Closed Bug 1936219 Opened 3 months ago Closed 2 months ago

Assertion failure in GetTrustedTypesCompliantString with trusted types enabled: IsWorkerGlobal(globalObject->GetGlobalJSObject())

Categories: Core :: DOM: Security, defect, P3
Status: RESOLVED FIXED (135 Branch)
Tracking Status: firefox135 --- fixed
People: Reporter: mbrodesser-Igalia, Assigned: fredw
References: Blocks 1 open bug
Attachments: 2 files
Happens with yesterday's Nightly mozilla-central.

STR:

  1. Download the attached <i.html> file.
  2. Set the "dom.security.trusted_types.enabled" pref to true.
  3. Open <i.html>.

[21951] Assertion failure: IsWorkerGlobal(globalObject->GetGlobalJSObject()), at /home/mirko/work/code/gecko/dom/security/trusted-types/TrustedTypeUtils.cpp:389

How undesirable :D
If you don't intend to work on this, can you provide a full backtrace?

Severity: -- → S3
Priority: -- → P3

#0  0x000071c687eecadf in __GI___clock_nanosleep (clock_id=clock_id@entry=0, flags=flags@entry=0, req=req@entry=0x7ffc089de920, rem=rem@entry=0x7ffc089de920)
    at ../sysdeps/unix/sysv/linux/clock_nanosleep.c:78
#1  0x000071c687ef9a27 in __GI___nanosleep (req=req@entry=0x7ffc089de920, rem=rem@entry=0x7ffc089de920) at ../sysdeps/unix/sysv/linux/nanosleep.c:25
#2  0x000071c687f0ec63 in __sleep (seconds=0) at ../sysdeps/posix/sleep.c:55
#3  0x000071c67efc9030 in common_crap_handler (signum=signum@entry=11, aFirstFramePC=<optimized out>) at /home/mirko/work/code/gecko/toolkit/xre/nsSigHandlers.cpp:105
#4  0x000071c67efc914e in child_ah_crap_handler (signum=11) at /home/mirko/work/code/gecko/toolkit/xre/nsSigHandlers.cpp:119
#5  0x000071c6806ef513 in WasmTrapHandler (signum=11, info=0x7ffc089deb70, context=0x7ffc089dea40) at /home/mirko/work/code/gecko/js/src/wasm/WasmSignalHandlers.cpp:794
#6  0x000071c687e45320 in <signal handler called> () at /lib/x86_64-linux-gnu/libc.so.6
#7  mozilla::dom::TrustedTypeUtils::GetTrustedTypesCompliantString<mozilla::dom::TrustedScriptURL, mozilla::dom::TrustedScriptURLOrUSVString, nsIGlobalObject>
    (aInput=..., aSink=u"Worker constructor", aSinkGroup=u"'script'", aNodeOrGlobalObject=..., aResultHolder=..., aError=...)
    at /home/mirko/work/code/gecko/dom/security/trusted-types/TrustedTypeUtils.cpp:389
#8  0x000071c67d26baba in mozilla::dom::TrustedTypeUtils::GetTrustedTypesCompliantString (aInput=..., aSink=Python Exception <class 'gdb.MemoryError'>: Cannot access memory at address 0x0
#9  0x000071c67d83b63b in mozilla::dom::Worker::Constructor
    (aGlobal=<optimized out>, aScriptURL=..., aOptions=..., aRv=...) at /home/mirko/work/code/gecko/dom/workers/Worker.cpp:52
#10 0x000071c67b071f3e in mozilla::dom::Worker_Binding::_constructor (cx_=<optimized out>, argc=<optimized out>, vp=<optimized out>) at ./WorkerBinding.cpp:1148
#11 0x000071c67f1e2fab in CallJSNative
    (cx=cx@entry=0x71c671936200, native=native@entry=0x71c67b60d220 <mozilla::dom::InterfaceObjectJSNative(JSContext*, unsigned int, JS::Value*)>, reason=reason@entry=js::CallReason::Call, args=...) at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:532
#12 0x000071c67f1ec83d in CallJSNativeConstructor (cx=cx@entry=0x71c671936200, native=0x71c67b60d220 <mozilla::dom::InterfaceObjectJSNative(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:550
#13 0x000071c67f1bd1ca in InternalConstruct (cx=cx@entry=0x71c671936200, args=..., reason=js::CallReason::Call) at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:756
#14 0x000071c67f1cd78a in js::ConstructFromStack (cx=0x71c671936200, args=..., reason=<optimized out>) at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:803
#15 js::Interpret (cx=0x71c671936200, state=...) at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:3323
#16 0x000071c67f1bb1aa in MaybeEnterInterpreterTrampoline (cx=0x71c688005700 <_IO_stdfile_2_lock>, cx@entry=0x71c671936200, state=...)
    at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:433
#17 0x000071c67f1badbb in js::RunScript (cx=cx@entry=0x71c671936200, state=...) at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:502
#18 0x000071c67f1bb80e in js::InternalCallOrConstruct (cx=0x71c671936200, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Call)
    at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:660
#19 0x000071c67f1bc648 in InternalCall (cx=<optimized out>, args=..., reason=1066617600, reason@entry=js::CallReason::Call) at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:695
#20 0x000071c67f1bc839 in js::Call (cx=cx@entry=0x71c671936200, fval=fval@entry=$JS::Value((JSObject *) 0x3ca30842fe08 [object Function "get workerReady/this._workerReadyPromise<"]), thisv=Python Exception <class 'gdb.error'>: value has been optimized out

   , args=..., rval=rval@entry=$JS::Value((JSObject *) 0x3ca30842fe08 [object Function "get workerReady/this._workerReadyPromise<"]), reason=reason@entry=js::CallReason::Call)
    at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:727
#21 0x000071c67f4ccfd8 in js::PromiseObject::create
    (cx=cx@entry=0x71c671936200, executor=executor@entry=(JSObject * const) 0x3ca30842fe08 [object Function "get workerReady/this._workerReadyPromise<"], proto=proto@entry=0x0, needsWrapping=<optimized out>) at /home/mirko/work/code/gecko/js/src/builtin/Promise.cpp:2871
#22 0x000071c67f4cc4ea in PromiseConstructor (cx=cx@entry=0x71c671936200, argc=<optimized out>, vp=<optimized out>) at /home/mirko/work/code/gecko/js/src/builtin/Promise.cpp:2776
#23 0x000071c67f1e2fab in CallJSNative
    (cx=cx@entry=0x71c671936200, native=native@entry=0x71c67f4cc2b0 <PromiseConstructor(JSContext*, unsigned int, JS::Value*)>, reason=reason@entry=js::CallReason::Call, args=...)
    at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:532
#24 0x000071c67f1ec83d in CallJSNativeConstructor (cx=cx@entry=0x71c671936200, native=0x71c67f4cc2b0 <PromiseConstructor(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:550
#25 0x000071c67f1bd1ca in InternalConstruct (cx=cx@entry=0x71c671936200, args=..., reason=js::CallReason::Call) at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:756
#26 0x000071c67f1cd78a in js::ConstructFromStack (cx=0x71c671936200, args=..., reason=<optimized out>) at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:803
#27 js::Interpret (cx=0x71c671936200, state=...) at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:3323
#28 0x000071c67f1bb1aa in MaybeEnterInterpreterTrampoline (cx=0x71c688005700 <_IO_stdfile_2_lock>, cx@entry=0x71c671936200, state=...)
    at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:433
#29 0x000071c67f1badbb in js::RunScript (cx=cx@entry=0x71c671936200, state=...) at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:502
#30 0x000071c67f1bb80e in js::InternalCallOrConstruct (cx=0x71c671936200, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Getter)
    at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:660
#31 0x000071c67f1bc648 in InternalCall (cx=<optimized out>, args=..., reason=1066617600, reason@entry=js::CallReason::Getter) at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:695
#32 0x000071c67f1bc839 in js::Call
    (cx=cx@entry=0x71c671936200, fval=fval@entry=$JS::Value((JSObject *) 0x3ca30842f8e8 [object Function "get workerReady"]), thisv=thisv@entry=$JS::Value((JSObject *) 0x3ca30842f7e8 [object Object]), args=..., rval=rval@entry=$JS::UndefinedValue(), reason=reason@entry=js::CallReason::Getter) at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:727
#33 0x000071c67f1bde74 in js::CallGetter
    (cx=cx@entry=0x71c671936200, thisv=thisv@entry=$JS::Value((JSObject *) 0x3ca30842f7e8 [object Object]), getter=getter@entry=$JS::Value((JSObject *) 0x3ca30842f8e8 [object Function "get workerReady"]), rval=rval@entry=$JS::UndefinedValue()) at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:849
#34 0x000071c67f4844bb in CallGetter (cx=<optimized out>, obj=Python Exception <class 'gdb.error'>: value has been optimized out
, receiver=Python Exception <class 'gdb.error'>: value has been optimized out
, id=Python Exception <class 'gdb.error'>: value has been optimized out
, prop=..., vp=Python Exception <class 'gdb.error'>: value has been optimized out
) at /home/mirko/work/code/gecko/js/src/vm/NativeObject.cpp:2149
#35 GetExistingProperty<(js::AllowGC)1>
    (cx=cx@entry=0x71c671936200, receiver=receiver@entry=$JS::Value((JSObject *) 0x3ca30842f7e8 [object Object]), obj=obj@entry=(js::NativeObject * const) 0x3ca30842f7e8 [object Object], id=id@entry=$jsid("workerReady"), prop=..., vp=vp@entry=$JS::UndefinedValue()) at /home/mirko/work/code/gecko/js/src/vm/NativeObject.cpp:2177
#36 0x000071c67f484dda in NativeGetPropertyInline<(js::AllowGC)1> (cx=0x71c671936200, obj=Python Exception <class 'gdb.error'>: value has been optimized out

   , receiver=$JS::Value((JSObject *) 0x3ca30842f7e8 [object Object]), id=$jsid("workerReady"), nameLookup=NotNameLookup, vp=$JS::UndefinedValue())
    at /home/mirko/work/code/gecko/js/src/vm/NativeObject.cpp:2330
#37 0x000071c67f1a1d94 in js::GetProperty
    (cx=0x71c671936200, obj=(JSObject * const) 0x3ca30842f7e8 [object Object], receiver=$JS::Value((JSObject *) 0x3ca30842f7e8 [object Object]), name=<optimized out>, vp=$JS::UndefinedValue()) at /home/mirko/work/code/gecko/js/src/vm/ObjectOperations-inl.h:124
#38 0x000071c67f1dde19 in js::GetProperty (cx=cx@entry=0x71c671936200, v=v@entry=$JS::Value((JSObject *) 0x3ca30842f7e8 [object Object]), name=Python Exception <class 'gdb.error'>: value has been optimized out
, 
    name@entry="workerReady", vp=vp@entry=$JS::UndefinedValue()) at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:4774
#39 0x000071c67f1c9193 in GetPropertyOperation (cx=0x71c671936200, vp=$JS::UndefinedValue(), name=Python Exception <class 'gdb.error'>: value has been optimized out
, lval=Python Exception <class 'gdb.error'>: value has been optimized out
) at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:285
#40 js::Interpret (cx=0x71c671936200, state=...) at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:2993
#41 0x000071c67f1bb1aa in MaybeEnterInterpreterTrampoline (cx=0x71c688005700 <_IO_stdfile_2_lock>, cx@entry=0x71c671936200, state=...)
    at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:433
#42 0x000071c67f1badbb in js::RunScript (cx=cx@entry=0x71c671936200, state=...) at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:502
#43 0x000071c67f1bb80e in js::InternalCallOrConstruct (cx=0x71c671936200, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Call)
    at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:660
#44 0x000071c67f1bc648 in InternalCall (cx=<optimized out>, args=..., reason=1066617600, reason@entry=js::CallReason::Call) at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:695
#45 0x000071c67f1bc839 in js::Call
    (cx=cx@entry=0x71c671936200, fval=fval@entry=$JS::Value((JSObject *) 0x8cd9d113d80 [object Function "AsyncFunctionNext"]), thisv=thisv@entry=$JS::Value((JSObject *) 0x3ca30842e7c0 [object AsyncFunctionGenerator]), args=..., rval=rval@entry=$JS::Value((JSObject *) 0x3ca30842e7c0 [object AsyncFunctionGenerator]), reason=reason@entry=js::CallReason::Call)
    at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:727
#46 0x000071c67f5a57c8 in js::CallSelfHostedFunction
    (cx=cx@entry=0x71c671936200, name="AsyncFunctionNext", thisv=thisv@entry=$JS::Value((JSObject *) 0x3ca30842e7c0 [object AsyncFunctionGenerator]), args=..., rval=rval@entry=$JS::Value((JSObject *) 0x3ca30842e7c0 [object AsyncFunctionGenerator])) at /home/mirko/work/code/gecko/js/src/vm/SelfHosting.cpp:1578
#47 0x000071c67f27eba2 in AsyncFunctionResume
    (cx=cx@entry=0x71c671936200, generator=(js::AsyncFunctionGeneratorObject * const) 0x3ca30842e7c0 [object AsyncFunctionGenerator], kind=kind@entry=ResumeKind::Normal, valueOrReason=$JS::Value((JSObject *) 0x3f713cff61c8 [object Proxy])) at /home/mirko/work/code/gecko/js/src/vm/AsyncFunction.cpp:156
#48 0x000071c67f27e85c in js::AsyncFunctionAwaitedFulfilled (cx=0x71c688005700 <_IO_stdfile_2_lock>, 
    cx@entry=0x71c671936200, generator=<error reading variable: Cannot access memory at address 0x0>, value=$JS::DoubleValue(6.1806217272591e-310))
    at /home/mirko/work/code/gecko/js/src/vm/AsyncFunction.cpp:197
#49 0x000071c67f4e8456 in AsyncFunctionPromiseReactionJob (cx=0x71c671936200, reaction=(PromiseReactionRecord * const) 0x3ca30842ea40 [object PromiseReactionRecord])
    at /home/mirko/work/code/gecko/js/src/builtin/Promise.cpp:2112
#50 PromiseReactionJob (cx=cx@entry=0x71c671936200, argc=<optimized out>, vp=<optimized out>) at /home/mirko/work/code/gecko/js/src/builtin/Promise.cpp:2175
#51 0x000071c67f1e2fab in CallJSNative
    (cx=cx@entry=0x71c671936200, native=0x71c67f4e7c00 <PromiseReactionJob(JSContext*, unsigned int, JS::Value*)>, reason=reason@entry=js::CallReason::Call, args=...)
    at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:532
#52 0x000071c67f1bb924 in js::InternalCallOrConstruct (cx=0x71c671936200, args=..., construct=construct@entry=js::NO_CONSTRUCT, reason=js::CallReason::Call)
    at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:628
#53 0x000071c67f1bc648 in InternalCall (cx=<optimized out>, args=..., reason=1066617600, reason@entry=js::CallReason::Call) at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:695
#54 0x000071c67f1bc839 in js::Call (cx=cx@entry=0x71c671936200, fval=Python Exception <class 'gdb.error'>: value has been optimized out
, thisv=Python Exception <class 'gdb.error'>: value has been optimized out
, args=..., rval=rval@entry=$JS::UndefinedValue(), reason=reason@entry=js::CallReason::Call)
    at /home/mirko/work/code/gecko/js/src/vm/Interpreter.cpp:727
#55 0x000071c67f2bd4bc in JS::Call
    (cx=0x71c671936200, thisv=$JS::UndefinedValue(), fval=$JS::Value((JSObject *) 0x3ca30842f3f0 [object Function ""]), args=..., rval=rval@entry=$JS::UndefinedValue())
    at /home/mirko/work/code/gecko/js/src/vm/CallAndConstruct.cpp:119
#56 0x000071c67a85d591 in mozilla::dom::PromiseJobCallback::Call (this=<optimized out>, cx=..., aThisVal=$JS::UndefinedValue(), aRv=...) at ./PromiseBinding.cpp:83
#57 0x000071c678060386 in mozilla::dom::PromiseJobCallback::Call
    (this=this@entry=0x71c671866240, aRv=..., aExecutionReason=0x71c672d3e13e "promise callback", aExceptionHandling=aExceptionHandling@entry=mozilla::dom::CallbackObject::eReportExceptions, aRealm=aRealm@entry=0x0) at /home/mirko/work/code/gecko/obj-ff-dbg/dist/include/mozilla/dom/PromiseBinding.h:198
#58 0x000071c67805fb40 in mozilla::dom::PromiseJobCallback::Call (this=0x71c671866240, aExecutionReason=0x71c688004563 <_IO_2_1_stderr_+131> "")
    at /home/mirko/work/code/gecko/obj-ff-dbg/dist/include/mozilla/dom/PromiseBinding.h:211
#59 mozilla::PromiseJobRunnable::Run (this=0x71c670b39610, aAso=...) at /home/mirko/work/code/gecko/xpcom/base/CycleCollectedJSContext.cpp:209
#60 0x000071c67803ceb9 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint (this=0x71c671833000, aForce=<optimized out>)
    at /home/mirko/work/code/gecko/xpcom/base/CycleCollectedJSContext.cpp:768
#61 0x000071c67b61e52b in mozilla::CycleCollectedJSContext::LeaveMicroTask (this=0x71c674c3ab58) at /home/mirko/work/code/gecko/obj-ff-dbg/dist/include/mozilla/CycleCollectedJSContext.h:241
#62 mozilla::dom::CallbackObject::CallSetup::~CallSetup (this=0x7ffc089e1aa0) at /home/mirko/work/code/gecko/dom/bindings/CallbackObject.cpp:394
#63 0x000071c679f9486b in mozilla::dom::IdleRequestCallback::Call
    (this=0x71c6721c3900, deadline=..., aRv=..., aExecutionReason=0x71c6743d521e "requestIdleCallback handler", aExceptionHandling=mozilla::dom::CallbackObject::eReportExceptions, aRealm=0x0) at /home/mirko/work/code/gecko/obj-ff-dbg/dist/include/mozilla/dom/WindowBinding.h:391
#64 0x000071c67a0ca37a in mozilla::dom::IdleRequestCallback::Call (this=0x71c6721c3900, deadline=..., aExecutionReason=0x5d763f934b00 <gMozCrashReason> "X\253\303t\306q")
    at /home/mirko/work/code/gecko/obj-ff-dbg/dist/include/mozilla/dom/WindowBinding.h:403
#65 mozilla::dom::IdleRequest::IdleRun
    (this=<optimized out>, aWindow=<optimized out>, aDeadline=<error reading variable: That operation is not available on integers of more than 8 bytes.>, aDidTimeout=false)
    at /home/mirko/work/code/gecko/dom/base/IdleRequest.cpp:57
#66 0x000071c679ecaee1 in nsGlobalWindowInner::RunIdleRequest
    (this=this@entry=0x71c670b7a400, aRequest=aRequest@entry=0x71c6721c3e80, aDeadline=<error reading variable: That operation is not available on integers of more than 8 bytes.>, 
    aDeadline@entry=1343.7139220000001, aDidTimeout=false) at /home/mirko/work/code/gecko/dom/base/nsGlobalWindowInner.cpp:739
#67 0x000071c679eca496 in nsGlobalWindowInner::ExecuteIdleRequest (this=this@entry=0x71c670b7a400, aDeadline=...) at /home/mirko/work/code/gecko/dom/base/nsGlobalWindowInner.cpp:767
#68 0x000071c679eca324 in IdleRequestExecutor::Run (this=0x71c6721c22e0) at /home/mirko/work/code/gecko/dom/base/nsGlobalWindowInner.cpp:608
#69 0x000071c67817c9c8 in mozilla::RunnableTask::Run (this=0x71c670b34a00) at /home/mirko/work/code/gecko/xpcom/threads/TaskController.cpp:688
#70 0x000071c67816f1be in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal (this=this@entry=0x71c687c17400, aProofOfLock=...)
    at /home/mirko/work/code/gecko/xpcom/threads/TaskController.cpp:1015
#71 0x000071c67816dd4b in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal (this=this@entry=0x71c687c17400, aProofOfLock=...)
    at /home/mirko/work/code/gecko/xpcom/threads/TaskController.cpp:880
#72 0x000071c67816e066 in mozilla::TaskController::ProcessPendingMTTask (this=0x71c687c17400, aMayWait=false) at /home/mirko/work/code/gecko/xpcom/threads/TaskController.cpp:624
#73 0x000071c678173c97 in mozilla::TaskController::TaskController()::$_0::operator()() const (this=<optimized out>) at /home/mirko/work/code/gecko/xpcom/threads/TaskController.cpp:336
#74 mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() (this=<optimized out>) at /home/mirko/work/code/gecko/xpcom/threads/nsThreadUtils.h:548
#75 0x000071c678199545 in nsThread::ProcessNextEvent (this=0x71c6721102c0, aMayWait=<optimized out>, aResult=0x7ffc089e246f) at /home/mirko/work/code/gecko/xpcom/threads/nsThread.cpp:1159
#76 0x000071c67819fa20 in NS_ProcessNextEvent (aThread=0x71c688005700 <_IO_stdfile_2_lock>, aThread@entry=0x71c6721102c0, aMayWait=false)
    at /home/mirko/work/code/gecko/xpcom/threads/nsThreadUtils.cpp:480
#77 0x000071c678d53291 in mozilla::ipc::MessagePump::Run (this=0x71c687c8df60, aDelegate=0x7ffc089e2660) at /home/mirko/work/code/gecko/ipc/glue/MessagePump.cpp:85
#78 0x000071c678c890a2 in MessageLoop::RunHandler (this=0x71c688005700 <_IO_stdfile_2_lock>) at /home/mirko/work/code/gecko/ipc/chromium/src/base/message_loop.cc:362
#79 MessageLoop::Run (this=0x71c688005700 <_IO_stdfile_2_lock>) at /home/mirko/work/code/gecko/ipc/chromium/src/base/message_loop.cc:344
#80 0x000071c67de49699 in nsBaseAppShell::Run (this=0x71c672115e80) at /home/mirko/work/code/gecko/widget/nsBaseAppShell.cpp:148
#81 0x000071c67df16e19 in nsAppShell::Run (this=0x71c672115e80) at /home/mirko/work/code/gecko/widget/gtk/nsAppShell.cpp:469
#82 0x000071c67efc451c in XRE_RunAppShell () at /home/mirko/work/code/gecko/toolkit/xre/nsEmbedFunctions.cpp:646
#83 0x000071c678d53c7d in mozilla::ipc::MessagePumpForChildProcess::Run (this=0x71c688005700 <_IO_stdfile_2_lock>, aDelegate=0x7ffc089e2660)
    at /home/mirko/work/code/gecko/ipc/glue/MessagePump.cpp:235
#84 0x000071c678c890a2 in MessageLoop::RunHandler (this=0x71c688005700 <_IO_stdfile_2_lock>) at /home/mirko/work/code/gecko/ipc/chromium/src/base/message_loop.cc:362
#85 MessageLoop::Run (this=0x71c688005700 <_IO_stdfile_2_lock>) at /home/mirko/work/code/gecko/ipc/chromium/src/base/message_loop.cc:344
#86 0x000071c67efc3d17 in XRE_InitChildProcess (aArgc=19, aArgv=<optimized out>, aChildData=<optimized out>) at /home/mirko/work/code/gecko/toolkit/xre/nsEmbedFunctions.cpp:584
#87 0x00005d763f87bb9f in main (argc=27, argv=0x71c687c44b60, envp=0x7ffc089e3b30) at /home/mirko/work/code/gecko/browser/app/nsBrowserApp.cpp:397
(gdb) 

Happened with a local build on Ubuntu 24.04.

Seems to be the "Worker constructor" sink added in bug 1931295. I can debug when I'm back to work tomorrow, but feel free to take it before.

Summary: Assertion violated with trusted types pref enabled → Assertion failure in GetTrustedTypesCompliantString with trusted types enabled: IsWorkerGlobal(globalObject->GetGlobalJSObject())

GetTrustedTypesCompliantString assumes the global object received corresponds to Window or WorkerGlobalScope DOM objects, but in the testcase it's a BackstagePass object created here:

#0  BackstagePass::BackstagePass (this=0x7d9741e27fc0) at /home/fred/src-obj/mozilla-unified/js/xpconnect/src/XPCRuntimeService.cpp:25
#1  0x00007d972b676062 in mozilla::MakeRefPtr<BackstagePass> () at /home/fred/src-obj/mozilla-unified/obj-x86_64-pc-linux-gnu-debug/dist/include/mozilla/RefPtr.h:631
#2  0x00007d972b6f2330 in mozJSModuleLoader::CreateLoaderGlobal (this=0x7d9741ed81c0, aCx=0x7d971ef36200, aLocation="shared JSM global", aGlobal=0x0) at /home/fred/src-obj/mozilla-unified/js/xpconnect/loader/mozJSModuleLoader.cpp:638
#3  0x00007d972b6f0f18 in mozJSModuleLoader::InitSharedGlobal (this=0x7d9741ed81c0, aCx=0x7d971ef36200) at /home/fred/src-obj/mozilla-unified/js/xpconnect/loader/mozJSModuleLoader.cpp:698
#4  0x00007d972b6f0dcf in mozJSModuleLoader::InitStatics () at /home/fred/src-obj/mozilla-unified/js/xpconnect/loader/mozJSModuleLoader.cpp:461
#5  0x00007d972b7e6ba2 in nsXPConnect::InitJSContext () at /home/fred/src-obj/mozilla-unified/js/xpconnect/src/nsXPConnect.cpp:100
#6  0x00007d972b7e6bd9 in xpc::InitializeJSContext () at /home/fred/src-obj/mozilla-unified/js/xpconnect/src/nsXPConnect.cpp:108
#7  0x00007d972a495471 in NS_InitXPCOM (aResult=0x0, aBinDirectory=0x7d9741e85880, aAppFileLocationProvider=0x7d9741e2e520, aInitJSContext=true) at /home/fred/src-obj/mozilla-unified/xpcom/build/XPCOMInit.cpp:511
#8  0x00007d973283a53b in mozilla::dom::ContentProcess::InfallibleInit (this=0x7d9741e2e000, aArgc=10, aArgv=0x7d9741ea8700) at /home/fred/src-obj/mozilla-unified/dom/ipc/ContentProcess.cpp:160
#9  0x00007d9732839d83 in mozilla::dom::ContentProcess::Init (this=0x7d9741e2e000, aArgc=19, aArgv=0x7d9741ea8700) at /home/fred/src-obj/mozilla-unified/dom/ipc/ContentProcess.cpp:66
#10 0x00007d9734b9de5b in XRE_InitChildProcess (aArgc=19, aArgv=0x7d9741ea8700, aChildData=0x7fffe4a4179c) at /home/fred/src-obj/mozilla-unified/toolkit/xre/nsEmbedFunctions.cpp:555
#11 0x00007d9734bab947 in mozilla::BootstrapImpl::XRE_InitChildProcess (this=0x7d9741e03760, argc=29, argv=0x7d9741ea8700, aChildData=0x7fffe4a4179c) at /home/fred/src-obj/mozilla-unified/toolkit/xre/Bootstrap.cpp:64
#12 0x000063644fba4b1a in main (argc=29, argv=0x7d9741ea8700, envp=0x7fffe4a41970) at /home/fred/src-obj/mozilla-unified/browser/app/nsBrowserApp.cpp:397

I'm not exactly sure what this object is about, but it seems to be internal stuff. It also looks like we have more non-DOM objects that can be global objects: https://searchfox.org/mozilla-central/rev/d6ba5401121104ae242ca18efa6a5672af9cae0f/dom/bindings/BindingUtils.cpp#2487

I don't know which of these could end up calling the worker constructor, but I assume we don't want to do the trusted type check in that case.

Here are the subclasses of nsIGlobalObject we implement: https://searchfox.org/mozilla-central/search?q=symbol:T_nsIGlobalObject&redirect=false

The HTML spec defines three objects where the Worker constructor is exposed, and the corresponding global is either a Window or (deriving from) WorkerGlobalScope global: https://html.spec.whatwg.org/multipage/workers.html#dedicated-workers-and-the-worker-interface

So it looks OK to me if we just add a globalObject->GetAsInnerWindow() || IsWorkerGlobal(globalObject->GetGlobalJSObject()) check, but maybe that's too much...

Assignee: nobody → fwang

Oh, I also forgot to mention I'm not able to reproduce the issue when running the testcase as a WPT crash test, but I can when running Firefox with ./mach run. I guess the BackstagePass is not created when running WPT tests. Not sure how we could write a non-regression test then.

The spec only mentions Window/WorkerGlobalScope contexts [1] but we also
call the worker constructor for other nsIGlobalObject such as
BackstagePass. See [2] for details.

[1] https://html.spec.whatwg.org/multipage/workers.html#dedicated-workers-and-the-worker-interface
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1936219#c6
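
Added example, not part of the bug thread, the patch or Gecko's source: a simplified C++ model of the call-site guard discussed above, showing that a non-Window/non-worker global never reaches the asserting helper while Window and worker globals are still enforced. `Global`, `GlobalKind`, `ScriptURLArg`, `SinkResult`, `GetCompliantString` and `WorkerConstructorURL` are hypothetical stand-ins, and the default policy is modelled as an identity transform.

```cpp
// Added illustration, not Gecko source. Every type and function name below is
// a hypothetical stand-in for the Gecko classes mentioned in this bug.
#include <cassert>
#include <iostream>
#include <string>

enum class GlobalKind { Window, WorkerGlobalScope, BackstagePass };

struct Global {
  GlobalKind kind;
  bool requireTrustedTypesForScript;  // CSP: require-trusted-types-for 'script'
  bool hasDefaultPolicy;              // a "default" Trusted Types policy exists
};

struct ScriptURLArg {
  std::string value;
  bool isTrustedScriptURL;  // caller passed a TrustedScriptURL, not a string
};

struct SinkResult {
  bool allowed;     // false: the sink rejects the value
  std::string url;  // URL handed to the worker loader when allowed
};

bool IsWindowOrWorkerGlobal(const Global& g) {
  return g.kind == GlobalKind::Window ||
         g.kind == GlobalKind::WorkerGlobalScope;
}

// Enforcement helper. Like the function in the bug, it assumes the global is
// a Window or a WorkerGlobalScope and asserts on anything else.
SinkResult GetCompliantString(const ScriptURLArg& in, const Global& g) {
  assert(IsWindowOrWorkerGlobal(g));
  if (in.isTrustedScriptURL || !g.requireTrustedTypesForScript) {
    return {true, in.value};  // trusted value, or enforcement not requested
  }
  if (g.hasDefaultPolicy) {
    return {true, in.value};  // assumption: default policy acts as identity
  }
  return {false, ""};  // plain string at an enforced sink: blocked
}

// Call site with the guard: globals that are neither Window nor worker
// (BackstagePass in the report) skip the Trusted Types check instead of
// tripping the assertion above.
SinkResult WorkerConstructorURL(const ScriptURLArg& in, const Global& g) {
  if (!IsWindowOrWorkerGlobal(g)) {
    return {true, in.value};
  }
  return GetCompliantString(in, g);
}

int main() {
  // Constructed inputs for the three kinds of global.
  const Global backstage{GlobalKind::BackstagePass, true, false};
  const Global enforcedWindow{GlobalKind::Window, true, false};
  const Global relaxedWorker{GlobalKind::WorkerGlobalScope, false, false};
  const ScriptURLArg plain{"worker.js", false};
  const ScriptURLArg trusted{"worker.js", true};

  std::cout << "BackstagePass, plain string:   "
            << WorkerConstructorURL(plain, backstage).allowed << "\n";
  std::cout << "Enforced Window, plain string: "
            << WorkerConstructorURL(plain, enforcedWindow).allowed << "\n";
  std::cout << "Enforced Window, trusted URL:  "
            << WorkerConstructorURL(trusted, enforcedWindow).allowed << "\n";
  std::cout << "Relaxed worker, plain string:  "
            << WorkerConstructorURL(plain, relaxedWorker).allowed << "\n";
  return 0;
}
```
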

(In reply to Mirko Brodesser (:mbrodesser-Igalia) from comment #5)

When changing code about global objects w.r.t. trusted types, be aware that https://searchfox.org/mozilla-central/rev/d6ba5401121104ae242ca18efa6a5672af9cae0f/testing/web-platform/tests/trusted-types/Element-setAttribute-respects-Elements-node-documents-globals-CSP.html still fails.

Sorry, can you elaborate? I don't understand how it is connected to this assertion failure.

(In reply to Frédéric Wang (:fredw) from comment #9)

(In reply to Mirko Brodesser (:mbrodesser-Igalia) from comment #5)

When changing code about global objects w.r.t. trusted types, be aware that https://searchfox.org/mozilla-central/rev/d6ba5401121104ae242ca18efa6a5672af9cae0f/testing/web-platform/tests/trusted-types/Element-setAttribute-respects-Elements-node-documents-globals-CSP.html still fails.

Sorry, can you elaborate? I don't understand how it is connected to this assertion failure.

It might be unconnected to the assertion failure. I didn't know what kind of fix the assertion failure required; the linked failing test seemed possibly distantly related because it deals with global objects.

Pushed by fwang@igalia.com: https://hg.mozilla.org/integration/autoland/rev/5dc607c18a73 Only call GetTrustedTypesCompliantString from worker's constructor in a Window/WorkerGlobalScope context. r=smaug

Backed out for causing bp-nu build bustages in Worker.cpp.

Flags: needinfo?(fwang)

Backed out for causing bp-nu build bustages in Worker.cpp.

Indeed, TrustedScriptURL was missing, should be fixed now:
https://treeherder.mozilla.org/jobs?repo=try&revision=6e91848520fd8784aacf834a4f93a6737512c202

Flags: needinfo?(fwang)
Pushed by fwang@igalia.com: https://hg.mozilla.org/integration/autoland/rev/4e4979262812 Only call GetTrustedTypesCompliantString from worker's constructor in a Window/WorkerGlobalScope context. r=smaug
Status: NEW → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → 135 Branch
Flags: qe-verify+