Closed Bug 1913783 Opened 1 year ago Closed 1 year ago

Assertion failure: mActor, at /dom/localstorage/LSSnapshot.cpp:996

Categories

(Core :: Storage: localStorage & sessionStorage, defect, P2)

x86_64
Linux
defect

Tracking

RESOLVED WORKSFORME

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

6.66 KB, application/octet-stream

Testcase found while fuzzing mozilla-central rev 35292ed5ccd3 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build 35292ed5ccd3 --debug --fuzzing  -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: mActor, at /dom/localstorage/LSSnapshot.cpp:996

    ==99199==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x71da1f19f24e bp 0x7ffe26d6d220 sp 0x7ffe26d6d210 T99199)
    ==99199==The signal is caused by a WRITE memory access.
    ==99199==Hint: address points to the zero page.
        #0 0x71da1f19f24e in mozilla::dom::LSSnapshot::Finish(bool) /dom/localstorage/LSSnapshot.cpp:996:3
        #1 0x71da19f29fbd in operator() /xpcom/threads/nsTimerImpl.cpp:681:36
        #2 0x71da19f29fbd in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:681:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:682:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:309:16
        #3 0x71da19f29fbd in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:678:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:681:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:682:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:318:14
        #4 0x71da19f29fbd in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:677:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:678:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:681:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:682:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:318:14
        #5 0x71da19f29fbd in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:676:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:677:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:678:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:681:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:682:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:318:14
        #6 0x71da19f29fbd in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:676:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:677:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:678:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:681:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:682:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:902:12
        #7 0x71da19f29fbd in match<(lambda at /xpcom/threads/nsTimerImpl.cpp:676:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:677:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:678:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:681:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:682:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:857:12
        #8 0x71da19f29fbd in nsTimerImpl::Fire(int) /xpcom/threads/nsTimerImpl.cpp:675:22
        #9 0x71da19f29168 in nsTimerEvent::Run() /xpcom/threads/TimerThread.cpp:515:11
        #10 0x71da19f1f7c7 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:618:16
        #11 0x71da19f15236 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:945:26
        #12 0x71da19f13c47 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:768:15
        #13 0x71da19f140c5 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:554:36
        #14 0x71da19f23199 in operator() /xpcom/threads/TaskController.cpp:271:37
        #15 0x71da19f23199 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /xpcom/threads/nsThreadUtils.h:548:5
        #16 0x71da19f36b1d in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1204:16
        #17 0x71da19f3d81f in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #18 0x71da1aa9de33 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
        #19 0x71da1a9f5a81 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #20 0x71da1a9f5a81 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #21 0x71da1f2681d8 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #22 0x71da1f321694 in nsAppShell::Run() /widget/gtk/nsAppShell.cpp:469:33
        #23 0x71da201c74cb in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:710:20
        #24 0x71da1aa9ecd6 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #25 0x71da1a9f5a81 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #26 0x71da1a9f5a81 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #27 0x71da201c6d5b in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:645:34
        #28 0x59a25e1f19ce in main /browser/app/nsBrowserApp.cpp:403:22
        #29 0x71da28b3ad8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #30 0x71da28b3ae3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #31 0x59a25e1c7708 in _start (/home/jkratzer/builds/m-c-20240815213144-fuzzing-debug/firefox-bin+0x58708) (BuildId: e87ce1070f28d1261bd96e3cf66c7cdf7a443eba)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/localstorage/LSSnapshot.cpp:996:3 in mozilla::dom::LSSnapshot::Finish(bool)
    ==99199==ABORTING
Attached file Testcase

Verified bug as reproducible on mozilla-central 20240819211600-8caf84e02c27.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 58826b04f826554d81e88a2115ded444ef1cf5f4 (20230822040001)
End: 35292ed5ccd315545be61708ca54ef3a7b95feb1 (20240815213144)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Severity: -- → S3
Priority: -- → P1

The first thing which we can try to do here is to convert the assertion into a check and return.

Priority: P1 → P2
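
The check-and-return suggested in the comment above, as an added C++ illustration that is not Firefox's code: a hypothetical Snapshot whose Finish() can be invoked by a timer after the actor it talks to has been detached (the nsTimerImpl frames in the trace show Finish(bool) being reached from a timer callback). FakeActor, Snapshot, LateTimer and the scenario functions are assumptions constructed for the example. The unchecked variant keeps the assertion, which is debug-only and therefore documents the invariant without protecting a build compiled with NDEBUG; the checked variant turns it into an early return so a late callback becomes a no-op.

```cpp
// Added illustration, not Firefox code: a snapshot whose Finish() is driven by
// a timer can run after the actor it talks to has been detached, leaving
// mActor null.  The unchecked version keeps an assertion (debug-only, like
// MOZ_ASSERT); the checked version converts it into a check and early return.
#include <cassert>
#include <cstdio>

// Hypothetical stand-in for the actor the snapshot sends its final message to.
struct FakeActor {
  int finishCount = 0;
  void SendFinish(bool aSync) {
    (void)aSync;
    ++finishCount;
  }
};

enum class FinishResult { Sent, NoActor };

class Snapshot {
 public:
  explicit Snapshot(FakeActor* aActor) : mActor(aActor) {}

  // Called when the actor goes away; afterwards mActor is null, but a timer
  // armed earlier may still be pending.
  void ActorDestroy() { mActor = nullptr; }

  // Unchecked variant: the assertion fires in debug builds and is compiled out
  // with NDEBUG, so a release build would dereference a null mActor here.
  FinishResult FinishUnchecked(bool aSync) {
    assert(mActor);
    mActor->SendFinish(aSync);
    return FinishResult::Sent;
  }

  // Hardened variant: the assertion becomes a check and return, so a late
  // timer callback is a no-op instead of a crash.
  FinishResult FinishChecked(bool aSync) {
    if (!mActor) {
      return FinishResult::NoActor;
    }
    mActor->SendFinish(aSync);
    return FinishResult::Sent;
  }

  bool HasActor() const { return mActor != nullptr; }

 private:
  FakeActor* mActor;
};

// Minimal model of a timer that holds its callback target and fires it later,
// the role the nsTimerImpl frames play in the stack trace above.
struct LateTimer {
  Snapshot* target;
  FinishResult Fire() { return target->FinishChecked(/*aSync=*/false); }
};

// Scenario 1: the actor is destroyed before the pending timer fires.
FinishResult RunLateTimerScenario() {
  FakeActor actor;
  Snapshot snapshot(&actor);
  LateTimer timer{&snapshot};
  snapshot.ActorDestroy();  // actor gone, timer still pending
  return timer.Fire();      // hardened path returns NoActor
}

// Scenario 2: normal ordering, the actor is alive when the timer fires.
// Returns how many Finish messages the actor received (expected: 1).
int RunNormalScenario() {
  FakeActor actor;
  Snapshot snapshot(&actor);
  LateTimer timer{&snapshot};
  timer.Fire();
  return actor.finishCount;
}

// Scenario 3: the unchecked variant is fine as long as the actor is alive;
// the assertion only documents the ordering it relies on.
FinishResult RunUncheckedWithLiveActor() {
  FakeActor actor;
  Snapshot snapshot(&actor);
  return snapshot.FinishUnchecked(/*aSync=*/true);
}

int main() {
  std::printf("late timer: %s\n",
              RunLateTimerScenario() == FinishResult::NoActor ? "no-op" : "sent");
  std::printf("normal: actor received %d finish message(s)\n", RunNormalScenario());
  std::printf("unchecked with live actor: %s\n",
              RunUncheckedWithLiveActor() == FinishResult::Sent ? "sent" : "no-op");
  return 0;
}
```

The point of the two variants is what each does for a build without assertions: FinishUnchecked relies entirely on callers never letting the timer outlive the actor, while FinishChecked makes the late callback harmless regardless of ordering, which is the cheap first step the comment proposes before the real ordering problem is understood.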

Testcase crashes using the initial build (mozilla-central 20240815213144-35292ed5ccd3) but not with tip (mozilla-central 20241012094524-75d81c21a6ae).

The bug appears to have been fixed in the following build range:

Start: 5a6d4f139a8b138ece7c4f7eeb8d800d669af462 (20241003163113)
End: 8bf9b33334cc18d16279f8238b18473377817597 (20241003114906)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=5a6d4f139a8b138ece7c4f7eeb8d800d669af462&tochange=8bf9b33334cc18d16279f8238b18473377817597

jkratzer, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(jkratzer)
Keywords: bugmon

Maybe a positive side effect of bug 1919555.

I can no longer reproduce this locally and this was only found once by the fuzzers on 2024/08/19. Should we close this :janv?

Flags: needinfo?(jkratzer) → needinfo?(jvarga)

Yeah, let's reopen or file a new bug if the issue appears again.

Status: NEW → RESOLVED
Closed: 1 year ago
Flags: needinfo?(jvarga)
Resolution: --- → WORKSFORME