Closed Bug 1951536 Opened 9 days ago Closed 1 day ago

Assertion failure: false, at /builds/worker/checkouts/gecko/netwerk/cookie/CookieServiceChild.cpp:319

Categories: Core :: Networking: Cookies, defect, P2

Tracking: RESOLVED FIXED, 138 Branch
Tracking Status: firefox138 --- fixed

People: Reporter: tsmith, Assigned: timhuang

References: Blocks 1 open bug

Details: Keywords: assertion, pernosco; Whiteboard: [necko-triaged]

Attachments: 2 files

Found with m-c 20250209-e71782bd0a2a (--enable-debug)

This was found by visiting a live website with a debug build.

STR:

  • Launch browser and visit site

This issue was triggered by visiting http://www.adjarabet.com/. A Pernosco session is available here: https://pernos.co/debug/ndwPjLegkutkHBwH7IK9AA/index.html

Assertion failure: false, at /builds/worker/checkouts/gecko/netwerk/cookie/CookieServiceChild.cpp:319

#0 0x7fffe7c4e3b8 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:263:3
#1 0x7fffe7c4e3b8 in mozilla::net::CookieServiceChild::RecordDocumentCookie(mozilla::net::Cookie*, mozilla::OriginAttributes const&) /builds/worker/checkouts/gecko/netwerk/cookie/CookieServiceChild.cpp:319:5
#2 0x7fffe7c502fe in mozilla::net::CookieServiceChild::AddCookieFromDocument(mozilla::net::CookieParser&, nsTSubstring<char> const&, mozilla::OriginAttributes const&, mozilla::net::Cookie&, long, nsIURI*, bool, mozilla::dom::Document*) /builds/worker/checkouts/gecko/netwerk/cookie/CookieServiceChild.cpp:623:7
#3 0x7fffe97e883a in mozilla::dom::Document::SetCookie(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:6821:12
#4 0x7fffea852fe2 in mozilla::dom::Document_Binding::set_cookie(JSContext*, JS::Handle<JSObject*>, void*, JSJitSetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/./DocumentBinding.cpp:3030:24
#5 0x7fffeaaeb9d5 in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3250:8
#6 0x7fffee29d634 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:532:13
#7 0x7fffee29cf08 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:628:12
#8 0x7fffee29e4bd in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:727:8
#9 0x7fffee29fa89 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:858:10
#10 0x7fffee4f17a8 in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, js::PropertyResult const&, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2661:8
#11 0x7fffee4f0592 in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2696:14
#12 0x7fffee863a18 in js::SetPropertyIgnoringNamedGetter(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<mozilla::Maybe<JS::PropertyDescriptor>>, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/proxy/BaseProxyHandler.cpp:175:14
#13 0x7fffeab03aa4 in mozilla::dom::DOMProxyHandler::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) const /builds/worker/checkouts/gecko/dom/bindings/DOMJSProxyHandler.cpp:248:10
#14 0x7fffee873e30 in js::Proxy::setInternal(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:593:19
#15 0x7fffee87395b in js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/proxy/Proxy.cpp:601:10
#16 0x7fffee2ab141 in SetObjectElementOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:1650:10
#17 0x7fffee2ab141 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3084:12
#18 0x7fffee29c3d1 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:502:13
#19 0x7fffee29cdf3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:660:13
#20 0x7fffee29e4bd in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:727:8
#21 0x7fffee5e5617 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/SelfHosting.cpp:1541:10
#22 0x7fffeefa7106 in js::jit::InterpretResume(JSContext*, JS::Handle<JSObject*>, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/VMFunctions.cpp:1140:10
#23 0x3b905d2302b9  ([anon:js-executable-memory]+0x122b9)
Severity: -- → S3
Flags: needinfo?(tihuang)
Priority: -- → P2
Whiteboard: [necko-triaged]

Ahh, this is an interesting one. It only happens if the top-level is loaded using HTTP but not HTTPS. In this case, we will use partitioned cookies if an iframe is the same domain in a secure context. By definition, the iframe has to be considered third-party because HTTP and HTTPS are not the same site, even if the domain is the same.

Our CookieCommons::IsFirstPartyPartitionedCookieWithoutCHIPS() only checks the domain. I think we should update it to also consider the scheme.

Flags: needinfo?(tihuang)
Assignee: nobody → tihuang
Status: NEW → ASSIGNED

After the investigation, we don't consider scheme when determining third-partyness. So, a context with the same base domain but a different scheme is considered first-party. Therefore, the cookie shouldn't be set with partitionKey because it's first-party.

I will do more investigation to see how to fix this issue.
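The two comments above hinge on whether "same site" is computed with or without the scheme: by registrable domain alone, an HTTPS iframe under an HTTP top-level page is first-party, while a schemeful definition makes it third-party. The following is an added illustration, not Gecko code, that classifies an embedded frame under both definitions and flags the mismatch; it assumes a tiny stand-in for the Public Suffix List (a real implementation must use the full list to compute eTLD+1):

```javascript
// Added example (not Gecko's implementation). Assumption: a tiny
// stand-in for the Public Suffix List, sufficient for the sample hosts.
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);

// eTLD+1 of a host: the label just before the longest known public suffix.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return labels.slice(i - 1).join(".");
    }
  }
  return host.toLowerCase(); // no known suffix: treat the whole host as the site
}

// Schemeless site: eTLD+1 only, so http:// and https:// origins collapse together.
function schemelessSite(url) {
  return registrableDomain(new URL(url).hostname);
}

// Schemeful site: scheme + eTLD+1, so http and https are distinct sites.
function schemefulSite(url) {
  const u = new URL(url);
  return `${u.protocol}//${registrableDomain(u.hostname)}`;
}

// Classify a frame relative to its top-level document under both definitions.
// `inconsistent` is true exactly when the two definitions disagree, which is
// the HTTP top-level / HTTPS same-domain iframe situation described above.
function classifyEmbed(topLevelUrl, frameUrl) {
  const sameSchemeless = schemelessSite(topLevelUrl) === schemelessSite(frameUrl);
  const sameSchemeful = schemefulSite(topLevelUrl) === schemefulSite(frameUrl);
  return {
    thirdPartySchemeless: !sameSchemeless,
    thirdPartySchemeful: !sameSchemeful,
    inconsistent: sameSchemeless !== sameSchemeful,
  };
}

// Constructed scenario: HTTP top-level page embedding an HTTPS frame from the
// same registrable domain.
const result = classifyEmbed("http://www.example.com/", "https://www.example.com/frame");
console.log(result); // inconsistent: true
```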

Pushed by tihuang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/dc265e1eb5c3 Part 1: Add a test. r=bvandersloot,anti-tracking-reviewers
https://hg.mozilla.org/integration/autoland/rev/2bdba30cf75d Part 2: Initial about:blank page inherits third-party state from the parent document. r=bvandersloot,anti-tracking-reviewers
Status: ASSIGNED → RESOLVED
Closed: 1 day ago
Resolution: --- → FIXED
Target Milestone: --- → 138 Branch