Assertion failure: aSize.Value() != (18446744073709551615UL) (Passed wrong size!), at /builds/worker/workspace/build/src/dom/indexedDB/IDBFileHandle.cpp:307
Categories: Core :: Storage: IndexedDB, defect, P3
People: Reporter: jkratzer, Assigned: sg
References: Blocks 2 open bugs
Details: Keywords: assertion, testcase; Whiteboard: idb-mutablefile
Attachments: 3 files
Testcase found while fuzzing mozilla-central rev 4d585c7edc76.
Assertion failure: aSize.Value() != (18446744073709551615UL) (Passed wrong size!), at /builds/worker/workspace/build/src/dom/indexedDB/IDBFileHandle.cpp:307
OS|Linux|0.0.0 Linux 5.0.0-31-generic #33~18.04.1-Ubuntu SMP Tue Oct 1 10:20:39 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|1
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::dom::IDBFileHandle::Truncate(mozilla::dom::Optional<unsigned long> const&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/indexedDB/IDBFileHandle.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|307|0x37
0|1|libxul.so|mozilla::dom::IDBFileHandle_Binding::truncate|s3:gecko-generated-sources:14238768ee1623471bbbf183fb34313fe982253f6425ac7af7af746c6a17680bc1f517644ab5dc741d11ac9c78a2ed9d6f26ac1dfbb588e54b2ff8e46fda60d5/dom/bindings/IDBFileHandleBinding.cpp:|1032|0x15
0|2|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|3218|0x24
0|3|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|456|0x15
0|4|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|548|0x15
0|5|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|617|0x10
0|6|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|621|0x15
0|7|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|423|0xb
0|8|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|589|0x13
0|9|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|617|0x10
0|10|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|634|0x8
0|11|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|2718|0x1f
0|12|libxul.so|mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&)|s3:gecko-generated-sources:07034a91c20d743b6b1cb0050fb45856e506111933106e79effdb8dcee60d394334ccec99923dca240d02a8a2423627e46882951c1689b39a2e7f0665bac7e9b/dom/bindings/EventHandlerBinding.cpp:|267|0x5
0|13|libxul.so|mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*)|hg:hg.mozilla.org/mozilla-central:dom/events/JSEventHandler.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|205|0x155
0|14|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|1039|0xc
0|15|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|1231|0x19
0|16|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|351|0x6
0|17|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|551|0x12
0|18|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|1050|0x1a
0|19|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|1150|0x19
0|20|libxul.so|mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/events/DOMEventTargetHelper.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|170|0x5
0|21|libxul.so|mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventTarget.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|184|0x2d
0|22|libxul.so|DispatchSuccessEvent|hg:hg.mozilla.org/mozilla-central:dom/indexedDB/ActorsChild.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|764|0x16
0|23|libxul.so|mozilla::dom::indexedDB::BackgroundDatabaseRequestChild::HandleResponse(mozilla::dom::indexedDB::CreateFileRequestResponse const&)|hg:hg.mozilla.org/mozilla-central:dom/indexedDB/ActorsChild.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|2146|0x8
0|24|libxul.so|mozilla::dom::indexedDB::BackgroundDatabaseRequestChild::Recv__delete__(mozilla::dom::indexedDB::DatabaseRequestResponse const&)|hg:hg.mozilla.org/mozilla-central:dom/indexedDB/ActorsChild.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|2166|0x18
0|25|libxul.so|mozilla::dom::indexedDB::PBackgroundIDBDatabaseRequestChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:53904798f2163c7b2e6916f0b68ca034339c0aa88d2da74a60236276b28276dc0e008378e6e2527153ad4db8864ea972f50306e7f4ef5c3d69a336752a0b38b7/ipc/ipdl/PBackgroundIDBDatabaseRequestChild.cpp:|106|0xc
0|26|libxul.so|mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:5579cb101527982d72096be9b6fcb46f6d93a5d14564b8f11e1f6a6e8ccd6278d0b51192bc07b23625f16d1978dd8222d850a46e5779288881548c3e9f02aad4/ipc/ipdl/PBackgroundChild.cpp:|5876|0x19
0|27|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|2208|0x6
0|28|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|2130|0xb
0|29|libxul.so|mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|1972|0xb
0|30|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run()|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|2003|0xc
0|31|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|295|0x15
0|32|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|1225|0x15
0|33|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|486|0x11
0|34|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|88|0xa
0|35|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|315|0x17
0|36|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|290|0x8
0|37|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|137|0xd
0|38|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|934|0x11
0|39|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|238|0x5
0|40|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|315|0x17
0|41|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|290|0x8
0|42|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|769|0xc
0|43|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|56|0x14
0|44|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|272|0x12
0|45|libc-2.27.so||||0x21b97
0|46|firefox-bin|MOZ_ReportCrash|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|203|0x5
Comment 1 (Assignee, 4 years ago):
I have a Pernosco session for this here: https://pernos.co/debug/fLJomk99qUT9mYF6fSTtQg/index.html
Comment 2 (Assignee, 4 years ago):
Ok, turns out that this is much more obvious than requiring Pernosco for insight. Passing -1 is converted into uint64_t as UINT64_MAX (but the user code might also specify the value of UINT64_MAX, so the conversion is not relevant to the problem).
The assertion that is hit is at https://searchfox.org/mozilla-central/rev/cfd1cc461f1efe0d66c2fdc17c024a203d5a2fd8/dom/indexedDB/IDBFileHandle.cpp#298
This assertion was originally introduced in Bug 761159 via https://hg.mozilla.org/mozilla-central/rev/0ee6b0ed0446915fba4333c9cb51cb9580dbc980
While I didn't check this, probably at this point, there was no JS binding which exposed the argument, which would explain the preceding comment. Now that JS exposes it, the assertion should be changed into a proper ErrorResult, since user code might pass it.
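An added C++ example (not Mozilla's code) illustrating the two points comment 2 relies on: the WebIDL unsigned long long conversion that turns a script-side -1 into UINT64_MAX, and the difference between asserting on that sentinel and reporting it as an error once the value is script-controlled. kNoSize, TruncateAsserting and TruncateChecked are hypothetical stand-ins for the page's assertion and its fix.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>
#include <optional>

// WebIDL "unsigned long long" conversion without [Clamp]/[EnforceRange]:
// NaN/Infinity -> 0, truncate toward zero, then reduce modulo 2^64.
// This is the step that delivers a JS -1 to C++ as UINT64_MAX.
uint64_t WebIdlToUint64(double v) {
  if (std::isnan(v) || std::isinf(v)) return 0;
  const double two64 = 18446744073709551616.0;  // 2^64, exactly representable
  double t = std::trunc(v);
  double m = std::fmod(std::fabs(t), two64);     // exact: 0 <= m < 2^64
  uint64_t u = static_cast<uint64_t>(m);
  // For negative inputs 2^64 - m is computed with unsigned wrap-around,
  // which is exactly "modulo 2^64" without an unrepresentable double.
  return t < 0 ? static_cast<uint64_t>(0) - u : u;
}

// Hypothetical stand-in for the "no size" sentinel the page's assertion
// compares aSize.Value() against.
constexpr uint64_t kNoSize = std::numeric_limits<uint64_t>::max();

enum class Result { Ok, TypeError, Unreachable };

// "Before": an internal precondition that trusts its caller. Once the
// argument is exposed through a JS binding, a script-controlled UINT64_MAX
// trips it, which is the reported assertion failure.
Result TruncateAsserting(std::optional<uint64_t> aSize) {
  if (aSize && *aSize == kNoSize) return Result::Unreachable;  // stands in for MOZ_ASSERT
  return Result::Ok;
}

// "After": the same condition is an input-validation failure reported to
// the caller (an ErrorResult in Gecko terms), not an assertion.
Result TruncateChecked(std::optional<uint64_t> aSize) {
  if (aSize && *aSize == kNoSize) return Result::TypeError;
  return Result::Ok;
}
```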
Comment 3 (Assignee, 4 years ago)

Comment 4 (Assignee, 4 years ago):
:baku, given you mentioned that we want to get rid of IDBFileHandle entirely, do you think it's reasonable to close this as WONTFIX? While the immediate issue is easy to fix (see patch), quite some cleanup should be done around it if we kept it.
Comment 5 (4 years ago):
(In reply to Simon Giesecke [:sg] [he/him] from comment #4)
> :baku, given you mentioned that we want to get rid of IDBFileHandle entirely, do you think it's reasonable to close this as WONTFIX? While the immediate issue is easy to fix (see patch), quite some cleanup should be done around it if we kept it.
I'm not sure when IDBFileHandle will be removed. Maybe we can talk about this during the all-hands and come out with a concrete plan?
Comment 6 (Assignee, 4 years ago)
Pushed by sgiesecke@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/fa530204c864 Added assertThrowsInstanceOf function to helpers.js. r=dom-workers-and-storage-reviewers,ttung
https://hg.mozilla.org/integration/autoland/rev/25f97ecb6578 Do not assert on unsupported size value passed to IDBFileHandle.truncate from script. r=dom-workers-and-storage-reviewers,ttung
Comment 8 (bugherder, 4 years ago):
https://hg.mozilla.org/mozilla-central/rev/fa530204c864
https://hg.mozilla.org/mozilla-central/rev/25f97ecb6578