Closed Bug 1962513 Opened 1 year ago Closed 1 year ago

Assertion failure: cookiePrincipal->OriginAttributesRef().mPartitionKey.IsEmpty(), at /netwerk/cookie/CookieCommons.cpp:1013

Categories

(Core :: Networking: Cookies, defect)

Product:
Core
Component:
Networking: Cookies
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
140 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox138 --- unaffected
firefox139 --- fixed
firefox140 --- verified

People

(Reporter: jkratzer, Assigned: farre)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Testcase
221 bytes, text/html
Details
Bug 1962513 - Check if the target file URI can be loaded. r=jjaschke!
48 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-beta+
Details | Review

Testcase found while fuzzing mozilla-central rev cdb7f526b187 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build cdb7f526b187 --debug --fuzzing  -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: cookiePrincipal->OriginAttributesRef().mPartitionKey.IsEmpty(), at /netwerk/cookie/CookieCommons.cpp:1013

    ==652812==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x74d593806b82 bp 0x7fff534e9d10 sp 0x7fff534e9cc0 T652812)
    ==652812==The signal is caused by a WRITE memory access.
    ==652812==Hint: address points to the zero page.
        #0 0x74d593806b82 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3
        #1 0x74d593806b82 in mozilla::net::CookieCommons::CheckGlobalAndRetrieveCookiePrincipals(mozilla::dom::Document*, nsIPrincipal**, nsIPrincipal**) /netwerk/cookie/CookieCommons.cpp:1012:7
        #2 0x74d5953aad93 in mozilla::dom::Document::SetCookie(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /dom/base/Document.cpp:6829:7
        #3 0x74d5964a85b5 in mozilla::dom::Document_Binding::set_cookie(JSContext*, JS::Handle<JSObject*>, void*, JSJitSetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/./DocumentBinding.cpp:3031:24
        #4 0x74d596772a55 in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3250:8
        #5 0x74d599f3a874 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /js/src/vm/Interpreter.cpp:494:13
        #6 0x74d599f3a0cf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:590:12
        #7 0x74d599f3b51b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:689:8
        #8 0x74d599f3c784 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /js/src/vm/Interpreter.cpp:820:10
        #9 0x74d59a175800 in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, js::PropertyResult const&, JS::ObjectOpResult&) /js/src/vm/NativeObject.cpp:2649:8
        #10 0x74d59a174712 in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /js/src/vm/NativeObject.cpp:2684:14
        #11 0x74d59a4cea19 in js::SetPropertyIgnoringNamedGetter(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<mozilla::Maybe<JS::PropertyDescriptor>>, JS::ObjectOpResult&) /js/src/proxy/BaseProxyHandler.cpp:175:14
        #12 0x74d59678a8c4 in mozilla::dom::DOMProxyHandler::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) const /dom/bindings/DOMJSProxyHandler.cpp:248:10
        #13 0x74d59a4dd973 in js::Proxy::setInternal(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /js/src/proxy/Proxy.cpp:593:19
        #14 0x74d59a4dd572 in js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /js/src/proxy/Proxy.cpp:601:10
        #15 0x74d599f4701e in SetObjectElementOperation /js/src/vm/Interpreter.cpp:1583:10
        #16 0x74d599f4701e in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3032:12
        #17 0x74d599f39711 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:464:13
        #18 0x74d599f3a0f5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:622:13
        #19 0x74d599f3b51b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:689:8
        #20 0x74d59a0132eb in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:119:10
        #21 0x74d596478dba in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventListenerBinding.cpp:62:8
        #22 0x74d59703c736 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
        #23 0x74d59703c122 in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /dom/events/EventListenerManager.cpp:1327:43
        #24 0x74d59703d3a9 in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /dom/events/EventListenerManager.cpp:1650:12
        #25 0x74d59703cc4b in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1547:35
        #26 0x74d5970311fe in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:465:5
        #27 0x74d5970311fe in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:364:17
        #28 0x74d5970308cc in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:605:16
        #29 0x74d59703309c in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1219:11
        #30 0x74d597035eca in mozilla::EventDispatcher::DispatchDOMEvent(mozilla::dom::EventTarget*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /dom/events/EventDispatcher.cpp
        #31 0x74d59567b1a6 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /dom/base/nsINode.cpp:1506:17
        #32 0x74d59513dac5 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, mozilla::dom::EventTarget*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch, mozilla::SystemGroupOnly) /dom/base/nsContentUtils.cpp:5124:29
        #33 0x74d59513d907 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, mozilla::dom::EventTarget*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*, mozilla::SystemGroupOnly) /dom/base/nsContentUtils.cpp:5089:10
        #34 0x74d5953b7c49 in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:8466:3
        #35 0x74d59547a4e5 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1085:18
        #36 0x74d59547a4e5 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
        #37 0x74d59547a4e5 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
        #38 0x74d59547a4e5 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
        #39 0x74d59547a4e5 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
        #40 0x74d59547a4e5 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:12
        #41 0x74d59547a4e5 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1134:13
        #42 0x74d59351b9e7 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:703:16
        #43 0x74d593514d6e in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:1252:20
        #44 0x74d593513aa7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:1075:15
        #45 0x74d593513f25 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:639:36
        #46 0x74d593522ab6 in operator() /xpcom/threads/TaskController.cpp:333:37
        #47 0x74d593522ab6 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:548:5
        #48 0x74d593534a93 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1159:16
        #49 0x74d59353b1ff in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #50 0x74d5940d7bc7 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #51 0x74d594032041 in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #52 0x74d594032041 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #53 0x74d598da7348 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #54 0x74d598e6d4a4 in nsAppShell::Run() /widget/gtk/nsAppShell.cpp:539:33
        #55 0x74d599d9b31b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:654:20
        #56 0x74d5940d8a74 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #57 0x74d594032041 in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #58 0x74d594032041 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #59 0x74d599d9a759 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:592:34
        #60 0x5ae03f54422e in main /browser/app/nsBrowserApp.cpp:397:22
        #61 0x74d5a3bd31c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #62 0x74d5a3bd328a in __libc_start_main csu/../csu/libc-start.c:360:3
        #63 0x5ae03f517a98 in _start (/home/jkratzer/builds/m-c-20250424092126-fuzzing-debug/firefox-bin+0x5da98) (BuildId: b5b1ef2a1886c4ab926c0a42b1d5755dcc2a76f8)
    
