Closed Bug 1792245 Opened 2 years ago Closed 2 years ago

Assertion failure: data (Cycle collected object used on a thread without a cycle collector.), at /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3771

Categories

(Core :: DOM: File, defect, P1)



RESOLVED FIXED
108 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox106 --- disabled
firefox107 --- disabled
firefox108 --- fixed

People

(Reporter: tsmith, Assigned: janv)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, Whiteboard: [fuzzblocker])

Attachments

(2 files)

Found while fuzzing 20220923-df40645f791d (--enable-address-sanitizer --enable-fuzzing)

A reliable test case is not available but this issue is triggered frequently by the fuzzers.

A Pernosco session is available here: https://pernos.co/debug/rHEOzSmvIyO3cq0U-9322Q/index.html

Assertion failure: data (Cycle collected object used on a thread without a cycle collector.), at /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3771

==9551==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f0a99b7002e bp 0x7f0a850b8070 sp 0x7f0a850b7fa0 T13)
==9551==The signal is caused by a WRITE memory access.
==9551==Hint: address points to the zero page.
    #0 0x7f0a99b7002e in NS_CycleCollectorSuspect3 /gecko/xpcom/base/nsCycleCollector.cpp:3769:3
    #1 0x7f0a9f9e9554 in incr<&NS_CycleCollectorSuspect3> /builds/worker/workspace/obj-build/dist/include/nsISupportsImpl.h:248:7
    #2 0x7f0a9f9e9554 in incr<&NS_CycleCollectorSuspect3> /builds/worker/workspace/obj-build/dist/include/nsISupportsImpl.h:234:12
    #3 0x7f0a9f9e9554 in mozilla::DOMEventTargetHelper::AddRef() /gecko/dom/events/DOMEventTargetHelper.cpp:81:1
    #4 0x7f0aa22dfc3f in nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:525:7
    #5 0x7f0aa22dfc3f in ScriptSettingsStackEntry /gecko/dom/script/ScriptSettings.cpp:138:7
    #6 0x7f0aa22dfc3f in mozilla::dom::AutoJSAPI::AutoJSAPI(nsIGlobalObject*, bool, mozilla::dom::ScriptSettingsStackEntry::Type) /gecko/dom/script/ScriptSettings.cpp:391:7
    #7 0x7f0aa22df8de in mozilla::dom::AutoEntryScript::AutoEntryScript(nsIGlobalObject*, char const*, bool) /gecko/dom/script/AutoEntryScript.cpp:66:7
    #8 0x7f0a99f4f4aa in MaybeSomething<mozilla::ErrorResult> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Promise.h:386:21
    #9 0x7f0a99f4f4aa in mozilla::dom::Promise::MaybeReject(mozilla::ErrorResult&&) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Promise.h:106:5
    #10 0x7f0a9fc69833 in MaybeRejectWithUnknownError /builds/worker/workspace/obj-build/dist/include/mozilla/dom/DOMExceptionNames.h:45:1
    #11 0x7f0a9fc69833 in MaybeRejectWithUnknownError<41> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/DOMExceptionNames.h:45:1
    #12 0x7f0a9fc69833 in operator() /gecko/dom/fs/api/FileSystemManager.cpp:107:22
    #13 0x7f0a9fc69833 in InvokeMethod<(lambda at /builds/worker/checkouts/gecko/dom/fs/api/FileSystemManager.cpp:106:11), void ((lambda at /builds/worker/checkouts/gecko/dom/fs/api/FileSystemManager.cpp:106:11)::*)(nsresult) const, const nsresult &> /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:630:12
    #14 0x7f0a9fc69833 in InvokeCallbackMethod<false, (lambda at /builds/worker/checkouts/gecko/dom/fs/api/FileSystemManager.cpp:106:11), void ((lambda at /builds/worker/checkouts/gecko/dom/fs/api/FileSystemManager.cpp:106:11)::*)(nsresult) const, const nsresult &, RefPtr<mozilla::MozPromise<bool, nsresult, false>::Private> > /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:661:5
    #15 0x7f0a9fc69833 in mozilla::MozPromise<bool, nsresult, false>::ThenValue<mozilla::dom::FileSystemManager::GetDirectory(mozilla::ErrorResult&)::$_2, mozilla::dom::FileSystemManager::GetDirectory(mozilla::ErrorResult&)::$_3>::DoResolveOrRejectInternal(mozilla::MozPromise<bool, nsresult, false>::ResolveOrRejectValue&) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:850:9
    #16 0x7f0a9acb4e4e in mozilla::MozPromise<bool, nsresult, false>::ThenValueBase::ResolveOrRejectRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:487:21
    #17 0x7f0aa1eac781 in mozilla::dom::(anonymous namespace)::ExternalRunnableWrapper::Cancel() /gecko/dom/workers/WorkerPrivate.cpp:221:13
    #18 0x7f0aa1e9b24f in mozilla::dom::WorkerRunnable::Run() /gecko/dom/workers/WorkerRunnable.cpp:247:5
    #19 0x7f0a99d4b22e in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1199:16
    #20 0x7f0a99d43a87 in NS_ProcessPendingEvents(nsIThread*, unsigned int) /gecko/xpcom/threads/nsThreadUtils.cpp:430:19
    #21 0x7f0aa1e8851a in mozilla::dom::WorkerPrivate::ClearMainEventQueue(mozilla::dom::WorkerPrivate::WorkerRanOrNot) /gecko/dom/workers/WorkerPrivate.cpp:3831:5
    #22 0x7f0aa1e75314 in mozilla::dom::WorkerPrivate::ScheduleDeletion(mozilla::dom::WorkerPrivate::WorkerRanOrNot) /gecko/dom/workers/WorkerPrivate.cpp:3650:3
    #23 0x7f0aa1e5a8dc in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /gecko/dom/workers/RuntimeService.cpp:2116:19
    #24 0x7f0a99d4b22e in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1199:16
    #25 0x7f0a99d54e84 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
    #26 0x7f0a9b4f0525 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:300:20
    #27 0x7f0a9b36d9e1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #28 0x7f0a9b36d9e1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #29 0x7f0a9b36d9e1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #30 0x7f0a99d42378 in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:384:10
    #31 0x7f0ac1b96b7e in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #32 0x7f0ac24d7608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
    #33 0x7f0ac209e132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /gecko/xpcom/base/nsCycleCollector.cpp:3769:3 in NS_CycleCollectorSuspect3
Thread T13 (DOM Worker) created by T0 (Isolated Servic) here:
    #0 0x560b7837343c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
    #1 0x7f0ac1b86c2c in _PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7f0ac1b77fce in PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7f0a99d452f5 in nsThread::Init(nsTSubstring<char> const&) /gecko/xpcom/threads/nsThread.cpp:618:18
    #4 0x7f0aa1ea9ffa in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /gecko/dom/workers/WorkerThread.cpp:102:7
    #5 0x7f0aa1e355a5 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /gecko/dom/workers/RuntimeService.cpp:1323:37
    #6 0x7f0aa1e34409 in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /gecko/dom/workers/RuntimeService.cpp:1205:19
    #7 0x7f0aa1e7dc57 in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /gecko/dom/workers/WorkerPrivate.cpp:2588:24
    #8 0x7f0aa1eb9c39 in mozilla::dom::RemoteWorkerChild::ExecWorkerOnMainThread(mozilla::dom::RemoteWorkerData&&) /gecko/dom/workers/remoteworkers/RemoteWorkerChild.cpp:450:41
    #9 0x7f0aa1eee7da in operator() /gecko/dom/workers/remoteworkers/RemoteWorkerChild.cpp:306:29
    #10 0x7f0aa1eee7da in mozilla::detail::RunnableFunction<mozilla::dom::RemoteWorkerChild::ExecWorker(mozilla::dom::RemoteWorkerData const&)::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
    #11 0x7f0a99d15d8f in mozilla::SchedulerGroup::Runnable::Run() /gecko/xpcom/threads/SchedulerGroup.cpp:140:20
    #12 0x7f0a99d68e82 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:538:16
    #13 0x7f0a99d296cd in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:851:26
    #14 0x7f0a99d26838 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:683:15
    #15 0x7f0a99d26f60 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:461:36
    #16 0x7f0a99d71de4 in operator() /gecko/xpcom/threads/TaskController.cpp:190:37
    #17 0x7f0a99d71de4 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
    #18 0x7f0a99d4aa07 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1205:16
    #19 0x7f0a99d54e84 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
    #20 0x7f0a9b4eee74 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:107:5
    #21 0x7f0a9b36d9e1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #22 0x7f0a9b36d9e1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #23 0x7f0a9b36d9e1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #24 0x7f0aa27a2887 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:150:27
    #25 0x7f0aa792e3a7 in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:880:20
    #26 0x7f0a9b36d9e1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #27 0x7f0a9b36d9e1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #28 0x7f0a9b36d9e1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #29 0x7f0aa792d28c in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:739:34
    #30 0x560b783c7575 in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #31 0x560b783c79c7 in main /gecko/browser/app/nsBrowserApp.cpp:359:18
    #32 0x7f0ac1fa3082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

@tsmith Thanks!

This is caused by a storage.getDirectory() call that was made right before a worker shuts down. The CreateFileSystemManagerChild() call ends up failing, and causes a MozPromise rejection to run, and to reject the DOM Promise. However, the runnable to do this rejection runs during the cleareventqueue during Worker Shutdown, and this is after CycleCollection is shut down (and thus the assertion).

We need to implement something to kill requests earlier in nsIGlobalObject shutdown, preferably immediately after leaving the main runloop. I have a patch to add such a callback (which I had recently abandoned, since the reason I added it was mooted by moving to sub-protocols for SyncAccessHandle/etc).

Blocks: OPFS
Assignee: nobody → jvarga
Severity: -- → S2
Status: NEW → ASSIGNED
Priority: -- → P1

Changes:

  • new MozPromise requests are not created after shutdown
  • existing MozPromise requests are disconnected during shutdown
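The two rules above, modelled as an added example that is not Gecko code: `MiniPromise`, `RequestHolder` and `Manager` are hypothetical stand-ins for MozPromise, MozPromiseRequestHolder and FileSystemManager, and the counter stands in for the DOM Promise rejection that must not run after the cycle collector is gone.

```cpp
#include <functional>
#include <memory>
#include <vector>

// Hypothetical stand-in for MozPromise: records reject callbacks, delivers later.
struct MiniPromise {
  struct Request { std::function<void(int)> reject; bool live = true; };
  std::vector<std::shared_ptr<Request>> requests;
  std::shared_ptr<Request> Then(std::function<void(int)> onReject) {
    auto r = std::make_shared<Request>(Request{std::move(onReject)});
    requests.push_back(r);
    return r;
  }
  // Runs every callback that has not been disconnected (this is the late
  // ResolveOrRejectRunnable from the stack trace).
  void Reject(int rv) { for (auto& r : requests) if (r->live) r->reject(rv); }
};

// Hypothetical stand-in for MozPromiseRequestHolder.
struct RequestHolder {
  std::shared_ptr<MiniPromise::Request> req;
  void Track(std::shared_ptr<MiniPromise::Request> r) { req = std::move(r); }
  void Disconnect() { if (req) { req->live = false; req.reset(); } }
};

// Hypothetical stand-in for FileSystemManager.
struct Manager {
  bool shutdown = false;
  bool disconnectPending = true;  // false models the pre-fix behaviour
  int domRejections = 0;          // DOM Promise rejections that actually ran
  RequestHolder holder;
  // Rule 1: no new MozPromise request once shut down.
  bool GetDirectory(MiniPromise& p) {
    if (shutdown) return false;
    holder.Track(p.Then([this](int) { ++domRejections; }));
    return true;
  }
  // Rule 2: disconnect pending requests during shutdown.
  void Shutdown() { shutdown = true; if (disconnectPending) holder.Disconnect(); }
};

// Scenario from the bug: request issued, global shuts down, rejection arrives late.
int LateRejectionsDelivered(bool disconnectOnShutdown) {
  MiniPromise p; Manager m; m.disconnectPending = disconnectOnShutdown;
  m.GetDirectory(p);
  m.Shutdown();
  p.Reject(-1);
  return m.domRejections;  // 1 before the fix, 0 with disconnection
}
bool RequestAfterShutdownRefused() { MiniPromise p; Manager m; m.Shutdown(); return !m.GetDirectory(p); }
```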
Pushed by jvarga@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/214c4d6bf7f9
Add ErrorResult to FileSystemRequestHandler methods; r=dom-storage-reviewers,jesup
https://hg.mozilla.org/integration/autoland/rev/a1c3f1590850
Improve FileSystemManager shutdown; r=dom-storage-reviewers,jesup
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 108 Branch

The patch landed in nightly and beta is affected.
:janv, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox107 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(jvarga)

:jvarga this seems like a large change to uplift to 107 beta.
Setting status-firefox107 to wontfix - if you disagree please let me know.

Jan, I'd assume that status-firefox107 can be set to disabled?
