Closed
Bug 1728611
Opened 3 years ago
Closed 19 days ago
Assertion failure: mSentFinishOrAbort, at /dom/indexedDB/IDBFileHandle.cpp:65
Categories
(Core :: Storage: IndexedDB, defect, P3)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, Whiteboard: [bugmon:confirm] dom-lws-bugdash-triage)
Attachments
(1 file)
|
2.34 KB,
text/plain
|
Details |
Found while fuzzing mozilla-central rev e67bca14d669 (built with: --enable-debug --enable-fuzzing).
Unfortunately I don't have a reliable testcase at the moment but will update this if one becomes available.
Assertion failure: mSentFinishOrAbort, at /dom/indexedDB/IDBFileHandle.cpp:65
==20487==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f588dc24c5a bp 0x7ffff8c99bf0 sp 0x7ffff8c99bd0 T20487)
==20487==The signal is caused by a WRITE memory access.
==20487==Hint: address points to the zero page.
#0 0x7f588dc24c5a in mozilla::dom::IDBFileHandle::~IDBFileHandle() /dom/indexedDB/IDBFileHandle.cpp:65:3
#1 0x7f588dc24e90 in mozilla::dom::IDBFileHandle::~IDBFileHandle() /dom/indexedDB/IDBFileHandle.cpp:61:33
#2 0x7f58899ea228 in SnowWhiteKiller::MaybeKillObject(SnowWhiteKiller::SnowWhiteObject&) /xpcom/base/nsCycleCollector.cpp:2426:29
#3 0x7f58899df346 in SnowWhiteKiller::~SnowWhiteKiller() /xpcom/base/nsCycleCollector.cpp:2413:7
#4 0x7f58899dea9a in nsCycleCollector::FreeSnowWhite(bool) /xpcom/base/nsCycleCollector.cpp:2603:3
#5 0x7f58899e2e32 in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /xpcom/base/nsCycleCollector.cpp:3583:3
#6 0x7f58899e2a09 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /xpcom/base/nsCycleCollector.cpp:3407:9
#7 0x7f58899e27a7 in nsCycleCollector::ShutdownCollect() /xpcom/base/nsCycleCollector.cpp:3350:20
#8 0x7f58899e39d6 in nsCycleCollector::Shutdown(bool) /xpcom/base/nsCycleCollector.cpp:3644:5
#9 0x7f58899e5412 in nsCycleCollector_shutdown(bool) /xpcom/base/nsCycleCollector.cpp:3959:18
#10 0x7f5889b0b3be in mozilla::ShutdownXPCOM(nsIServiceManager*) /xpcom/build/XPCOMInit.cpp:709:3
#11 0x7f588fbb40ac in XRE_TermEmbedding() /toolkit/xre/nsEmbedFunctions.cpp:218:3
#12 0x7f588a41a15e in mozilla::ipc::ScopedXREEmbed::Stop() /ipc/glue/ScopedXREEmbed.cpp:90:5
#13 0x7f588fbb4697 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:753:16
#14 0x5643ef8ccab6 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#15 0x5643ef8ccab6 in main /browser/app/nsBrowserApp.cpp:327:18
#16 0x7f589f9250b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#17 0x5643ef8a98bc in _start (/home/worker/builds/m-c-20210814094200-fuzzing-debug/firefox-bin+0x158bc)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/indexedDB/IDBFileHandle.cpp:65:3 in mozilla::dom::IDBFileHandle::~IDBFileHandle()
==20487==ABORTING
|
Reporter | |
Comment 1•3 years ago
|
||
|
||
Updated•3 years ago
|
Component: DOM: Core & HTML → Storage: IndexedDB
|
|
Reporter | |
Updated•3 years ago
|
|
||
Comment 2•3 years ago
|
||
Hi Jason, were you lucky to find a reliable test case here?
Flags: needinfo?(jkratzer)
|
|
||
Updated•3 years ago
|
Severity: -- → S3
Priority: -- → P3
|
|
Reporter | |
Comment 3•3 years ago
|
||
Jens, sorry for the slow response. Unfortunately I still haven't managed to find a testcase reliable enough to include here. Nor have I been able to get a pernosco session for this issue. However this issue is still occurring regularly. The last crash was found on 2021-10-01.
Flags: needinfo?(jkratzer)
|
|
||
Comment 4•19 days ago
|
||
The IDBFileHandle has gone.
Status: NEW → RESOLVED
Closed: 19 days ago
Resolution: --- → WORKSFORME
Whiteboard: [bugmon:confirm] → [bugmon:confirm] dom-lws-bugdash-triage
You need to log in
before you can comment on or make changes to this bug.
Description
•