Open
Bug 1869452
Opened 7 months ago
Updated 7 months ago
Assertion failure: IsOnWorkerThread(), at /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:5820
Categories
(Core :: Storage: Quota Manager, defect, P3)
Core
Storage: Quota Manager
Tracking
()
ASSIGNED
| Tracking | Status | |
|---|---|---|
| firefox122 | --- | affected |
People
(Reporter: tsmith, Assigned: asuth)
References
(Blocks 1 open bug)
Details
(4 keywords, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(1 file)
|
750 bytes,
text/html
|
Details |
Found while fuzzing m-c 20231124-8a861d9d1b4a (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: IsOnWorkerThread(), at /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:5820
#0 0x7f1ee720a01c in AssertIsOnWorkerThread /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:5820:3
#1 0x7f1ee720a01c in mozilla::dom::WorkerPrivate::AssertIsOnParentThread() const /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:2211:18
#2 0x7f1ee7227485 in mozilla::dom::WorkerRunnable::PreDispatch(mozilla::dom::WorkerPrivate*) /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:85:23
#3 0x7f1ee7207b93 in mozilla::dom::WorkerRunnable::Dispatch() /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:96:13
#4 0x7f1ee6ae038f in Finish /builds/worker/checkouts/gecko/dom/quota/StorageManager.cpp:572:9
#5 0x7f1ee6ae038f in mozilla::dom::(anonymous namespace)::RequestResolver::OnComplete(nsIQuotaRequest*) /builds/worker/checkouts/gecko/dom/quota/StorageManager.cpp:587:17
#6 0x7f1ee6ab3d53 in FireCallback /builds/worker/checkouts/gecko/dom/quota/QuotaRequests.cpp:281:16
#7 0x7f1ee6ab3d53 in mozilla::dom::quota::Request::SetResult(nsIVariant*) /builds/worker/checkouts/gecko/dom/quota/QuotaRequests.cpp:235:3
#8 0x7f1ee6a2444e in mozilla::dom::quota::QuotaRequestChild::HandleResponse(mozilla::dom::quota::EstimateResponse const&) /builds/worker/checkouts/gecko/dom/quota/ActorsChild.cpp:292:13
#9 0x7f1ee6a24b0d in mozilla::dom::quota::QuotaRequestChild::Recv__delete__(mozilla::dom::quota::RequestResponse const&) /builds/worker/checkouts/gecko/dom/quota/ActorsChild.cpp:379:7
#10 0x7f1ee6ade032 in mozilla::dom::quota::PQuotaRequestChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PQuotaRequestChild.cpp:135:52
#11 0x7f1ee2f06551 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:5589:32
#12 0x7f1ee2e99c2f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1813:25
#13 0x7f1ee2e96982 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1732:9
#14 0x7f1ee2e97602 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
#15 0x7f1ee2e9874f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
#16 0x7f1ee21b12d7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:549:16
#17 0x7f1ee21a6ee3 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:876:26
#18 0x7f1ee21a56d7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:699:15
#19 0x7f1ee21a5b55 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:485:36
#20 0x7f1ee21b52b9 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:214:37
#21 0x7f1ee21b52b9 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#22 0x7f1ee21ca332 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#23 0x7f1ee21d145d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#24 0x7f1ee2e9fb43 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
#25 0x7f1ee2db96d1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#26 0x7f1ee2db96d1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#27 0x7f1ee77b04e8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#28 0x7f1ee786d0e8 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#29 0x7f1ee988488b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:721:20
#30 0x7f1ee2ea0a76 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#31 0x7f1ee2db96d1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#32 0x7f1ee2db96d1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#33 0x7f1ee98840f2 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:34
#34 0x563e1f828276 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#35 0x563e1f828276 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#36 0x7f1ef6829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#37 0x7f1ef6829e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#38 0x563e1f7fdfa8 in _start (/home/user/workspace/browsers/m-c-20231211210255-fuzzing-debug/firefox-bin+0x58fa8) (BuildId: 56fe865149bdb5b598f3cbb7b5287f4d38ad6b2a)
Flags: in-testsuite?
|
||
Comment 1•7 months ago
|
||
Verified bug as reproducible on mozilla-central 20231212043749-dab6b48a2a59.
Unable to bisect testcase (Testcase reproduces on start build!):
Start: bd78e2e5b1fe852424cf7c035580e44de70ac135 (20221213041109)
End: 8a861d9d1b4ac77e60a57489951253f8bec1a65e (20231124214933)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)
Whiteboard: [bugmon:bisected,confirmed]
|
||
Updated•7 months ago
|
Severity: -- → S2
Component: DOM: Workers → Storage: Quota Manager
Priority: -- → P3
|
|
||
Updated•7 months ago
|
Severity: S2 → S3
|
Assignee | |
Updated•7 months ago
|
Assignee: nobody → bugmail
Status: NEW → ASSIGNED
|
|
Assignee | |
Updated•7 months ago
|
Keywords: pernosco-wanted
|
|
||
Comment 2•7 months ago
|
||
Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.
Keywords: pernosco-wanted → pernosco
|
|
Assignee | |
Comment 5•7 months ago
|
||
Thanks for the pernosco trace and for the minimized test case!
This is a nested worker "the invariant is a lie" issue; the estimate runnable goes to the main thread and on the bounce back to the nested worker we're doing our normal WorkerRunnable invariant assertion that dispatches to the nested worker should come from the parent.
In practice, the lifecycle should generally be fine because of the PromiseWorkerProxy which holds a StrongWorkerRef. This test case does not involve the worker attempting to shutdown at all.
There's 2 ways to address this:
- Stop going to the main thread at all for StorageManager checks for workers.
- Refactorings related to eliminating the special WorkerRunnable behaviors; the end state of this is just ensuring the ThreadSafeWorkerRef is the only way to dispatch a runnable like this.
This is probably a month out at least unless this escalates to fuzzblocker.
You need to log in
before you can comment on or make changes to this bug.
Description
•