Closed Bug 1614360 Opened 4 years ago Closed 4 years ago

Assertion failure: mOffset == mSize, at /builds/worker/workspace/build/src/dom/filehandle/ActorsParent.cpp:1915

Categories

(Core :: Storage: IndexedDB, defect, P2)

Product:
Core
Component:
Storage: IndexedDB
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla75
Tracking Flags:
Tracking Status
firefox-esr68 --- wontfix
firefox73 --- wontfix
firefox74 --- wontfix
firefox75 --- fixed

People

(Reporter: jkratzer, Assigned: sg)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, testcase, Whiteboard: idb-mutablefile)

Attachments

(4 files)

testcase.html
530 bytes, text/html
Details
prefs.js
14.58 KB, application/x-javascript
Details
Bug 1614360 - Signal error to child on attempts to read beyond EOF instead of asserting. r=#dom-workers-and-storage
47 bytes, text/x-phabricator-request
Details | Review
Bug 1614360 - Added test case. r=#dom-workers-and-storage
47 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html

Testcase found while fuzzing mozilla-central rev d3aa4a9e4dfd (built with --enable-debug).

Assertion failure: mOffset == mSize, at /builds/worker/workspace/build/src/dom/filehandle/ActorsParent.cpp:1915

rax = 0x000055a6531b9340   rdx = 0x0000000000000000
rcx = 0x00007f6fc7c68941   rbx = 0x00007f6f9db1c660
rsi = 0x00007f6fd38a08b0   rdi = 0x00007f6fd389f680
rbp = 0x00007f6f9cffe470   rsp = 0x00007f6f9cff63f0
r8 = 0x00007f6fd38a08b0    r9 = 0x00007f6f9cfff700
r10 = 0x0000000000000002   r11 = 0x0000000000000000
r12 = 0x00007f6f9cff6430   r13 = 0x00007f6f9cff6418
r14 = 0x00007f6f9cff6420   r15 = 0x0000000000000000
rip = 0x00007f6fc37a6e58
OS|Linux|0.0.0 Linux 5.3.0-28-generic #30~18.04.1-Ubuntu SMP Fri Jan 17 06:14:09 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|68
68|0|libxul.so|mozilla::dom::CopyFileHandleOp::DoFileWork(mozilla::dom::FileHandle*)|hg:hg.mozilla.org/mozilla-central:dom/filehandle/ActorsParent.cpp:d3aa4a9e4dfd20e2be232a415a705a250aa17f63|1853|0x33
Flags: in-testsuite?
Attached file prefs.js
Assignee: nobody → sgiesecke
Whiteboard: idb-mutablefile
Status: NEW → ASSIGNED
Priority: -- → P2
Pushed by sgiesecke@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/52e508d90f64
Signal error to child on attempts to read beyond EOF instead of asserting. r=dom-workers-and-storage-reviewers,ttung
https://hg.mozilla.org/integration/autoland/rev/ead20b8c74f3
Added test case. r=dom-workers-and-storage-reviewers,ttung

https://hg.mozilla.org/mozilla-central/rev/52e508d90f64
https://hg.mozilla.org/mozilla-central/rev/ead20b8c74f3

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox75: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla75
status-firefox73: --- → wontfix
status-firefox74: --- → wontfix
status-firefox-esr68: --- → wontfix
Flags: in-testsuite? → in-testsuite+
BugMon: Verified bug as fixed on rev 7f41334e1044
Blocks: fuzzing-indexeddb
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: