Closed
Bug 1170746
Opened 9 years ago
Closed 9 years ago
Getting mutable files over a cursor crashes the browser
Categories
(Core :: Storage: IndexedDB, defect)
Core
Storage: IndexedDB
Tracking
()
RESOLVED
FIXED
mozilla41
People
(Reporter: janv, Assigned: janv)
Details
(Keywords: crash)
Attachments
(1 file)
4.76 KB,
patch
|
bent.mozilla
:
review+
lmandel
:
approval-mozilla-beta+
Sylvestre
:
approval-mozilla-release-
|
Details | Diff | Splinter Review |
Steps to reproduce: 1. Run current nightly 2. File -> Open New Non-e10s Window 3. Go to https://www.peer5.com/downloader/crashFF.html 4. Click on "Run Sample" 5. Wait until approximately 50% is downloaded 6. Reload the page At this point the browser crashes with following stack trace: Assertion failure: aDatabase, at /Users/varga/Sources/Inbound/dom/indexedDB/IDBObjectStore.cpp:581 #01: JSStructuredCloneReader::read(JS::MutableHandle<JS::Value>)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3ecaa72] #02: JS_ReadStructuredClone(JSContext*, unsigned long long*, unsigned long, unsigned int, JS::MutableHandle<JS::Value>, JSStructuredCloneCallbacks const*, void*)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3ed0abd] #03: mozilla::dom::indexedDB::IDBObjectStore::DeserializeValue(JSContext*, mozilla::dom::indexedDB::StructuredCloneReadInfo&, JS::MutableHandle<JS::Value>)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x252df0f] #04: mozilla::dom::indexedDB::IDBCursor::GetValue(JSContext*, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x252dcfd] #05: mozilla::dom::IDBCursorWithValueBinding::get_value(JSContext*, JS::Handle<JSObject*>, mozilla::dom::indexedDB::IDBCursor*, JSJitGetterCallArgs)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x1ca37a2] #06: mozilla::dom::GenericBindingGetter(JSContext*, unsigned int, JS::Value*)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x1d4c30b] #07: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3d5838d] #08: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3d3c5b4] #09: bool GetExistingProperty<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JSObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<js::Shape*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JS::Value[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3d96b49] #10: bool NativeGetPropertyInline<(js::AllowGC)1>(JSContext*, js::MaybeRooted<js::NativeObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JSObject*, (js::AllowGC)1>::HandleType, js::MaybeRooted<jsid, (js::AllowGC)1>::HandleType, IsNameLookup, js::MaybeRoot[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3d9738c] #11: js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, js::PropertyName*, JS::MutableHandle<JS::Value>)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3db84a4] #12: js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3d84068] #13: Interpret(JSContext*, js::RunState&)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3d73879] #14: js::RunScript(JSContext*, js::RunState&)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3d69755] #15: js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3d583b1] #16: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3d3c5b4] #17: JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x431e4ba] #18: mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x1b23a88] #19: mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x1f291d9] #20: mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x1f0c1dd] #21: mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x1f0cba7] #22: mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x1f0e963] #23: mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x1f058ff] #24: mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x1f07194] #25: mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x1ef77d3] #26: mozilla::DOMEventTargetHelper::DispatchEvent(nsIDOMEvent*, bool*)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x1ef7673] #27: mozilla::dom::indexedDB::(anonymous namespace)::DispatchSuccessEvent(mozilla::dom::indexedDB::(anonymous namespace)::ResultHelper*, nsIDOMEvent*)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x251db01] #28: mozilla::dom::indexedDB::BackgroundCursorChild::HandleResponse(mozilla::dom::indexedDB::ObjectStoreCursorResponse const&)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x2527cb5] #29: mozilla::dom::indexedDB::BackgroundCursorChild::RecvResponse(mozilla::dom::indexedDB::CursorResponse const&)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x252a458] #30: mozilla::dom::indexedDB::PBackgroundIDBCursorChild::OnMessageReceived(IPC::Message const&)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x50384a] #31: mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x4efab0] #32: mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x4b6c5f] #33: mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x4b57a1] #34: mozilla::ipc::MessageChannel::OnMaybeDequeueOne()[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x4afc6e] #35: MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x48606d] #36: MessageLoop::DoWork()[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x4863eb] #37: mozilla::ipc::DoWorkRunnable::Run()[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x4ba4e5] #38: nsThread::ProcessNextEvent(bool, bool*)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0xe84e5] #39: NS_ProcessPendingEvents(nsIThread*, unsigned int)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x121def] #40: nsBaseAppShell::NativeEventCallback()[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x285bc97] #41: nsAppShell::ProcessGeckoEvents(void*)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x28b39de] #42: __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__[/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation +0x80a01] #43: __CFRunLoopDoSources0[/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation +0x72b8d] #44: __CFRunLoopRun[/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation +0x721bf] #45: CFRunLoopRunSpecific[/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation +0x71bd8] #46: RunCurrentEventLoopInMode[/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox +0x3256f] #47: ReceiveNextEventCommon[/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox +0x322ea] #48: _BlockUntilNextEventMatchingListInModeWithFilter[/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox +0x3212b] #49: _DPSNextEvent[/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit +0x919bb] #50: -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:][/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit +0x90f68] #51: -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:][/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x28b2c66] #52: -[NSApplication run][/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit +0x86bf3] #53: nsAppShell::Run()[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x28b40d0] #54: nsAppStartup::Run()[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x33cab69] #55: XREMain::XRE_mainRun()[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3449784] #56: XREMain::XRE_main(int, char**, nsXREAppData const*)[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x3449fc8] #57: XRE_main[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/XUL +0x344a4ab] #58: main[/Users/varga/Sources/Inbound/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/./firefox +0x20fb]
Assignee | ||
Comment 1•9 years ago
|
||
Assignee: nobody → Jan.Varga
Status: NEW → ASSIGNED
Attachment #8614272 -
Flags: review?(bent.mozilla)
Attachment #8614272 -
Flags: review?(bent.mozilla) → review+
Backed out in https://hg.mozilla.org/integration/mozilla-inbound/rev/7466fbbe72ac for test_filehandle_getFile.html orange: https://treeherder.mozilla.org/logviewer.html#?job_id=10618370&repo=mozilla-inbound
Flags: needinfo?(Jan.Varga)
Assignee | ||
Comment 5•9 years ago
|
||
(In reply to Wes Kocher (:KWierso) from comment #3) > Backed out in > https://hg.mozilla.org/integration/mozilla-inbound/rev/7466fbbe72ac for > test_filehandle_getFile.html orange: > > https://treeherder.mozilla.org/logviewer.html#?job_id=10618370&repo=mozilla- > inbound mochitest.ini wasn't updated correctly
Flags: needinfo?(Jan.Varga)
https://hg.mozilla.org/mozilla-central/rev/1c9478931a94
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
Assignee | ||
Comment 7•9 years ago
|
||
Comment on attachment 8614272 [details] [diff] [review] patch Approval Request Comment [Feature/regressing bug #]: I think it was IndexedDB on PBackground which regressed this crash. [User impact if declined]: Consumers of FileHandle API are not able to retrieve mutable files using cursors. www.peer5.com had to disable firefox support because of this crash. [Describe test coverage new/current, TreeHerder]: A new test has been added to catch this crash in future. [Risks and why]: The patch is very simple and safe. It's been on m-c since 2015-06-11. Aurora now has this fix too. [String/UUID change made/needed]: None Requesting approval-mozilla-release too, just in case there will be a point release, so it would contain this crash fix too.
Attachment #8614272 -
Flags: approval-mozilla-release?
Attachment #8614272 -
Flags: approval-mozilla-beta?
Updated•9 years ago
|
Comment 8•9 years ago
|
||
Comment on attachment 8614272 [details] [diff] [review] patch As stated, this fix has been on 41 for several weeks already. Let's get this stability fix on Beta. Beta+ I have left the release? so that we can consider this as a ride along in any 39 point release.
Attachment #8614272 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 9•9 years ago
|
||
https://hg.mozilla.org/releases/mozilla-beta/rev/48a7360bf797
Flags: in-testsuite+
Comment 10•9 years ago
|
||
Comment on attachment 8614272 [details] [diff] [review] patch We might do a dot release of 39, taking it in case we do it.
Attachment #8614272 -
Flags: approval-mozilla-release? → approval-mozilla-release+
Comment 11•9 years ago
|
||
Comment on attachment 8614272 [details] [diff] [review] patch Is it possible to have a crash signature? For now, it doesn't seem it is a top crash. So, I will revert my approval for now.
Flags: needinfo?(kairo)
Attachment #8614272 -
Flags: approval-mozilla-release+ → approval-mozilla-release?
Assignee | ||
Comment 12•9 years ago
|
||
(In reply to Sylvestre Ledru [:sylvestre] PTO => July 10th from comment #11) > Comment on attachment 8614272 [details] [diff] [review] > patch > > Is it possible to have a crash signature? For now, it doesn't seem it is a > top crash. So, I will revert my approval for now. Well this API is not used a lot across the web, but at least one site (peer5.com) depends on this fix heavily.
Comment 13•9 years ago
|
||
Yes. We are actually the ones that found the bug. Since then (~ 3-4 months) we stopped using IndexedDB in our production environment. We are really waiting for this fix to be released and we would really appreciate if it would be released as soon as possible. Thanks, Guy
Comment 14•9 years ago
|
||
*stopped using indexedDB in Firefox that is - So Firefox at the moment is not really supported as it should be for our many users.
Comment 15•9 years ago
|
||
(In reply to Sylvestre Ledru [:sylvestre] PTO => August 1st from comment #11) > Is it possible to have a crash signature? Could be something like those: https://crash-stats.mozilla.com/search/?product=Firefox&signature=~JSStructuredCloneReader%3A%3Aread&_facets=signature&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-signature All very low volume though, and the above is just a guess based on the stack posted in this bug.
Flags: needinfo?(kairo)
Comment 16•9 years ago
|
||
Comment on attachment 8614272 [details] [diff] [review] patch 40 is going to be released with the fix soon. Not approving for release.
Attachment #8614272 -
Flags: approval-mozilla-release? → approval-mozilla-release-
You need to log in
before you can comment on or make changes to this bug.
Description
•