Assertion failure: mSentCommitOrAbort, at src/dom/indexedDB/IDBTransaction.cpp:137
Categories: Core :: Storage: IndexedDB, defect, P3
Tracking: firefox98 status affected (no tracking flag set)
People: Reporter: tsmith, Unassigned
References: Blocks 1 open bug
Details: Keywords: assertion, testcase; Whiteboard: [bugmon:bisected,confirmed]
Attachments: 1 file, 1 obsolete file (testcase, 484 bytes, text/html)
Found while fuzzing m-c 20220204-24a44838181c (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --no-harness
Assertion failure: mSentCommitOrAbort, at src/dom/indexedDB/IDBTransaction.cpp:137
#0 0x7fe5841cd735 in mozilla::dom::IDBTransaction::~IDBTransaction() src/dom/indexedDB/IDBTransaction.cpp:137:3
#1 0x7fe5841cd8e0 in mozilla::dom::IDBTransaction::~IDBTransaction() src/dom/indexedDB/IDBTransaction.cpp:132:35
#2 0x7fe57f9ca5d8 in SnowWhiteKiller::MaybeKillObject(SnowWhiteKiller::SnowWhiteObject&) src/xpcom/base/nsCycleCollector.cpp:2419:29
#3 0x7fe57f9bd6f3 in SnowWhiteKiller::~SnowWhiteKiller() src/xpcom/base/nsCycleCollector.cpp:2406:7
#4 0x7fe57f9bcaed in nsCycleCollector::FreeSnowWhite(bool) src/xpcom/base/nsCycleCollector.cpp:2596:3
#5 0x7fe57f9c191b in nsCycleCollector::BeginCollection(mozilla::CCReason, ccIsManual, nsICycleCollectorListener*) src/xpcom/base/nsCycleCollector.cpp:3579:3
#6 0x7fe57f9c14ca in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, js::SliceBudget&, nsICycleCollectorListener*, bool) src/xpcom/base/nsCycleCollector.cpp:3402:9
#7 0x7fe57f9c125d in nsCycleCollector::ShutdownCollect() src/xpcom/base/nsCycleCollector.cpp:3343:20
#8 0x7fe57f9c2546 in nsCycleCollector::Shutdown(bool) src/xpcom/base/nsCycleCollector.cpp:3640:5
#9 0x7fe57f9c4032 in nsCycleCollector_shutdown(bool) src/xpcom/base/nsCycleCollector.cpp:3958:18
#10 0x7fe57fb0170e in mozilla::ShutdownXPCOM(nsIServiceManager*) src/xpcom/build/XPCOMInit.cpp:723:3
#11 0x7fe5868161bc in XRE_TermEmbedding() src/toolkit/xre/nsEmbedFunctions.cpp:222:3
#12 0x7fe58058cb6e in mozilla::ipc::ScopedXREEmbed::Stop() src/ipc/glue/ScopedXREEmbed.cpp:90:5
#13 0x7fe5868167e5 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:719:16
#14 0x5576b0aa5b57 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#15 0x5576b0aa5b57 in main src/browser/app/nsBrowserApp.cpp:327:18
#16 0x7fe5949510b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#17 0x5576b0a812dc in _start (/home/worker/builds/m-c-20220204092958-fuzzing-debug/firefox-bin+0x152dc)
Comment 1•3 years ago (Reporter)
A Pernosco session is available here: https://pernos.co/debug/wAHQAl80C1MJDn25_FD1LA/index.html
Comment 2•3 years ago
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220205014840-e8991d00a1d1.
Unable to bisect testcase (Testcase reproduces on start build!):
Start: ea0966587b4a224ef38dad7df1e9c7333948a1a4 (20210206094243)
End: 24a44838181c2e0aa5d54901766d352548dc903a (20220204092958)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)
Comment 3•3 years ago
The transaction in question is aborted but we never send the abort via IDBTransaction::SendAbort.
IIUC this should have happened in IDBTransaction::OnRequestFinished, which however has never been called on this transaction.
I assume this does not directly break anything important in release, however we should probably understand if the assert is really important and if so, what has been missed.
Comment 4•3 years ago
Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20220204092958-24a44838181c) but not with tip (mozilla-central 20220211164352-46048399bf0f.)
The bug appears to have been fixed in the following build range:
Start: 1752964a29e0c00fa286ced15c8673fa5492a5bd (20220210105511)
End: 80590d5a58300983cb9dc4688146d2dd8494beeb (20220210125111)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=1752964a29e0c00fa286ced15c8673fa5492a5bd&tochange=80590d5a58300983cb9dc4688146d2dd8494beeb
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 5•2 years ago
(In reply to Bugmon [:jkratzer for issues] from comment #4)
Start: 1752964a29e0c00fa286ced15c8673fa5492a5bd (20220210105511)
End: 80590d5a58300983cb9dc4688146d2dd8494beeb (20220210125111)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=1752964a29e0c00fa286ced15c8673fa5492a5bd&tochange=80590d5a58300983cb9dc4688146d2dd8494beeb
I cannot really see anything related to IndexedDB in that range. Anyhow, :tsmith, can you confirm this does not happen anymore? Should we just close this WORKSFORME?
Comment 6•2 years ago (Reporter)
This issue was reported 13x by fuzzers between Feb 4 2022 and June 30 2022. It was last reported while fuzzing 20220630-65f99678a1ef. So I agree let's close this as WORKSFORME.
Comment 7•2 years ago
It looks like the original testcase is not the correct one for this issue. I'll update the testcase and rerun bugmon to get a bisection range.
Comment 8•2 years ago
Comment hidden (obsolete)
Comment hidden (obsolete)
Comment 11•2 years ago
Testcase crashes using the initial build (mozilla-central 20220204092958-24a44838181c) but not with tip (mozilla-central 20221207094527-d0cc0efe7b23.)
The bug appears to have been fixed in the following build range:
Start: f5ad3753533ca29cd790f11a95738d1142879451 (20220704103609)
End: 98c5df8bc7b1a0a689029df8102842a370d02d82 (20220704124449)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=f5ad3753533ca29cd790f11a95738d1142879451&tochange=98c5df8bc7b1a0a689029df8102842a370d02d82
tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Comment 12•2 years ago
This points clearly to bug 1777914. Thanks.