Closed Bug 1844619 Opened 1 year ago Closed 1 year ago

Assertion failure: usage == removedUsage, at /dom/fs/parent/datamodel/FileSystemDatabaseManagerVersion001.cpp:810

Categories

(Core :: DOM: File, defect, P3)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
120 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox-esr115 --- unaffected
firefox115 --- unaffected
firefox116 --- wontfix
firefox117 --- wontfix
firefox118 --- wontfix
firefox119 --- wontfix
firefox120 --- verified

People

(Reporter: jkratzer, Assigned: jjalkanen)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev e73cc92e62db (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

    $ pip install fuzzfetch grizzly-framework
    $ python -m fuzzfetch --build e73cc92e62db --debug --fuzzing -n firefox
    $ python -m grizzly.replay ./firefox/firefox testcase.zip

Assertion failure: usage == removedUsage, at /dom/fs/parent/datamodel/FileSystemDatabaseManagerVersion001.cpp:810

    ==2292478==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd72a11909a bp 0x7fd710075fa0 sp 0x7fd710075df0 T2292540)
    ==2292478==The signal is caused by a WRITE memory access.
    ==2292478==Hint: address points to the zero page.
        #0 0x7fd72a11909a in mozilla::dom::fs::data::FileSystemDatabaseManagerVersion001::RemoveDirectory(mozilla::dom::fs::FileSystemChildMetadata const&, bool) /dom/fs/parent/datamodel/FileSystemDatabaseManagerVersion001.cpp:809:3
        #1 0x7fd72a1204e5 in mozilla::dom::fs::data::FileSystemDatabaseManagerVersion001::ClearDestinationIfNotLocked(nsCOMPtr<mozIStorageConnection> const&, mozilla::dom::fs::data::FileSystemDataManager const*, mozilla::dom::fs::FileSystemEntryMetadata const&, mozilla::dom::fs::FileSystemChildMetadata const&) /dom/fs/parent/datamodel/FileSystemDatabaseManagerVersion001.cpp:1276:7
        #2 0x7fd72a11c5de in mozilla::dom::fs::data::FileSystemDatabaseManagerVersion001::PrepareMoveEntry(nsCOMPtr<mozIStorageConnection> const&, mozilla::dom::fs::data::FileSystemDataManager const*, mozilla::dom::fs::FileSystemEntryMetadata const&, mozilla::dom::fs::FileSystemChildMetadata const&, bool) /dom/fs/parent/datamodel/FileSystemDatabaseManagerVersion001.cpp:1330:3
        #3 0x7fd72a126864 in mozilla::dom::fs::data::FileSystemDatabaseManagerVersion002::MoveEntry(mozilla::dom::fs::FileSystemEntryMetadata const&, mozilla::dom::fs::FileSystemChildMetadata const&) /dom/fs/parent/datamodel/FileSystemDatabaseManagerVersion002.cpp:538:3
        #4 0x7fd72a0f3c26 in mozilla::dom::FileSystemManagerParent::RecvMoveEntry(mozilla::dom::fs::FileSystemMoveEntryRequest&&, std::function<void (mozilla::dom::fs::FileSystemMoveEntryResponse const&)>&&) /dom/fs/parent/FileSystemManagerParent.cpp:445:3
        #5 0x7fd72a151da9 in mozilla::dom::PFileSystemManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PFileSystemManagerParent.cpp:903:91
        #6 0x7fd7272903bf in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1811:25
        #7 0x7fd72728d112 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /ipc/glue/MessageChannel.cpp:1736:9
        #8 0x7fd72728dd92 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1536:3
        #9 0x7fd72728eedf in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1634:14
        #10 0x7fd7265c681b in mozilla::TaskQueue::Runner::Run() /xpcom/threads/TaskQueue.cpp:257:20
        #11 0x7fd7265f0845 in nsThreadPool::Run() /xpcom/threads/nsThreadPool.cpp:343:14
        #12 0x7fd7265e6ded in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1193:16
        #13 0x7fd7265edafd in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #14 0x7fd7272974be in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:300:20
        #15 0x7fd7271b11f1 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #16 0x7fd7271b11f1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #17 0x7fd7265e2476 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:391:10
        #18 0x7fd739cc89ef in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #19 0x7fd73a569b42 in start_thread nptl/pthread_create.c:442:8
        #20 0x7fd73a5fb9ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/fs/parent/datamodel/FileSystemDatabaseManagerVersion001.cpp:809:3 in mozilla::dom::fs::data::FileSystemDatabaseManagerVersion001::RemoveDirectory(mozilla::dom::fs::FileSystemChildMetadata const&, bool)
    ==2292478==ABORTING
Attached file Testcase

Verified bug as reproducible on mozilla-central 20230720211923-0bc898fe0764.
The bug appears to have been introduced in the following build range:

Start: be6843e3475a7f536156aba03a849fe701932b0c (20230628154748)
End: 0df511b69760b69959818e34e07aa74a0ad7061a (20230628173448)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=be6843e3475a7f536156aba03a849fe701932b0c&tochange=0df511b69760b69959818e34e07aa74a0ad7061a

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Component: DOM: Core & HTML → DOM: File

This bug has been marked as a regression. Setting status flag for Nightly to affected.

:jjalkanen, since you are the author of the regressor, bug 1824305, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(jjalkanen)
Assignee: nobody → jjalkanen
Severity: -- → S3
Status: NEW → ASSIGNED
Flags: needinfo?(jjalkanen)
Priority: -- → P3

The assert is no longer correct in the presence of temporary files for writables.

See Also: → 1847619
See Also: → 1847989

Just to note: this assertion failure has been observed when testing https://phabricator.services.mozilla.com/D185965 with a debug build.

Whiteboard: [bugmon:bisected,confirmed] → [bugmon:confirm]

Verified bug as reproducible on mozilla-central 20230830141844-c4e74daae186.
The bug appears to have been introduced in the following build range:

Start: be6843e3475a7f536156aba03a849fe701932b0c (20230628154748)
End: 0df511b69760b69959818e34e07aa74a0ad7061a (20230628173448)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=be6843e3475a7f536156aba03a849fe701932b0c&tochange=0df511b69760b69959818e34e07aa74a0ad7061a

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:confirm]

Verified bug as reproducible on mozilla-central 20230925160932-042e4bc9aa5a.
The bug appears to have been introduced in the following build range:

Start: be6843e3475a7f536156aba03a849fe701932b0c (20230628154748)
End: 0df511b69760b69959818e34e07aa74a0ad7061a (20230628173448)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=be6843e3475a7f536156aba03a849fe701932b0c&tochange=0df511b69760b69959818e34e07aa74a0ad7061a

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Comment on attachment 9355119 [details]
Bug 1844619 - Update assert to account for OPFS temporary files. r=#dom-storage

Revision D188461 was moved to bug 1844617. Setting attachment 9355119 [details] to obsolete.

Attachment #9355119 - Attachment is obsolete: true
Attachment #9355119 - Attachment description: WIP: Bug 1844619 - Reproduce fuzzing finding. r=#dom-storage → Bug 1844619 - Update assert to account for OPFS temporary files. r=#dom-storage
Attachment #9355119 - Attachment is obsolete: false

Pushed by jjalkanen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/18f530b95644
Update assert to account for OPFS temporary files. r=dom-storage-reviewers,janv

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 120 Branch

Since nightly and release are affected, beta will likely be affected too.

Verified bug as fixed on rev mozilla-central 20231004155628-c559095402a2.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

The patch landed in nightly and beta is affected.
:jjalkanen, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox119 to wontfix.


Flags: needinfo?(jjalkanen)
Flags: needinfo?(jjalkanen)