Closed Bug 1633446 Opened 4 years ago Closed 4 years ago

Assertion failure: IsArrayBuffer(obj), at /builds/worker/checkouts/gecko/js/src/vm/ArrayBufferObject.cpp:1801

Categories

(Core :: Storage: IndexedDB, defect, P2)


Tracking


VERIFIED FIXED
mozilla78
Tracking Status
firefox-esr68 --- wontfix
firefox75 --- wontfix
firefox76 --- wontfix
firefox77 --- wontfix
firefox78 --- verified

People

(Reporter: jkratzer, Assigned: sg)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files, 1 obsolete file)

Attached file testcase.html (obsolete)

Testcase found while fuzzing mozilla-central rev c9955025d4a5 (built with --enable-debug).

Assertion failure: IsArrayBuffer(obj), at /builds/worker/checkouts/gecko/js/src/vm/ArrayBufferObject.cpp:1801

OS|Linux|0.0.0 Linux 5.3.0-46-generic #38~18.04.1-Ubuntu SMP Tue Mar 31 04:17:56 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|JS::GetArrayBufferLengthAndData(JSObject*, unsigned int*, bool*, unsigned char**)|hg:hg.mozilla.org/mozilla-central:js/src/vm/ArrayBufferObject.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|1801|0x9b
0|1|libxul.so|mozilla::dom::indexedDB::Key::EncodeBinary(JSObject*, bool, unsigned char, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/indexedDB/Key.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|772|0x8
0|2|libxul.so|mozilla::dom::indexedDB::Key::EncodeJSValInternal(JSContext*, JS::Handle<JS::Value>, unsigned char, unsigned short, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/indexedDB/Key.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|369|0x1a
0|3|libxul.so|mozilla::dom::indexedDB::Key::SetFromJSVal(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/indexedDB/Key.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|832|0x1d
0|4|libxul.so|mozilla::dom::IDBFactory::Cmp(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, mozilla::ErrorResult&)|hg:hg.mozilla.org/mozilla-central:dom/indexedDB/IDBFactory.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|447|0x1e
0|5|libxul.so|mozilla::dom::IDBFactory_Binding::cmp(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&)|s3:gecko-generated-sources:9ccb9ee4962034f9b2ace79e2eba66275acad12289571973ac9d2e442e0d567b3dd49172bd7f2e1748575b54e2f197ec62705e8e92d3127cf5a7d266a7803e3e/dom/bindings/IDBFactoryBinding.cpp:|341|0xb
0|6|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|3203|0x21
0|7|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|492|0x12
0|8|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|584|0xe
0|9|libxul.so|<name omitted>|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|664|0xb
0|10|libxul.so|js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const|hg:hg.mozilla.org/mozilla-central:js/src/proxy/Wrapper.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|162|0x25
0|11|libxul.so|js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const|hg:hg.mozilla.org/mozilla-central:js/src/proxy/CrossCompartmentWrapper.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|238|0x12
0|12|libxul.so|js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/proxy/Proxy.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|491|0x16
0|13|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|558|0xb
0|14|libxul.so|Interpret(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|651|0xa
0|15|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|464|0xb
0|16|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|619|0x8
0|17|libxul.so|<name omitted>|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|664|0xb
0|18|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|2807|0x23
0|19|libxul.so|mozilla::dom::Function::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&)|s3:gecko-generated-sources:e1b4e4cc33e7b0d89c05155298fabe650071ceecb2d762b5e176a870c3090b87377a846cd26b1af06573d0c39be355f717cfa4eba916206f8b22172a9046cbab/dom/bindings/FunctionBinding.cpp:|43|0x15
0|20|libxul.so|void mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject> >(nsCOMPtr<nsIGlobalObject> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*)|s3:gecko-generated-sources:84e03935fdea6287f0d6a93c3773f53d63702c33eff1dc7fa1beeb370d1cda84415dec66ac541edf01d400fc11986cda3c1ea3516669f568ec58173017beff94/dist/include/mozilla/dom/FunctionBinding.h:|73|0x28
0|21|libxul.so|mozilla::dom::CallbackTimeoutHandler::Call(char const*)|hg:hg.mozilla.org/mozilla-central:dom/base/TimeoutHandler.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|167|0x2b
0|22|libxul.so|nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*)|hg:hg.mozilla.org/mozilla-central:dom/base/nsGlobalWindowInner.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|5917|0x18
0|23|libxul.so|mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool)|hg:hg.mozilla.org/mozilla-central:dom/base/TimeoutManager.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|891|0x8
0|24|libxul.so|mozilla::dom::TimeoutExecutor::MaybeExecute()|hg:hg.mozilla.org/mozilla-central:dom/base/TimeoutExecutor.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|179|0x15
0|25|libxul.so|non-virtual thunk to mozilla::dom::TimeoutExecutor::Notify(nsITimer*)|hg:hg.mozilla.org/mozilla-central:dom/base/TimeoutExecutor.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|0|0x13
0|26|libxul.so|nsTimerImpl::Fire(int)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsTimerImpl.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|564|0xe
0|27|libxul.so|nsTimerEvent::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TimerThread.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|250|0x14
0|28|libxul.so|mozilla::ThrottledEventQueue::Inner::ExecuteRunnable()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/ThrottledEventQueue.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|253|0xe
0|29|libxul.so|mozilla::ThrottledEventQueue::Inner::Executor::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/ThrottledEventQueue.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|81|0x11
0|30|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|1200|0x11
0|31|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|481|0xc
0|32|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|109|0x14
0|33|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|315|0x17
0|34|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|290|0x8
0|35|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|137|0xd
0|36|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|909|0xe
0|37|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|237|0x5
0|38|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|315|0x17
0|39|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|290|0x8
0|40|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|740|0x5
0|41|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|56|0x11
0|42|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|303|0x20
0|43|libc.so.6||||0x21b97
0|44|firefox-bin|<name omitted>|hg:hg.mozilla.org/mozilla-central:mfbt/UniquePtr.h:17aa41e3cb7cdff3b94e26e351e29cc8b9bab18a|253|0x17
Flags: in-testsuite?

Interesting, Key::EncodeJSValInternal should already have checked the same condition here: https://searchfox.org/mozilla-central/rev/55a4faa52f72918efa51150d127aebdc057dc6cf/dom/indexedDB/Key.cpp#367

Can the JSObject have changed in between that check and the assertion? Probably it shouldn't.

The test case itself doesn't make any use of IndexedDB, so I guess this is not well-reproducible?
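A self-contained C++ model of the check/assertion mismatch discussed above (added here; not Gecko code and not the patch that landed). It assumes, consistent with the fix's description "Fix handling of wrapped ArrayBuffer objects", that the earlier check in Key::EncodeJSValInternal sees through a cross-compartment wrapper while JS::GetArrayBufferLengthAndData asserts on the object it is actually given; the Obj type, Kind enum and both Encode functions are constructed stand-ins.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed stand-ins for JS objects: a bare ArrayBuffer, a cross-compartment
// wrapper pointing at one, or some unrelated object.
enum class Kind { ArrayBuffer, Wrapper, Plain };

struct Obj {
  Kind kind;
  Obj* target;                 // wrappee, only meaningful for Kind::Wrapper
  std::vector<uint8_t> bytes;  // backing store, only for Kind::ArrayBuffer
};

// Follows wrapper chains to the underlying object (the assumed behaviour of the
// earlier "is this an ArrayBuffer" check in Key::EncodeJSValInternal).
static Obj* UnwrapArrayBuffer(Obj* obj) {
  while (obj && obj->kind == Kind::Wrapper) obj = obj->target;
  return (obj && obj->kind == Kind::ArrayBuffer) ? obj : nullptr;
}

// Accessor that requires a bare ArrayBuffer and does not unwrap, modelled on
// JS::GetArrayBufferLengthAndData, whose IsArrayBuffer(obj) assertion is the
// failure on this page. Returning false stands in for that assertion firing.
static bool GetArrayBufferLengthAndData(Obj* obj, size_t* len, const uint8_t** data) {
  if (obj->kind != Kind::ArrayBuffer) return false;
  *len = obj->bytes.size();
  *data = obj->bytes.data();
  return true;
}

// Buggy shape: the check sees through the wrapper, but the wrapper itself is
// what gets handed to the accessor.
static bool EncodeBinaryBuggy(Obj* obj, size_t* len) {
  if (!UnwrapArrayBuffer(obj)) return false;            // passes for a wrapper...
  const uint8_t* data;
  return GetArrayBufferLengthAndData(obj, len, &data);  // ...accessor rejects it
}

// Fixed shape: unwrap once and use only the unwrapped object from then on. A
// non-buffer is rejected on a normal error path instead of tripping an
// internal assertion in the JS engine.
static bool EncodeBinaryFixed(Obj* obj, size_t* len) {
  Obj* buffer = UnwrapArrayBuffer(obj);
  if (!buffer) return false;
  const uint8_t* data;
  return GetArrayBufferLengthAndData(buffer, len, &data);
}
```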

Attached file testcase.html

My apologies. Looks like I attached the wrong testcase. The attached testcase does reproduce this issue reliably.

Attachment #9143679 - Attachment is obsolete: true

Ah, makes much more sense now :) Thanks for fixing the test case! Will check that out.

Assignee: nobody → sgiesecke

I reproduced this locally and have a Pernosco session at https://pernos.co/debug/ZjuMpE7Qashf-agbw8WCeA/index.html

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200428100141-a99c73301874.
Failed to bisect testcase (Start build crashes!):
> Start: f3c2a7206699cc369fbfdfcff2dc4685cfdd079e (20190430034604)
> End: c9955025d4a5353568a56a1048292c665312fa95 (20200427094322)
> BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)
Priority: -- → P2
Pushed by sgiesecke@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/01abb93ee69e
Fix handling of wrapped ArrayBuffer objects. r=dom-workers-and-storage-reviewers,janv
Severity: normal → S2
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla78

The patch landed in nightly and beta is affected.
:sg, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(sgiesecke)
Status: RESOLVED → VERIFIED
Keywords: bugmon
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200518152416-a627b6676824.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Flags: needinfo?(sgiesecke)
