Crash in [@ InvalidArrayIndex_CRASH | mozilla::dom::quota::QuotaManager::GetUsageForClient]
Categories
(Core :: Storage: Quota Manager, defect, P3)
Tracking
()
Tracking | Status | |
---|---|---|
firefox-esr78 | --- | unaffected |
firefox90 | --- | verified |
firefox91 | --- | verified |
firefox92 | --- | verified |
People
(Reporter: gsvelto, Assigned: janv)
References
Details
(Keywords: crash)
Crash Data
Attachments
(2 files)
48 bytes,
text/x-phabricator-request
|
pascalc
:
approval-mozilla-beta+
jcristau
:
approval-mozilla-release+
|
Details | Review |
48 bytes,
text/x-phabricator-request
|
pascalc
:
approval-mozilla-beta+
jcristau
:
approval-mozilla-release+
|
Details | Review |
This bug is for crash report bp-15409535-80bd-4247-bdbc-11f7c0191027.
Top 10 frames of crashing thread:
0 libxul.so InvalidArrayIndex_CRASH xpcom/ds/nsTArray.cpp:27
1 libxul.so mozilla::dom::quota::QuotaManager::GetUsageForClient dom/quota/ActorsParent.cpp:4139
2 libxul.so mozilla::dom:: dom/localstorage/ActorsParent.cpp:7807
3 libxul.so mozilla::dom:: dom/localstorage/ActorsParent.cpp:6726
4 libxul.so nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1225
5 libxul.so <name omitted> xpcom/threads/nsThreadUtils.cpp:486
6 libxul.so mozilla::ipc::MessagePumpForNonMainThreads::Run ipc/glue/MessagePump.cpp:303
7 libxul.so MessageLoop::Run ipc/chromium/src/base/message_loop.cc:290
8 libxul.so nsThread::ThreadFunc xpcom/threads/nsThread.cpp:458
9 libnspr4.so _pt_root nsprpub/pr/src/pthreads/ptthread.c:201
The raw crash reason is ElementAt(aIndex = 3, aLength = 3)
.
The unwinding hides the real line where we're crashing, looking at the frames it appears to be this one:
Updated•5 years ago
|
Assignee | ||
Updated•5 years ago
|
Comment 1•4 years ago
|
||
So OriginInfo
contains ClientUsageArray mClientUsages;
, which is initialized to have length:
static Type TypeMax() {
if (CachedNextGenLocalStorageEnabled()) {
return TYPE_MAX;
}
return LS;
}
and never touched afterwards in terms of length until destruction. I see two possible reasons:
- We changed the pref driving
CachedNextGenLocalStorageEnabled()
during runtime to false, creating thus smallermClientUsages
but somewhere in our code we still expect to have the longer variant. In any case it looks a bit odd, that the memory layout of an array of a probably serialized object depends on a pref, that might flip anytime. - We try to access
mClientUsages
after that it has been deconstructed (which probably means, the underlyingOriginInfo
has been freed).
Updated•4 years ago
|
Comment 2•3 years ago
|
||
I got a crash (id: bp-522ee260-3be6-4d7c-a0b2-f78a80210330) with the same signature after I had flipped the pref for LSNG and had reloaded a tab.
Comment 3•3 years ago
|
||
(In reply to Tom Tung [:tt, :ttung] from comment #2)
I got a crash (id: bp-522ee260-3be6-4d7c-a0b2-f78a80210330) with the same signature after I had flipped the pref for LSNG and had reloaded a tab.
Hi Tom, so you are saying this does reproduce?
Comment 4•3 years ago
•
|
||
(In reply to Jens Stutte [:jstutte] from comment #3)
(In reply to Tom Tung [:tt, :ttung] from comment #2)
I got a crash (id: bp-522ee260-3be6-4d7c-a0b2-f78a80210330) with the same signature after I had flipped the pref for LSNG and had reloaded a tab.
Hi Tom, so you are saying this does reproduce?
(Edited: the step for reloading a tab without an LSNG storage is not needed to reproduce this crash)
Yes, at least, I reproduced it through:
0. Daily use Nightly (dom.storage.next_gen
is true
)
- Turn the pref to
false
. - Restart Nightly.
