Closed Bug 1609797 Opened 4 years ago Closed 4 years ago

Assertion failure: aGlobal, at /builds/worker/workspace/build/src/dom/file/Blob.cpp:73

Categories

(Core :: Storage: IndexedDB, defect, P2)

Product:
Core
Component:
Storage: IndexedDB
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
84 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- wontfix
firefox82 --- wontfix
firefox83 --- wontfix
firefox84 --- fixed

People

(Reporter: jkratzer, Assigned: sg)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, testcase)

Attachments

(3 files)

testcase.html
642 bytes, text/html
Details
prefs.js
14.75 KB, application/x-javascript
Details
Bug 1609797 - Ignore cursor responses after disconnecting from global. r=#dom-workers-and-storage
47 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 7e0886a94d70. Testcase must be served via a local webserver in order to reproduce.

Assertion failure: aGlobal, at /builds/worker/workspace/build/src/dom/file/Blob.cpp:73

rax = 0x0000562651ae1320   rdx = 0x0000000000000000
rcx = 0x00007f06fd6608e4   rbx = 0x00007ffe0bb27a90
rsi = 0x00007f07094728b0   rdi = 0x00007f0709471680
rbp = 0x00007ffe0bb27a00   rsp = 0x00007ffe0bb279e0
r8 = 0x00007f07094728b0    r9 = 0x00007f070a5cc780
r10 = 0x0000000000000000   r11 = 0x0000000000000000
r12 = 0x00007f06d79adf38   r13 = 0x0000000000000000
r14 = 0x00007f06d79adf18   r15 = 0x00007f06d79ae790
rip = 0x00007f06f9415676
OS|Linux|0.0.0 Linux 5.0.0-37-generic #40~18.04.1-Ubuntu SMP Thu Nov 14 12:06:39 UTC 2019 x86_64
CPU|amd64|family 6 model 158 stepping 10|12
GPU|||
Crash|SIGSEGV /SEGV_MAPERR|0x0|0
0|0|libxul.so|mozilla::dom::Blob::Create(nsIGlobalObject*, mozilla::dom::BlobImpl*)|hg:hg.mozilla.org/mozilla-central:dom/file/Blob.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|73|0x2e
0|1|libxul.so|DeserializeStructuredCloneFiles|hg:hg.mozilla.org/mozilla-central:dom/indexedDB/ActorsChild.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|539|0x9
0|2|libxul.so|DeserializeStructuredCloneReadInfo|hg:hg.mozilla.org/mozilla-central:dom/indexedDB/ActorsChild.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|634|0x5
0|3|libxul.so|void mozilla::dom::indexedDB::BackgroundCursorChild<(mozilla::dom::IDBCursorType)0>::HandleMultipleCursorResponses<mozilla::dom::indexedDB::ObjectStoreCursorResponse, mozilla::dom::indexedDB::BackgroundCursorChild<(mozilla::dom::IDBCursorType)0>::HandleResponse(nsTArray<mozilla::dom::indexedDB::ObjectStoreCursorResponse> const&)::{lambda(bool, mozilla::dom::indexedDB::ObjectStoreCursorResponse&)#1}>(nsTArray<mozilla::dom::indexedDB::ObjectStoreCursorResponse> const&, mozilla::dom::indexedDB::BackgroundCursorChild<(mozilla::dom::IDBCursorType)0>::HandleResponse(nsTArray<mozilla::dom::indexedDB::ObjectStoreCursorResponse> const&)::{lambda(bool, mozilla::dom::indexedDB::ObjectStoreCursorResponse&)#1} const&)|hg:hg.mozilla.org/mozilla-central:dom/indexedDB/ActorsChild.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|3656|0x5
0|4|libxul.so|mozilla::dom::indexedDB::BackgroundCursorChild<(mozilla::dom::IDBCursorType)0>::RecvResponse(mozilla::dom::indexedDB::CursorResponse const&)|hg:hg.mozilla.org/mozilla-central:dom/indexedDB/ActorsChild.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|3762|0x5a
0|5|libxul.so|mozilla::dom::indexedDB::PBackgroundIDBCursorChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:66b7b62d24e3c33f9525e2ccf62292c024255ed2ea8b1f1ab60652a51ba71d8ab2af7f181d8aedbd6e96a51b5a831aa3a778041cff4d4af3e5b7bf5d218d9428/ipc/ipdl/PBackgroundIDBCursorChild.cpp:|193|0x3
0|6|libxul.so|mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:5579cb101527982d72096be9b6fcb46f6d93a5d14564b8f11e1f6a6e8ccd6278d0b51192bc07b23625f16d1978dd8222d850a46e5779288881548c3e9f02aad4/ipc/ipdl/PBackgroundChild.cpp:|5876|0xd
0|7|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|2212|0x6
0|8|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|2134|0xb
0|9|libxul.so|mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|1973|0xb
0|10|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run()|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|2004|0xc
0|11|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|1220|0xe
0|12|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|486|0x11
0|13|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|87|0xa
0|14|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|315|0x19
0|15|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|290|0x8
0|16|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|137|0xd
0|17|libxul.so|nsAppStartup::Run()|hg:hg.mozilla.org/mozilla-central:toolkit/components/startup/nsAppStartup.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|272|0x10
0|18|libxul.so|XREMain::XRE_mainRun()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|4605|0x16
0|19|libxul.so|XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|4742|0x8
0|20|libxul.so|XRE_main(int, char**, mozilla::BootstrapConfig const&)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsAppRunner.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|4823|0x5
0|21|firefox-bin|do_main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|217|0x26
0|22|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|339|0xf
0|23|libc-2.27.so||||0x21b97
0|24|firefox-bin|__cxa_throw_bad_array_new_length|hg:hg.mozilla.org/mozilla-central:build/unix/stdc++compat/stdc++compat.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|82|0x12
0|25|firefox-bin|_GLOBAL__sub_I_TimeStamp.cpp|hg:hg.mozilla.org/mozilla-central:mozglue/misc/TimeStamp.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|150|0x4b
0|26|||||0x7ffe0bb2a580
0|27|ld-2.27.so||||0x10733
0|28|libdl-2.27.so||||0x202d80
0|29|libpthread-2.27.so||||0x219bb0
0|30|firefox-bin|_GLOBAL__sub_I_TimeStamp.cpp|hg:hg.mozilla.org/mozilla-central:mozglue/misc/TimeStamp.cpp:7e0886a94d70b8696d6fc0481d9f9ae12b85c41a|150|0x4b
0|31|||||0x7ffe0bb2a580
0|32|firefox-bin|_start|||0x29
Flags: in-testsuite?
Priority: -- → P2

