1600645 - Assertion failure: mIndex > -1, at /builds/worker/workspace/build/src/docshell/shistory/nsSHistory.cpp:1384

Status: RESOLVED DUPLICATE of bug 1594850

(Core :: DOM: Navigation, defect, P3)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Testcase found while fuzzing mozilla-central rev caf55914ccdd.

Assertion failure: mIndex > -1, at /builds/worker/workspace/build/src/docshell/shistory/nsSHistory.cpp:1384

rax = 0x000056325398c340   rdx = 0x0000000000000000
rcx = 0x00007fb4a3fcc374   rbx = 0x00007fb4826cfc40
rsi = 0x00007fb4af6e48b0   rdi = 0x00007fb4af6e3680
rbp = 0x00007ffd23a1f710   rsp = 0x00007ffd23a1f6f0
r8 = 0x00007fb4af6e48b0    r9 = 0x00007fb4b084d780
r10 = 0x0000000000000000   r11 = 0x0000000000000000
r12 = 0x00000000ffffffff   r13 = 0x00007fb47be64e20
r14 = 0x00007fb47d15d300   r15 = 0x00007fb4802cb880
rip = 0x00007fb4a0c46ed4
OS|Linux|0.0.0 Linux 5.0.0-35-generic #38~18.04.1-Ubuntu SMP Mon Nov 11 09:16:10 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|1
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|nsSHistory::EnsureCorrectEntryAtCurrIndex(nsISHEntry*)|hg:hg.mozilla.org/mozilla-central:docshell/shistory/nsSHistory.cpp:caf55914ccddba34d462a1206530d7868b6c4992|1384|0x0
0|1|libxul.so|nsDocShell::OnNewURI(nsIURI*, nsIChannel*, nsIPrincipal*, nsIPrincipal*, nsIPrincipal*, unsigned int, nsIContentSecurityPolicy*, bool, bool, bool)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:caf55914ccddba34d462a1206530d7868b6c4992|10813|0x20
0|2|libxul.so|nsDocShell::OnLoadingSite(nsIChannel*, bool, bool)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:caf55914ccddba34d462a1206530d7868b6c4992|10868|0x1b
0|3|libxul.so|nsDocShell::CreateContentViewer(nsTSubstring<char> const&, nsIRequest*, nsIStreamListener**)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDocShell.cpp:caf55914ccddba34d462a1206530d7868b6c4992|7916|0x5
0|4|libxul.so|nsDSURIContentListener::DoContent(nsTSubstring<char> const&, bool, nsIRequest*, nsIStreamListener**, bool*)|hg:hg.mozilla.org/mozilla-central:docshell/base/nsDSURIContentListener.cpp:caf55914ccddba34d462a1206530d7868b6c4992|184|0x17
0|5|libxul.so|nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsURILoader.cpp:caf55914ccddba34d462a1206530d7868b6c4992|742|0x2
0|6|libxul.so|nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsURILoader.cpp:caf55914ccddba34d462a1206530d7868b6c4992|413|0x18
0|7|libxul.so|nsDocumentOpenInfo::OnStartRequest(nsIRequest*)|hg:hg.mozilla.org/mozilla-central:uriloader/base/nsURILoader.cpp:caf55914ccddba34d462a1206530d7868b6c4992|292|0xd
0|8|libxul.so|nsBaseChannel::OnStartRequest(nsIRequest*)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsBaseChannel.cpp:caf55914ccddba34d462a1206530d7868b6c4992|830|0x19
0|9|libxul.so|nsInputStreamPump::OnStateStart()|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsInputStreamPump.cpp:caf55914ccddba34d462a1206530d7868b6c4992|487|0x15
0|10|libxul.so|nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*)|hg:hg.mozilla.org/mozilla-central:netwerk/base/nsInputStreamPump.cpp:caf55914ccddba34d462a1206530d7868b6c4992|396|0x8
0|11|libxul.so|nsInputStreamReadyEvent::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/io/nsStreamUtils.cpp:caf55914ccddba34d462a1206530d7868b6c4992|91|0x15
0|12|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:caf55914ccddba34d462a1206530d7868b6c4992|1225|0x15
0|13|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:caf55914ccddba34d462a1206530d7868b6c4992|486|0x11
0|14|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:caf55914ccddba34d462a1206530d7868b6c4992|88|0xa
0|15|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:caf55914ccddba34d462a1206530d7868b6c4992|315|0x17
0|16|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:caf55914ccddba34d462a1206530d7868b6c4992|290|0x8
0|17|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:caf55914ccddba34d462a1206530d7868b6c4992|137|0xd
0|18|libxul.so|nsAppStartup::Run()|hg:hg.mozilla.org/mozilla-central:toolkit/components/startup/nsAppStartup.cpp:caf55914ccddba34d462a1206530d7868b6c4992|276|0xe
0|19|libxul.so|XREMain::XRE_mainRun()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:caf55914ccddba34d462a1206530d7868b6c4992|4586|0x11
0|20|libxul.so|XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:caf55914ccddba34d462a1206530d7868b6c4992|4721|0x8
0|21|libxul.so|XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:caf55914ccddba34d462a1206530d7868b6c4992|4802|0x5
0|22|firefox-bin|do_main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:caf55914ccddba34d462a1206530d7868b6c4992|218|0x26
0|23|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:caf55914ccddba34d462a1206530d7868b6c4992|300|0xf
0|24|libc-2.27.so||||0x21b97
0|25|firefox-bin|MOZ_ReportCrash|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:caf55914ccddba34d462a1206530d7868b6c4992|203|0x5

Comment 1

[Anny Gakhokidze [:annyG]]

A crash with this signature was fixed in bug 1594850. The revision caf55914ccdd used here is from Nov 8, whereas my fix came in on Nov 14, so this version of firefox did not have my fix. Closing this.