- Turn the pref to
true
. - Reload a tab with an LSNG storage (In my case, a Bugzilla page).
I will see if I can provide more details. And I am happy to share my profile if it's needed. :)
The second crash report (https://crash-stats.mozilla.org/report/index/d58648d8-54e5-4387-a652-8e6010210330).
Interestingly, the second time, my Nightly hangs for minutes but I terminated it by Ctrl+c. Not sure some other issue is involved or not.
Comment 5•3 years ago
|
||
This crash signature is also reproducible with the steps from https://bugzilla.mozilla.org/show_bug.cgi?id=1719453#c1.
Assignee | ||
Comment 6•3 years ago
|
||
Updated•3 years ago
|
Assignee | ||
Comment 7•3 years ago
|
||
Depends on D119710
Updated•3 years ago
|
Assignee | ||
Comment 9•3 years ago
|
||
Updated•3 years ago
|
Comment 10•3 years ago
|
||
Pushed by jvarga@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/78cabff7b610 Forbid creation of PBackgroundLSRequest/PBackgroundLSSimpleRequest actors in the parent process if LSNG is not enabled; r=dom-storage-reviewers,jstutte https://hg.mozilla.org/integration/autoland/rev/3b175989fe8c Share the same cached pref value of dom.storage.next_gen across all relevant processes; r=dom-storage-reviewers,jstutte
Comment 11•3 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/78cabff7b610
https://hg.mozilla.org/mozilla-central/rev/3b175989fe8c
Assignee | ||
Comment 12•3 years ago
|
||
Comment on attachment 9230861 [details]
Bug 1591877 - Share the same cached pref value of dom.storage.next_gen across all relevant processes; r=#dom-storage
Beta/Release Uplift Approval Request
- User impact if declined: We would like to start an experiment in 91 which enables LSNG for some users. We can't do that without this crash fix.
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The changes are rather small and well tested locally.
- String changes made/needed: None
Assignee | ||
Updated•3 years ago
|
Comment 13•3 years ago
|
||
Comment on attachment 9230861 [details]
Bug 1591877 - Share the same cached pref value of dom.storage.next_gen across all relevant processes; r=#dom-storage
Crash fix, approved for 91 beta 3, thanks.
Updated•3 years ago
|
Comment 14•3 years ago
|
||
bugherder uplift |
https://hg.mozilla.org/releases/mozilla-beta/rev/1656e86faf04
https://hg.mozilla.org/releases/mozilla-beta/rev/d6af2879a42b
Updated•3 years ago
|
Assignee | ||
Comment 15•3 years ago
|
||
Comment on attachment 9230861 [details]
Bug 1591877 - Share the same cached pref value of dom.storage.next_gen across all relevant processes; r=#dom-storage
Beta/Release Uplift Approval Request
- User impact if declined: We would like to start an experiment in 90 which enables LSNG for some users. We can't do that without this crash fix.
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The changes are rather small and well tested locally.
- String changes made/needed: None
Assignee | ||
Updated•3 years ago
|
Comment 16•3 years ago
•
|
||
Verified-fixed on the latest Firefox Nightly 92.0a1 (BuildID: 20210715215249) and on the latest Beta 91.0b3 on Windows 7/10, MacOS 10.15 and Ubuntu 20.04.
We were able to reproduce the crashes on the affected builds with all the scenarios provided in this bug and from the duplicates as well.
On the fixed builds, the crashes did not occur anymore.
Comment 17•3 years ago
|
||
Comment on attachment 9230861 [details]
Bug 1591877 - Share the same cached pref value of dom.storage.next_gen across all relevant processes; r=#dom-storage
approved for 90.0.1
Updated•3 years ago
|
Comment 18•3 years ago
|
||
bugherder uplift |
Comment 19•3 years ago
|
||
Verified fixed on the latest dot Release 90.0.1 on Windows 7/10, MacOS 10.15 and Ubuntu 20.04.
Updated•3 years ago
|
Description
•