Closed Bug 1170746 Opened 9 years ago Closed 9 years ago

Getting mutable files over a cursor crashes the browser

Categories

(Core :: Storage: IndexedDB, defect)

defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla41
Tracking Status
firefox39 --- affected
firefox40 --- fixed
firefox41 --- fixed

People

(Reporter: janv, Assigned: janv)

Details

(Keywords: crash)

Attachments

(1 file)

Steps to reproduce:
1. Run current nightly
2. File -> Open New Non-e10s Window
3. Go to https://www.peer5.com/downloader/crashFF.html
4. Click on "Run Sample"
5. Wait until approximately 50% is downloaded
6. Reload the page

At this point the browser crashes with following stack trace:
Assertion failure: aDatabase, at /Users/varga/Sources/Inbound/dom/indexedDB/IDBObjectStore.cpp:581
#01: JSStructuredCloneReader::read(JS::MutableHandle<JS::Value>)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3ecaa72]
#02: JS_ReadStructuredClone(JSContext*, unsigned long long*, unsigned long, unsigned int, JS::MutableHandle<JS::Value>, JSStructuredCloneCallbacks const*, void*)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3ed0abd]
#03: mozilla::dom::indexedDB::IDBObjectStore::DeserializeValue(JSContext*, mozilla::dom::indexedDB::StructuredCloneReadInfo&, JS::MutableHandle<JS::Value>)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x252df0f]
#04: mozilla::dom::indexedDB::IDBCursor::GetValue(JSContext*, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x252dcfd]
#05: mozilla::dom::IDBCursorWithValueBinding::get_value(JSContext*, JS::Handle<JSObject*>, mozilla::dom::indexedDB::IDBCursor*, JSJitGetterCallArgs)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x1ca37a2]
#06: mozilla::dom::GenericBindingGetter(JSContext*, unsigned int, JS::Value*)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x1d4c30b]
#07: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3d5838d]
#08: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3d3c5b4]
#09: bool GetExistingProperty<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JSObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::Shape*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3d96b49]
#10: bool NativeGetPropertyInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JSObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<jsid, (js::AllowGC)1>::HandleType, IsNameLookup, js::MaybeRoot[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3d9738c]
#11: js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, js::PropertyName*, JS::MutableHandle<JS::Value>)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3db84a4]
#12: js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3d84068]
#13: Interpret(JSContext*, js::RunState&)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3d73879]
#14: js::RunScript(JSContext*, js::RunState&)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3d69755]
#15: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3d583b1]
#16: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3d3c5b4]
#17: JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x431e4ba]
#18: mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x1b23a88]
#19: mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x1f291d9]
#20: mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x1f0c1dd]
#21: mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x1f0cba7]
#22: mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x1f0e963]
#23: mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x1f058ff]
#24: mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x1f07194]
#25: mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x1ef77d3]
#26: mozilla::DOMEventTargetHelper::DispatchEvent(nsIDOMEvent*, bool*)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x1ef7673]
#27: mozilla::dom::indexedDB::(anonymous namespace)::DispatchSuccessEvent(mozilla::dom::indexedDB::(anonymous namespace)::ResultHelper*, nsIDOMEvent*)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x251db01]
#28: mozilla::dom::indexedDB::BackgroundCursorChild::HandleResponse(mozilla::dom::indexedDB::ObjectStoreCursorResponse const&)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x2527cb5]
#29: mozilla::dom::indexedDB::BackgroundCursorChild::RecvResponse(mozilla::dom::indexedDB::CursorResponse const&)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x252a458]
#30: mozilla::dom::indexedDB::PBackgroundIDBCursorChild::OnMessageReceived(IPC::Message const&)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x50384a]
#31: mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x4efab0]
#32: mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x4b6c5f]
#33: mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x4b57a1]
#34: mozilla::ipc::MessageChannel::OnMaybeDequeueOne()[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x4afc6e]
#35: MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x48606d]
#36: MessageLoop::DoWork()[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x4863eb]
#37: mozilla::ipc::DoWorkRunnable::Run()[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x4ba4e5]
#38: nsThread::ProcessNextEvent(bool, bool*)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0xe84e5]
#39: NS_ProcessPendingEvents(nsIThread*, unsigned int)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x121def]
#40: nsBaseAppShell::NativeEventCallback()[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x285bc97]
#41: nsAppShell::ProcessGeckoEvents(void*)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x28b39de]
#42: __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__[/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation +0x80a01]
#43: __CFRunLoopDoSources0[/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation +0x72b8d]
#44: __CFRunLoopRun[/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation +0x721bf]
#45: CFRunLoopRunSpecific[/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation +0x71bd8]
#46: RunCurrentEventLoopInMode[/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox +0x3256f]
#47: ReceiveNextEventCommon[/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox +0x322ea]
#48: _BlockUntilNextEventMatchingListInModeWithFilter[/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox +0x3212b]
#49: _DPSNextEvent[/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit +0x919bb]
#50: -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:][/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit +0x90f68]
#51: -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:][/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x28b2c66]
#52: -[NSApplication run][/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit +0x86bf3]
#53: nsAppShell::Run()[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x28b40d0]
#54: nsAppStartup::Run()[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x33cab69]
#55: XREMain::XRE_mainRun()[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3449784]
#56: XREMain::XRE_main(int, char**, nsXREAppData const*)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3449fc8]
#57: XRE_main[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x344a4ab]
#58: main[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/./firefox +0x20fb]
Attached patch patchSplinter Review
Assignee: nobody → Jan.Varga
Status: NEW → ASSIGNED
Attachment #8614272 - Flags: review?(bent.mozilla)
Attachment #8614272 - Flags: review?(bent.mozilla) → review+
(In reply to Wes Kocher (:KWierso) from comment #3)
> Backed out in
> https://hg.mozilla.org/integration/mozilla-inbound/rev/7466fbbe72ac for
> test_filehandle_getFile.html orange:
> 
> https://treeherder.mozilla.org/logviewer.html#?job_id=10618370&repo=mozilla-
> inbound

