caps/ContentPrincipal.cpp#188
It says that nsIStandarlURL should escape the "^" character in the spec. However I checked Spec and HostPort for "http://example.com^123" and the "^" is not escaped.
|
|
Assignee | |
Comment 16•5 years ago
|
||
|
|
Assignee | |
Updated•5 years ago
|
|
||
Comment 17•5 years ago
|
||
Pushed by jvarga@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/dd5c42327e22 QM: Treat origins containg the '^' character as invalid; r=asuth
|
|
Assignee | |
Comment 18•5 years ago
|
||
Filed bug 1552234.
|
||
Comment 19•5 years ago
|
||
| bugherder | ||
|
||
Updated•5 years ago
|
Description
•