1708705 - Assertion failure: mOwner.mReadyState == TemporaryState, at /builds/worker/workspace/obj-build/dist/include/mozilla/dom/IDBTransaction.h:226

Status: RESOLVED FIXED

(Core :: Storage: IndexedDB, defect, P2)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Testcase found while fuzzing mozilla-central rev b5b42ed4d6a0 (built with --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build b5b42ed4d6a0 --debug --fuzzing -n mc-debug
$ python -m grizzly.replay --xvfb ./mc-debug/firefox ./testcase.html

Assertion failure: mOwner.mReadyState == TemporaryState, at /builds/worker/workspace/obj-build/dist/include/mozilla/dom/IDBTransaction.h:226

    #0 0x7f5e559c9255 in ~AutoRestoreState /builds/worker/checkouts/gecko/dom/indexedDB/IDBTransaction.h:226:7
    #1 0x7f5e559c9255 in mozilla::dom::IDBObjectStore::AddOrPut(JSContext*, mozilla::dom::IDBObjectStore::ValueWrapper&, JS::Handle<JS::Value>, bool, bool, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/indexedDB/IDBObjectStore.cpp:781:3
    #2 0x7f5e559ebcd8 in mozilla::dom::IDBObjectStore::Put(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/indexedDB/IDBObjectStore.cpp:1011:10
    #3 0x7f5e548dbae8 in mozilla::dom::IDBObjectStore_Binding::put(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/IDBObjectStoreBinding.cpp:417:77
    #4 0x7f5e548fb627 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3232:13
    #5 0x7f5e579c5050 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:437:13
    #6 0x7f5e579c47b2 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:522:12
    #7 0x7f5e579c5fd9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:582:10
    #8 0x7f5e579bab8c in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:586:10
    #9 0x7f5e579bab8c in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3248:16
    #10 0x7f5e579b2335 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:406:13
    #11 0x7f5e579c47cf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:554:13
    #12 0x7f5e579c5fd9 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:582:10
    #13 0x7f5e579c6211 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:599:8
    #14 0x7f5e57f5a77b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2849:10
    #15 0x7f5e5454ac29 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:279:37
    #16 0x7f5e54ccff85 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12
    #17 0x7f5e54ccf069 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12
    #18 0x7f5e54cb1f5b in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1114:22
    #19 0x7f5e54cb2bb8 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1305:17
    #20 0x7f5e54ca7f55 in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:390:5
    #21 0x7f5e54ca7f55 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:354:17
    #22 0x7f5e54ca74ff in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:556:16
    #23 0x7f5e54caa0c0 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1099:11
    #24 0x7f5e54cacb46 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
    #25 0x7f5e54c8306b in mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/events/DOMEventTargetHelper.cpp:181:17
    #26 0x7f5e54cb8a92 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/events/EventTarget.cpp:183:13
    #27 0x7f5e559fa0e1 in mozilla::dom::indexedDB::(anonymous namespace)::detail::DispatchSuccessEvent(mozilla::NotNull<RefPtr<mozilla::dom::IDBRequest> > const&, mozilla::SafeRefPtr<mozilla::dom::IDBTransaction> const&, RefPtr<mozilla::dom::Event> const&) /builds/worker/checkouts/gecko/dom/indexedDB/ActorsChild.cpp:628:13
    #28 0x7f5e559b06c0 in void mozilla::dom::indexedDB::(anonymous namespace)::SetResultAndDispatchSuccessEvent<mozilla::dom::IDBDatabase>(mozilla::NotNull<RefPtr<mozilla::dom::IDBRequest> > const&, mozilla::SafeRefPtr<mozilla::dom::IDBTransaction> const&, mozilla::dom::IDBDatabase&, RefPtr<mozilla::dom::Event>) /builds/worker/checkouts/gecko/dom/indexedDB/ActorsChild.cpp:602:3
    #29 0x7f5e559b328b in mozilla::dom::indexedDB::BackgroundDatabaseChild::RecvPBackgroundIDBVersionChangeTransactionConstructor(mozilla::dom::indexedDB::PBackgroundIDBVersionChangeTransactionChild*, unsigned long const&, unsigned long const&, long const&, long const&) /builds/worker/checkouts/gecko/dom/indexedDB/ActorsChild.cpp:1776:3
    #30 0x7f5e527756b9 in mozilla::dom::indexedDB::PBackgroundIDBDatabaseChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundIDBDatabaseChild.cpp:863:78
    #31 0x7f5e525b758c in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6008:32
    #32 0x7f5e52272d6e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2152:25
    #33 0x7f5e5226f1ed in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2076:9
    #34 0x7f5e52270712 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1924:3
    #35 0x7f5e5227148b in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1955:13
    #36 0x7f5e5193bd52 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:143:20
    #37 0x7f5e5196703e in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:482:16
    #38 0x7f5e51944969 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:766:26
    #39 0x7f5e519438c4 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:621:15
    #40 0x7f5e51943a53 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:405:36
    #41 0x7f5e5196a6f6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:138:37
    #42 0x7f5e5196a6f6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
    #43 0x7f5e519566ef in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
    #44 0x7f5e5195d3aa in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #45 0x7f5e52278676 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #46 0x7f5e521e26c7 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #47 0x7f5e521e25e2 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #48 0x7f5e521e25e2 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #49 0x7f5e55fb7928 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #50 0x7f5e5788fdd3 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:906:20
    #51 0x7f5e5227956a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
    #52 0x7f5e521e26c7 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #53 0x7f5e521e25e2 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #54 0x7f5e521e25e2 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #55 0x7f5e5788f9ee in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738:34
    #56 0x55e7264f2b36 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #57 0x55e7264f2b36 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:309:18
    #58 0x7f5e680590b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

