Open Bug 1578794 Opened 7 months ago Updated 6 months ago

Assertion failure: bc->GetOpenerId() == parentBC, at src/dom/ipc/ContentChild.cpp:1118

Categories

(Core :: DOM: Content Processes, defect, P3)

defect


Tracking Status
firefox70 --- fix-optional
firefox71 --- fix-optional

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords)

Attachments

(1 file)

Attached file testcase.html

This was first found by fuzzers using mozilla-central (m-c) build 20190831-b3cc8963e871.
The testcase was reduced with m-c:
BuildID=20190904094319
SourceStamp=174361d152923aea2b24226a57cde3099509ed6a

The attached testcase requires the pref dom.disable_open_during_load to be set to false (i.e. popup blocking during page load turned off) to trigger the issue.

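Assertion failure: bc->GetOpenerId() == parentBC, at src/dom/ipc/ContentChild.cpp:1118

Reading the stack below: the assertion fires in a content process (frame #53), inside the ProvideWindowCommon callback that handles an incoming CreatedWindowInfo IPC message (frames #0–#1). That callback runs while ProvideWindowCommon is spinning a nested event loop (frames #9–#10) during a script-initiated window.open() call (frames #12–#18).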

#0 mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::BrowserChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**)::$_0::operator()(mozilla::dom::CreatedWindowInfo const&) const src/dom/ipc/ContentChild.cpp:1116:9
#1 mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PContentChild.cpp:12364:27
#2 mozilla::dom::ContentChild::OnMessageReceived(IPC::Message const&) src/dom/ipc/ContentChild.cpp:3800:25
#3 mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2185:25
#4 mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2109:9
#5 mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1954:3
#6 mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1985:13
#7 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1225:14
#8 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
#9 bool mozilla::SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::BrowserChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**)::$_4>(mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::BrowserChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**)::$_4&&, nsIThread*) src/obj-firefox/dist/include/nsThreadUtils.h:348:25
#10 mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::BrowserChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**) src/dom/ipc/ContentChild.cpp:1225:5
#11 mozilla::dom::BrowserChild::ProvideWindow(mozIDOMWindowProxy*, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**) src/dom/ipc/BrowserChild.cpp:947:14
#12 nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, bool, nsDocShellLoadState*, mozilla::dom::BrowsingContext**) src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:781:24
#13 nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsISupports*, bool, bool, bool, nsDocShellLoadState*, mozilla::dom::BrowsingContext**) src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:377:10
#14 nsGlobalWindowOuter::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsDocShellLoadState*, bool, mozilla::dom::BrowsingContext**) src/dom/base/nsGlobalWindowOuter.cpp:7269:21
#15 nsGlobalWindowOuter::OpenJS(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::dom::BrowsingContext**) src/dom/base/nsGlobalWindowOuter.cpp:5751:10
#16 nsGlobalWindowOuter::OpenOuter(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) src/dom/base/nsGlobalWindowOuter.cpp:5724:12
#17 nsGlobalWindowInner::Open(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) src/dom/base/nsGlobalWindowInner.cpp:3742:3
#18 mozilla::dom::Window_Binding::open(JSContext*, JS::Handle<JSObject*>, nsGlobalWindowInner*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/WindowBinding.cpp:2868:59
#19 bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeGlobalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3168:13
#20 CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:447:13
#21 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:539:12
#22 InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:594:10
#23 Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3084:16
#24 js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:424:10
#25 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:567:13
#26 InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:594:10
#27 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:610:8
#28 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2723:10
#29 mozilla::dom::MessageListener::ReceiveMessage(JSContext*, JS::Handle<JS::Value>, mozilla::dom::ReceiveMessageArgument const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/MessageManagerBinding.cpp:7043:8
#30 void mozilla::dom::MessageListener::ReceiveMessage<JS::Rooted<JS::Value> >(JS::Rooted<JS::Value> const&, mozilla::dom::ReceiveMessageArgument const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/obj-firefox/dist/include/mozilla/dom/MessageManagerBinding.h:776:12
#31 nsFrameMessageManager::ReceiveMessage(nsISupports*, nsFrameLoader*, bool, nsTSubstring<char16_t> const&, bool, mozilla::dom::ipc::StructuredCloneData*, mozilla::jsipc::CpowHolder*, nsIPrincipal*, nsTArray<mozilla::dom::ipc::StructuredCloneData>*, mozilla::ErrorResult&) src/dom/base/nsFrameMessageManager.cpp:763:25
#32 nsFrameMessageManager::ReceiveMessage(nsISupports*, nsFrameLoader*, nsTSubstring<char16_t> const&, bool, mozilla::dom::ipc::StructuredCloneData*, mozilla::jsipc::CpowHolder*, nsIPrincipal*, nsTArray<mozilla::dom::ipc::StructuredCloneData>*, mozilla::ErrorResult&) src/dom/base/nsFrameMessageManager.h:245:5
#33 mozilla::dom::BrowserChild::RecvAsyncMessage(nsTString<char16_t> const&, nsTArray<mozilla::jsipc::CpowEntry>&&, nsIPrincipal*, mozilla::dom::ClonedMessageData const&) src/dom/ipc/BrowserChild.cpp:2224:7
#34 mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:3956:56
#35 mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PContentChild.cpp:7864:32
#36 mozilla::dom::ContentChild::OnMessageReceived(IPC::Message const&) src/dom/ipc/ContentChild.cpp:3800:25
#37 mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2185:25
#38 mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2109:9
#39 mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1954:3
#40 mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1985:13
#41 mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:295:32
#42 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1225:14
#43 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
#44 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:110:5
#45 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:315:10
#46 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#47 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#48 XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:934:20
#49 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:238:9
#50 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:315:10
#51 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#52 XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:769:34
#53 content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#54 main src/browser/app/nsBrowserApp.cpp:272:18
Flags: in-testsuite?
Flags: needinfo?(jmathies)
Flags: needinfo?(jmathies)
Priority: -- → P3