Do you happen to have a Pernosco session for this?

Flags: needinfo?(jkratzer)
Attached file prefs.js

I'm working on getting a trace for this now. Looking into it a bit deeper, it appears that it only affects builds with --enable-fuzzing and e10s disabled. Not sure exactly why as the testcase doesn't leverage the standard FuzzingFunctions exposed by --enable-fuzzing.

Flags: needinfo?(jkratzer)
Blocks: fuzzing-indexeddb
Severity: normal → S3

A Pernosco session is available here: https://pernos.co/debug/VGlkRruGg4lDl4TbIjU0Dg/index.html

Flags: needinfo?(sgiesecke)

This issue is also hit fairly frequently by the fuzzer.

Thanks for the Pernosco session, I will look into that!

See Also: → 1543154

Probably we should check already in BackgroundCursorChild<>::HandleResponse or BackgroundCursorChild<>::RecvResponse if we were disconnected from the owner, and return early in that case.

Assignee: nobody → sgiesecke
Status: NEW → ASSIGNED
Pushed by sgiesecke@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/df3b944e4f3f
Ignore cursor responses after disconnecting from global. r=dom-workers-and-storage-reviewers,asuth

https://hg.mozilla.org/mozilla-central/rev/df3b944e4f3f

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox84: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 84 Branch

As I can't reproduce the original problem, can you verify if it's fixed in the fuzzing setup?

Flags: needinfo?(sgiesecke) → needinfo?(twsmith)

(In reply to Simon Giesecke [:sg] [he/him] from comment #10)

As I can't reproduce the original problem, can you verify if it's fixed in the fuzzing setup?

Of course! Verified with m-c 20201112-9a0fb6731557 that the issue is no longer reproducible.

Also thanks for fixing this, the fuzzers were constantly tripping over it.

Status: RESOLVED → VERIFIED
Flags: needinfo?(twsmith)
status-firefox82: --- → wontfix
status-firefox83: --- → wontfix
status-firefox-esr78: --- → wontfix
Flags: in-testsuite? → in-testsuite-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: