Closed Bug 1329669 Opened 5 years ago Closed 5 years ago

Crash in mozilla::dom::cache::CacheOpChild::Recv__delete__


(Core :: DOM: Core & HTML, defect)

Windows 7
Not set



Tracking Status
firefox-esr45 --- wontfix
firefox50 --- wontfix
firefox51 --- fixed
firefox52 --- fixed
firefox53 --- fixed


(Reporter: bkelly, Assigned: bkelly)



(Keywords: crash)

Crash Data


(1 file, 1 obsolete file)

This bug was filed from the Socorro interface and is 
report bp-e4251650-8df6-472e-8ec3-7c7492170106.

When the parent side fails to open the storage we return a nullptr actor back to the child.  The child, however, tries to use the actor without checking for nullptr.  I think that is causing this low frequency crash.
Well, in theory we should be sending an error code in this case, but it seems we sometimes still have a nullptr actor.
Assignee: nobody → bkelly
This patch tries to verify the actor pointer provided in the OpenStorageResult is valid before using it.  In theory this should not happen when we have a successful result code, so the patch also does a MOZ_DIAGNOSTIC_ASSERT().  For release builds, though, we reject with a generic TypeError message.
Attachment #8825079 - Flags: review?(bugmail)
Comment on attachment 8825079 [details] [diff] [review]
Gracefully handle nullptr Cache actor in CacheStorage::Open() result. r=asuth

Review of attachment 8825079 [details] [diff] [review]:

Wow, this is a weird error!  Anyways, I think it probably also makes sense to add:
- MOZ_DIAGNOSTIC_ASSERT(mCacheId != INVALID_CACHE_ID) just before both of the success "return rv" paths in Manager::StorageOpenAction::RunSyncWithDBOnTarget to ensure nothing insane is happening in those methods.  These seem unlikely to screw up, but make the next assertion more useful...
- Add MOZ_DIAGNOSTIC_ASSERT(aRv.Failed() || mCacheId != INVALID_CACHE_ID) before the aListener->OnOpComplete call.  This should ideally help verify that no code screwed up and invoked Resolve(NS_OK) somehow, somewhere.  (And because this is literally the only call-site to construct a StorageOpenResult() and CacheOpChild is switching on the discriminated union type, it should guarantee this assertion gets a chance to do its thing and cause an early explosion closer to the point of failure than the diagnostic in the child.)
Attachment #8825079 - Flags: review?(bugmail) → review+
Attachment #8825079 - Attachment is obsolete: true
Attachment #8825423 - Flags: review+
Pushed by
Gracefully handle nullptr Cache actor in CacheStorage::Open() result. r=asuth
Comment on attachment 8825423 [details] [diff] [review]

Approval Request Comment
[Feature/Bug causing the regression]: Service workers
[User impact if declined]: About 10 crashes per week in release and beta channels.
[Is this code covered by automated tests?]: Yes, but it did not catch this rare corner case.
[Has the fix been verified in Nightly?]: We don't have exact steps to reproduce so it cannot be manually verified.
[Needs manual test from QE? If yes, steps to reproduce]: None
[List of other uplifts needed for the feature/fix]: None
[Is the change risky?]: No
[Why is the change risky/not risky?]: The patch only adds a nullptr check and some diagnostic assertions.
[String changes made/needed]: None
Attachment #8825423 - Flags: approval-mozilla-beta?
Attachment #8825423 - Flags: approval-mozilla-aurora?
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Comment on attachment 8825423 [details] [diff] [review]

Fix a crash. Beta51+ & Aurora52+. Should be in 51 beta 14.
Attachment #8825423 - Flags: approval-mozilla-beta?
Attachment #8825423 - Flags: approval-mozilla-beta+
Attachment #8825423 - Flags: approval-mozilla-aurora?
Attachment #8825423 - Flags: approval-mozilla-aurora+
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.