1502101 - Assertion failure: uint64_t(aDest) >= uint64_t(aArg), at /builds/worker/workspace/build/src/dom/quota/ActorsParent.cpp:1485

Status: RESOLVED DUPLICATE of bug 1626973

(Core :: Storage: IndexedDB, defect, P3)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Testcase found while fuzzing mozilla-central rev 3cc04ee79005.  Please note that the testcase must be served via a local webserver.

Assertion failure: uint64_t(aDest) >= uint64_t(aArg), at /builds/worker/workspace/build/src/dom/quota/ActorsParent.cpp:1485

rax = 0x0000000000000000   rdx = 0x0000000000000000
rcx = 0x0000000000000b40   rbx = 0x000000009e3910ce
rsi = 0x00007f6b1584b8b0   rdi = 0x00007f6b1584a680
rbp = 0x00007f6ae9b7c2d0   rsp = 0x00007f6ae9b7c2d0
r8 = 0x00007f6b1584b8b0    r9 = 0x00007f6ae9b7d700
r10 = 0x0000000000000002   r11 = 0x0000000000000000
r12 = 0x00007f6ae237a700   r13 = 0x00007f6ae9b7c330
r14 = 0x0000000000000002   r15 = 0x00007f6ae234cdc8
rip = 0x00007f6b05a8ace6
OS|Linux|0.0.0 Linux 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64
CPU|amd64|family 6 model 78 stepping 3|1
GPU|||
Crash|SIGSEGV /SEGV_MAPERR|0x0|44
44|0|libxul.so|AssertNoUnderflow<long unsigned int, long unsigned int>|hg:hg.mozilla.org/mozilla-central:dom/quota/ActorsParent.cpp:3cc04ee79005058d817daf66da7963dfac3f0a3a|1485|0x5
44|1|libxul.so|mozilla::dom::quota::OriginInfo::LockedDecreaseUsage(long)|hg:hg.mozilla.org/mozilla-central:dom/quota/ActorsParent.cpp:3cc04ee79005058d817daf66da7963dfac3f0a3a|1485|0xa
44|2|libxul.so|mozilla::dom::quota::QuotaManager::DecreaseUsageForOrigin(mozilla::dom::quota::PersistenceType, nsTSubstring<char> const&, nsTSubstring<char> const&, long)|hg:hg.mozilla.org/mozilla-central:dom/quota/ActorsParent.cpp:3cc04ee79005058d817daf66da7963dfac3f0a3a|3776|0x14
44|3|libxul.so|DeleteDatabaseOp::VersionChangeOp::RunOnIOThread|hg:hg.mozilla.org/mozilla-central:dom/indexedDB/ActorsParent.cpp:3cc04ee79005058d817daf66da7963dfac3f0a3a|23129|0x19
44|4|libxul.so|DeleteDatabaseOp::VersionChangeOp::Run|hg:hg.mozilla.org/mozilla-central:dom/indexedDB/ActorsParent.cpp:3cc04ee79005058d817daf66da7963dfac3f0a3a|23229|0x5
44|5|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:3cc04ee79005058d817daf66da7963dfac3f0a3a|1245|0x15
44|6|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:3cc04ee79005058d817daf66da7963dfac3f0a3a|530|0x11
44|7|libxul.so|mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:3cc04ee79005058d817daf66da7963dfac3f0a3a|364|0xd
44|8|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:3cc04ee79005058d817daf66da7963dfac3f0a3a|325|0x17
44|9|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:3cc04ee79005058d817daf66da7963dfac3f0a3a|318|0x8
44|10|libxul.so|nsThread::ThreadFunc(void*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:3cc04ee79005058d817daf66da7963dfac3f0a3a|505|0x8
44|11|libnspr4.so|_pt_root|hg:hg.mozilla.org/mozilla-central:nsprpub/pr/src/pthreads/ptthread.c:3cc04ee79005058d817daf66da7963dfac3f0a3a|201|0x7
44|12|libpthread-2.27.so||||0x76db
44|13|libc-2.27.so||||0x12188f

Comment 2

[Bugmon [:jkratzer for issues]]

Bugmon Analysis:
The bug appears to have been fixed in the following build range:

Start: 9d9d5c5c498cd98566dba6de3d435bdbf6695ec9 (20200406135313)
End: 28074399b8d4ef1830336067f026ce94fb5cc531 (20200406135735)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=9d9d5c5c498cd98566dba6de3d435bdbf6695ec9&tochange=28074399b8d4ef1830336067f026ce94fb5cc531