Open Bug 1955345 Opened 1 year ago Updated 1 year ago

Assertion failure: usage == removedUsage, at /dom/fs/parent/datamodel/FileSystemDatabaseManagerVersion001.cpp:925

Categories

(Core :: Storage: Bucket File System, defect)

x86_64
Linux
defect

People

(Reporter: jkratzer, Unassigned, NeedInfo)

References

(Blocks 1 open bug)

Details

(Keywords: bugmon, pernosco, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Testcase found while fuzzing mozilla-central rev dae63a4237a9 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build dae63a4237a9 --debug --fuzzing  -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: usage == removedUsage, at /dom/fs/parent/datamodel/FileSystemDatabaseManagerVersion001.cpp:925

    ==470513==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x71150c6f709a bp 0x7114f46e92e0 sp 0x7114f46e91a0 T470934)
    ==470513==The signal is caused by a WRITE memory access.
    ==470513==Hint: address points to the zero page.
        #0 0x71150c6f709a in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:267:3
        #1 0x71150c6f709a in mozilla::dom::fs::data::FileSystemDatabaseManagerVersion001::RemoveFile(mozilla::dom::fs::FileSystemChildMetadata const&) /dom/fs/parent/datamodel/FileSystemDatabaseManagerVersion001.cpp:924:3
        #2 0x71150c6d69f9 in mozilla::dom::FileSystemManagerParent::RecvRemoveEntry(mozilla::dom::fs::FileSystemRemoveEntryRequest&&, std::function<void (mozilla::dom::fs::FileSystemRemoveEntryResponse const&)>&&) /dom/fs/parent/FileSystemManagerParent.cpp:408:3
        #3 0x71150c7266aa in mozilla::dom::PFileSystemManagerParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PFileSystemManagerParent.cpp:858:91
        #4 0x71150962ec29 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1789:25
        #5 0x71150962be22 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /ipc/glue/MessageChannel.cpp:1716:9
        #6 0x71150962ca00 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1507:3
        #7 0x71150962db09 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1607:14
        #8 0x711508ab1594 in mozilla::TaskQueue::Runner::Run() /xpcom/threads/TaskQueue.cpp:260:20
        #9 0x711508ad7ade in nsThreadPool::Run() /xpcom/threads/nsThreadPool.cpp:456:14
        #10 0x711508aceb6a in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1153:16
        #11 0x711508ad4fcf in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #12 0x7115096350e8 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:299:20
        #13 0x71150958ed91 in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #14 0x71150958ed91 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #15 0x711508aca487 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:366:10
        #16 0x71151d3e89df in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:191:3
        #17 0x71151d4a2aa3 in start_thread nptl/pthread_create.c:447:8
        #18 0x71151d52fc3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
    
    ==470513==Register values:
    rax = 0x0000000000000000  rbx = 0xaaaaaaaaaaaaaaaa  rcx = 0x000000000000039d  rdx = 0x000071151d60a563  
    rdi = 0x000071151d60b700  rsi = 0x0000000000000000  rbp = 0x00007114f46e92e0  rsp = 0x00007114f46e91a0  
     r8 = 0x0000000000000000   r9 = 0x0000000000000003  r10 = 0x0000000000000000  r11 = 0x0000000000000293  
    r12 = 0x00007114f46e91f0  r13 = 0x00007114f46e9330  r14 = 0x000071150576fd30  r15 = 0x0000711468035190  
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:267:3 in MOZ_CrashSequence
    ==470513==ABORTING
Attached file Testcase

Verified bug as reproducible on mozilla-central 20250320093350-dae63a4237a9.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: ed7ada93d4ad18f5c9f613bf5ce8d5f89bdaa140 (20240321093138)
End: dae63a4237a9fdb38afbfe73a882b1a01c46ef57 (20250320093350)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False, searchfox=False, afl=False)

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Jan, do you know more about this?

Flags: needinfo?(jan.varga)

I was reviewing some related fixes but I think Jari knows more about this.

Flags: needinfo?(jan.varga) → needinfo?(jjalkanen)
Component: DOM: Core & HTML → Storage: Bucket File System
Severity: -- → S3
Flags: needinfo?(jjalkanen)
Keywords: pernosco-wanted
Flags: needinfo?(jjalkanen)

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

A pernosco session for this bug can be found here.