    ==652812==Register values:
    rax = 0x0000000000000000  rbx = 0x0000000000000000  rcx = 0x00000000000003f5  rdx = 0x000074d5a3dad563  
    rdi = 0x000074d5a3dae700  rsi = 0x0000000000000000  rbp = 0x00007fff534e9d10  rsp = 0x00007fff534e9cc0  
     r8 = 0x0000000000000000   r9 = 0x0000000000000003  r10 = 0x0000000000000000  r11 = 0x0000000000000293  
    r12 = 0x00005ae0663558e0  r13 = 0x0000000000000000  r14 = 0x00007fff534e9dd8  r15 = 0x0000000000000002  
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3 in MOZ_CrashSequence
    ==652812==ABORTING
Attached file Testcase
Attachment #9480981 - Attachment filename: testcase.undefined → testcase.html
Attachment #9480981 - Attachment mime type: text/plain → text/html

Verified bug as reproducible on mozilla-central 20250424205049-0344685a2c42.
The bug appears to have been introduced in the following build range:

Start: 5db151ccad4f42bd58c28cb23c49ad6942baba63 (20250414140812)
End: f09952fe75f18b95259310e43d8026e1afdedc79 (20250414154411)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=5db151ccad4f42bd58c28cb23c49ad6942baba63&tochange=f09952fe75f18b95259310e43d8026e1afdedc79

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Based on the regression range I think https://hg-edge.mozilla.org/integration/autoland/rev/578f86f47e4015bdf47010e69099e7547097bb98 changed the behaviour of pushState for file URLs, which then changed the assertion's expectation:
https://searchfox.org/mozilla-central/rev/c5ed4a89fd7a8c878df552e5d53fe50e0088c15b/netwerk/cookie/CookieCommons.cpp#1013

cookiePrincipal->OriginAttributesRef().mPartitionKey.IsEmpty());

I'm not totally sure what the implications are.

Flags: needinfo?(amarchesini)
Flags: needinfo?(afarre)
Flags: needinfo?(amarchesini) → needinfo?(tihuang)

Yeah, this is mine. Patch incoming.

Assignee: nobody → afarre
Status: NEW → ASSIGNED
Flags: needinfo?(tihuang)
Flags: needinfo?(afarre)
Pushed by afarre@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/034904954a97 Check if the target file URI can be loaded. r=jjaschke

Comment on attachment 9481512 [details]
Bug 1962513 - Check if the target file URI can be loaded. r=jjaschke!

Beta/Release Uplift Approval Request

  • User impact if declined/Reason for urgency: Wrong behaviour for pushState
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The error came from a code move and now re-aligns to old behaviour.
  • String changes made/needed:
  • Is Android affected?: Yes
Attachment #9481512 - Flags: approval-mozilla-beta?

This is moot if todays merge from central to beta gets delayed.

FYI ni to :RyanVM doing the merge.

Flags: needinfo?(ryanvm)

It was not. Is there a particularly-urgent need to get this uplifted before we build 139.0b1 or is the regular process sufficient?

Flags: needinfo?(ryanvm)

I think regular is fine.

Flags: needinfo?(ryanvm)
Flags: needinfo?(ryanvm)

https://hg.mozilla.org/mozilla-central/rev/034904954a97

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox140: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 140 Branch

Verified bug as fixed on rev mozilla-central 20250428211601-ba56f7ee5579.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox140: fixedverified
Keywords: bugmon

Based on comment #2, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:farre, if possible, could you fill the Regressed by field?

For more information, please visit BugBot documentation.

Flags: needinfo?(afarre)

Also, can we land a test for this?

Comment on attachment 9481512 [details]
Bug 1962513 - Check if the target file URI can be loaded. r=jjaschke!

Approved for 139.0b2.

Attachment #9481512 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: needinfo?(afarre)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: