Closed Bug 1629395 Opened 5 years ago Closed 5 years ago

Assertion failure: mIntegrity.IsEmpty(), at /builds/worker/workspace/obj-build/dist/include/mozilla/dom/InternalRequest.h:244

Categories

(Core :: DOM: Networking, defect)

defect
Not set
normal

Tracking

()

VERIFIED FIXED
mozilla77
Tracking Status
firefox77 --- verified

People

(Reporter: jkratzer, Assigned: baku)

References

(Blocks 1 open bug)

Details

(Keywords: testcase, Whiteboard: [bugmon:confirm])

Attachments

(2 files)

Attached file testcase.zip

Testcase found while fuzzing mozilla-central rev e1342040e7eb (built with --enable-debug).

Assertion failure: mIntegrity.IsEmpty(), at /builds/worker/workspace/obj-build/dist/include/mozilla/dom/InternalRequest.h:244

rax = 0x000056031e2d0380   rdx = 0x0000000000000000
rcx = 0x00007fa820bf8478   rbx = 0x00007fa8117b6340
rsi = 0x00007fa82c8558b0   rdi = 0x00007fa82c854680
rbp = 0x00007fa810bfb9b0   rsp = 0x00007fa810bfb650
r8 = 0x00007fa82c8558b0    r9 = 0x00007fa810bff700
r10 = 0x0000000000000002   r11 = 0x0000000000000000
r12 = 0x00007fa810bfb6f8   r13 = 0x00000000217f6c04
r14 = 0x00007fa810bfbe88   r15 = 0x00007fa810bfbda8
rip = 0x00007fa81c7f1ddf
OS|Linux|0.0.0 Linux 5.3.0-45-generic #37~18.04.1-Ubuntu SMP Fri Mar 27 15:58:10 UTC 2020 x86_64
CPU|amd64|family 6 model 158 stepping 10|12
GPU|||
Crash|SIGSEGV /SEGV_MAPERR|0x0|31
31|0|libxul.so|mozilla::dom::Request::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::RequestOrUSVString const&, mozilla::dom::RequestInit const&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/fetch/Request.cpp:e1342040e7eb59de587efc614980577d53e591da|468|0x2d
31|1|libxul.so|mozilla::dom::FetchRequest(nsIGlobalObject*, mozilla::dom::RequestOrUSVString const&, mozilla::dom::RequestInit const&, mozilla::dom::CallerType, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/fetch/Fetch.cpp:e1342040e7eb59de587efc614980577d53e591da|453|0x1f
31|2|libxul.so|mozilla::dom::WorkerGlobalScope::Fetch(mozilla::dom::RequestOrUSVString const&, mozilla::dom::RequestInit const&, mozilla::dom::CallerType, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/workers/WorkerScope.cpp:e1342040e7eb59de587efc614980577d53e591da|456|0x5
31|3|libxul.so|mozilla::dom::WorkerGlobalScope_Binding::fetch|s3:gecko-generated-sources:3a1f6c4ad480cd0dc7b28a93e0bf2816061e1c571c5dd3d5336d79f0a468be3106be9eab831316f53f710be2b6092c673211f499d0a7841e5b9252e3e4ba063a/dom/bindings/WorkerGlobalScopeBinding.cpp:|1730|0x40
31|4|libxul.so|mozilla::dom::WorkerGlobalScope_Binding::fetch_promiseWrapper|s3:gecko-generated-sources:3a1f6c4ad480cd0dc7b28a93e0bf2816061e1c571c5dd3d5336d79f0a468be3106be9eab831316f53f710be2b6092c673211f499d0a7841e5b9252e3e4ba063a/dom/bindings/WorkerGlobalScopeBinding.cpp:|1746|0x5
31|5|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeGlobalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:e1342040e7eb59de587efc614980577d53e591da|3205|0x21
31|6|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:e1342040e7eb59de587efc614980577d53e591da|476|0x19
31|7|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:e1342040e7eb59de587efc614980577d53e591da|568|0x12
31|8|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:e1342040e7eb59de587efc614980577d53e591da|631|0x10
31|9|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:e1342040e7eb59de587efc614980577d53e591da|3027|0x16
31|10|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:e1342040e7eb59de587efc614980577d53e591da|409|0x152
31|11|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:e1342040e7eb59de587efc614980577d53e591da|603|0xf
31|12|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:e1342040e7eb59de587efc614980577d53e591da|631|0x10
31|13|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:e1342040e7eb59de587efc614980577d53e591da|648|0x8
31|14|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:e1342040e7eb59de587efc614980577d53e591da|2790|0x1f
