Closed Bug 1840184 Opened 1 year ago Closed 7 months ago

Assertion failure: mStream, at /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FileSystemWritableFileStreamChild.h:24

Categories

(Core :: DOM: File, defect, P2)


RESOLVED FIXED
125 Branch
Tracking Status
firefox-esr115 --- wontfix
firefox116 --- wontfix
firefox117 --- wontfix
firefox123 --- wontfix
firefox124 --- wontfix
firefox125 --- fixed

People

(Reporter: tsmith, Assigned: jjalkanen)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)


Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20230423-0bcf2642f5a6 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: mStream, at /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FileSystemWritableFileStreamChild.h:24

#0 0x7f208e4d3fcd in MutableWritableFileStreamPtr /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FileSystemWritableFileStreamChild.h:24:5
#1 0x7f208e4d3fcd in mozilla::dom::FileSystemManagerChild::AllWritableFileStreamsClosed() const /builds/worker/checkouts/gecko/dom/fs/child/FileSystemManagerChild.cpp:54:33
#2 0x7f208e49bd80 in mozilla::dom::FileSystemManager::Shutdown() /builds/worker/checkouts/gecko/dom/fs/api/FileSystemManager.cpp:72:7
#3 0x7f208f2a3136 in mozilla::dom::StorageManager::Shutdown() /builds/worker/checkouts/gecko/dom/quota/StorageManager.cpp:756:25
#4 0x7f208f9984b9 in mozilla::dom::WorkerNavigator::Invalidate() /builds/worker/checkouts/gecko/dom/workers/WorkerNavigator.cpp:76:22
#5 0x7f208f9b030b in mozilla::dom::WorkerGlobalScope::NoteShuttingDown() /builds/worker/checkouts/gecko/dom/workers/WorkerScope.cpp:452:17
#6 0x7f208f9a8467 in mozilla::dom::WorkerPrivate::NotifyInternal(mozilla::dom::WorkerStatus) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:4915:25
#7 0x7f208f9a6e62 in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3297:9
#8 0x7f208f98f203 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:2141:42
#9 0x7f208aa34e04 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1193:16
#10 0x7f208aa3ba4d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
#11 0x7f208b6ed47e in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
#12 0x7f208b605711 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#13 0x7f208b605711 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#14 0x7f208aa304a6 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391:10
#15 0x7f20a03cc9ef in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#16 0x7f20a0094b42 in start_thread nptl/pthread_create.c:442:8
#17 0x7f20a01269ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Flags: in-testsuite?

This test case also triggers the following assertion on release builds:

Hit MOZ_CRASH(MozPromise::ThenValue created from 'BeginClose' destroyed without being either disconnected, resolved, or rejected (dispatchRv: not dispatched)) at /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:534
Hit MOZ_CRASH(MozPromise::ThenValue created from 'ResolveCallback' destroyed without being either disconnected, resolved, or rejected (dispatchRv: NS_OK)) at /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:534

It also triggers:

==233423==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000066f8 (pc 0x7f6c9d7cd468 bp 0x7f6bf2a10070 sp 0x7f6bf2a10050 T30)
==233423==The signal is caused by a READ memory access.
    #0 0x7f6c9d7cd468 in mozilla::dom::AutoJSAPI::Init(nsIGlobalObject*) /builds/worker/checkouts/gecko/dom/script/ScriptSettings.cpp:426
    #1 0x7f6c9a51ad62 in operator() /builds/worker/checkouts/gecko/dom/fs/api/FileSystemWritableFileStream.cpp:334:24
    #2 0x7f6c9a51ad62 in InvokeMethod<(lambda at /builds/worker/checkouts/gecko/dom/fs/api/FileSystemWritableFileStream.cpp:317:7), RefPtr<mozilla::MozPromise<already_AddRefed<mozilla::dom::FileSystemWritableFileStream>, nsresult, true> > ((lambda at /builds/worker/checkouts/gecko/dom/fs/api/FileSystemWritableFileStream.cpp:317:7)::*)(mozilla::MozPromise<mozilla::NotNull<nsCOMPtr<nsIRandomAccessStream> >, nsresult, true>::ResolveOrRejectValue &&), mozilla::MozPromise<mozilla::NotNull<nsCOMPtr<nsIRandomAccessStream> >, nsresult, true>::ResolveOrRejectValue> /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:654:12
    #3 0x7f6c9a51ad62 in InvokeCallbackMethod<true, (lambda at /builds/worker/checkouts/gecko/dom/fs/api/FileSystemWritableFileStream.cpp:317:7), RefPtr<mozilla::MozPromise<already_AddRefed<mozilla::dom::FileSystemWritableFileStream>, nsresult, true> > ((lambda at /builds/worker/checkouts/gecko/dom/fs/api/FileSystemWritableFileStream.cpp:317:7)::*)(mozilla::MozPromise<mozilla::NotNull<nsCOMPtr<nsIRandomAccessStream> >, nsresult, true>::ResolveOrRejectValue &&), mozilla::MozPromise<mozilla::NotNull<nsCOMPtr<nsIRandomAccessStream> >, nsresult, true>::ResolveOrRejectValue, RefPtr<mozilla::MozPromise<already_AddRefed<mozilla::dom::FileSystemWritableFileStream>, nsresult, true>::Private> > /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:670:14
    #4 0x7f6c9a51ad62 in mozilla::MozPromise<mozilla::NotNull<nsCOMPtr<nsIRandomAccessStream>>, nsresult, true>::ThenValue<mozilla::dom::FileSystemWritableFileStream::Create(nsCOMPtr<nsIGlobalObject> const&, RefPtr<mozilla::dom::FileSystemManager>&, RefPtr<mozilla::dom::FileSystemWritableFileStreamChild>, mozilla::ipc::RandomAccessStreamParams&&, mozilla::dom::fs::FileSystemEntryMetadata&&)::$_2>::DoResolveOrRejectInternal(mozilla::MozPromise<mozilla::NotNull<nsCOMPtr<nsIRandomAccessStream>>, nsresult, true>::ResolveOrRejectValue&) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:938:7
    #5 0x7f6c9a516fb8 in mozilla::MozPromise<mozilla::NotNull<nsCOMPtr<nsIRandomAccessStream>>, nsresult, true>::ThenValueBase::ResolveOrRejectRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:490:21
    #6 0x7f6c92bec689 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1193:16
    #7 0x7f6c92bf9cb4 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
    #8 0x7f6c94811803 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
    #9 0x7f6c94637e9a in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #10 0x7f6c94637e9a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #11 0x7f6c94637e9a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #12 0x7f6c92be367a in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391:10
    #13 0x7f6cb96eab3f in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #14 0x7f6cb9494b42 in start_thread nptl/pthread_create.c:442:8
    #15 0x7f6cb95269ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Crash Signature: [@ mozilla::dom::AutoJSAPI::Init]
Whiteboard: [fuzzblocker]

Unable to reproduce bug 1840184 using build mozilla-central 20230423212458-0bcf2642f5a6. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Severity: -- → S3
Priority: -- → P2

This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:jjalkanen, could you consider increasing the severity?

For more information, please visit BugBot documentation.

Flags: needinfo?(jjalkanen)

(In reply to Bugmon [:jkratzer for issues] from comment #3)

> Unable to reproduce bug 1840184 using build mozilla-central 20230423212458-0bcf2642f5a6. Without a baseline, bugmon is unable to analyze this bug.
> Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Hi Tyson, it seems we have an unclear state here? Thanks

Flags: needinfo?(twsmith)

I can reproduce locally with m-c 20230703-a998c42399a8.

Maybe a Bugmon issue?

Flags: needinfo?(twsmith) → needinfo?(jkratzer)

This might have been fixed by 1825552

Flags: needinfo?(jjalkanen)

I can reproduce the originally reported issue:

Assertion failure: mStream, at /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FileSystemWritableFileStreamChild.h:24

It appears the issues noted in comment 1 are resolved.

Whiteboard: [fuzzblocker]
See Also: → 1841702

(In reply to Tyson Smith [:tsmith] (PTO) from comment #6)

> I can reproduce locally with m-c 20230703-a998c42399a8.
>
> Maybe a Bugmon issue?

I can't reproduce this issue locally using the testcase and build from comment 0.

Flags: needinfo?(jkratzer)

(In reply to Jason Kratzer [:jkratzer] from comment #9)

> (In reply to Tyson Smith [:tsmith] (PTO) from comment #6)
>
> > I can reproduce locally with m-c 20230703-a998c42399a8.
> >
> > Maybe a Bugmon issue?
>
> I can't reproduce this issue locally using the testcase and build from comment 0.

I am a bit puzzled if we still have an issue here, but it seems that

1 failures in 3288 pushes (0.0 failures/push) were associated with this bug in the last 7 days.
https://treeherder.mozilla.org/intermittent-failures/bugdetails?bug=1840184&startday=2023-11-06&endday=2023-11-12&tree=all

does not contain the changes from bug 1825552 and also the revision from the last failure on beta.

I assume that means we will see this disappear entirely very soon.

Flags: needinfo?(twsmith)

Fuzzing m-c 20231009-6404412771ea was the last build where we received a flood of reports. We have seen 3 since and they are not reproducible so I'm guessing those are a different issue.

Flags: needinfo?(twsmith)

The originally reported assertion seems to still happen rarely. Frequency is low, but maybe worth a second look.

Flags: needinfo?(jjalkanen)
Assignee: nobody → jjalkanen
Flags: needinfo?(jjalkanen)

The debug-only AllWritableFileStreamsClosed check obtains a non-owned pointer to WritableFileStream.
The check expects some pointers to already be null and ignores them, but the mutable getter of the pointer asserts that the returned value is not null, which sometimes leads to intermittent failures.
Asserting that the non-owner pointer is not null is, however, important for verifying the correct state of the CloseAllWritablesImpl.
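
A minimal model of the mismatch described in the comment above, added here as an illustration and not taken from the Gecko source or the landed patch: an asserting getter is right for callers that need a live stream, while a shutdown check that tolerates detached children has to read the pointer without asserting. All names (`StreamChild`, `MaybeStreamPtr`, `CountDetached`, `AllStreamsClosed`) are hypothetical.

```cpp
// Added illustration with hypothetical names; not Gecko source.
#include <cassert>
#include <cstddef>
#include <vector>

struct Stream { bool closed = false; };
// Stand-in for a child actor holding a non-owning stream pointer that is
// cleared once the stream has gone away.
class StreamChild {
 public:
  explicit StreamChild(Stream* aStream) : mStream(aStream) {}
  void Detach() { mStream = nullptr; }

  // Asserting getter: correct for callers that require a live stream.
  Stream* MutableStreamPtr() const {
    assert(mStream);
    return mStream;
  }
  // Plain accessor for callers that legitimately expect null.
  Stream* MaybeStreamPtr() const { return mStream; }

 private:
  Stream* mStream;  // non-owning
};

// Number of children on which MutableStreamPtr() would assert right now.
std::size_t CountDetached(const std::vector<StreamChild>& aChildren) {
  std::size_t n = 0;
  for (const auto& child : aChildren) n += child.MaybeStreamPtr() ? 0 : 1;
  return n;
}

// Shutdown check that skips detached children. Routing this loop through
// MutableStreamPtr() would abort a debug build whenever CountDetached() > 0.
bool AllStreamsClosed(const std::vector<StreamChild>& aChildren) {
  for (const auto& child : aChildren) {
    const Stream* stream = child.MaybeStreamPtr();
    if (stream && !stream->closed) return false;
  }
  return true;
}

int main() {
  Stream a;  // constructed sample state
  std::vector<StreamChild> children{StreamChild(&a)};
  children[0].Detach();  // detached before the check runs
  return AllStreamsClosed(children) && CountDetached(children) == 1 ? 0 : 1;
}
```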

Attachment #9382316 - Attachment description: Bug 1840184 - Add method for FileSystemWritableFileStreamChild shutdown correctness check. r=#dom-storage → Bug 1840184 - Move FileSystemWritableFileStreamChild shutdown check from getter to site of usage. r=#dom-storage
Attachment #9382316 - Attachment description: Bug 1840184 - Move FileSystemWritableFileStreamChild shutdown check from getter to site of usage. r=#dom-storage → Bug 1840184 - Remove redundant FileSystemWritableFileStreamChild shutdown check. r=#dom-storage
Pushed by jjalkanen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e15f4500542b Remove redundant FileSystemWritableFileStreamChild shutdown check. r=dom-storage-reviewers,janv
Status: NEW → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED
Target Milestone: --- → 125 Branch