Comment 1

[Bugmon [:jkratzer for issues]]

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210430153451-0db412525773.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: 29e888a9270c6d38ffaa30efd0d297f5163613f1 (20200501094247)
End: b5b42ed4d6a06a23fb206f996229844c83a7dd93 (20210430092829)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False)

Comment 2

[Masayuki Nakano [:masayuki] (he/him)(JST, +0900)]

Simon, the assertion was introduced by https://hg.mozilla.org/mozilla-central/rev/ebf5f725d0b3268b3d2a96e58c02c7740b4653b2

Could you take a look?

Comment 3

[Jari Jalkanen]

Maybe a race condition? In the stack trace, /builds/worker/checkouts/gecko/dom/indexedDB/ActorsChild.cpp:602:3 and /builds/worker/checkouts/gecko/dom/indexedDB/IDBObjectStore.cpp:781:3 are both flipping mReadyState which is not protected and the scope safe guard of IDBObjectStore and the check in ActorsChild would not work.

Comment 4

[Jari Jalkanen]

(In reply to Jason Kratzer [:jkratzer] from comment #0)

Created attachment 9219545 [details]
testcase.html

Testcase found while fuzzing mozilla-central rev b5b42ed4d6a0 (built with --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build b5b42ed4d6a0 --debug --fuzzing -n mc-debug
$ python -m grizzly.replay --xvfb ./mc-debug/firefox ./testcase.html

I really appreciate all the steps and measures that you have taken to make the fuzzing findings reproducible. It makes bug hunting so much more deterministic, reliable and systematic.

However, it appears that on Windows, the essential dependency ffpuppet is not yet supported (see the attachment) and on WSL Ubuntu 20.04, there is an incompatibility of the pci_init function in the dynamically loaded libpci.so library which prevents the application from starting under the test setup (see the attached logs). Somehow, without the test instrumentation, the mc-setup/firefox application manages to start. I am using libpci3 version 1:3.6.4-1ubuntu0.20.04.1 .

Would you by any chance have any docker or virtual machine images where the application environment is fixed? Alternatively, a full manifest of the supported OS and application dependency versions would be helpful for letting me reproduce this event on my side, or even better, if there is somewhere an instruction for how to reproduce the issue with a TreeHerder job.

Comment 5

[Jari Jalkanen]

Attachment: ffpuppet on Windows

Comment 6

[Jari Jalkanen]

Attachment: Test instrumentation on WSL

Comment 7

[Jason Kratzer [:jkratzer]]

I spoke to :tyson and he mentioned that you got this working. Feel free to NI again if you're still having issues.

Comment 8

[Jari Jalkanen]

The issue was resolved and bug reproduced successfully on Windows, thanks a lot!

Comment 9

[Jari Jalkanen]

Attachment: Bug 1708705 - Handle transaction abort during value clone. r=#dom-storage-reviewers

Comment 10

[Pulsebot]

Pushed by jjalkanen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9b990a82db17
Handle transaction abort during value clone. r=dom-storage-reviewers,jstutte

Comment 11

[Jari Jalkanen]

Attachment: Bug 1708705 - Check new requests are rejected during structured cloning. r=#dom-storage-reviewers

The check is restored from the previous implementation.

Comment 12

[Natalia Csoregi [:nataliaCs]]

https://hg.mozilla.org/mozilla-central/rev/9b990a82db17

Comment 13

[Pulsebot]

Pushed by jjalkanen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d0764afccaff
Check new requests are rejected during structured cloning. r=dom-storage-reviewers,janv

Comment 14

[Iulian Moraru]

https://hg.mozilla.org/mozilla-central/rev/d0764afccaff

Comment 15

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20210430092829-b5b42ed4d6a0) but not with tip (mozilla-central 20220205014840-e8991d00a1d1.)
The bug appears to have been fixed in the following build range:

Start: db30af103b55aad5152d11870849b61bc7c4e909 (20220202114407)
End: 82085e71004296ecde5f16d6f5463fc6224678a4 (20220202214623)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=db30af103b55aad5152d11870849b61bc7c4e909&tochange=82085e71004296ecde5f16d6f5463fc6224678a4
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 16

[BugBot [:suhaib / :marco/ :calixte]]

:jjalkanen, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Comment 17

[Marco Castelluccio [:marco]]

Sorry, bug in the bot.