Closed Bug 1856089 Opened 9 months ago Closed 9 months ago

Assertion failure: mWorkerPromise, at /builds/worker/checkouts/gecko/dom/promise/Promise.cpp:890

Categories

(Core :: Storage: Quota Manager, defect, P2)

Product:
Core
Component:
Storage: Quota Manager
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
120 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox118 --- wontfix
firefox119 --- fixed
firefox120 --- fixed

People

(Reporter: tsmith, Assigned: jstutte)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, pernosco, Whiteboard: [fuzzblocker])

Crash Data

Attachments

(1 file)

Bug 1856089 - Harden RequestResolver::ResolveOrReject against a race with WorkerRef::Notify. r?#dom-storage-reviewers
48 bytes, text/x-phabricator-request
dmeehan
: approval-mozilla-beta+
Details | Review

Found while fuzzing m-c 20230730-ce5b2b0d4bc0 (--enable-debug --enable-fuzzing)

This issue is inconsistently reproducible and therefore a reduced test case is not available.
A Pernosco session is available here: https://pernos.co/debug/UB3cJbtzHtw94yan2IQspw/index.html

This issue is frequently reported by fuzzer, marking as fuzzblocker.

Assertion failure: mWorkerPromise, at /builds/worker/checkouts/gecko/dom/promise/Promise.cpp:890

#0 0x7efd7b4dcdc4 in mozilla::dom::PromiseWorkerProxy::WorkerPromise() const /builds/worker/checkouts/gecko/dom/promise/Promise.cpp:890:3
#1 0x7efd7ad127c4 in mozilla::dom::(anonymous namespace)::RequestResolver::ResolveOrReject() /builds/worker/checkouts/gecko/dom/quota/StorageManager.cpp:430:23
#2 0x7efd7ad12cfc in mozilla::dom::(anonymous namespace)::RequestResolver::FinishWorkerRunnable::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) /builds/worker/checkouts/gecko/dom/quota/StorageManager.cpp:596:14
#3 0x7efd7b454ed7 in mozilla::dom::WorkerRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:372:12
#4 0x7efd763c8aed in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1193:16
#5 0x7efd763cf7fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#6 0x7efd7b4420be in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3408:7
#7 0x7efd7b4262f3 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:2112:42
#8 0x7efd763c8aed in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1193:16
#9 0x7efd763cf7fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#10 0x7efd7707841e in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
#11 0x7efd76f92151 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#12 0x7efd76f92151 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#13 0x7efd763c4176 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391:10
#14 0x7efd89b249ef in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#15 0x7efd8a3cdb42 in start_thread nptl/pthread_create.c:442:8
#16 0x7efd8a45ebb3 in __clone misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:100

This is also reported by fuzzers as:

==6826==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7fd101fd466d bp 0x7fd0da4e2550 sp 0x7fd0da4e2340 T75)
==6826==The signal is caused by a READ memory access.
==6826==Hint: address points to the zero page.
    #0 0x7fd101fd466d in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:325:27
    #1 0x7fd101fd466d in operator nsIGlobalObject * /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:338:12
    #2 0x7fd101fd466d in MaybeSomething<mozilla::dom::StorageEstimate &> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Promise.h:426:25
    #3 0x7fd101fd466d in void mozilla::dom::Promise::MaybeResolve<mozilla::dom::StorageEstimate&>(mozilla::dom::StorageEstimate&) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Promise.h:94:5
    #4 0x7fd101fd4354 in mozilla::dom::(anonymous namespace)::RequestResolver::ResolveOrReject() /gecko/dom/quota/StorageManager.cpp:440:16
    #5 0x7fd101fd4ddf in mozilla::dom::(anonymous namespace)::RequestResolver::FinishWorkerRunnable::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) /gecko/dom/quota/StorageManager.cpp:596:14
    #6 0x7fd102f49a78 in mozilla::dom::WorkerRunnable::Run() /gecko/dom/workers/WorkerRunnable.cpp:372:12
    #7 0x7fd0f8a926ef in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1192:16
    #8 0x7fd0f8a9ff9a in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    #9 0x7fd102f28a4b in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /gecko/dom/workers/WorkerPrivate.cpp:3413:7
    #10 0x7fd102ef19b9 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /gecko/dom/workers/RuntimeService.cpp:2114:42
    #11 0x7fd0f8a926ef in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1192:16
    #12 0x7fd0f8a9ff9a in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    #13 0x7fd0fa6a9481 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:300:20
    #14 0x7fd0fa4d273a in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #15 0x7fd0fa4d273a in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #16 0x7fd0fa4d273a in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #17 0x7fd0f8a89870 in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:370:10
    #18 0x7fd11f8eb10f in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #19 0x55901371868a in asan_thread_start(void*) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:225:31
    #20 0x7fd120071b42 in start_thread nptl/pthread_create.c:442:8
    #21 0x7fd120102bb3 in __clone misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:100

