Closed Bug 1593863 Opened 5 years ago Closed 4 years ago

Crash [@ mozilla::dom::indexedDB::(anonymous namespace)::QuotaClient::ShutdownTimedOut]

Categories

(Core :: Storage: IndexedDB, defect, P2)

RESOLVED DUPLICATE of bug 1592336

People

(Reporter: jkratzer, Assigned: asuth)

References

(Blocks 3 open bugs)

Details

(Keywords: crash, regression, testcase)

Attachments

(2 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 5647ec4ba6f2.

==22511==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f01056efab0 bp 0x7f00ec4f6090 sp 0x7f00ec4f5be0 T23)
==22511==The signal is caused by a WRITE memory access.
==22511==Hint: address points to the zero page.
    #0 0x7f01056efaaf in PersistenceTypeToText /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/quota/PersistenceType.h:47:7
    #1 0x7f01056efaaf in PersistenceTypeString /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/quota/PersistenceType.h:54:5
    #2 0x7f01056efaaf in Stringify /builds/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:17576:18
    #3 0x7f01056efaaf in Stringify /builds/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:16986:22
    #4 0x7f01056efaaf in mozilla::dom::indexedDB::(anonymous namespace)::QuotaClient::ShutdownTimedOut() /builds/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:16501:26
    #5 0x7f01056edd65 in mozilla::dom::indexedDB::(anonymous namespace)::QuotaClient::ShutdownWorkThreads()::$_25::operator()(nsITimer*, void*) const /builds/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:16399:3
    #6 0x7f01056edd45 in mozilla::dom::indexedDB::(anonymous namespace)::QuotaClient::ShutdownWorkThreads()::$_25::__invoke(nsITimer*, void*) /builds/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:16399:3
    #7 0x7f00fd082181 in nsTimerImpl::Fire(int) /builds/worker/workspace/build/src/xpcom/threads/nsTimerImpl.cpp:561:7
    #8 0x7f00fd081a19 in nsTimerEvent::Run() /builds/worker/workspace/build/src/xpcom/threads/TimerThread.cpp:260:11
    #9 0x7f00fd094a93 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
    #10 0x7f00fd09b5f1 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #11 0x7f01056e081c in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:16409:3)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:348:25
    #12 0x7f01056e081c in mozilla::dom::indexedDB::(anonymous namespace)::QuotaClient::ShutdownWorkThreads() /builds/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:16409:3
    #13 0x7f01051bef71 in mozilla::dom::quota::QuotaManager::Shutdown() /builds/worker/workspace/build/src/dom/quota/ActorsParent.cpp:3968:21
    #14 0x7f01051afbbc in mozilla::dom::quota::QuotaManager::ShutdownInstance() /builds/worker/workspace/build/src/dom/quota/ActorsParent.cpp:3554:16
    #15 0x7f01051afb18 in mozilla::dom::quota::RecvShutdownQuotaManager() /builds/worker/workspace/build/src/dom/quota/ActorsParent.cpp:2727:3
    #16 0x7f00fe263eff in mozilla::ipc::BackgroundParentImpl::RecvShutdownQuotaManager() /builds/worker/workspace/build/src/ipc/glue/BackgroundParentImpl.cpp:1045:8
    #17 0x7f00ff1668ab in mozilla::ipc::PBackgroundParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundParent.cpp:4810:28
    #18 0x7f00fe3028a6 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2208:25
    #19 0x7f00fe2fd484 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2130:9
    #20 0x7f00fe2ffad1 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1972:3
    #21 0x7f00fe300997 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2003:13
    #22 0x7f00fd094a93 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
    #23 0x7f00fd09b5f1 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #24 0x7f00fe30d2f4 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:333:5
    #25 0x7f00fe206292 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #26 0x7f00fe206292 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #27 0x7f00fe206292 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #28 0x7f00fd08e43e in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:458:11
    #29 0x7f01215d9fbd in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #30 0x7f012121f6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #31 0x7f01201fd88e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/quota/PersistenceType.h:47:7 in PersistenceTypeToText
Thread T23 (IPDL Background) created by T0 here:
    #0 0x5557e8e7589a in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:209:3
    #1 0x7f01215cc129 in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7f01215b5e5e in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7f00fd090916 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:672:8
    #4 0x7f00fd09a75b in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:515:12
    #5 0x7f00fd09e4a3 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:139:57
    #6 0x7f00fe2ab222 in NS_NewNamedThread<16> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:71:10
    #7 0x7f00fe2ab222 in (anonymous namespace)::ParentImpl::CreateBackgroundThread() /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:944:7
    #8 0x7f00fe2b196a in RunOnMainThread /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:1244:30
    #9 0x7f00fe2b196a in (anonymous namespace)::ParentImpl::CreateActorHelper::Run() /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:1263:17
    #10 0x7f00fd094a93 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
    #11 0x7f00fd09b5f1 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #12 0x7f00fd09ae6c in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:588:36)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:348:25
    #13 0x7f00fd09ae6c in nsThreadManager::SpinEventLoopUntilInternal(nsINestedEventLoopCondition*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:588:8
    #14 0x7f00fd0c3be1 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
    #15 0x7f00ff4e19da in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1642:10
    #16 0x7f00ff4e19da in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1183:19
    #17 0x7f00ff4e19da in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1149:23
    #18 0x7f00ff4e7af4 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:946:10
    #19 0x7f010a4f6329 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:456:13
    #20 0x7f010a4f6329 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:548:12
    #21 0x7f010a4dee74 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:621:10
    #22 0x7f010a4dee74 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3110:16
    #23 0x7f010a4c1194 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:10
    #24 0x7f010a4f6e2e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:589:13
    #25 0x7f010a4f9139 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:634:8
    #26 0x7f010aae26d9 in js::fun_apply(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/JSFunction.cpp:1188:10
    #27 0x7f010a4f6329 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:456:13
    #28 0x7f010a4f6329 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:548:12
    #29 0x7f010a4dee74 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:621:10
    #30 0x7f010a4dee74 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3110:16
    #31 0x7f010a4c1194 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:10
    #32 0x7f010a4f6e2e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:589:13
    #33 0x7f010a4f9139 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:634:8
    #34 0x7f010a711adb in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2655:10
    #35 0x7f00ff4d20fb in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedJSClass.cpp:956:17
    #36 0x7f00fd0c52a1 in PrepareAndDispatch /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:125:37
    #37 0x7f00fd0c41aa in SharedStub (/home/forb1dden/builds/mc-asan/libxul.so+0x3b771aa)
    #38 0x7f010a264444 in nsXREDirProvider::DoStartup() /builds/worker/workspace/build/src/toolkit/xre/nsXREDirProvider.cpp:952:11
    #39 0x7f010a244459 in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4397:16
    #40 0x7f010a246e3d in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4721:8
    #41 0x7f010a248680 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4802:21
    #42 0x5557e8ebdacb in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:218:22
    #43 0x5557e8ebdacb in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:300:16
    #44 0x7f01200fdb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

==22511==ABORTING

Flags: in-testsuite?

This suggests a life-cycle problem in IDB.

Priority: -- → P2

Can't reproduce that locally with current Nightly. Do you happen to have a Pernosco session for that?

Flags: needinfo?(jkratzer)
Crash Signature: [@ mozilla::dom::indexedDB::`anonymous namespace'::QuotaClient::ShutdownWorkThreads::<T>::__invoke]

It looks like I failed to mention that this testcase must be served via HTTP in order to reproduce (due to XHR). I'll get you a pernosco session for this bug shortly.

Flags: needinfo?(jkratzer)

Well, I served it via HTTP, but it still didn't show up. Will be happy to look into the Pernosco session once it's there :)

Attached file prefs-default-e10s.js

Unfortunately, I haven't been able to capture this bug in RR. It appears that there's a race between the XHR calls and window close that I'm unable to replicate. Simon, can you try and reproduce using the attached prefs? With these, I'm able to reproduce under gdb.

Steps to Reproduce:

  1. Start local webserver in directory containing the testcase:
    python -m SimpleHTTPServer
  2. Install ffpuppet
    pip install ffpuppet
  3. Launch target with ffpuppet
    python -m ffpuppet -p prefs-default-e10s.js --xvfb ~/path/to/build/firefox -u http://localhost:8000/testcase.html

Flags: needinfo?(sgiesecke)

Thanks a lot for the hint towards ffpuppet, that's new for me :) Will try to reproduce it that way.

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression

(In reply to Jason Kratzer [:jkratzer] from comment #7)

> Unfortunately, I haven't been able to capture this bug in RR. It appears that there's a race between the XHR calls and window close that I'm unable to replicate. Simon, can you try and reproduce using the attached prefs? With these, I'm able to reproduce under gdb.
>
> Steps to Reproduce:
>
>   1. Start local webserver in directory containing the testcase:
>     python -m SimpleHTTPServer
>   2. Install ffpuppet
>     pip install ffpuppet
>   3. Launch target with ffpuppet
>     python -m ffpuppet -p prefs-default-e10s.js --xvfb ~/path/to/build/firefox -u http://localhost:8000/testcase.html

Hm, I have some trouble with getting that working, I get:

[simon@sigibln mozilla-unified]$ python -m ffpuppet -p ~/Downloads/prefs-default-e10s.js --xvfb obj-x86_64-pc-linux-gnu/dist/bin/firefox -u http://localhost:8000/1593863.html
[2020-01-28 11:47:03] Launching Firefox...
[2020-01-28 11:47:27] Running Firefox (pid: 13228)...
[2020-01-28 11:48:28] Shutting down...
[2020-01-28 11:48:28] symbols_path not found: '/home/simon/work/mozilla-unified/obj-x86_64-pc-linux-gnu/dist/bin/symbols'
[2020-01-28 11:48:28] Firefox process closed

Not sure what it expects in that symbols_path. Launching the firefox binary regularly works.

Flags: needinfo?(sgiesecke) → needinfo?(jkratzer)

Hi Simon. You'll need to either make a local build with symbols or use the builds on taskcluster. You can use fuzzfetch (https://github.com/MozillaSecurity/fuzzfetch) to download the same builds we use for fuzzing.

pip install fuzzfetch
python -m fuzzfetch -a # For ASAN builds

Flags: needinfo?(jkratzer)
Flags: needinfo?(sgiesecke)

(In reply to Jason Kratzer [:jkratzer] from comment #11)

> Hi Simon. You'll need to either make a local build with symbols or use the builds on taskcluster. You can use fuzzfetch (https://github.com/MozillaSecurity/fuzzfetch) to download the same builds we use for fuzzing.
>
> pip install fuzzfetch
> python -m fuzzfetch -a # For ASAN builds

Sorry it took some time to try this again. I now managed to get the toolchain running, thanks!

However, I still couldn't reproduce it, neither with a current asan-opt nor asan-debug build. Will try to run it repeatedly and see if it hits the crash.

I now managed to capture an rr trace at least with an opt build. Will try to get it with a debug build as well. I fear that when submitting to Pernosco I will not have the right source files, maybe I should do a local build with ASAN and symbols. How do I enable the symbols that are required for running ffpuppet?

Flags: needinfo?(sgiesecke) → needinfo?(jkratzer)

It's my understanding that the pernosco server knows how to get symbols from taskcluster automatically, so I think you should be good to upload the trace. (At the request of the fuzzing team, even :).

As I suspected, the Pernosco session has no source files: https://pernos.co/debug/g5vVTbyljXPgxPIIpdN3CQ/index.html

@asuth the problem is that I cannot even run ffpuppet locally without the symbols as mentioned in https://bugzilla.mozilla.org/show_bug.cgi?id=1593863#c10

With a debug build I always get a timeout.

Where did the build used for that recording come from?

Flags: needinfo?(sgiesecke)

(In reply to Kyle Huey [:khuey] from comment #17)

> Where did the build used for that recording come from?

The build came from fuzzfetch. But I guess when uploading to Pernosco, the source paths do not match my local paths, and so the source files don't show up on Pernosco?

Flags: needinfo?(sgiesecke)

Right but which branch?

If the build came from taskcluster your local source tree doesn't matter.

Flags: needinfo?(sgiesecke)

I now have a Pernosco with a run from a local build, which has sources here: https://pernos.co/debug/fWsgyDsIed8PqD4MmxC8eg/index.html

(In reply to Kyle Huey [:khuey] from comment #19)

> Right but which branch?
>
> If the build came from taskcluster your local source tree doesn't matter.

I am not sure what you mean, I got it via python -m fuzzfetch -a as suggested in https://bugzilla.mozilla.org/show_bug.cgi?id=1593863#c12

Flags: needinfo?(sgiesecke)

Hm, but this doesn't really help me. I don't see the sanitizer report in the Pernosco session. Locally I got one quite similar to the one reported originally:

=================================================================
==4362==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f52e887070a bp 0x7f52c13e9ed0 sp 0x7f52c13e9a20 T20)
==4362==The signal is caused by a WRITE memory access.
==4362==Hint: address points to the zero page.
    #0 0x7f52e8870709 in PersistenceTypeToText /home/simon/work/asan/objdir-ff-asan/dist/include/mozilla/dom/quota/PersistenceType.h:47:7
    #1 0x7f52e8870709 in PersistenceTypeString /home/simon/work/asan/objdir-ff-asan/dist/include/mozilla/dom/quota/PersistenceType.h:54:5
    #2 0x7f52e8870709 in Stringify /home/simon/work/asan/dom/indexedDB/ActorsParent.cpp:18251:18
    #3 0x7f52e8870709 in Stringify /home/simon/work/asan/dom/indexedDB/ActorsParent.cpp:17658:22
    #4 0x7f52e8870709 in mozilla::dom::indexedDB::(anonymous namespace)::QuotaClient::ShutdownTimedOut() /home/simon/work/asan/dom/indexedDB/ActorsParent.cpp:17174:26
    #5 0x7f52e886e9e5 in mozilla::dom::indexedDB::(anonymous namespace)::QuotaClient::ShutdownWorkThreads()::$_33::operator()(nsITimer*, void*) const /home/simon/work/asan/dom/indexedDB/ActorsParent.cpp:17070:3
    #6 0x7f52e886e9c5 in mozilla::dom::indexedDB::(anonymous namespace)::QuotaClient::ShutdownWorkThreads()::$_33::__invoke(nsITimer*, void*) /home/simon/work/asan/dom/indexedDB/ActorsParent.cpp:17070:3
    #7 0x7f52e016ef76 in nsTimerImpl::Fire(int) /home/simon/work/asan/xpcom/threads/nsTimerImpl.cpp:562:7
    #8 0x7f52e016e7b9 in nsTimerEvent::Run() /home/simon/work/asan/xpcom/threads/TimerThread.cpp:259:11
    #9 0x7f52e01812b9 in nsThread::ProcessNextEvent(bool, bool*) /home/simon/work/asan/xpcom/threads/nsThread.cpp:1220:14
    #10 0x7f52e0189e71 in NS_ProcessNextEvent(nsIThread*, bool) /home/simon/work/asan/xpcom/threads/nsThreadUtils.cpp:486:10
    #11 0x7f52e88609bc in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /home/simon/work/asan/dom/indexedDB/ActorsParent.cpp:17080:3)> /home/simon/work/asan/objdir-ff-asan/dist/include/nsThreadUtils.h:346:25
    #12 0x7f52e88609bc in mozilla::dom::indexedDB::(anonymous namespace)::QuotaClient::ShutdownWorkThreads() /home/simon/work/asan/dom/indexedDB/ActorsParent.cpp:17080:3
    #13 0x7f52e831daf1 in mozilla::dom::quota::QuotaManager::Shutdown() /home/simon/work/asan/dom/quota/ActorsParent.cpp:3973:21
    #14 0x7f52e830e3fc in mozilla::dom::quota::QuotaManager::ShutdownInstance() /home/simon/work/asan/dom/quota/ActorsParent.cpp:3559:16
    #15 0x7f52e830e358 in mozilla::dom::quota::RecvShutdownQuotaManager() /home/simon/work/asan/dom/quota/ActorsParent.cpp:2732:3
    #16 0x7f52e15b8c06 in mozilla::ipc::BackgroundParentImpl::RecvShutdownQuotaManager() /home/simon/work/asan/ipc/glue/BackgroundParentImpl.cpp:1027:8
    #17 0x7f52e2277163 in mozilla::ipc::PBackgroundParent::OnMessageReceived(IPC::Message const&) /home/simon/work/asan/objdir-ff-asan/ipc/ipdl/PBackgroundParent.cpp:4679:28
    #18 0x7f52e1632c96 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /home/simon/work/asan/ipc/glue/MessageChannel.cpp:2215:25
    #19 0x7f52e162eb22 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/simon/work/asan/ipc/glue/MessageChannel.cpp:2137:9
    #20 0x7f52e1630859 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/simon/work/asan/ipc/glue/MessageChannel.cpp:1976:3
    #21 0x7f52e16311b7 in mozilla::ipc::MessageChannel::MessageTask::Run() /home/simon/work/asan/ipc/glue/MessageChannel.cpp:2007:13
    #22 0x7f52e01812b9 in nsThread::ProcessNextEvent(bool, bool*) /home/simon/work/asan/xpcom/threads/nsThread.cpp:1220:14
    #23 0x7f52e0189e71 in NS_ProcessNextEvent(nsIThread*, bool) /home/simon/work/asan/xpcom/threads/nsThreadUtils.cpp:486:10
    #24 0x7f52e163be53 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /home/simon/work/asan/ipc/glue/MessagePump.cpp:332:5
    #25 0x7f52e14d1b82 in RunInternal /home/simon/work/asan/ipc/chromium/src/base/message_loop.cc:315:10
    #26 0x7f52e14d1b82 in RunHandler /home/simon/work/asan/ipc/chromium/src/base/message_loop.cc:308:3
    #27 0x7f52e14d1b82 in MessageLoop::Run() /home/simon/work/asan/ipc/chromium/src/base/message_loop.cc:290:3
    #28 0x7f52e017a641 in nsThread::ThreadFunc(void*) /home/simon/work/asan/xpcom/threads/nsThread.cpp:464:10

PersistenceType.h:47 contains a MOZ_CRASH (not sure if this is supposed to trigger the sanitizer), which is the switch case when an invalid enum value is passed in. But according to Pernosco, this line is never executed.

Ok. Maybe tysmith has some idea of what needs to be done to get it to work, because he has been successfully uploading traces made from taskcluster builds for a while.

Flags: needinfo?(tylsmith)

I am still confused that the Pernosco session does not have any local variables. It's an opt build, so quite a lot of them might be optimized away, but there are none at all.

Your binaries were probably built without that debug info.

(In reply to Kyle Huey [:khuey] from comment #24)

> Your binaries were probably built without that debug info.

Yes, seems so. Getting an ASAN build that is usable for this purpose is incredibly complicated. I followed the instructions on https://developer.mozilla.org/en-US/docs/Mozilla/Testing/Firefox_and_Address_Sanitizer, in particular the mozconfig from there. Probably this is due to -gline-tables-only. I didn't dig deep enough into that before. I will try building without that option...

Yeah this is why I think you should talk to tysmith, he's been doing this for a while :)

I now got a session with variable info at https://pernos.co/debug/u9VmviL7diE94m2GS1Cehg/index.html, but 1. everything useful has been optimized out, and 2. PersistenceType.h:47 is still claimed to be never executed.

Can you do an unoptimized build?

If I look at PersistenceType.h:34 I see 4 executions. If I look at ActorsParent.cpp:6573 I see 3 executions, and adding persistenceType in the print field does work. The fourth PersistenceTypeToText invocation is some shutdown path.

Debuggers fall down pretty hard on inlined functions like this, primarily because of terrible optimized compiler debug info.

Interestingly, with an unoptimized build, it doesn't crash at all. With -Og, it just triggers the MOZ_CRASH at https://searchfox.org/mozilla-central/rev/b1e51ad5613ad3d911cf42e3e525885ce2278915/dom/indexedDB/ActorsParent.cpp#17181. Maybe with further optimizations, this is still just this MOZ_CRASH, and it just appears to be at a different location due to bad debug info.

Still, it should be investigated why we get an IndexedDB shutdown timeout with an optimized build, but not with an unoptimized build.

The -Og Pernosco session is at https://pernos.co/debug/YXs3YOBGNhiCfbyAGUJBvQ/index.html
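
The following Python is an added example, not part of the bug thread or of Mozilla's tooling. It reads the top of an AddressSanitizer report like the one in this bug and separates the inlined frames, which all share one PC, from the function that physically contains the faulting instruction. The sample is the report's header and first six frames with the build-path prefix shortened to /src; the 4 KiB page size is an assumption.

```python
import re
from collections import namedtuple
from itertools import takewhile

# Constructed sample: header and first six frames of the report in this bug,
# with the build-path prefix shortened to /src so the lines stay readable.
SAMPLE_REPORT = """\
==22511==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f01056efab0 bp 0x7f00ec4f6090 sp 0x7f00ec4f5be0 T23)
==22511==The signal is caused by a WRITE memory access.
==22511==Hint: address points to the zero page.
    #0 0x7f01056efaaf in PersistenceTypeToText /src/obj-firefox/dist/include/mozilla/dom/quota/PersistenceType.h:47:7
    #1 0x7f01056efaaf in PersistenceTypeString /src/obj-firefox/dist/include/mozilla/dom/quota/PersistenceType.h:54:5
    #2 0x7f01056efaaf in Stringify /src/dom/indexedDB/ActorsParent.cpp:17576:18
    #3 0x7f01056efaaf in Stringify /src/dom/indexedDB/ActorsParent.cpp:16986:22
    #4 0x7f01056efaaf in mozilla::dom::indexedDB::(anonymous namespace)::QuotaClient::ShutdownTimedOut() /src/dom/indexedDB/ActorsParent.cpp:16501:26
    #5 0x7f01056edd65 in mozilla::dom::indexedDB::(anonymous namespace)::QuotaClient::ShutdownWorkThreads()::$_25::operator()(nsITimer*, void*) const /src/dom/indexedDB/ActorsParent.cpp:16399:3
"""

Frame = namedtuple("Frame", "index pc function location")

HEADER_RE = re.compile(
    r"AddressSanitizer: (\w+) on unknown address (0x[0-9a-f]+) \(pc (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
# The function name may contain spaces; the location is always the last token.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+(0x[0-9a-f]+)\s+in\s+(.+)\s+(\S+)$")


def parse_frames(report):
    """Return the frames of the first stack in the report (the faulting thread)."""
    frames = []
    for line in report.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m.group(1)), int(m.group(2), 16),
                                m.group(3), m.group(4)))
        elif frames:
            break  # the first non-frame line ends the faulting thread's stack
    return frames


def split_inlined(frames):
    """Split the top of the stack into inlined callees and the real function.

    The symbolizer prints inlined calls as extra frames that share one PC,
    innermost first; the last frame with that PC is the function whose
    machine code contains the faulting instruction.
    """
    top_pc = frames[0].pc
    group = list(takewhile(lambda f: f.pc == top_pc, frames))
    return group[:-1], group[-1]


def triage(report, page_size=4096):
    """Summarise the fault and name the physical function behind it."""
    header = HEADER_RE.search(report)
    access = ACCESS_RE.search(report)
    frames = parse_frames(report)
    if not header or not frames:
        raise ValueError("not a symbolized AddressSanitizer report")
    inlined, physical = split_inlined(frames)
    fault_addr = int(header.group(2), 16)
    return {
        "signal": header.group(1),
        "access": access.group(1) if access else None,
        "fault_addr": fault_addr,
        "zero_page": fault_addr < page_size,  # assumption: 4 KiB pages
        "reported_function": frames[0].function,
        "inlined": [f.function for f in inlined],
        "physical_function": physical.function,
        "physical_location": physical.location,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

For this report the SUMMARY line names PersistenceTypeToText, while the physical function is QuotaClient::ShutdownTimedOut; the line attributed to frame #0 is only as reliable as the inlining debug info of the optimized build.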

The crash annotation data shows:

FactoryOperations: 1 (PersistenceType:default|Origin:http://aaaaaaaaa:DDDD|State:DatabaseWorkVersionChange)
LiveDatabases: 1 (DirectoryLock:1|Transactions:1|OtherProcessActor:1|Origin:http://aaaaaaaaa:DDDD|PersistenceType:default|Closed:1|Invalidated:1|ActorWasAlive:1|ActorDestroyed:0)

There are quite a lot of differences between the failing and non-failing run, including various JavaScript errors, which makes it hard to identify what is causing the IndexedDB timeout in particular. When looking at the IPC messages that are lost due to channel closure, it turns out that only the BAD run has PRemoteWorkerService::Msg___delete__ affected by this. In the BAD run, one RemoteWorkerServiceParent instance is never destroyed. Maybe this holds something that blocks the IndexedDB shutdown?

Flags: needinfo?(jkratzer)
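
The annotation quoted in the comment above has a regular shape, so it can be checked mechanically. The following Python is an added example (not code from this bug or from Firefox): it parses the two quoted lines and pairs each live database whose actor is not yet destroyed with the factory operations pending for the same origin and persistence type. Treating each parenthesised group as one entry and reading 1/0 as flags are assumptions.

```python
import re

# The two annotation lines quoted in the bug comment above.
SAMPLE_ANNOTATION = """\
FactoryOperations: 1 (PersistenceType:default|Origin:http://aaaaaaaaa:DDDD|State:DatabaseWorkVersionChange)
LiveDatabases: 1 (DirectoryLock:1|Transactions:1|OtherProcessActor:1|Origin:http://aaaaaaaaa:DDDD|PersistenceType:default|Closed:1|Invalidated:1|ActorWasAlive:1|ActorDestroyed:0)
"""

LINE_RE = re.compile(r"^(\w+):\s*(\d+)\s*(.*)$")
# Assumption: every entry is one parenthesised group of '|'-separated fields.
GROUP_RE = re.compile(r"\(([^()]*)\)")


def parse_annotation(text):
    """Parse 'Name: count (k:v|k:v|...)' lines into {name: {count, entries}}."""
    sections = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries = []
        for group in GROUP_RE.findall(m.group(3)):
            # Split each field on the first ':' only; Origin values such as
            # http://host:port contain further colons.
            entries.append({key: value for key, _, value in
                            (field.partition(":") for field in group.split("|"))})
        sections[m.group(1)] = {"count": int(m.group(2)), "entries": entries}
    return sections


def undestroyed_databases(sections):
    """List live databases with ActorDestroyed:0 and their pending factory ops."""
    ops = sections.get("FactoryOperations", {}).get("entries", [])
    report = []
    for db in sections.get("LiveDatabases", {}).get("entries", []):
        if db.get("ActorDestroyed") != "0":
            continue
        key = (db.get("Origin"), db.get("PersistenceType"))
        pending = [op.get("State") for op in ops
                   if (op.get("Origin"), op.get("PersistenceType")) == key]
        report.append({
            "origin": key[0],
            "persistence_type": key[1],
            "closed": db.get("Closed") == "1",            # assumption: 1/0 flag
            "invalidated": db.get("Invalidated") == "1",  # assumption: 1/0 flag
            "transactions": db.get("Transactions"),       # kept as written
            "pending_factory_states": pending,
        })
    return report


if __name__ == "__main__":
    for item in undestroyed_databases(parse_annotation(SAMPLE_ANNOTATION)):
        print(item)
```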

Andrew, what do you think about my hypotheses in https://bugzilla.mozilla.org/show_bug.cgi?id=1593863#c31?

In general, if these crashes are due to shutdown timeouts, do you think it is worthwhile to do anything specific on this bug?

Flags: needinfo?(tylsmith) → needinfo?(bugmail)

It does seem likely that this is a RemoteWorker life-cycle issue and thanks to your pernosco traces in comment 32 I think I can dig into these.

Assignee: nobody → bugmail
Status: NEW → ASSIGNED
Flags: needinfo?(bugmail)
Crash Signature: [@ mozilla::dom::indexedDB::`anonymous namespace'::QuotaClient::ShutdownWorkThreads::<T>::__invoke] → [@ mozilla::dom::indexedDB::`anonymous namespace'::QuotaClient::ShutdownWorkThreads::<T>::__invoke] [@ mozalloc_abort | abort | g_assertion_message]
Crash Signature: [@ mozilla::dom::indexedDB::`anonymous namespace'::QuotaClient::ShutdownWorkThreads::<T>::__invoke] [@ mozalloc_abort | abort | g_assertion_message] → [@ mozilla::dom::indexedDB::`anonymous namespace'::QuotaClient::ShutdownWorkThreads::<T>::__invoke]

Hi Andrew, can you give us an update here? Thank you!

Flags: needinfo?(bugmail)
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Flags: needinfo?(bugmail)
Resolution: --- → DUPLICATE

I accidentally cleared the NI?, I'll move it to the other bug since I dup'd this one.
