Closed
Bug 1179396
Opened 9 years ago
Closed 9 years ago
Assert/Crash running "fetch-csp.https.html" wpt service worker test in Nightly
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
DUPLICATE
of bug 1184557
Tracking | Status | |
---|---|---|
firefox42 | --- | affected |
People
(Reporter: noemi, Assigned: baku)
References
Details
Attachments
(1 file)
108.62 KB,
text/rtf
|
Details |
A Nightly crash occurs when executing "fetch-csp.https.html" wpt test such as |./mach web-platform-tests _mozilla/service-workers/service-worker/fetch-csp.https.html| with today's (7/1) master build The assertion failure shown is as follows: "Assertion failure: false (unknown ownership), at /Users/noef/Documents/mozilla-central/js/src/vm/StructuredClone.cpp:430" Please find attached the crash report corresponding to this
Comment 1•9 years ago
|
||
This is hitting the "unknown ownership" assertion in DiscardTransferables. Steve, can you please take a look? To reproduce, run the following command in a debug build: $ ./mach web-platform-tests testing/web-platform/mozilla/tests/service-workers/service-worker/fetch-csp.https.html Thanks!
Component: DOM: Service Workers → JavaScript Engine
Flags: needinfo?(sphink)
Reporter | ||
Comment 2•9 years ago
|
||
Hi, Just adding that the same assertion/crash occurs while executing "fetch-request-xhr.https.html" test.
Reporter | ||
Comment 3•9 years ago
|
||
(In reply to Noemí Freire (:noemi) from comment #2) > Hi, > > Just adding that the same assertion/crash occurs while executing > "fetch-request-xhr.https.html" test. and also when running "fetch-response-xhr.https.html" test
Reporter | ||
Comment 4•9 years ago
|
||
(In reply to Noemí Freire (:noemi) from comment #3) > (In reply to Noemí Freire (:noemi) from comment #2) > > Hi, > > > > Just adding that the same assertion/crash occurs while executing > > "fetch-request-xhr.https.html" test. > > and also when running "fetch-response-xhr.https.html" test and also when running: * "invalid-blobtype.https.html" test * "referer.https.html" test
Comment 5•9 years ago
|
||
:baku is fixing a very similar problem in WorkerPrivate.cpp. I'm not sure whether he'll be adding the JSAutoStructuredCloneBuffer.setCallbacks() call we were discussing, or if he'll fix it by using the constructor instead (which is currently the only way to set the callbacks.) But whatever he does there will probably be relevant here too. What is happening is that you have a JSAutoStructuredCloneBuffer that was created without having any nondefault data type handlers set. If you read the data out of it, then you'll be fine because the read call takes in a callback pointer. But if the buffer just dies (due to an error or something, so the read is not invoked), then the JSAutoStructuredCloneBuffer destructor will try to free any Transferables in the buffer, but it won't have the callbacks it needs to recognize what's in there. So it'll throw the above assertion. I know this API is awful. I have a long-abandoned patch in bug 991857 to clean up the handler registration API. But in the meantime, there are two options: (1) arrange for your buffer to be constructed with the needed callbacks, or (2) add a setCallbacks method so that you can fix up a clone buffer after the fact. Both may require fixing JSAutoStructuredCloneBuffer's copy constructors to copy over the callbacks, I'm not sure. Or rather, in your case I'm pretty sure that doesn't matter, but in baku's case it might. In your case, the clone buffer is the mBuffer field of PostMessageEvent. It is constructed with the default constructor. If you constructed it with &sPostMessageCallbacks then this would all be happier. Except that I'm not sure how the 'closure' arg is handled. It looks like you need it for freeing these guys (it force-closes a port), but it needs to contain the event, and I don't follow the code well enough to understand when that is or is not available. This is feeling a little shaky -- PostMessageEvent contains a JSAutoStructuredCloneBuffer, which means that destroying the PME will destroy the buffer, but the buffer's destruction requires a pointer to the event. Perhaps the event should be stored in the buffer itself, via the 64 bits of "extraData" available? It's unpleasant, I know, but if you need multiple pieces of information then you can heap-allocate a struct and manage its lifetime within the callbacks.
Flags: needinfo?(sphink)
Assignee | ||
Comment 7•9 years ago
|
||
Yes. I'm working on a more generic solution. But, yes I can take this.
Assignee: nobody → amarchesini
Flags: needinfo?(amarchesini)
Assignee | ||
Comment 8•9 years ago
|
||
The patch is ready in bug 1184557. I'm planning to replace all the custom JSStructuredCloneBuffer callback implementations with a more generic StructuredCloneHelper.
Depends on: 1184557
Assignee | ||
Comment 9•9 years ago
|
||
I close this bug as duplicate of bug 1184557.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Reporter | ||
Comment 10•9 years ago
|
||
Hi, just checked on m-c Nightly debug (d3228c82badd revision) and the result when running "fetch-csp.https.html" test is Timeout, please see the details below: Harness status: Timeout Found 1 test 1 Timeout *Timeout: Verify CSP control of fetch() in a Service Worker Adding this test to Bug 1180622. Thanks!
Reporter | ||
Comment 11•9 years ago
|
||
Hi, just checked on m-c (fcef8ded8221 revision) and the test successfully runs. Thanks for fixing it!. Summary Harness status: OK Found 1 tests 1 Pass Details Result Test Name Pass Verify CSP control of fetch() in a Service Worker
You need to log in
before you can comment on or make changes to this bug.
Description
•