Found while fuzzing m-c 20220201-4bff0b888cd9 (--enable-debug --enable-fuzzing)

A reduced testcase is not available. A Pernosco session will be attached shortly.

Assertion failure: !aIID.Equals((nsISupports::COMTypeInfo<nsISupports, void>::kIID)), at src/dom/media/mediasession/MediaSession.cpp:47

#0 0x7f9425a5a164 in mozilla::dom::MediaSession::QueryInterface(nsID const&, void**) src/dom/media/mediasession/MediaSession.cpp:47:1
#1 0x7f94219b3144 in operator() src/xpcom/base/nsCOMPtr.cpp:13:23
#2 0x7f94219b3144 in nsCOMPtr_base::assign_from_qi(nsQueryInterfaceISupports, nsID const&) src/xpcom/base/nsCOMPtr.cpp:46:7
#3 0x7f9422e2da66 in nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:949:5
#4 0x7f9422e2da66 in ReflectorToISupports(JSObject*) src/js/xpconnect/src/nsXPConnect.cpp:717:7
#5 0x7f9422e2d99e in xpc::ReflectorToISupportsStatic(JSObject*) src/js/xpconnect/src/nsXPConnect.cpp:724:10
#6 0x7f9423a67ae8 in mozilla::dom::StructuredCloneHolder::CustomWriteHandler(JSContext*, JSStructuredCloneWriter*, JS::Handle<JSObject*>, bool*) src/dom/base/StructuredCloneHolder.cpp:1108:34
#7 0x7f9428964cb5 in JSStructuredCloneWriter::startWrite(JS::Handle<JS::Value>) src/js/src/vm/StructuredClone.cpp:1874:12
#8 0x7f942895eb33 in JSStructuredCloneWriter::write(JS::Handle<JS::Value>) src/js/src/vm/StructuredClone.cpp:2079:8
#9 0x7f942895e5e4 in WriteStructuredClone(JSContext*, JS::Handle<JS::Value>, JSStructuredCloneData*, JS::StructuredCloneScope, JS::CloneDataPolicy const&, JSStructuredCloneCallbacks const*, void*, JS::Value const&) src/js/src/vm/StructuredClone.cpp:684:10
#10 0x7f9428972ae5 in JS_WriteStructuredClone(JSContext*, JS::Handle<JS::Value>, JSStructuredCloneData*, JS::StructuredCloneScope, JS::CloneDataPolicy const&, JSStructuredCloneCallbacks const*, void*, JS::Handle<JS::Value>) src/js/src/vm/StructuredClone.cpp:3408:10
#11 0x7f94289741ef in JSAutoStructuredCloneBuffer::write(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::CloneDataPolicy const&, JSStructuredCloneCallbacks const*, void*) src/js/src/vm/StructuredClone.cpp:3540:13
#12 0x7f9423a63375 in mozilla::dom::StructuredCloneHolderBase::Write(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::CloneDataPolicy const&) src/dom/base/StructuredCloneHolder.cpp:265:17
#13 0x7f9423a63b1c in mozilla::dom::StructuredCloneHolder::Write(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::CloneDataPolicy const&, mozilla::ErrorResult&) src/dom/base/StructuredCloneHolder.cpp:352:35
#14 0x7f94262c7b2d in mozilla::dom::ipc::StructuredCloneData::Write(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::CloneDataPolicy const&, mozilla::ErrorResult&) src/dom/ipc/StructuredCloneData.cpp:130:26
#15 0x7f94262c20c5 in mozilla::dom::ipc::StructuredCloneData::Write(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) src/dom/ipc/StructuredCloneData.cpp:121:3
#16 0x7f942385eb87 in nsStructuredCloneContainer::InitFromJSVal(JS::Handle<JS::Value>, JSContext*) src/dom/base/nsStructuredCloneContainer.cpp:54:3
#17 0x7f942814b33d in nsDocShell::AddState(JS::Handle<JS::Value>, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, JSContext*) src/docshell/base/nsDocShell.cpp:11070:23
#18 0x7f9423b626c7 in nsHistory::PushOrReplaceState(JSContext*, JS::Handle<JS::Value>, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::dom::CallerType, mozilla::ErrorResult&, bool) src/dom/base/nsHistory.cpp:294:19
#19 0x7f9423b62498 in nsHistory::PushState(JSContext*, JS::Handle<JS::Value>, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::dom::CallerType, mozilla::ErrorResult&) src/dom/base/nsHistory.cpp:245:3
#20 0x7f9424e5f737 in mozilla::dom::History_Binding::pushState(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/HistoryBinding.cpp:394:24
#21 0x7f9424e749a8 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3306:13
#22 0x7f94289389bf in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:425:13
#23 0x7f94289380bd in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:512:12
#24 0x7f9428939b9e in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:572:10
#25 0x7f9428939da1 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:589:8
#26 0x7f9428aaee96 in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const src/js/src/proxy/Wrapper.cpp:166:10
#27 0x7f9428a94c0e in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const src/js/src/proxy/CrossCompartmentWrapper.cpp:227:19
#28 0x7f9428a9dcc8 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) src/js/src/proxy/Proxy.cpp:654:19
#29 0x7f9428938433 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:492:14
#30 0x7f9428939b9e in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:572:10
#31 0x7f942892f456 in CallFromStack src/js/src/vm/Interpreter.cpp:576:10
#32 0x7f942892f456 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3309:16
#33 0x7f9428926353 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:394:13
#34 0x7f942893b1f5 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:767:13
#35 0x7f94289b6b0f in EvalKernel(JSContext*, JS::Handle<JS::Value>, EvalType, js::AbstractFramePtr, JS::Handle<JSObject*>, unsigned char*, JS::MutableHandle<JS::Value>) src/js/src/builtin/Eval.cpp:360:10
#36 0x7f94289b7b54 in js::DirectEval(JSContext*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) src/js/src/builtin/Eval.cpp:387:10
#37 0x7f94293fae01 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) src/js/src/jit/BaselineIC.cpp:1581:10
#38 0x8ecd91b0672  (<unknown module>)

I think the QI for MediaSession is missing an entry like NS_INTERFACE_MAP_ENTRY(nsISupports)

A Pernosco session is available here: https://pernos.co/debug/D4mFhjK1u9lqzEHOSgr27w/index.html

(In reply to Andrew McCreight [:mccr8] from comment #1)

I think the QI for MediaSession is missing an entry like NS_INTERFACE_MAP_ENTRY(nsISupports)

Thanks. Will fix this up.

A test case may still be useful to confirm the fix, but I'll get something uploaded.

Without this entry in the interface map querying to nsISupports on MediaSessions
will fail. It's not clear if this causes issues in normal usage, but can be
annoying for developer ergonomics and fuzzing.

From the stack, it looks like the test case involves doing a history pushState with a MediaSession, which causes the MediaSession to be put through the StructuredClone code. StructuredClone has special handling for nsIInputStream that apparently first extracts an nsISupports object from a JS object, and I guess that's where this falls over. I wonder if we should add an assert for this in a less obscure location.

I understood some of that :) Do I understand correctly that you're saying we're pushing some state into the history (i.e. window.history/browser history), and that kicks of cloning some aspects of our objects, triggering this?

pushState is this API: https://developer.mozilla.org/en-US/docs/Web/API/History/pushState

You can save some data along with the history entry. It looks like the serialization actually happens as part of the spec.

https://hg.mozilla.org/mozilla-central/rev/983ec74706bc