mochitest.ini wasn't updated correctly
Flags: needinfo?(Jan.Varga)
https://hg.mozilla.org/mozilla-central/rev/1c9478931a94
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
Comment on attachment 8614272 [details] [diff] [review]
patch

Approval Request Comment
[Feature/regressing bug #]: I think it was IndexedDB on PBackground which regressed this crash.

[User impact if declined]: Consumers of FileHandle API are not able to retrieve mutable files using cursors. www.peer5.com had to disable firefox support because of this crash.

[Describe test coverage new/current, TreeHerder]: A new test has been added to catch this crash in future.

[Risks and why]: The patch is very simple and safe. It's been on m-c since 2015-06-11. Aurora now has this fix too.

[String/UUID change made/needed]: None



Requesting approval-mozilla-release too, just in case there will be a point release, so it would contain this crash fix too.
Attachment #8614272 - Flags: approval-mozilla-release?
Attachment #8614272 - Flags: approval-mozilla-beta?
Comment on attachment 8614272 [details] [diff] [review]
patch

As stated, this fix has been on 41 for several weeks already. Let's get this stability fix on Beta. Beta+

I have left the release? so that we can consider this as a ride along in any 39 point release.
Attachment #8614272 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment on attachment 8614272 [details] [diff] [review]
patch

We might do a dot release of 39, taking it in case we do it.
Attachment #8614272 - Flags: approval-mozilla-release? → approval-mozilla-release+
Comment on attachment 8614272 [details] [diff] [review]
patch

Is it possible to have a crash signature? For now, it doesn't seem it is a top crash. So, I will revert my approval for now.
Flags: needinfo?(kairo)
Attachment #8614272 - Flags: approval-mozilla-release+ → approval-mozilla-release?
(In reply to Sylvestre Ledru [:sylvestre] PTO => July 10th from comment #11)
> Comment on attachment 8614272 [details] [diff] [review]
> patch
> 
> Is it possible to have a crash signature? For now, it doesn't seem it is a
> top crash. So, I will revert my approval for now.

Well this API is not used a lot across the web, but at least one site (peer5.com) depends on this fix heavily.
Yes. We are actually the ones that found the bug. Since then (~ 3-4 months) we stopped using IndexedDB in our production environment.

We are really waiting for this fix to be released and we would really appreciate if it would be released as soon as possible.

Thanks,
Guy
*stopped using indexedDB in Firefox that is - So Firefox at the moment is not really supported as it should be for our many users.
(In reply to Sylvestre Ledru [:sylvestre] PTO => August 1st from comment #11)
> Is it possible to have a crash signature?

Could be something like those:
https://crash-stats.mozilla.com/search/?product=Firefox&signature=~JSStructuredCloneReader%3A%3Aread&_facets=signature&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-signature

All very low volume though, and the above is just a guess based on the stack posted in this bug.
Flags: needinfo?(kairo)
Comment on attachment 8614272 [details] [diff] [review]
patch

40 is going to be released with the fix soon. Not approving for release.
Attachment #8614272 - Flags: approval-mozilla-release? → approval-mozilla-release-
You need to log in before you can comment on or make changes to this bug.