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:325:27 in get
Thread T75 created by T0 (Isolated Web Co) here:
    #0 0x559013701e2d in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:237:3
    #1 0x7fd11f8d9834 in _PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7fd11f8c742e in PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7fd0f8a8d309 in nsThread::Init(nsTSubstring<char> const&) /gecko/xpcom/threads/nsThread.cpp:619:20
    #4 0x7fd102f5cbea in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /gecko/dom/workers/WorkerThread.cpp:101:7
    #5 0x7fd102ec0bd7 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /gecko/dom/workers/RuntimeService.cpp:1313:37
    #6 0x7fd102ebf463 in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /gecko/dom/workers/RuntimeService.cpp:1195:19
    #7 0x7fd102f206bd in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, mozilla::dom::RequestCredentials, mozilla::dom::WorkerType, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>, std::function<void (bool)>&&, std::function<void ()>&&) /gecko/dom/workers/WorkerPrivate.cpp:2692:24
    #8 0x7fd102ede677 in mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /gecko/dom/workers/Worker.cpp:50:41
    #9 0x7fd0fe580018 in mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/./WorkerBinding.cpp:1158:52
    #10 0x7fd109a53c71 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:486:13
    #11 0x7fd109a53c71 in CallJSNativeConstructor /gecko/js/src/vm/Interpreter.cpp:502:8
    #12 0x7fd109a53c71 in InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:727:10
    #13 0x7fd109a755b8 in ConstructFromStack /gecko/js/src/vm/Interpreter.cpp:755:10
    #14 0x7fd109a755b8 in js::Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3381:16
    #15 0x7fd109a4f835 in MaybeEnterInterpreterTrampoline /gecko/js/src/vm/Interpreter.cpp:400:10
    #16 0x7fd109a4f835 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:458:13
    #17 0x7fd109a50c1e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:612:13
    #18 0x7fd109a52ba6 in InternalCall /gecko/js/src/vm/Interpreter.cpp:647:10
    #19 0x7fd109a52ba6 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:679:8
    #20 0x7fd109baeebb in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/CallAndConstruct.cpp:119:10
    #21 0x7fd0fe9cb09f in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/./EventListenerBinding.cpp:62:8
    #22 0x7fd0ffd93c20 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
    #23 0x7fd0ffd92e5f in mozilla::EventListenerManager::HandleEventSingleListener(mozilla::EventListenerManager::Listener*, nsAtom*, mozilla::WidgetEvent*, mozilla::dom::Event*, mozilla::dom::EventTarget*, bool) /gecko/dom/events/EventListenerManager.cpp:1342:43
    #24 0x7fd0ffd95b5a in mozilla::EventListenerManager::HandleEventWithListenerArray(mozilla::EventListenerManager::ListenerArray*, nsAtom*, mozilla::EventMessage, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, bool) /gecko/dom/events/EventListenerManager.cpp:1663:12
    #25 0x7fd0ffd945b6 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /gecko/dom/events/EventListenerManager.cpp:1560:35
    #26 0x7fd0ffd77b02 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:363:17
    #27 0x7fd0ffd75028 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:610:18
    #28 0x7fd0ffd7ca59 in mozilla::EventDispatcher::Dispatch(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /gecko/dom/events/EventDispatcher.cpp:1222:11
    #29 0x7fd0ffd85815 in mozilla::EventDispatcher::DispatchDOMEvent(mozilla::dom::EventTarget*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /gecko/dom/events/EventDispatcher.cpp
    #30 0x7fd0fcce3e2b in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /gecko/dom/base/nsINode.cpp:1401:17
    #31 0x7fd0fc3c2f65 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, mozilla::dom::EventTarget*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /gecko/dom/base/nsContentUtils.cpp:4637:29
    #32 0x7fd0fc3c2c14 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, mozilla::dom::EventTarget*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /gecko/dom/base/nsContentUtils.cpp:4603:10
    #33 0x7fd0fc8545d5 in mozilla::dom::Document::DispatchContentLoadedEvents() /gecko/dom/base/Document.cpp:8060:3
    #34 0x7fd0fc982f2b in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18
    #35 0x7fd0fc982f2b in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
    #36 0x7fd0fc982f2b in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
    #37 0x7fd0fc982f2b in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
    #38 0x7fd0fc982f2b in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
    #39 0x7fd0fc982f2b in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
    #40 0x7fd0fc982f2b in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13
    #41 0x7fd0f8a6085a in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:559:16
    #42 0x7fd0f8a4ae58 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:886:26
    #43 0x7fd0f8a47867 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:709:15
    #44 0x7fd0f8a48149 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:495:36
    #45 0x7fd0f8a68331 in operator() /gecko/xpcom/threads/TaskController.cpp:218:37
    #46 0x7fd0f8a68331 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /gecko/xpcom/threads/nsThreadUtils.h:548:5
    #47 0x7fd0f8a92333 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1198:16
    #48 0x7fd0f8a9ff9a in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    #49 0x7fd0fa6a7cce in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
    #50 0x7fd0fa4d273a in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #51 0x7fd0fa4d273a in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #52 0x7fd0fa4d273a in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #53 0x7fd103b5d289 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:148:27
    #54 0x7fd109604cbe in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:721:20
    #55 0x7fd0fa4d273a in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #56 0x7fd0fa4d273a in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #57 0x7fd0fa4d273a in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #58 0x7fd109604263 in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:656:34
    #59 0x55901375c16c in content_process_main /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #60 0x55901375c16c in main /gecko/browser/app/nsBrowserApp.cpp:375:18
    #61 0x7fd120006d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

I added some notes to the pernosco session. It seems that there is a race between sending the results of a QuotaRequest and an ongoing (apparently) independent nsDocShell::Destroy which causes a WorkerRef::Notify to clear mWorkerPromise before the FinishWorkerRunnable is executed.

Flags: needinfo?(jvarga)
Assignee: nobody → jstutte
Status: NEW → ASSIGNED

See the patch.

Flags: needinfo?(jvarga)
Severity: -- → S3
Priority: -- → P2
Pushed by jstutte@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f20181abc275
Harden RequestResolver::ResolveOrReject against a race with WorkerRef::Notify. r=dom-storage-reviewers,asuth

https://hg.mozilla.org/mozilla-central/rev/f20181abc275

Status: ASSIGNED → RESOLVED
Closed: 9 months ago
status-firefox120: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 120 Branch

The patch landed in nightly and beta is affected.
:jstutte, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox119 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(jstutte)

(In reply to Tyson Smith [:tsmith] from comment #1)

This is also reported by fuzzers as:

==6826==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7fd101fd466d bp 0x7fd0da4e2550 sp 0x7fd0da4e2340 T75)
==6826==The signal is caused by a READ memory access.
==6826==Hint: address points to the zero page.
    #0 0x7fd101fd466d in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:325:27
    #1 0x7fd101fd466d in operator nsIGlobalObject * /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:338:12
    #2 0x7fd101fd466d in MaybeSomething<mozilla::dom::StorageEstimate &> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Promise.h:426:25
    #3 0x7fd101fd466d in void mozilla::dom::Promise::MaybeResolve<mozilla::dom::StorageEstimate&>(mozilla::dom::StorageEstimate&) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Promise.h:94:5
    #4 0x7fd101fd4354 in mozilla::dom::(anonymous namespace)::RequestResolver::ResolveOrReject() /gecko/dom/quota/StorageManager.cpp:440:16
    #5 0x7fd101fd4ddf in mozilla::dom::(anonymous namespace)::RequestResolver::FinishWorkerRunnable::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) /gecko/dom/quota/StorageManager.cpp:596:14
    ...

Given that we have crash reports with this stack we probably should uplift this, yeah.

Flags: needinfo?(jstutte)

Comment on attachment 9356567 [details]
Bug 1856089 - Harden RequestResolver::ResolveOrReject against a race with WorkerRef::Notify. r?#dom-storage-reviewers

Beta/Release Uplift Approval Request

  • User impact if declined: Not very frequent nullptr crashes.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Just an extra if for an edge case.
  • String changes made/needed:
  • Is Android affected?: Yes
Attachment #9356567 - Flags: approval-mozilla-beta?

Comment on attachment 9356567 [details]
Bug 1856089 - Harden RequestResolver::ResolveOrReject against a race with WorkerRef::Notify. r?#dom-storage-reviewers

Approved for 119.0b6

Attachment #9356567 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Crash Signature: [@ mozilla::dom::Promise::MaybeSomething<T> | mozilla::dom::Promise::MaybeResolve | mozilla::dom::(anonymous namespace)::RequestResolver::ResolveOrReject]
status-firefox118: --- → wontfix
status-firefox-esr115: --- → unaffected
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: