Closed Bug 1684077 Opened 3 years ago Closed 3 years ago

Assertion failure: false (This should never fail!), at /builds/worker/checkouts/gecko/dom/xhr/XMLHttpRequestWorker.cpp:1314

Categories

(Core :: DOM: Networking, defect, P2)

Product:
Core
Component:
DOM: Networking
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
88 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- wontfix
firefox86 --- wontfix
firefox87 --- wontfix
firefox88 --- verified

People

(Reporter: jkratzer, Assigned: kershaw)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed][necko-triaged])

Attachments

(2 files)

testcase.zip
3.27 KB, application/zip
Details
Bug 1684077 - Early return in SendRunnable::RunOnMainThread() when the XHR is already disconnected
48 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.zip

Testcase found while fuzzing mozilla-central rev f725a528bb4c (built with --enable-debug). Testcase must be served over HTTP. Further, testcase may require up to a minute to reproduce.

Assertion failure: false (This should never fail!), at /builds/worker/checkouts/gecko/dom/xhr/XMLHttpRequestWorker.cpp:1314

    #0 0x7f6dfe19f6e6 in mozilla::dom::SendRunnable::RunOnMainThread(mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/xhr/XMLHttpRequestWorker.cpp:1314:7
    #1 0x7f6dfe19eeb5 in mozilla::dom::WorkerThreadProxySyncRunnable::MainThreadRun() /builds/worker/checkouts/gecko/dom/xhr/XMLHttpRequestWorker.cpp:1186:3
    #2 0x7f6dfdfd5a3a in mozilla::dom::WorkerMainThreadRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:584:20
    #3 0x7f6df9e0a54c in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /builds/worker/checkouts/gecko/xpcom/threads/ThrottledEventQueue.cpp:254:22
    #4 0x7f6df9e05a71 in mozilla::ThrottledEventQueue::Inner::Executor::Run() /builds/worker/checkouts/gecko/xpcom/threads/ThrottledEventQueue.cpp:81:15
    #5 0x7f6df9ddf43f in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:459:16
    #6 0x7f6df9ddda3a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:739:26
    #7 0x7f6df9ddcae4 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:598:15
    #8 0x7f6df9ddcc97 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:382:36
    #9 0x7f6df9de2ce6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:123:37
    #10 0x7f6df9de2ce6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
    #11 0x7f6df9df42d5 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1200:14
    #12 0x7f6df9dfa38a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #13 0x7f6dfa7017c6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #14 0x7f6dfa66d983 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #15 0x7f6dfa66d89d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #16 0x7f6dfa66d89d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #17 0x7f6dfe3e4378 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #18 0x7f6dffbebd73 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:902:20
    #19 0x7f6dfa7026a9 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
    #20 0x7f6dfa66d983 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #21 0x7f6dfa66d89d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #22 0x7f6dfa66d89d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #23 0x7f6dffbeb958 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
    #24 0x555a334d7e07 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #25 0x555a334d7e07 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:305:18
    #26 0x7f6e0fd1d0b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite?

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201223212750-d6081a1bef2d.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: bd3843488a457fa721807dfe6d5f443b1c6d40f0 (20191226092613)
End: f725a528bb4cdee5eb7e7d019fd347a840065134 (20201223092736)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Severity: -- → S3
Priority: -- → P2
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed][necko-triaged]

FWIW, it seems that ComputeWantsUntrusted can fail here. There are five implementations of ComputeDefaultWantsUntrusted.

It looks like we cannot really rely on being infallible here but should handle possible errors more gracefully?

Flags: needinfo?(kershaw)

(In reply to Jens Stutte [:jstutte] from comment #2)

FWIW, it seems that ComputeWantsUntrusted can fail here. There are five implementations of ComputeDefaultWantsUntrusted.

It looks like we cannot really rely on being infallible here but should handle possible errors more gracefully?

I think this assertion means the XHR here is already disconnected, so the best we can do is probably returning earlier in SendRunnable::RunOnMainThread.

Flags: needinfo?(kershaw)
Assignee: nobody → kershaw
Status: NEW → ASSIGNED
Pushed by kjang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/79bc082cccb4
Early return in SendRunnable::RunOnMainThread() when the XHR is already disconnected r=baku

https://hg.mozilla.org/mozilla-central/rev/79bc082cccb4

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox88: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 88 Branch

Since the status are different for nightly and release, what's the status for beta?
For more information, please visit auto_nag documentation.

status-firefox87: --- → ?

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210303041649-c45b1e6bcd01.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox88: fixedverified
Keywords: bugmon

I do not see how 87 could not be affected, given the bisection range tested.

status-firefox87: ?affected

The patch landed in nightly and beta is affected.
:kershaw, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(kershaw)

No need to uplift this.

status-firefox86: affectedwontfix
status-firefox87: affectedwontfix
Flags: needinfo?(kershaw)

:kershaw, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(kershaw)

Sorry, bug in the bot.

Flags: needinfo?(kershaw)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: