Assertion failure: mStream, at /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FileSystemWritableFileStreamChild.h:24
Categories
(Core :: DOM: File, defect, P2)
Tracking
()
People
(Reporter: tsmith, Assigned: jjalkanen)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase)
Crash Data
Attachments
(2 files)
Found while fuzzing m-c 20230423-0bcf2642f5a6 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: mStream, at /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FileSystemWritableFileStreamChild.h:24
#0 0x7f208e4d3fcd in MutableWritableFileStreamPtr /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FileSystemWritableFileStreamChild.h:24:5
#1 0x7f208e4d3fcd in mozilla::dom::FileSystemManagerChild::AllWritableFileStreamsClosed() const /builds/worker/checkouts/gecko/dom/fs/child/FileSystemManagerChild.cpp:54:33
#2 0x7f208e49bd80 in mozilla::dom::FileSystemManager::Shutdown() /builds/worker/checkouts/gecko/dom/fs/api/FileSystemManager.cpp:72:7
#3 0x7f208f2a3136 in mozilla::dom::StorageManager::Shutdown() /builds/worker/checkouts/gecko/dom/quota/StorageManager.cpp:756:25
#4 0x7f208f9984b9 in mozilla::dom::WorkerNavigator::Invalidate() /builds/worker/checkouts/gecko/dom/workers/WorkerNavigator.cpp:76:22
#5 0x7f208f9b030b in mozilla::dom::WorkerGlobalScope::NoteShuttingDown() /builds/worker/checkouts/gecko/dom/workers/WorkerScope.cpp:452:17
#6 0x7f208f9a8467 in mozilla::dom::WorkerPrivate::NotifyInternal(mozilla::dom::WorkerStatus) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:4915:25
#7 0x7f208f9a6e62 in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3297:9
#8 0x7f208f98f203 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:2141:42
#9 0x7f208aa34e04 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1193:16
#10 0x7f208aa3ba4d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
#11 0x7f208b6ed47e in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
#12 0x7f208b605711 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#13 0x7f208b605711 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#14 0x7f208aa304a6 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391:10
#15 0x7f20a03cc9ef in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#16 0x7f20a0094b42 in start_thread nptl/pthread_create.c:442:8
#17 0x7f20a01269ff misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Reporter | ||
Comment 1•1 year ago
•
|
||
This test case also triggers the follow assertion on release builds:
Hit MOZ_CRASH(MozPromise::ThenValue created from 'BeginClose' destroyed without being either disconnected, resolved, or rejected (dispatchRv: not dispatched)) at /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:534
Hit MOZ_CRASH(MozPromise::ThenValue created from 'ResolveCallback' destroyed without being either disconnected, resolved, or rejected (dispatchRv: NS_OK)) at /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:534
Reporter | ||
Comment 2•1 year ago
|
||
It also triggers:
==233423==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000066f8 (pc 0x7f6c9d7cd468 bp 0x7f6bf2a10070 sp 0x7f6bf2a10050 T30)
==233423==The signal is caused by a READ memory access.
#0 0x7f6c9d7cd468 in mozilla::dom::AutoJSAPI::Init(nsIGlobalObject*) /builds/worker/checkouts/gecko/dom/script/ScriptSettings.cpp:426
#1 0x7f6c9a51ad62 in operator() /builds/worker/checkouts/gecko/dom/fs/api/FileSystemWritableFileStream.cpp:334:24
#2 0x7f6c9a51ad62 in InvokeMethod<(lambda at /builds/worker/checkouts/gecko/dom/fs/api/FileSystemWritableFileStream.cpp:317:7), RefPtr<mozilla::MozPromise<already_AddRefed<mozilla::dom::FileSystemWritableFileStream>, nsresult, true> > ((lambda at /builds/worker/checkouts/gecko/dom/fs/api/FileSystemWritableFileStream.cpp:317:7)::*)(mozilla::MozPromise<mozilla::NotNull<nsCOMPtr<nsIRandomAccessStream> >, nsresult, true>::ResolveOrRejectValue &&), mozilla::MozPromise<mozilla::NotNull<nsCOMPtr<nsIRandomAccessStream> >, nsresult, true>::ResolveOrRejectValue> /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:654:12
#3 0x7f6c9a51ad62 in InvokeCallbackMethod<true, (lambda at /builds/worker/checkouts/gecko/dom/fs/api/FileSystemWritableFileStream.cpp:317:7), RefPtr<mozilla::MozPromise<already_AddRefed<mozilla::dom::FileSystemWritableFileStream>, nsresult, true> > ((lambda at /builds/worker/checkouts/gecko/dom/fs/api/FileSystemWritableFileStream.cpp:317:7)::*)(mozilla::MozPromise<mozilla::NotNull<nsCOMPtr<nsIRandomAccessStream> >, nsresult, true>::ResolveOrRejectValue &&), mozilla::MozPromise<mozilla::NotNull<nsCOMPtr<nsIRandomAccessStream> >, nsresult, true>::ResolveOrRejectValue, RefPtr<mozilla::MozPromise<already_AddRefed<mozilla::dom::FileSystemWritableFileStream>, nsresult, true>::Private> > /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:670:14
#4 0x7f6c9a51ad62 in mozilla::MozPromise<mozilla::NotNull<nsCOMPtr<nsIRandomAccessStream>>, nsresult, true>::ThenValue<mozilla::dom::FileSystemWritableFileStream::Create(nsCOMPtr<nsIGlobalObject> const&, RefPtr<mozilla::dom::FileSystemManager>&, RefPtr<mozilla::dom::FileSystemWritableFileStreamChild>, mozilla::ipc::RandomAccessStreamParams&&, mozilla::dom::fs::FileSystemEntryMetadata&&)::$_2>::DoResolveOrRejectInternal(mozilla::MozPromise<mozilla::NotNull<nsCOMPtr<nsIRandomAccessStream>>, nsresult, true>::ResolveOrRejectValue&) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:938:7
#5 0x7f6c9a516fb8 in mozilla::MozPromise<mozilla::NotNull<nsCOMPtr<nsIRandomAccessStream>>, nsresult, true>::ThenValueBase::ResolveOrRejectRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:490:21
#6 0x7f6c92bec689 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1193:16
#7 0x7f6c92bf9cb4 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
#8 0x7f6c94811803 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
#9 0x7f6c94637e9a in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#10 0x7f6c94637e9a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#11 0x7f6c94637e9a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#12 0x7f6c92be367a in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391:10
#13 0x7f6cb96eab3f in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#14 0x7f6cb9494b42 in start_thread nptl/pthread_create.c:442:8
#15 0x7f6cb95269ff misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Reporter | ||
Updated•1 year ago
|
Comment 3•1 year ago
|
||
Unable to reproduce bug 1840184 using build mozilla-central 20230423212458-0bcf2642f5a6. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Updated•1 year ago
|
Comment 4•1 year ago
|
||
This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:jjalkanen, could you consider increasing the severity?
For more information, please visit BugBot documentation.
Comment 5•1 year ago
|
||
(In reply to Bugmon [:jkratzer for issues] from comment #3)
Unable to reproduce bug 1840184 using build mozilla-central 20230423212458-0bcf2642f5a6. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Hi Tyson, it seems we have an unclear state here ? Thanks
Reporter | ||
Comment 6•1 year ago
|
||
I can reproduce locally with m-c 20230703-a998c42399a8.
Maybe a Bugmon issue?
Reporter | ||
Comment 8•1 year ago
|
||
I can reproduce the originally reported issue:
Assertion failure: mStream, at /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FileSystemWritableFileStreamChild.h:24
It appears the issues noted in comment 1 are resolved.
Comment 9•1 year ago
|
||
(In reply to Tyson Smith [:tsmith] (PTO) from comment #6)
I can reproduce locally with m-c 20230703-a998c42399a8.
Maybe a Bugmon issue?
I can't reproduce this issue locally using the testcase and build from comment 0.
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment 17•11 months ago
•
|
||
(In reply to Jason Kratzer [:jkratzer] from comment #9)
(In reply to Tyson Smith [:tsmith] (PTO) from comment #6)
I can reproduce locally with m-c 20230703-a998c42399a8.
Maybe a Bugmon issue?
I can't reproduce this issue locally using the testcase and build from comment 0.
I am a bit puzzled if we still have an issue here, but it seems that
1 failures in 3288 pushes (0.0 failures/push) were associated with this bug in the last 7 days.
https://treeherder.mozilla.org/intermittent-failures/bugdetails?bug=1840184&startday=2023-11-06&endday=2023-11-12&tree=all
does not contain the changes from bug 1825552 and also the revision from the last failure on beta.
I assume that means we will see this disappear entirely very soon.
Reporter | ||
Updated•11 months ago
|
Reporter | ||
Comment 18•11 months ago
|
||
Fuzzing m-c 20231009-6404412771ea
was the last build where we received a flood of reports. We have seen 3 since and they are not reproducible so I'm guessing those are a different issue.
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment 25•8 months ago
|
||
The originally reported assertion seems to still happen rarely. Frequency is low, but maybe worth a second look.
Assignee | ||
Updated•8 months ago
|
Assignee | ||
Comment 26•8 months ago
|
||
The debug-only AllWritableFileStreamsClosed check obtains a non-owned pointer to WritableFileStream.
The check expects some pointers to already be null and ignores them but the mutable getter of the pointer asserts that the returned value is not null which sometimes leads to intermittent failures.
Asserting that the non-owner pointer is not null is however important for verifying the correct state of the CloseAllWritablesImpl.
Comment hidden (Intermittent Failures Robot) |
Updated•8 months ago
|
Updated•7 months ago
|
Comment 28•7 months ago
|
||
Comment 29•7 months ago
|
||
bugherder |
Updated•7 months ago
|
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Description
•