31|15|libxul.so|mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&)|s3:gecko-generated-sources:472e6b4c149aec851331f3270ac379288b605db6333ed8d57ec6569a563ee6856829df390ff1946c7608f6f81346a1fa9e7268c1d56b1571931db5e2d52f361f/dom/bindings/EventHandlerBinding.cpp:|276|0x5
31|16|libxul.so|mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*)|hg:hg.mozilla.org/mozilla-central:dom/events/JSEventHandler.cpp:e1342040e7eb59de587efc614980577d53e591da|201|0x14e
31|17|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:e1342040e7eb59de587efc614980577d53e591da|1079|0xc
31|18|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:e1342040e7eb59de587efc614980577d53e591da|1271|0x1c
31|19|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:e1342040e7eb59de587efc614980577d53e591da|326|0x6b
31|20|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:e1342040e7eb59de587efc614980577d53e591da|558|0x12
31|21|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:e1342040e7eb59de587efc614980577d53e591da|1055|0x1a
31|22|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:e1342040e7eb59de587efc614980577d53e591da|1160|0x16
31|23|libxul.so|mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/events/DOMEventTargetHelper.cpp:e1342040e7eb59de587efc614980577d53e591da|169|0x5
31|24|libxul.so|mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventTarget.cpp:e1342040e7eb59de587efc614980577d53e591da|178|0x34
31|25|libxul.so|mozilla::dom::MessageEventRunnable::DispatchDOMEvent(JSContext*, mozilla::dom::WorkerPrivate*, mozilla::DOMEventTargetHelper*, bool)|hg:hg.mozilla.org/mozilla-central:dom/workers/MessageEventRunnable.cpp:e1342040e7eb59de587efc614980577d53e591da|106|0xb
31|26|libxul.so|mozilla::dom::WorkerRunnable::Run()|hg:hg.mozilla.org/mozilla-central:dom/workers/WorkerRunnable.cpp:e1342040e7eb59de587efc614980577d53e591da|369|0x10
31|27|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:e1342040e7eb59de587efc614980577d53e591da|1220|0xe
31|28|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:e1342040e7eb59de587efc614980577d53e591da|481|0x11
31|29|libxul.so|mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*)|hg:hg.mozilla.org/mozilla-central:dom/workers/WorkerPrivate.cpp:e1342040e7eb59de587efc614980577d53e591da|2912|0xe
31|30|libxul.so|WorkerThreadPrimaryRunnable::Run|hg:hg.mozilla.org/mozilla-central:dom/workers/RuntimeService.cpp:e1342040e7eb59de587efc614980577d53e591da|2302|0xc
31|31|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:e1342040e7eb59de587efc614980577d53e591da|1220|0xe
31|32|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:e1342040e7eb59de587efc614980577d53e591da|481|0x11
31|33|libxul.so|mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:e1342040e7eb59de587efc614980577d53e591da|332|0xd
31|34|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:e1342040e7eb59de587efc614980577d53e591da|315|0x19
31|35|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:e1342040e7eb59de587efc614980577d53e591da|290|0x8
31|36|libxul.so|nsThread::ThreadFunc(void*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:e1342040e7eb59de587efc614980577d53e591da|464|0x8
31|37|libnspr4.so|_pt_root|hg:hg.mozilla.org/mozilla-central:nsprpub/pr/src/pthreads/ptthread.c:e1342040e7eb59de587efc614980577d53e591da|201|0x7
31|38|libpthread-2.27.so||||0x76db
31|39|libc-2.27.so||||0x12188f```
Flags: in-testsuite?

Baku, who should look at this?

Flags: needinfo?(amarchesini)
Assignee: nobody → amarchesini
Flags: needinfo?(amarchesini)
Pushed by amarchesini@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d4e23c883c75 Overwrite integrity attribute in fetch() is allowed, r=smaug
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla77
Status: RESOLVED → VERIFIED
Keywords: bugmon
Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200423095248-47426d145e24. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: