Crash in mozilla::dom::cache::CacheOpChild::Recv__delete__

RESOLVED FIXED in Firefox 51

Status

()

defect
--
critical
RESOLVED FIXED
3 years ago
3 months ago

People

(Reporter: bkelly, Assigned: bkelly)

Tracking

(Blocks 1 bug, {crash})

unspecified
mozilla53
x86
Windows 7
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox-esr45 wontfix, firefox50 wontfix, firefox51 fixed, firefox52 fixed, firefox53 fixed)

Details

(crash signature)

Attachments

(1 attachment, 1 obsolete attachment)

This bug was filed from the Socorro interface and is 
report bp-e4251650-8df6-472e-8ec3-7c7492170106.
=============================================================

When the parent side fails to open the storage we return a nullptr actor back to the child.  The child, however, tries to use the actor without checking for nullptr.  I think that is causing this low frequency crash.
Well, in theory we should be sending an error code in this case, but it seems we sometimes still have a nullptr actor.
Assignee: nobody → bkelly
Status: NEW → ASSIGNED
This patch tries to verify the actor pointer provided in the OpenStorageResult is valid before using it.  In theory this should not happen when we have a successful result code, so the patch also does a MOZ_DIAGNOSTIC_ASSERT().  For release builds, though, we reject with a generic TypeError message.
Attachment #8825079 - Flags: review?(bugmail)
Comment on attachment 8825079 [details] [diff] [review]
Gracefully handle nullptr Cache actor in CacheStorage::Open() result. r=asuth

Review of attachment 8825079 [details] [diff] [review]:
-----------------------------------------------------------------

Wow, this is a weird error!  Anyways, I think it probably also makes sense to add:
- MOZ_DIAGNOSTIC_ASSERT(mCacheId != INVALID_CACHE_ID) just before both of the success "return rv" paths in Manager::StorageOpenAction::RunSyncWithDBOnTarget to ensure nothing insane is happening in those methods.  These seem unlikely to screw up, but make the next assertion more useful...
- Add MOZ_DIAGNOSTIC_ASSERT(aRv.Failed() || mCacheId != INVALID_CACHE_ID) before the aListener->OnOpComplete call.  This should ideally help verify that no code screwed up and invoked Resolve(NS_OK) somehow, somewhere.  (And because this is literally the only call-site to construct a StorageOpenResult() and CacheOpChild is switching on the discriminated union type, it should guarantee this assertion gets a chance to do its thing and cause an early explosion closer to the point of failure than the diagnostic in the child.)
Attachment #8825079 - Flags: review?(bugmail) → review+
Attachment #8825079 - Attachment is obsolete: true
Attachment #8825423 - Flags: review+

Comment 5

3 years ago
Pushed by bkelly@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/ba05b37f1dd9
Gracefully handle nullptr Cache actor in CacheStorage::Open() result. r=asuth
Comment on attachment 8825423 [details] [diff] [review]
bug1329669_openfailed.patch

Approval Request Comment
[Feature/Bug causing the regression]: Service workers
[User impact if declined]: About 10 crashes per week in release and beta channels.
[Is this code covered by automated tests?]: Yes, but it did not catch this rare corner case.
[Has the fix been verified in Nightly?]: We don't have exact steps to reproduce so it cannot be manually verified.
[Needs manual test from QE? If yes, steps to reproduce]: None
[List of other uplifts needed for the feature/fix]: None
[Is the change risky?]: No
[Why is the change risky/not risky?]: The patch only adds a nullptr check and some diagnostic assertions.
[String changes made/needed]: None
Attachment #8825423 - Flags: approval-mozilla-beta?
Attachment #8825423 - Flags: approval-mozilla-aurora?

Comment 7

3 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/ba05b37f1dd9
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Comment on attachment 8825423 [details] [diff] [review]
bug1329669_openfailed.patch

Fix a crash. Beta51+ & Aurora52+. Should be in 51 beta 14.
Attachment #8825423 - Flags: approval-mozilla-beta?
Attachment #8825423 - Flags: approval-mozilla-beta+
Attachment #8825423 - Flags: approval-mozilla-aurora?
Attachment #8825423 - Flags: approval-mozilla-aurora+
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.