1619307 - Assertion failure: IsAborted(), at /builds/worker/workspace/build/src/dom/indexedDB/IDBTransaction.cpp:997

Status: RESOLVED FIXED

(Core :: Storage: IndexedDB, defect, P1)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Testcase found while fuzzing mozilla-central rev 51efc4b931f7 (built with --enable-debug). Testcase must be served over HTTP in order to reproduce.

Assertion failure: IsAborted(), at /builds/worker/workspace/build/src/dom/indexedDB/IDBTransaction.cpp:997

rax = 0x0000562524b87380   rdx = 0x0000000000000000
rcx = 0x00007efc2c5b4d85   rbx = 0x00007efc1e9f0a40
rsi = 0x00007efc380828b0   rdi = 0x00007efc38081680
rbp = 0x00007ffc6e55d5e0   rsp = 0x00007ffc6e55d5d0
r8 = 0x00007efc380828b0    r9 = 0x00007efc391e8780
r10 = 0x0000000000000000   r11 = 0x0000000000000000
r12 = 0x00007ffc6e55d610   r13 = 0x00007efc1fe09000
r14 = 0x00000000ffffffff   r15 = 0x00007ffc6e55d618
rip = 0x00007efc2857e4fa
OS|Linux|0.0.0 Linux 5.3.0-28-generic #30~18.04.1-Ubuntu SMP Fri Jan 17 06:14:09 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::dom::IDBTransaction::Run()|hg:hg.mozilla.org/mozilla-central:dom/indexedDB/IDBTransaction.cpp:51efc4b931f748899be0fa3c9603fc4e07b668b6|1002|0x32
0|1|libxul.so|mozilla::CycleCollectedJSContext::CleanupIDBTransactions(unsigned int)|hg:hg.mozilla.org/mozilla-central:xpcom/base/CycleCollectedJSContext.cpp:51efc4b931f748899be0fa3c9603fc4e07b668b6|428|0x3
0|2|libxul.so|mozilla::CycleCollectedJSContext::AfterProcessMicrotasks()|hg:hg.mozilla.org/mozilla-central:xpcom/base/CycleCollectedJSContext.cpp:51efc4b931f748899be0fa3c9603fc4e07b668b6|482|0x12
0|3|libxul.so|mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool)|hg:hg.mozilla.org/mozilla-central:xpcom/base/CycleCollectedJSContext.cpp:51efc4b931f748899be0fa3c9603fc4e07b668b6|585|0x5
0|4|libxul.so|mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:51efc4b931f748899be0fa3c9603fc4e07b668b6|1068|0x1c
0|5|libxul.so|mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool)|hg:hg.mozilla.org/mozilla-central:dom/events/EventListenerManager.cpp:51efc4b931f748899be0fa3c9603fc4e07b668b6|1271|0x1c
0|6|libxul.so|mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:51efc4b931f748899be0fa3c9603fc4e07b668b6|326|0x6b
0|7|libxul.so|mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:51efc4b931f748899be0fa3c9603fc4e07b668b6|558|0x12
0|8|libxul.so|mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:51efc4b931f748899be0fa3c9603fc4e07b668b6|1055|0x1a
0|9|libxul.so|mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*)|hg:hg.mozilla.org/mozilla-central:dom/events/EventDispatcher.cpp:51efc4b931f748899be0fa3c9603fc4e07b668b6|1160|0x16
0|10|libxul.so|mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/events/DOMEventTargetHelper.cpp:51efc4b931f748899be0fa3c9603fc4e07b668b6|169|0x5
0|11|libxul.so|mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/events/EventTarget.cpp:51efc4b931f748899be0fa3c9603fc4e07b668b6|184|0x34
0|12|libxul.so|DispatchSuccessEvent|hg:hg.mozilla.org/mozilla-central:dom/indexedDB/ActorsChild.cpp:51efc4b931f748899be0fa3c9603fc4e07b668b6|766|0x1a
0|13|libxul.so|mozilla::dom::indexedDB::BackgroundFactoryRequestChild::HandleResponse(mozilla::dom::indexedDB::OpenDatabaseRequestResponse const&)|hg:hg.mozilla.org/mozilla-central:dom/indexedDB/ActorsChild.cpp:51efc4b931f748899be0fa3c9603fc4e07b668b6|1602|0xa
0|14|libxul.so|mozilla::dom::indexedDB::BackgroundFactoryRequestChild::Recv__delete__(mozilla::dom::indexedDB::FactoryRequestResponse const&)|hg:hg.mozilla.org/mozilla-central:dom/indexedDB/ActorsChild.cpp:51efc4b931f748899be0fa3c9603fc4e07b668b6|1657|0x18
0|15|libxul.so|mozilla::dom::indexedDB::PBackgroundIDBFactoryRequestChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:10f92afe42fc3c8d7856822b7f59ea82cc969636540369cffb07844a766884eeb514660835c4b3c03067c2c55b1fb711191106bc73cf103a846c59fef0e4016b/ipc/ipdl/PBackgroundIDBFactoryRequestChild.cpp:|124|0xc
0|16|libxul.so|mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:cce82ef9958f07d24145abfc8fbd44c8dfb101fa779e0048b9b01db83062962b0955a0a884e9aed0796b343cbf54ef0440a287f24507c3a024e769711d64dae2/ipc/ipdl/PBackgroundChild.cpp:|5812|0xd
0|17|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:51efc4b931f748899be0fa3c9603fc4e07b668b6|2187|0x6
0|18|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:51efc4b931f748899be0fa3c9603fc4e07b668b6|2111|0xe
0|19|libxul.so|mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:51efc4b931f748899be0fa3c9603fc4e07b668b6|1959|0xb
0|20|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run()|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:51efc4b931f748899be0fa3c9603fc4e07b668b6|1990|0xc
0|21|libxul.so|mozilla::SchedulerGroup::Runnable::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/SchedulerGroup.cpp:51efc4b931f748899be0fa3c9603fc4e07b668b6|282|0x14
0|22|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:51efc4b931f748899be0fa3c9603fc4e07b668b6|1220|0xe
0|23|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:51efc4b931f748899be0fa3c9603fc4e07b668b6|481|0x11
0|24|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:51efc4b931f748899be0fa3c9603fc4e07b668b6|87|0xa
0|25|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:51efc4b931f748899be0fa3c9603fc4e07b668b6|315|0x19
0|26|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:51efc4b931f748899be0fa3c9603fc4e07b668b6|290|0x8
0|27|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:51efc4b931f748899be0fa3c9603fc4e07b668b6|137|0xd
0|28|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:51efc4b931f748899be0fa3c9603fc4e07b668b6|926|0x6
0|29|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:51efc4b931f748899be0fa3c9603fc4e07b668b6|237|0x5
0|30|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:51efc4b931f748899be0fa3c9603fc4e07b668b6|315|0x19
0|31|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:51efc4b931f748899be0fa3c9603fc4e07b668b6|290|0x8
0|32|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:51efc4b931f748899be0fa3c9603fc4e07b668b6|761|0x8
0|33|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:51efc4b931f748899be0fa3c9603fc4e07b668b6|56|0x14
0|34|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:51efc4b931f748899be0fa3c9603fc4e07b668b6|303|0x13
0|35|libc-2.27.so||||0x21b97
0|36|firefox-bin|__cxa_throw_bad_array_new_length|hg:hg.mozilla.org/mozilla-central:build/unix/stdc++compat/stdc++compat.cpp:51efc4b931f748899be0fa3c9603fc4e07b668b6|82|0x12
0|37|firefox-bin||||0x10b20
0|38|ld-2.27.so||||0x10733
0|39|libdl-2.27.so||||0x202d80
0|40|libpthread-2.27.so||||0x219bb0
0|41|firefox-bin||||0x10b20
0|42|firefox-bin|_start|||0x29

