Open Bug 1819162 Opened 1 year ago Updated 1 year ago

Assertion failure: !originInfo->mCanonicalQuotaObjects.Count(), at /dom/quota/ActorsParent.cpp:4012

Categories

(Core :: Storage: IndexedDB, defect, P3)

x86_64
Windows
defect

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: testcase)

Attachments

(1 file)

Testcase found while fuzzing mozilla-central rev b8a8b74dbdd0 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build b8a8b74dbdd0 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: !originInfo->mCanonicalQuotaObjects.Count(), at /dom/quota/ActorsParent.cpp:4012

    r10 = 0x00007fff1a3226a1	r11 = 0x0000004ce713ef80	r12 = 0x00007ffed6725058
    r13 = 0x00000166a8059580	r14 = 0x0000000000000001	r15 = 0x0000000000000000
     r8 = 0x0000004ce713ffa0	 r9 = 0x00007fff1a2d0000	rax = 0x00007ffed67251c9
    rbp = 0x00007ffed672526c	rbx = 0x0000004ce713f608	rcx = 0x00007fff04917dc8
    rdi = 0x00000166a805d670	rdx = 0x0000000000000000	rip = 0x00007ffed04abb1b
    rsi = 0x00000166a1a054d0	rsp = 0x0000004ce713f5c0
    OS|Windows NT|10.0.19044
    CPU|amd64|family 6 model 158 stepping 10|4
    Crash|EXCEPTION_BREAKPOINT|0x00007ffed04abb1b|33
    33|0|xul.dll|mozilla::dom::quota::QuotaManager::UnloadQuota()|hg:hg.mozilla.org/mozilla-central:dom/quota/ActorsParent.cpp:b8a8b74dbdd01cade5a6aa258ce75f922969b639|4012|0x83b
    33|1|xul.dll|mozilla::dom::quota::QuotaManager::ShutdownStorageInternal()|hg:hg.mozilla.org/mozilla-central:dom/quota/ActorsParent.cpp:b8a8b74dbdd01cade5a6aa258ce75f922969b639|6029|0x46
    33|2|xul.dll|mozilla::dom::quota::(anonymous namespace)::ShutdownStorageOp::DoDirectoryWork(mozilla::dom::quota::QuotaManager&)|hg:hg.mozilla.org/mozilla-central:dom/quota/ActorsParent.cpp:b8a8b74dbdd01cade5a6aa258ce75f922969b639|7278|0xd4
    33|3|xul.dll|mozilla::dom::quota::(anonymous namespace)::OriginOperationBase::Run()|hg:hg.mozilla.org/mozilla-central:dom/quota/ActorsParent.cpp:b8a8b74dbdd01cade5a6aa258ce75f922969b639|7032|0x1b7
    33|4|xul.dll|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:b8a8b74dbdd01cade5a6aa258ce75f922969b639|1219|0x9ef
    33|5|xul.dll|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:b8a8b74dbdd01cade5a6aa258ce75f922969b639|477|0x44
    33|6|xul.dll|mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:b8a8b74dbdd01cade5a6aa258ce75f922969b639|330|0x112
    33|7|xul.dll|MessageLoop::RunHandler()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:b8a8b74dbdd01cade5a6aa258ce75f922969b639|374|0x4f
    33|8|xul.dll|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:b8a8b74dbdd01cade5a6aa258ce75f922969b639|356|0x6e
    33|9|xul.dll|nsThread::ThreadFunc(void*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:b8a8b74dbdd01cade5a6aa258ce75f922969b639|384|0x143
    33|10|nss3.dll|_PR_NativeRunThread(void*)|hg:hg.mozilla.org/mozilla-central:nsprpub/pr/src/threads/combined/pruthr.c:b8a8b74dbdd01cade5a6aa258ce75f922969b639|399|0x120
    33|11|nss3.dll|pr_root(void*)|hg:hg.mozilla.org/mozilla-central:nsprpub/pr/src/md/windows/w95thred.c:b8a8b74dbdd01cade5a6aa258ce75f922969b639|139|0x10
    33|12|ucrtbase.dll||||
    33|13|KERNELBASE.dll||||
    33|14|ucrtbase.dll||||
    33|15|kernel32.dll||||
    33|16|ucrtbase.dll||||
    33|17|mozglue.dll|patched_BaseThreadInitThunk(int, void*, void*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.cpp:b8a8b74dbdd01cade5a6aa258ce75f922969b639|592|0x93
    33|18|ntdll.dll||||
    33|19|KERNELBASE.dll||||
Attached file Testcase

Is it possible that the encoding of the testcase is changed when it is uploaded to Bugzilla?
The only thing which looks suspicious is the weird string passed to indexedDB.open.
Usually I can easily reproduce testcases like this when I convert them to a crashtest, but not this time.

Maybe it's reproducible on Windows only.
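Whether the upload altered the testcase's bytes is something that can be checked rather than guessed at. The script below is an added example for this report, not the attachment, the reporter's tooling, or Mozilla code. It reads a copy of the testcase as raw bytes and reports what a Bugzilla upload, a checkout, or an editor could have silently changed (BOM, line endings, invalid or double-encoded UTF-8, every non-ASCII code point) and decodes the literal passed to indexedDB.open so the "weird string" can be compared code point by code point between the local file and the downloaded attachment. The embedded sample is constructed for the example and is not the real testcase; the file name testcase.html is assumed.

```python
"""Check whether a fuzzer testcase survived transit byte-for-byte.

Added example for this bug report; it is not the attachment, the reporter's
tooling, or Mozilla code. Reads the file as bytes (never as text) and reports
what an upload, checkout, or editor could silently alter: a BOM, line-ending
style, invalid UTF-8, non-ASCII code points, and the decoded database name
passed to indexedDB.open(). Usage: python check_testcase.py testcase.html
"""
import hashlib
import re

# Constructed stand-in for a testcase; it is NOT the bug's attachment. It mixes
# an escaped NUL, a raw UTF-8 "é" and a raw U+FFFD, the kinds of input that a
# transcoding step tends to mangle.
SAMPLE_TESTCASE = (
    b"<!DOCTYPE html>\n<script>\n"
    b'const req = indexedDB.open("db-\\u0000-\xc3\xa9-\xef\xbf\xbd", 1);\n'
    b"req.onsuccess = () => req.result.close();\n"
    b"</script>\n"
)

_SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "0": "\0",
                   "\\": "\\", '"': '"', "'": "'"}
_JS_ESCAPE = re.compile(r"\\(u[0-9a-fA-F]{4}|x[0-9a-fA-F]{2}|.)")
# First argument of indexedDB.open(...) as a single- or double-quoted literal.
_OPEN_CALL = re.compile(r"indexedDB\.open\(\s*([\"'])((?:\\.|(?!\1).)*)\1", re.S)


def decode_js_string(body: str) -> str:
    """Resolve \\uXXXX, \\xXX and one-character escapes in a JS string body."""
    def sub(m):
        esc = m.group(1)
        if esc[0] in "ux":
            return chr(int(esc[1:], 16))
        return _SIMPLE_ESCAPES.get(esc, esc)
    return _JS_ESCAPE.sub(sub, body)


def indexeddb_open_names(text: str) -> list:
    """Decoded database names passed to indexedDB.open() in the testcase."""
    return [decode_js_string(m.group(2)) for m in _OPEN_CALL.finditer(text)]


def looks_double_encoded(data: bytes) -> bool:
    """True for UTF-8 that was UTF-8 already once: "Ã©" where "é" was meant."""
    try:
        once = data.decode("utf-8")
        twice = once.encode("latin-1").decode("utf-8")
    except (UnicodeDecodeError, UnicodeEncodeError):
        return False
    return twice != once


def first_difference(a: bytes, b: bytes):
    """Offset of the first byte where two copies diverge, or None if identical."""
    if a == b:
        return None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return min(len(a), len(b))


def analyze(data: bytes) -> dict:
    """Summarize everything about the bytes that an upload could have changed."""
    report = {
        "sha256": hashlib.sha256(data).hexdigest(),
        "bom": data.startswith(b"\xef\xbb\xbf"),
        "crlf": data.count(b"\r\n"),
        "lf_only": data.count(b"\n") - data.count(b"\r\n"),
        "double_encoded": looks_double_encoded(data),
    }
    try:
        text = data.decode("utf-8")
        report["utf8_valid"] = True
    except UnicodeDecodeError as err:
        report["utf8_valid"] = False
        report["first_bad_offset"] = err.start
        text = data.decode("utf-8", errors="replace")
    report["non_ascii"] = [(i, f"U+{ord(c):04X}") for i, c in enumerate(text) if ord(c) > 0x7F]
    report["open_names"] = [[f"U+{ord(c):04X}" for c in n] for n in indexeddb_open_names(text)]
    return report


if __name__ == "__main__":
    import json
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_TESTCASE
    print(json.dumps(analyze(data), indent=2))
```

Run it once on the local file and once on the attachment downloaded back from Bugzilla; if the two sha256 values match, the bytes were not altered, and if they differ, `first_difference` gives the offset to look at and the `open_names` code points show whether the database name itself changed. Everything is done on bytes on purpose: opening the file as text would apply exactly the kind of decoding the check is meant to detect.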

(In reply to Jan Varga [:janv] from comment #3)

> Maybe it's reproducible on Windows only.

Yes, it is Windows only.

Severity: -- → S3
Priority: -- → P3