Closed Bug 1809759 Opened 1 year ago Closed 1 year ago

Assertion failure: mShutdown, at /builds/worker/checkouts/gecko/dom/fs/api/FileSystemManager.cpp:33

Categories

(Core :: DOM: File, defect, P1)

Product:
Core
Component:
DOM: File
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
110 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox109 --- disabled
firefox110 --- verified

People

(Reporter: tsmith, Assigned: janv)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

testcase.html
265 bytes, text/html
Details
Bug 1809759 - Shutdown FileSystemManager before releasing it; r=#dom-storage
48 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html

Found while fuzzing m-c 20221124-e12f31999d33 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: mShutdown, at /builds/worker/checkouts/gecko/dom/fs/api/FileSystemManager.cpp:33

#0 0x7f3be6ba1308 in mozilla::dom::FileSystemManager::~FileSystemManager() /builds/worker/checkouts/gecko/dom/fs/api/FileSystemManager.cpp:33:43
#1 0x7f3be6ba13a0 in mozilla::dom::FileSystemManager::~FileSystemManager() /builds/worker/checkouts/gecko/dom/fs/api/FileSystemManager.cpp:33:41
#2 0x7f3be3244c58 in SnowWhiteKiller::MaybeKillObject(SnowWhiteKiller::SnowWhiteObject&) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2444:29
#3 0x7f3be3249c7b in SnowWhiteKiller::Visit(nsPurpleBuffer&, nsPurpleBufferEntry*) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2469:9
#4 0x7f3be323820e in void nsPurpleBuffer::VisitEntries<SnowWhiteKiller>(SnowWhiteKiller&) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:939:23
#5 0x7f3be3238ac9 in nsCycleCollector::FreeSnowWhiteWithBudget(js::SliceBudget&) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2637:14
#6 0x7f3be40f4261 in AsyncFreeSnowWhite::Run() /builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSRuntime.cpp:154:9
#7 0x7f3be334682f in IdleRunnableWrapper::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:320:22
#8 0x7f3be3319175 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:539:16
#9 0x7f3be331474c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:852:26
#10 0x7f3be331347e in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:726:15
#11 0x7f3be3313675 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:462:36
#12 0x7f3be331ca76 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
#13 0x7f3be331ca76 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#14 0x7f3be3332315 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1197:16
#15 0x7f3be333885d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:476:10
#16 0x7f3be3f2a853 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#17 0x7f3be3e4e6d8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#18 0x7f3be3e4e5e1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#19 0x7f3be3e4e5e1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#20 0x7f3be838d9e8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#21 0x7f3bea5be0fb in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:20
#22 0x7f3be3f2b719 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#23 0x7f3be3e4e6d8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#24 0x7f3be3e4e5e1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#25 0x7f3be3e4e5e1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#26 0x7f3bea5bdc58 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:676:34
#27 0x55cea679bca0 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#28 0x55cea679bca0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
#29 0x7f3bf6994d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#30 0x7f3bf6994e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#31 0x55cea6772308 in _start (/home/user/workspace/browsers/m-c-20230109162059-fuzzing-debug/firefox-bin+0x5b308) (BuildId: fcb61112671969adba17e28990b158e625456a9f)
Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/yjry7CvE-WiPUVxzn7teiw/index.html

Assignee: nobody → jvarga
Blocks: OPFS
Severity: -- → S2
Status: NEW → ASSIGNED
Priority: -- → P1

Verified bug as reproducible on mozilla-central 20230112041059-539f28c1de72.
The bug appears to have been introduced in the following build range:

Start: 070c2bc9f8138aa9200c0e5e4af123c9e79fdaec (20220903093211)
End: 54117faf74fa285f410b772eb2916c90cd1f6270 (20220903111608)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=070c2bc9f8138aa9200c0e5e4af123c9e79fdaec&tochange=54117faf74fa285f410b772eb2916c90cd1f6270

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

Based on comment #2, this bug contains a bisection range found by bugmon. However, the Regressed by field is still not filled.

:janv, if possible, could you fill the Regressed by field and investigate this regression?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jvarga)

The bisection range doesn't seem to be related to this bug.

Flags: needinfo?(jvarga)
Pushed by jvarga@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6ee360938844
Shutdown FileSystemManager before releasing it; r=dom-storage-reviewers,jesup

https://hg.mozilla.org/mozilla-central/rev/6ee360938844

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox110: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 110 Branch

Verified bug as fixed on rev mozilla-central 20230113213947-963d01420434.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox110: fixedverified
Keywords: bugmon
status-firefox109: --- → disabled
status-firefox-esr102: --- → unaffected
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: