Assertion failure: !mChildSessionHistory, at docshell/base/BrowsingContext.cpp:3440
Categories: Core :: DOM: Navigation, defect
People: Reporter: decoder, Assigned: smaug
Details: Keywords: assertion, testcase
Attachments: 3 files
In experimental IPC fuzzing, we found the following crash on mozilla-central revision 5eb0c339e4a6+ (fuzzing-asan-nyx-opt build):
Assertion failure: !mChildSessionHistory, at docshell/base/BrowsingContext.cpp:3440
==1145123==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ff3f7f71adb bp 0x7ffe2b42bff0 sp 0x7ffe2b42bfc0 T0)
==1145123==The signal is caused by a WRITE memory access.
==1145123==Hint: address points to the zero page.
#0 0x7fa7e3e8cadb in mozilla::dom::BrowsingContext::CreateChildSHistory() docshell/base/BrowsingContext.cpp:3440:3
#1 0x7fa7e3eb15ce in mozilla::dom::BrowsingContext::DidSet(std::integral_constant<unsigned long, 50ul>, bool) docshell/base/BrowsingContext.cpp:3462:5
#2 0x7fa7e405234e in auto mozilla::dom::syncedcontext::Transaction<mozilla::dom::BrowsingContext>::Apply(mozilla::dom::BrowsingContext*, bool)::'lambda'(auto)::operator()<std::integral_constant<unsigned long, 50ul>>(auto) const dist/include/mozilla/dom/SyncedContextInlines.h:223:15
#3 0x7fa7e40495f9 in void mozilla::dom::syncedcontext::FieldValues<mozilla::dom::BrowsingContext::BaseFieldValues, 70ul>::EachIndexInner<mozilla::dom::syncedcontext::Transaction<mozilla::dom::BrowsingContext>::Apply(mozilla::dom::BrowsingContext*, bool)::'lambda'(auto)&, ..., auto&&) dist/include/mozilla/dom/SyncedContext.h:168:6
#4 0x7fa7e4049414 in void mozilla::dom::syncedcontext::FieldValues<mozilla::dom::BrowsingContext::BaseFieldValues, 70ul>::EachIndex<mozilla::dom::syncedcontext::Transaction<mozilla::dom::BrowsingContext>::Apply(mozilla::dom::BrowsingContext*, bool)::'lambda'(auto)&>(auto&&) dist/include/mozilla/dom/SyncedContext.h:154:5
#5 0x7fa7e3fb65b4 in void mozilla::dom::syncedcontext::Transaction<mozilla::dom::BrowsingContext>::EachIndex<mozilla::dom::syncedcontext::Transaction<mozilla::dom::BrowsingContext>::Apply(mozilla::dom::BrowsingContext*, bool)::'lambda'(auto)>(auto&&) dist/include/mozilla/dom/SyncedContext.h:128:5
#6 0x7fa7e3fb4347 in mozilla::dom::syncedcontext::Transaction<mozilla::dom::BrowsingContext>::Apply(mozilla::dom::BrowsingContext*, bool) dist/include/mozilla/dom/SyncedContextInlines.h:217:3
#7 0x7fa7e3fb4a73 in mozilla::dom::syncedcontext::Transaction<mozilla::dom::BrowsingContext>::CommitFromIPC(mozilla::dom::MaybeDiscarded<mozilla::dom::BrowsingContext> const&, mozilla::dom::ContentParent*) dist/include/mozilla/dom/SyncedContextInlines.h:170:3
#8 0x7fa7da3c0dd4 in mozilla::dom::ContentParent::RecvCommitBrowsingContextTransaction(mozilla::dom::MaybeDiscarded<mozilla::dom::BrowsingContext> const&, mozilla::dom::syncedcontext::Transaction<mozilla::dom::BrowsingContext>&&, unsigned long) dom/ipc/ContentParent.cpp:7734:23
#9 0x7fa7da6eafce in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) ipc/ipdl/PContentParent.cpp:14849:81
[...]
#32 0x55d64506c173 in do_main(int, char**, char**) browser/app/nsBrowserApp.cpp:227:22
#33 0x55d64506b1fc in main browser/app/nsBrowserApp.cpp:445:16
The issue reproduces locally and crashes both parent and child with the same diagnostic assert as far as I can see from the logs. Is this assert harmless and should I disable it for IPC fuzzing?
Comment 1 (Reporter, 2 years ago)
Comment 2 (Reporter, 2 years ago)
Updated (2 years ago)
Comment 3 (2 years ago)
FWIW, I don't see any crashes where the crash reason contains mChildSessionHistory, nor any crashes with CreateChildSHistory in the signature, so maybe this could be an assert instead of a diagnostic assert, if it is benign.
Comment 4 (Assignee, 2 years ago)
Ah, because of bug 1765951 being fixed, it should be safe now to just replace mChildSessionHistory.
So, switching to MOZ_ASSERT should be fine.
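As an added illustration of the trade-off discussed in comments 3 and 4 (this is example code written for this page, not Mozilla's code), the toy program below models the call chain visible in the stack trace, Transaction::Apply -> DidSet -> CreateChildSHistory, with a stand-in BrowsingContext and ChildSHistory. It replays a duplicated "HasSessionHistory = true" transaction and shows what the "!mChildSessionHistory" check does under a diagnostic assert versus a plain MOZ_ASSERT in an opt fuzzing build. The build flags, the one-field transaction, the Outcome enum and the helper names ReplayDoubleCommit and SecondHistoryIsFresh are all assumptions made for the example; the real macros are modelled as an enum, and a firing assert is reported as WouldCrash instead of terminating the process.

```cpp
#include <cstdio>
#include <memory>

// Constructed stand-in for the real ChildSHistory: it only carries an id so a
// replaced history is distinguishable from the original.
struct ChildSHistory {
  static int sNextId;
  int id = sNextId++;
};
int ChildSHistory::sNextId = 1;

// Which macro guards the "!mChildSessionHistory" check. In mozilla-central,
// MOZ_DIAGNOSTIC_ASSERT is live in debug builds and in Nightly-style opt builds
// (including the fuzzing-asan-nyx-opt build from the report); MOZ_ASSERT is
// live in debug builds only.
enum class AssertLevel { Diagnostic, Debug };

// Toy build configuration matching the report: an opt build with diagnostic
// asserts enabled (assumption: these two flags are all that matters here).
constexpr bool kDebugBuild = false;
constexpr bool kDiagnosticAssertsEnabled = true;

enum class Outcome { NoOp, Created, Replaced, WouldCrash };

struct BrowsingContext {
  bool mHasSessionHistory = false;  // the synced field whose DidSet we model
  std::unique_ptr<ChildSHistory> mChildSessionHistory;
  AssertLevel mAssertLevel = AssertLevel::Diagnostic;

  static bool AssertFires(AssertLevel level) {
    if (level == AssertLevel::Diagnostic) {
      return kDebugBuild || kDiagnosticAssertsEnabled;
    }
    return kDebugBuild;
  }

  // Frame #0 of the report. A firing assert kills the process in the real code
  // (the "WRITE" SEGV on the zero page in the ASan log is that deliberate
  // crash); here we return WouldCrash instead so the scenario can be examined.
  Outcome CreateChildSHistory() {
    if (mChildSessionHistory) {
      if (AssertFires(mAssertLevel)) {
        return Outcome::WouldCrash;
      }
      // Assert compiled out: the existing history is dropped and replaced,
      // which is the behaviour comment 4 says is now safe.
      mChildSessionHistory = std::make_unique<ChildSHistory>();
      return Outcome::Replaced;
    }
    mChildSessionHistory = std::make_unique<ChildSHistory>();
    return Outcome::Created;
  }

  // Frame #1: the DidSet hook for the field, run by Transaction::Apply.
  Outcome DidSetHasSessionHistory(bool value) {
    mHasSessionHistory = value;
    return value ? CreateChildSHistory() : Outcome::NoOp;
  }
};

// A one-field transaction; CommitFromIPC stands in for frames #6/#7.
struct Transaction {
  bool hasSessionHistory;
};

Outcome CommitFromIPC(BrowsingContext& bc, const Transaction& tx) {
  return bc.DidSetHasSessionHistory(tx.hasSessionHistory);
}

// Replays what a duplicated IPC transaction does: the same
// "HasSessionHistory = true" commit delivered twice. Returns the outcome of the
// second commit and, optionally, the history ids before and after it.
Outcome ReplayDoubleCommit(AssertLevel level, int* firstId = nullptr,
                           int* secondId = nullptr) {
  BrowsingContext bc;
  bc.mAssertLevel = level;
  Transaction tx{true};
  CommitFromIPC(bc, tx);
  if (firstId) *firstId = bc.mChildSessionHistory->id;
  Outcome second = CommitFromIPC(bc, tx);
  if (secondId) *secondId = bc.mChildSessionHistory->id;
  return second;
}

// True when the second commit produced a fresh ChildSHistory object.
bool SecondHistoryIsFresh(AssertLevel level) {
  int a = 0, b = 0;
  ReplayDoubleCommit(level, &a, &b);
  return a != b;
}

int main() {
  std::printf("MOZ_DIAGNOSTIC_ASSERT, opt fuzzing build: %s\n",
              ReplayDoubleCommit(AssertLevel::Diagnostic) == Outcome::WouldCrash
                  ? "second commit would crash the process"
                  : "second commit tolerated");
  int a = 0, b = 0;
  Outcome o = ReplayDoubleCommit(AssertLevel::Debug, &a, &b);
  std::printf("MOZ_ASSERT, opt fuzzing build: %s (history %d -> %d)\n",
              o == Outcome::Replaced ? "history replaced" : "unexpected", a, b);
  return 0;
}
```

The point the model makes explicit is the one comment 3 raises: a diagnostic assert turns a harmless double-set into a process kill in every Nightly-style and fuzzing build, so the downgrade is only correct if the state after the check is safe, which is what the fix for bug 1765951 provides here.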
Comment 5 (Assignee, 2 years ago)
Updated (2 years ago)
Comment 7 (2 years ago)
Comment 8 (2 years ago)
The patch landed in nightly and beta is affected.
:smaug, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set status-firefox117 to wontfix.
For more information, please visit BugBot documentation.
Comment 9 (Assignee, 2 years ago)
I don't think we do ipc fuzzing on beta/release, so this isn't needed.
Updated (2 years ago)
Updated (2 years ago)