Comment 1

[Jason Kratzer [:jkratzer]]

Attachment: prefs.js

Comment 2

[Simon Giesecke [:sg] [he/him]]

I have been able to reproduce this, and have a Pernosco session for this at https://pernos.co/debug/VvAv68-tMWWw6iavY7XZgw/index.html#f{m[Ac8G,HEA_,t[AU4,HJw_,f{e[Ac8G,Guc_,s{afxRdClAA,bAYU,oEc4oOw,uEbvojQ___

Comment 3

[Simon Giesecke [:sg] [he/him]]

Attachment: Bug 1619307 - Fixed assertion in IDBTransaction::Run. r=#dom-workers-and-storage

Comment 4

[Simon Giesecke [:sg] [he/him]]

It seems that the assertion is simply the wrong one here. I fixed it in the attached patch. However, I wonder why this isn't hit by the existing test cases.

The attached test case uses mozGetAll, but that's only an alias for the regular getAll, and so it shouldn't make any difference.

Comment 5

[Pulsebot]

Pushed by sgiesecke@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4834fa607562
Fixed assertion in IDBTransaction::Run. r=dom-workers-and-storage-reviewers,janv

Comment 6

[Noemi Erli[:noemi_erli]]

https://hg.mozilla.org/mozilla-central/rev/4834fa607562