1888006 - Crash in [@ mozilla::CrashOnDanglingCheckedUnsafePtr::NotifyCheckFailure]

Status: RESOLVED FIXED

(Core :: Storage: IndexedDB, defect, P2)

Description

[Andrew McCreight [:mccr8]]

Crash report: https://crash-stats.mozilla.org/report/index/159eca64-a51c-4c03-a19b-a30f90240326

MOZ_CRASH Reason: MOZ_CRASH(Found dangling CheckedUnsafePtr)

Top 10 frames of crashing thread:

0  libxul.so  mozilla::CrashOnDanglingCheckedUnsafePtr::NotifyCheckFailure  dom/quota/CheckedUnsafePtr.h:419
0  libxul.so  mozilla::CheckingPolicyAccess::NotifyCheckFailure<mozilla::CrashOnDanglingCheckedUnsafePtr>  dom/quota/CheckedUnsafePtr.h:387
0  libxul.so  mozilla::CheckCheckedUnsafePtrs<mozilla::CrashOnDanglingCheckedUnsafePtr>::Check  dom/quota/CheckedUnsafePtr.h:411
0  libxul.so  mozilla::detail::SupportCheckedUnsafePtrImpl<mozilla::CrashOnDanglingCheckedUnsafePtr,   dom/quota/CheckedUnsafePtr.h:459
1  libxul.so  mozilla::dom::indexedDB::  dom/indexedDB/ActorsParent.cpp:3150
2  libxul.so  mozilla::dom::indexedDB::  dom/indexedDB/ActorsParent.cpp:3399
3  libxul.so  mozilla::Runnable::Release  xpcom/threads/nsThreadUtils.cpp:66
3  libxul.so  mozilla::dom::indexedDB::  dom/indexedDB/ActorsParent.cpp:14610
4  libxul.so  mozilla::RefPtrTraits<mozilla::dom::indexedDB::  mfbt/RefPtr.h:49
4  libxul.so  RefPtr<mozilla::dom::indexedDB::  mfbt/RefPtr.h:409

It looks like a bunch of these crashes started showing up on Nightly, with the 20240325214523 build.

Comment 1

[Andrew McCreight [:mccr8]]

[Tracking Requested - why for this release]:

Here are the changesets for that build. I see bug 1878146 and bug 934640 in that range that look potentially related.

Comment 2

[Jan Varga [:janv]]

Yeah, let me do more investigation...
I don't think it has something to do with bug 1878146.

Comment 3

[Jan Varga [:janv]]

Attachment: Bug 1888006 - Allow Maintenance::WaitForCompletion to be called multiple times; r=#dom-storage

Comment 4

[Jan Varga [:janv]]

Attachment: Bug 1888006 - Add a new test for idle daily maintenance and IDBFactory.databases() interaction; r=#dom-storage

Comment 5

[Pulsebot]

Pushed by jvarga@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/21e0b0f2578b
Allow Maintenance::WaitForCompletion to be called multiple times; r=dom-storage-reviewers,asuth

Comment 6

[BugBot [:suhaib / :marco/ :calixte]]

The bug is marked as tracked for firefox126 (nightly). However, the bug still has low severity.

:jstutte, could you please increase the severity for this tracked bug? If you disagree with the tracking decision, please talk with the release managers.

For more information, please visit BugBot documentation.

Comment 7

[Jens Stutte [:jstutte]]

IIUC the patch that is landing in comment 5 is already meant to address the problem, so in fact we are in a good shape here.

I also wonder if tracking alone is a sufficient reason for S2, actually. It might be a just hint that this is likely to become S2 if it hits release.

Comment 8

[Cosmin Sabou [:CosminS]]

https://hg.mozilla.org/mozilla-central/rev/21e0b0f2578b

Comment 9

[Jan Varga [:janv]]

There will be one more fix.

Comment 10

[Jan Varga [:janv]]

Attachment: Bug 1888006 - Allow one single factory operation to block multiple factory operations; r=#dom-storage

Comment 11

[Jan Varga [:janv]]

Attachment: Bug 1888006 - Add a new test for IDBFactory.open and IDBFactory.databases() interaction; r=#dom-storage

Comment 12

[BugBot [:suhaib / :marco/ :calixte]]

The bug is linked to a topcrash signature, which matches the following criterion:

• Top 10 desktop browser crashes on nightly

:janv, could you consider increasing the severity of this top-crash bug?

For more information, please visit BugBot documentation.

Comment 13

[Pulsebot]

Pushed by jvarga@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/57354c5689ef
Allow one single factory operation to block multiple factory operations; r=dom-storage-reviewers,asuth

Comment 14

[Cristina Horotan [:chorotan]]

https://hg.mozilla.org/mozilla-central/rev/57354c5689ef

Comment 15

[Pulsebot]

Pushed by jvarga@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/32f2a287ca42
Add a new test for IDBFactory.open and IDBFactory.databases() interaction; r=dom-storage-reviewers,asuth

Comment 16

[Jan Varga [:janv]]

It seems web platforms tests for indexedDB.databases don't cover the case when indexedDB.databases and multiple open or delete operations are requested at the same time. Fortunately, based on the crash reports, especially the CheckedUnsafePtr, we were quickly able to identify the issue. Two fixes and one new test already landed. One more test is about to land (for the interaction with database maintenance). I'm keeping the bug open, until we see that the number of crashes is zero in recent nightly builds.

Comment 17

[Iulian Moraru]

https://hg.mozilla.org/mozilla-central/rev/32f2a287ca42

Comment 18

[Jan Varga [:janv]]

There have been no crashes related to the signature after the second fix, so I'll just fix the remaining test to work on Android and that should be it.

Comment 19

[Jens Stutte [:jstutte]]

(In reply to Jan Varga [:janv] from comment #18)

There have been no crashes related to the signature after the second fix, so I'll just fix the remaining test to work on Android and that should be it.

Please move the test or any other remaining work to a new bug, as this is a tracked bug we should close it as early as we can.

Comment 20

[Phabricator Automation]

Comment on attachment 9393488 [details]
Bug 1888006 - Add a new test for idle daily maintenance and IDBFactory.databases() interaction; r=#dom-storage

Revision D205830 was moved to bug 1890283. Setting attachment 9393488 [details] to obsolete.