Closed Bug 1594138 Opened 5 months ago Closed 1 month ago

Assertion failure: aSize.Value() != (18446744073709551615UL) (Passed wrong size!), at /builds/worker/workspace/build/src/dom/indexedDB/IDBFileHandle.cpp:307

Categories

(Core :: Storage: IndexedDB, defect, P3)

defect

Tracking

RESOLVED FIXED
mozilla75
Tracking Status
firefox-esr68 --- wontfix
firefox72 --- wontfix
firefox73 --- wontfix
firefox74 --- wontfix
firefox75 --- fixed

People

(Reporter: jkratzer, Assigned: sg)

References

(Depends on 1 open bug, Blocks 2 open bugs)

Details

(Keywords: assertion, testcase, Whiteboard: idb-mutablefile)

Attachments

(3 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 4d585c7edc76.

Assertion failure: aSize.Value() != (18446744073709551615UL) (Passed wrong size!), at /builds/worker/workspace/build/src/dom/indexedDB/IDBFileHandle.cpp:307

rax = 0x000055dfdc37c340   rdx = 0x0000000000000000
rcx = 0x00007fabc4bfcca9   rbx = 0x00007fabb6064580
rsi = 0x00007fabd05738b0   rdi = 0x00007fabd0572680
rbp = 0x00007ffe8d987b50   rsp = 0x00007ffe8d987a30
r8 = 0x00007fabd05738b0    r9 = 0x00007fabd16dc780
r10 = 0x0000000000000000   r11 = 0x0000000000000000
r12 = 0x00007ffe8d987bc8   r13 = 0x00007ffe8d987b90
r14 = 0x00007ffe8d987c60   r15 = 0x00007ffe8d987ba8
rip = 0x00007fabc0c62533
OS|Linux|0.0.0 Linux 5.0.0-31-generic #33~18.04.1-Ubuntu SMP Tue Oct 1 10:20:39 UTC 2019 x86_64
CPU|amd64|family 6 model 94 stepping 3|1
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::dom::IDBFileHandle::Truncate(mozilla::dom::Optional<unsigned long> const&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/indexedDB/IDBFileHandle.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|307|0x37
0|1|libxul.so|mozilla::dom::IDBFileHandle_Binding::truncate|s3:gecko-generated-sources:14238768ee1623471bbbf183fb34313fe982253f6425ac7af7af746c6a17680bc1f517644ab5dc741d11ac9c78a2ed9d6f26ac1dfbb588e54b2ff8e46fda60d5/dom/bindings/IDBFileHandleBinding.cpp:|1032|0x15
0|2|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|3218|0x24
0|3|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|456|0x15
0|4|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|548|0x15
0|5|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|617|0x10
0|6|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|621|0x15
0|7|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|423|0xb
0|8|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|589|0x13
0|9|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|617|0x10
0|10|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|634|0x8
0|11|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|2718|0x1f
0|12|libxul.so|mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&)|s3:gecko-generated-sources:07034a91c20d743b6b1cb0050fb45856e506111933106e79effdb8dcee60d394334ccec99923dca240d02a8a2423627e46882951c1689b39a2e7f0665bac7e9b/dom/bindings/EventHandlerBinding.cpp:|267|0x5
0|13|libxul.so|mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*)|hg:hg.mozilla.org/mozilla-central:dom/events/JSEventHandler.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|205|0x155
0|14|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|1039|0xc
0|15|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|1231|0x19
0|16|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|351|0x6
0|17|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|551|0x12
0|18|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|1050|0x1a
0|19|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|1150|0x19
0|20|libxul.so|mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/events/DOMEventTargetHelper.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|170|0x5
0|21|libxul.so|mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventTarget.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|184|0x2d
0|22|libxul.so|DispatchSuccessEvent|hg:hg.mozilla.org/mozilla-central:dom/indexedDB/ActorsChild.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|764|0x16
0|23|libxul.so|mozilla::dom::indexedDB::BackgroundDatabaseRequestChild::HandleResponse(mozilla::dom::indexedDB::CreateFileRequestResponse const&)|hg:hg.mozilla.org/mozilla-central:dom/indexedDB/ActorsChild.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|2146|0x8
0|24|libxul.so|mozilla::dom::indexedDB::BackgroundDatabaseRequestChild::Recv__delete__(mozilla::dom::indexedDB::DatabaseRequestResponse const&)|hg:hg.mozilla.org/mozilla-central:dom/indexedDB/ActorsChild.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|2166|0x18
0|25|libxul.so|mozilla::dom::indexedDB::PBackgroundIDBDatabaseRequestChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:53904798f2163c7b2e6916f0b68ca034339c0aa88d2da74a60236276b28276dc0e008378e6e2527153ad4db8864ea972f50306e7f4ef5c3d69a336752a0b38b7/ipc/ipdl/PBackgroundIDBDatabaseRequestChild.cpp:|106|0xc
0|26|libxul.so|mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:5579cb101527982d72096be9b6fcb46f6d93a5d14564b8f11e1f6a6e8ccd6278d0b51192bc07b23625f16d1978dd8222d850a46e5779288881548c3e9f02aad4/ipc/ipdl/PBackgroundChild.cpp:|5876|0x19
0|27|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|2208|0x6
0|28|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|2130|0xb
0|29|libxul.so|mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|1972|0xb
0|30|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run()|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|2003|0xc
0|31|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|295|0x15
0|32|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|1225|0x15
0|33|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|486|0x11
0|34|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|88|0xa
0|35|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|315|0x17
0|36|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|290|0x8
0|37|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|137|0xd
0|38|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|934|0x11
0|39|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|238|0x5
0|40|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|315|0x17
0|41|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|290|0x8
0|42|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|769|0xc
0|43|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|56|0x14
0|44|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|272|0x12
0|45|libc-2.27.so||||0x21b97
0|46|firefox-bin|MOZ_ReportCrash|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:4d585c7edc7683e4b35eca6b18c9a646a1b8a78d|203|0x5

Flags: in-testsuite?
Priority: -- → P3

I have a Pernosco session for this here: https://pernos.co/debug/fLJomk99qUT9mYF6fSTtQg/index.html

Ok, turns out that this is much more obvious than requiring Pernosco for insight.

Passing -1 is converted into uint64_t as UINT64_MAX (but the user code might also specify the value of UINT64_MAX, so the conversion is not relevant to the problem).

The assertion that is hit is at https://searchfox.org/mozilla-central/rev/cfd1cc461f1efe0d66c2fdc17c024a203d5a2fd8/dom/indexedDB/IDBFileHandle.cpp#298

This assertion was originally introduced in Bug 761159 via https://hg.mozilla.org/mozilla-central/rev/0ee6b0ed0446915fba4333c9cb51cb9580dbc980

While I didn't check this, probably at this point, there was no JS binding which exposed the argument, which would explain the preceding comment. Now that JS exposes it, the assertion should be changed into a proper ErrorResult, since user code might pass it.

Assignee: nobody → sgiesecke
Status: NEW → ASSIGNED
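The point in comment 3 is that a script-controlled value can collide with a value the implementation reserves internally: a JS `-1` passed to an `unsigned long long` WebIDL argument wraps to `UINT64_MAX`, the same bit pattern the code used as its "no size given" sentinel, so a debug assertion fired on plain user input. The following is an added illustration, not Mozilla's code: `ErrorResult` and `FileHandle` are minimal stand-ins I wrote, `ToWebIDLUint64` is a simplified model of the WebIDL conversion (it only handles finite values within the `int64`/`uint64` ranges), and the choice to report the reserved value as a TypeError is my assumption; the page only says the assertion should become a proper `ErrorResult`.

```cpp
#include <cassert>
#include <cmath>
#include <cstdint>
#include <optional>
#include <string>

// Stand-in for Gecko's ErrorResult (hypothetical, written for this example).
struct ErrorResult {
    bool failed = false;
    std::string message;
    void ThrowTypeError(const std::string& m) { failed = true; message = m; }
};

// Simplified model of the WebIDL "unsigned long long" conversion: truncate the
// JS Number, then wrap modulo 2^64. A script passing -1 therefore yields
// UINT64_MAX. Assumption: only finite values inside the int64/uint64 ranges
// are modelled; anything else maps to 0 here.
uint64_t ToWebIDLUint64(double js_number) {
    if (!std::isfinite(js_number)) return 0;            // NaN, +/-Infinity -> 0
    double t = std::trunc(js_number);
    if (t >= 0.0 && t < 18446744073709551616.0)          // [0, 2^64)
        return static_cast<uint64_t>(t);
    if (t < 0.0 && t >= -9223372036854775808.0)          // [-2^63, 0)
        return static_cast<uint64_t>(static_cast<int64_t>(t));  // two's-complement wrap
    return 0;                                            // outside the modelled ranges
}

// Mock of a file handle whose truncate() takes an optional size (hypothetical).
class FileHandle {
public:
    // Internal sentinel for "size not supplied": identical to what -1 from script becomes.
    static constexpr uint64_t kUnsetSize = UINT64_MAX;

    explicit FileHandle(uint64_t fileSize) : mLocation(0), mFileSize(fileSize) {}

    // Pattern the bug describes: the reserved value is only guarded by an assertion,
    // so a script argument equal to the sentinel aborts debug builds and is silently
    // misinterpreted as "unset" in release builds.
    void TruncateAsserting(std::optional<uint64_t> aSize) {
        uint64_t size = aSize.value_or(mLocation);
        assert(size != kUnsetSize && "Passed wrong size!");
        mFileSize = size;
    }

    // Hardened form: a script-reachable value is validated and reported back as an
    // error the caller can catch, never treated as a programming-error assertion.
    bool TruncateChecked(std::optional<uint64_t> aSize, ErrorResult& aRv) {
        if (aSize && *aSize == kUnsetSize) {
            aRv.ThrowTypeError("Unsupported size value passed to truncate");
            return false;                                // file size left untouched
        }
        mFileSize = aSize.value_or(mLocation);
        return true;
    }

    uint64_t FileSize() const { return mFileSize; }

private:
    uint64_t mLocation;   // current position; used when no size is given
    uint64_t mFileSize;
};
```

The design point is that `assert` documents an invariant the implementation itself guarantees; a value that arrives from script is input, and input that coincides with an internal sentinel has to be rejected with an error result (or the sentinel replaced by a separate flag such as the `std::optional` used above) rather than assumed impossible.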

:baku, given you mentioned that we want to get rid of IDBFileHandle entirely, do you think it's reasonable to close this as WONTFIX? While the immediate issue is easy to fix (see patch), quite some cleanup should be done around it if we kept it.

Flags: needinfo?(amarchesini)
Depends on: 1500343

(In reply to Simon Giesecke [:sg] [he/him] from comment #4)

:baku, given you mentioned that we want to get rid of IDBFileHandle entirely, do you think it's reasonable to close this as WONTFIX? While the immediate issue is easy to fix (see patch), quite some cleanup should be done around it if we kept it.

I'm not sure when IDBFileHandle will be removed. Maybe we can talk about this during the all-hands and come out with a concrete plan?

Flags: needinfo?(amarchesini)
Whiteboard: idb-mutablefile
Attachment #9126456 - Attachment description: Bug 1594138 - Added assertThrowsInstanceOf function to helpers.js. → Bug 1594138 - Added assertThrowsInstanceOf function to helpers.js. r=#dom-workers-and-storage
Pushed by sgiesecke@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/fa530204c864
Added assertThrowsInstanceOf function to helpers.js. r=dom-workers-and-storage-reviewers,ttung
https://hg.mozilla.org/integration/autoland/rev/25f97ecb6578
Do not assert on unsupported size value passed to IDBFileHandle.truncate from script. r=dom-workers-and-storage-reviewers,ttung
Status: ASSIGNED → RESOLVED
Closed: 1 month ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla75
Flags: in-testsuite? → in-testsuite+