Assertion failure: !aNew || !aEntry || mApplicationCacheForWrite, at src/netwerk/protocol/http/nsHttpChannel.cpp:3056

RESOLVED FIXED in mozilla27

People

(Reporter: gwagner, Assigned: mayhemer)

Tracking

unspecified
mozilla27
x86
Mac OS X
Points:
---

Firefox Tracking Flags

(Not tracked)

(Reporter)

Description

5 years ago
Seen on b2g-desktop debug build during zooming in maps.google.com

Assertion failure: !aNew || !aEntry || mApplicationCacheForWrite, at /Volumes/mac/code/src/netwerk/protocol/http/nsHttpChannel.cpp:3056

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
mozilla::net::nsHttpChannel::OnOfflineCacheEntryAvailable (this=<value temporarily unavailable, due to optimizations>, aEntry=<value temporarily unavailable, due to optimizations>, aNew=<value temporarily unavailable, due to optimizations>, aAppCache=<value temporarily unavailable, due to optimizations>, aEntryStatus=NS_OK) at /Volumes/mac/code/src/netwerk/protocol/http/nsHttpChannel.cpp:3055
3055	    MOZ_ASSERT(!mApplicationCache || aAppCache == mApplicationCache);
(gdb) bt
#0  mozilla::net::nsHttpChannel::OnOfflineCacheEntryAvailable (this=<value temporarily unavailable, due to optimizations>, aEntry=<value temporarily unavailable, due to optimizations>, aNew=<value temporarily unavailable, due to optimizations>, aAppCache=<value temporarily unavailable, due to optimizations>, aEntryStatus=NS_OK) at /Volumes/mac/code/src/netwerk/protocol/http/nsHttpChannel.cpp:3055
#1  0x000000010171d095 in mozilla::net::nsHttpChannel::OnCacheEntryAvailableInternal (this=0x144e76800, entry=0xafa00000afa00, aNew=<value temporarily unavailable, due to optimizations>, aAppCache=0x7fff5fbfd2e0, status=8288) at /Volumes/mac/code/src/netwerk/protocol/http/nsHttpChannel.cpp:2983
#2  0x000000010171cf36 in mozilla::net::nsHttpChannel::OnCacheEntryAvailable (this=0x144e76800, entry=0x117fba460, aNew=true, aAppCache=0x10d41cc80, status=NS_OK) at /Volumes/mac/code/src/netwerk/protocol/http/nsHttpChannel.cpp:2959
#3  0x000000010171d1a3 in non-virtual thunk to mozilla::net::nsHttpChannel::OnCacheEntryAvailable(nsICacheEntry*, bool, nsIApplicationCache*, tag_nsresult) (this=<value temporarily unavailable, due to optimizations>, entry=0xafa00000afa00, aNew=<value temporarily unavailable, due to optimizations>, aAppCache=0x7fff5fbfd2e0, status=8288) at /Volumes/mac/code/src/netwerk/protocol/http/nsHttpChannel.cpp:2966
#4  0x00000001016bcb4e in mozilla::net::_OldCacheLoad::Run (this=0x1164dd4a0) at /Volumes/mac/code/src/netwerk/cache2/OldWrappers.cpp:569
#5  0x0000000103156e9f in nsThread::ProcessNextEvent (this=0x100523760, mayWait=<value temporarily unavailable, due to optimizations>, result=0x7fff5fbfd507) at /Volumes/mac/code/src/xpcom/threads/nsThread.cpp:622
#6  0x00000001030f393b in NS_ProcessPendingEvents (thread=<value temporarily unavailable, due to optimizations>, timeout=20) at nsThreadUtils.cpp:188
#7  0x00000001029ad70a in nsBaseAppShell::NativeEventCallback (this=0x107fd6340) at /Volumes/mac/code/src/widget/xpwidgets/nsBaseAppShell.cpp:95
#8  0x00000001029436bf in nsAppShell::ProcessGeckoEvents (aInfo=0x107fd6340) at /Volumes/mac/code/src/widget/cocoa/nsAppShell.mm:388
#9  0x00007fff83dddb31 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ ()
#10 0x00007fff83ddd455 in __CFRunLoopDoSources0 ()
#11 0x00007fff83e007f5 in __CFRunLoopRun ()
#12 0x00007fff83e000e2 in CFRunLoopRunSpecific ()
#13 0x00007fff840aceb4 in RunCurrentEventLoopInMode ()
#14 0x00007fff840acb94 in ReceiveNextEventCommon ()
#15 0x00007fff840acae3 in BlockUntilNextEventMatchingListInMode ()
#16 0x00007fff8a4c0533 in _DPSNextEvent ()
#17 0x00007fff8a4bfdf2 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#18 0x0000000102942736 in -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (self=0x1082da1a0, _cmd=<value temporarily unavailable, due to optimizations>, mask=18446744073709551615, expiration=0x422d63c37f00000d, mode=0x7fff71e7c1c0, flag=1 '\001') at /Volumes/mac/code/src/widget/cocoa/nsAppShell.mm:165
#19 0x00007fff8a4b71a3 in -[NSApplication run] ()
#20 0x0000000102943cfe in nsAppShell::Run (this=<value temporarily unavailable, due to optimizations>) at /Volumes/mac/code/src/widget/cocoa/nsAppShell.mm:742
#21 0x0000000102797972 in nsAppStartup::Run (this=0x107f905b0) at /Volumes/mac/code/src/toolkit/components/startup/nsAppStartup.cpp:269
#22 0x00000001014e785e in XREMain::XRE_mainRun (this=<value temporarily unavailable, due to optimizations>) at /Volumes/mac/code/src/toolkit/xre/nsAppRunner.cpp:3868
#23 0x00000001014e7e75 in XREMain::XRE_main (this=0x7fff5fbff000, argc=<value temporarily unavailable, due to optimizations>, argv=<value temporarily unavailable, due to optimizations>, aAppData=<value temporarily unavailable, due to optimizations>) at /Volumes/mac/code/src/toolkit/xre/nsAppRunner.cpp:3936
#24 0x00000001014e8216 in XRE_main (argc=0, argv=0xffffffffffffffff, aAppData=0x422d63c37f00000d, aFlags=<value temporarily unavailable, due to optimizations>) at /Volumes/mac/code/src/toolkit/xre/nsAppRunner.cpp:4138
#25 0x0000000100000ed4 in main (argc=<value temporarily unavailable, due to optimizations>, argv=<value temporarily unavailable, due to optimizations>) at /Volumes/mac/code/src/b2g/app/nsBrowserApp.cpp:168
(Reporter)

Updated

5 years ago
blocking-b2g: --- → koi?
(Assignee)

Comment 1

5 years ago
Which of the two assertions is the one?

"!mApplicationCache || aAppCache == mApplicationCache" or
"!aNew || !aEntry || mApplicationCacheForWrite"

It's not clear from the report, since bt refers to the first one.
(Reporter)

Comment 2

5 years ago
Seems like the 2nd one:
(gdb) p aNew
$1 = true
(gdb) p mApplicationCache
$2 = {
  mRawPtr = 0x14e6a7580
}
(gdb) p aAppCache
$3 = (nsApplicationCache *) 0x14e6a7580
(gdb) p aEntry   
$4 = ('mozilla::net::_OldCacheEntryWrapper' *) 0x147eb6ee0
(gdb) mApplicationCacheForWrite
Undefined command: "mApplicationCacheForWrite".  Try "help".
(gdb) p mApplicationCacheForWrite
$5 = {
  mRawPtr = 0x0
}
(Assignee)

Comment 3

5 years ago
Gregor, can you reproduce the issue?  If so, could you please produce 'NSPR_LOG_MODULES=nsHttp:5,cache:5,cache2:5' log?
(Assignee)

Updated

5 years ago
Blocks: 924112
(Assignee)

Comment 4

5 years ago
(not for me: m-c@aceb8d1e6eba)
(Assignee)

Comment 5

5 years ago
Created attachment 814580 [details] [diff] [review]
920802-drop-OPEN_TRUNCATE-for-appcache-loads.patch

- drop OPEN_TRUNCATE when opening an entry from appcache for read
  - 1. when we have an appcache assigned (inherited)
  - 2. when the cache load mechanism finds an appcache via appCacheService->ChooseApplicationCache

This patch is in parity with pre-cache2 http channel code.

This should go in ASAP.


Thanks Gregor for his help!
Assignee: nobody → honzab.moz
Status: NEW → ASSIGNED
Attachment #814580 - Flags: review?(michal.novotny)
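
A simplified model of the invariant behind the failing assertion and of the flag change comment 5 describes, for its case 1 (a channel with an appcache already assigned). It is an added illustration, not Mozilla code and not the attached patch. Only OPEN_TRUNCATE and the assertion's terms come from the bug; the storage, channel and flag-selection names are hypothetical, as is the assumption that a truncating open always reports the entry as new.

```cpp
#include <cstdint>
#include <map>
#include <string>
// Simplified model, not Mozilla code. OPEN_TRUNCATE and the assertion terms
// come from the bug; every other name here is hypothetical.
enum OpenFlags : uint32_t { OPEN_NORMALLY = 0, OPEN_TRUNCATE = 1 };
struct Entry { std::string data; };

struct AppCacheStorage {
    std::map<std::string, Entry> entries;
    // Assumption: a truncating open discards content and reports the entry as new.
    Entry* Open(const std::string& key, uint32_t flags, bool& isNew) {
        auto it = entries.find(key);
        isNew = (flags & OPEN_TRUNCATE) || it == entries.end();
        if (isNew) { entries[key] = Entry{}; return &entries[key]; }
        return &it->second;
    }
};

struct Channel {
    AppCacheStorage* appCache = nullptr;          // cache assigned for reading
    AppCacheStorage* appCacheForWrite = nullptr;  // set only while updating

    // wantsTruncate: the load would normally ask for truncation (assumption).
    // truncateOnRead: model of the regressed behaviour the patch removes.
    uint32_t FlagsForOpen(bool wantsTruncate, bool truncateOnRead) const {
        bool readingFromAppCache = appCache && !appCacheForWrite;
        if (wantsTruncate && (!readingFromAppCache || truncateOnRead))
            return OPEN_TRUNCATE;
        return OPEN_NORMALLY;
    }
    // !aNew || !aEntry || mApplicationCacheForWrite
    bool InvariantHolds(bool aNew, const Entry* aEntry) const {
        return !aNew || !aEntry || appCacheForWrite != nullptr;
    }
};

// Reads a constructed key through a read-only appcache channel.
bool LoadKeepsInvariant(bool truncateOnRead) {
    AppCacheStorage storage;
    storage.entries["https://example.test/tile"] = Entry{"cached"};
    Channel ch;
    ch.appCache = &storage;
    bool isNew = false;
    Entry* e = storage.Open("https://example.test/tile",
                            ch.FlagsForOpen(true, truncateOnRead), isNew);
    return ch.InvariantHolds(isNew, e) && e->data == "cached";
}
int main() { return LoadKeepsInvariant(false) && !LoadKeepsInvariant(true) ? 0 : 1; }
```

With `truncateOnRead` set, the model reaches the state printed in comment 2: `aNew` true, a non-null entry, and a null write cache.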
(Assignee)

Comment 6

5 years ago
Regression from landing cache2 disabled.
Blocks: 913807
No longer blocks: 924112
Status: ASSIGNED → NEW
(Reporter)

Comment 7

5 years ago
This was introduced after the 1.2 branch.
blocking-b2g: koi? → ---
Attachment #814580 - Flags: review?(michal.novotny) → review+
(Assignee)

Comment 8

5 years ago
Comment on attachment 814580 [details] [diff] [review]
920802-drop-OPEN_TRUNCATE-for-appcache-loads.patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

Which older supported branches are affected by this flaw?

If not all supported branches, which bug introduced the flaw?

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

How likely is this patch to cause regressions; how much testing does it need?

https://hg.mozilla.org/integration/mozilla-inbound/rev/4d274b1da6e2
Attachment #814580 - Flags: checkin+
https://hg.mozilla.org/mozilla-central/rev/4d274b1da6e2
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla27