Closed Bug 834995 Opened 11 years ago Closed 11 years ago

Possible race condition in mozStorageConnection.cpp

Categories

(Toolkit :: Storage, defect)

Product:
Toolkit
Component:
Storage
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla21
Project Flags:
blocking-b2g tef+
Tracking Flags:
Tracking Status
firefox19 --- wontfix
firefox20 --- fixed
firefox21 --- fixed
b2g18 --- fixed
b2g18-v1.0.0 --- fixed
b2g18-v1.0.1 --- fixed

People

(Reporter: gwagner, Assigned: gwagner)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

patch
725 bytes, patch
mak
: review+
akeybl
: approval-mozilla-aurora+
akeybl
: approval-mozilla-beta-
Details | Diff | Splinter Review 
I see some memory corruption going on with mFunctions in mozStorageConnection.cpp.
All the functions that touch mFunctions use SQLiteMutexAutoLock lockedScope(sharedDBMutex); execept Connection::Clone.
Do we miss a lock here?

(gdb) bt
#0  0x41b10976 in SearchTable (table=0x48f8df68, key=0x48d7fd30, keyHash=2323735344, op=PL_DHASH_LOOKUP)
    at /Volumes/2mac/gaia/b2g18/unagibuild/xpcom/build/pldhash.cpp:394
#1  0x41b10cec in PL_DHashTableOperate (table=0x48f8df68, key=0x48d7fd30, op=PL_DHASH_LOOKUP)
    at /Volumes/2mac/gaia/b2g18/unagibuild/xpcom/build/pldhash.cpp:587
#2  0x40a3864c in nsTHashtable<nsBaseHashtableET<nsCStringHashKey, unsigned int> >::GetEntry (this=0x48f8df68, aKey=...)
    at ../../../dist/include/nsTHashtable.h:148
#3  0x4171e736 in nsBaseHashtable<nsCStringHashKey, mozilla::storage::Connection::FunctionInfo, mozilla::storage::Connection::FunctionInfo>::Get (this=0x48f8df68, aKey=..., pData=0x0) at ../../dist/include/nsBaseHashtable.h:104
#4  0x4171df9c in mozilla::storage::Connection::RemoveFunction (this=0x48f8df40, aFunctionName=...)
    at /Volumes/2mac/gaia/b2g18/storage/src/mozStorageConnection.cpp:1344
#5  0x41235d30 in mozilla::dom::indexedDB::CommitHelper::Run (this=0x4c9f5980)
    at /Volumes/2mac/gaia/b2g18/dom/indexedDB/IDBTransaction.cpp:948
#6  0x4124a2e4 in mozilla::dom::indexedDB::TransactionThreadPool::TransactionQueue::Run (this=0x48f8dee0)
    at /Volumes/2mac/gaia/b2g18/dom/indexedDB/TransactionThreadPool.cpp:639
#7  0x41b5796a in nsThreadPool::Run (this=0x4856d740) at /Volumes/2mac/gaia/b2g18/xpcom/threads/nsThreadPool.cpp:187
#8  0x41b5589c in nsThread::ProcessNextEvent (this=0x48fcce20, mayWait=true, result=0x48d7fe97)
    at /Volumes/2mac/gaia/b2g18/xpcom/threads/nsThread.cpp:620
#9  0x41b0f592 in NS_ProcessNextEvent_P (thread=0x48fcce20, mayWait=true)
    at /Volumes/2mac/gaia/b2g18/unagibuild/xpcom/build/nsThreadUtils.cpp:237
#10 0x41b54cbe in nsThread::ThreadFunc (arg=0x48fcce20) at /Volumes/2mac/gaia/b2g18/xpcom/threads/nsThread.cpp:258
#11 0x40392254 in _pt_root (arg=0x4c3a7f90) at /Volumes/2mac/gaia/b2g18/nsprpub/pr/src/pthreads/ptthread.c:156
#12 0x40095e18 in __thread_entry (func=0x4039219d <_pt_root>, arg=0x4c3a7f90, tls=<value optimized out>)
    at bionic/libc/bionic/pthread.c:217
#13 0x4009596c in pthread_create (thread_out=<value optimized out>, attr=0xbef29158, start_routine=0x4039219d <_pt_root>, 
    arg=0x4c3a7f90) at bionic/libc/bionic/pthread.c:357
#14 0x00000000 in ?? ()
Attached patch patchSplinter Review 

    
    

    
  
Comment on attachment 706716 [details] [diff] [review]
patch

Review of attachment 706716 [details] [diff] [review]:
-----------------------------------------------------------------

Yes, mFunctions should be protected by sharedDBMutex.
Thanks!

        Attachment #706716 -
        Flags: review?(mak77) → review+

    
    

    
  
I found this bug during debugging bug 832385. Maybe they are related.
Assignee: nobody → anygregor
blocking-b2g: --- → tef?

    
  
Blocks: 832385

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/c1bd83d06914
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla21

    
    

    
  
Comment on attachment 706716 [details] [diff] [review]
patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): na
User impact if declined: random memory corruption / crashes
Testing completed (on m-c, etc.): on mc
Risk to taking this patch (and alternatives if risky): minor
String or UUID changes made by this patch: na

        Attachment #706716 -
        Flags: approval-mozilla-beta?

        Attachment #706716 -
        Flags: approval-mozilla-aurora?
blocking-b2g: tef? → tef+

    
    

    
  
Comment on attachment 706716 [details] [diff] [review]
patch

Not critical enough to fix for FF19, but I see no reason to prevent uplift to FF20 given the risk evaluation.

        Attachment #706716 -
        Flags: approval-mozilla-beta?

        Attachment #706716 -
        Flags: approval-mozilla-beta-

        Attachment #706716 -
        Flags: approval-mozilla-aurora?

        Attachment #706716 -
        Flags: approval-mozilla-aurora+

    
  
Blocks: 840831

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: