IDBTransaction crash on ServiceWorkers

RESOLVED DUPLICATE of bug 1152026

Status

()

Core
DOM: IndexedDB
RESOLVED DUPLICATE of bug 1152026
3 years ago
2 years ago

People

(Reporter: nsm, Unassigned)

Tracking

({sec-moderate})

Trunk
sec-moderate
Points:
---

Firefox Tracking Flags

(firefox42 affected)

Details

STR:
1) Enable serviceworkers (dom.serviceWorkers.enabled) and push notifications (dom.push.enabled) in a Nightly build.
2) Visit https://johnme-gcm.appspot.com/ and enter the chat room with a username
3) Using another browser, for example Chromium, visit the same URL and enter the room as another user.
4) Send a message to the Firefox user using '@<username> <message>'
5) Firefox receives a push notification and the serviceworker script - https://johnme-gcm.appspot.com/chat/sw.js uses localforage to save the list of messages. localforage uses IDB internally. After a few seconds there is a crash when CC happens.

IDBTransaction is being released on the main thread when it was created on the worker. I had to unwrap the DOMEventTargetHelper release macro [1] to trace the failure to the owning thread assertion.

[1]: https://dxr.mozilla.org/mozilla-central/source/dom/events/DOMEventTargetHelper.cpp?from=DOMEventTargetHelper.cpp&case=true#80

I don't understand why IDBTransaction inherits nsIRunnable. Runnables may be destroyed on any thread, while DOMEventTargetHelper may not.

#0  0x00007fffe57b3f5a in mozilla::DOMEventTargetHelper::Release (this=0x7fffc6fb7860)
    at /home/nikhil/mozilla-central-notification/dom/events/DOMEventTargetHelper.cpp:86
#1  0x00007fffe6062aaf in mozilla::dom::indexedDB::IDBWrapperCache::Release (this=0x7fffc6fb7860)
    at /home/nikhil/mozilla-central-notification/dom/indexedDB/IDBWrapperCache.cpp:45
#2  0x00007fffe607fc2f in mozilla::dom::indexedDB::IDBTransaction::Release (this=0x7fffc6fb7860)
    at /home/nikhil/mozilla-central-notification/dom/indexedDB/IDBTransaction.cpp:970
#3  0x00007fffe607fc7c in non-virtual thunk to mozilla::dom::indexedDB::IDBTransaction::Release() ()
    at /home/nikhil/mozilla-central-notification/dom/indexedDB/IDBTransaction.cpp:970
#4  0x00007fffe2c9a77b in nsCOMPtr<nsIRunnable>::~nsCOMPtr (this=0x7fffb4241908) at ../../dist/include/nsCOMPtr.h:391
#5  0x00007fffe61f3e0a in mozilla::dom::workers::WorkerPrivate::PreemptingRunnableInfo::~PreemptingRunnableInfo (this=0x7fffb4241908)
    at /home/nikhil/mozilla-central-notification/dom/workers/WorkerPrivate.cpp:2765
#6  0x00007fffe61f3dc5 in nsTArrayElementTraits<mozilla::dom::workers::WorkerPrivate::PreemptingRunnableInfo>::Destruct (aE=0x7fffb4241908)
    at ../../dist/include/nsTArray.h:523
#7  0x00007fffe61f3d66 in nsTArray_Impl<mozilla::dom::workers::WorkerPrivate::PreemptingRunnableInfo, nsTArrayInfallibleAllocator>::DestructRange (
    this=0x7fffc55454b0, aStart=0, aCount=1) at ../../dist/include/nsTArray.h:1999
#8  0x00007fffe61f3cda in nsTArray_Impl<mozilla::dom::workers::WorkerPrivate::PreemptingRunnableInfo, nsTArrayInfallibleAllocator>::RemoveElementsAt (
    this=0x7fffc55454b0, aStart=0, aCount=1) at ../../dist/include/nsTArray.h:1641
#9  0x00007fffe61e086f in nsTArray_Impl<mozilla::dom::workers::WorkerPrivate::PreemptingRunnableInfo, nsTArrayInfallibleAllocator>::Clear (this=0x7fffc55454b0)
    at ../../dist/include/nsTArray.h:1650
#10 0x00007fffe6205729 in nsTArray_Impl<mozilla::dom::workers::WorkerPrivate::PreemptingRunnableInfo, nsTArrayInfallibleAllocator>::~nsTArray_Impl (
    this=0x7fffc55454b0) at ../../dist/include/nsTArray.h:827
#11 0x00007fffe61dfa85 in nsTArray<mozilla::dom::workers::WorkerPrivate::PreemptingRunnableInfo>::~nsTArray (this=0x7fffc55454b0)
    at ../../dist/include/nsIHttpChannelInternal.h:17
#12 0x00007fffe61aaad1 in mozilla::dom::workers::WorkerPrivate::~WorkerPrivate (this=0x7fffc5545000)
    at /home/nikhil/mozilla-central-notification/dom/workers/WorkerPrivate.cpp:4796
#13 0x00007fffe61aabd9 in mozilla::dom::workers::WorkerPrivate::~WorkerPrivate (this=0x7fffc5545000)
    at /home/nikhil/mozilla-central-notification/dom/workers/WorkerPrivate.cpp:4795
#14 0x00007fffe57b4081 in mozilla::DOMEventTargetHelper::DeleteCycleCollectable (this=0x7fffc5545000)
    at /home/nikhil/mozilla-central-notification/dom/events/DOMEventTargetHelper.cpp:122
#15 0x00007fffe44f4b65 in mozilla::DOMEventTargetHelper::cycleCollection::DeleteCycleCollectable (
    this=0x7fffeb8d7f58 <mozilla::dom::workers::WorkerPrivateParent<mozilla::dom::workers::WorkerPrivate>::_cycleCollectorGlobal>, p=0x7fffc5545000)
    at ../../dist/include/mozilla/DOMEventTargetHelper.h:64
#16 0x00007fffe2c8e4ae in SnowWhiteKiller::~SnowWhiteKiller (this=0x7fffffffbda0) at /home/nikhil/mozilla-central-notification/xpcom/base/nsCycleCollector.cpp:2638
#17 0x00007fffe2c8053d in nsCycleCollector::FreeSnowWhite (this=0x7fffde2f2000, aUntilNoSWInPurpleBuffer=false)
    at /home/nikhil/mozilla-central-notification/xpcom/base/nsCycleCollector.cpp:2806
#18 0x00007fffe2c84939 in nsCycleCollector_doDeferredDeletion () at /home/nikhil/mozilla-central-notification/xpcom/base/nsCycleCollector.cpp:4084
#19 0x00007fffe3bf7606 in AsyncFreeSnowWhite::Run (this=0x7fffde1b7900) at /home/nikhil/mozilla-central-notification/js/xpconnect/src/XPCJSRuntime.cpp:140
#20 0x00007fffe2d58cfc in nsThread::ProcessNextEvent (this=0x7fffde2d77c0, aMayWait=false, aResult=0x7fffffffc07e)
    at /home/nikhil/mozilla-central-notification/xpcom/threads/nsThread.cpp:867
#21 0x00007fffe2dc2997 in NS_ProcessNextEvent (aThread=0x7fffde2d77c0, aMayWait=false) at /home/nikhil/mozilla-central-notification/xpcom/glue/nsThreadUtils.cpp:277
#22 0x00007fffe33ae8ce in mozilla::ipc::MessagePump::Run (this=0x7fffde263140, aDelegate=0x7ffff6ba2880)
    at /home/nikhil/mozilla-central-notification/ipc/glue/MessagePump.cpp:95
Jan, Kyle, any ideas?
Flags: needinfo?(khuey)
Flags: needinfo?(Jan.Varga)
Group: core-security
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Flags: needinfo?(khuey)
Flags: needinfo?(Jan.Varga)
Resolution: --- → DUPLICATE
Duplicate of bug: 1152026

Updated

3 years ago
Group: core-security → core-security-release
Group: core-security-release
Keywords: sec-moderate
You need to log in before you can comment on or make changes to this bug.