Crash in TabParent::RecvInvokeDragSession

RESOLVED FIXED in Firefox 42

Status

Core
Drag and Drop
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: mrbkap, Assigned: mrbkap)

Tracking

unspecified
mozilla42

Firefox Tracking Flags

(firefox42 fixed)

Attachments

(1 attachment)

(Assignee)

Description

3 years ago
I don't have good steps to reproduce here or a testcase. I got a parent process crash with this stack:

(gdb) bt
#0  0x00007f073eb7bf3d in nanosleep () at ../sysdeps/unix/syscall-template.S:81
#1  0x00007f073eb7bdd4 in __sleep (seconds=0) at ../sysdeps/unix/sysv/linux/sleep.c:137
#2  0x00007f07317e8ab3 in ah_crap_handler (signum=11)
    at /home/mrbkap/work/tree2/mozilla/toolkit/xre/nsSigHandlers.cpp:103
#3  0x00007f07317cabc8 in nsProfileLock::FatalSignalHandler (signo=11, info=0x7ffc11113c30, 
    context=0x7ffc11113b00)
    at /home/mrbkap/work/tree2/mozilla/toolkit/profile/nsProfileLock.cpp:195
#4  0x00007f073263dd53 in AsmJSFaultHandler (signum=11, info=0x7ffc11113c30, 
    context=0x7ffc11113b00)
    at /home/mrbkap/work/tree2/mozilla/js/src/asmjs/AsmJSSignalHandlers.cpp:1135
#5  <signal handler called>
#6  0x00007f072e84c930 in nsRefPtr<nsPresContext>::get (this=0x10)
    at ../../dist/include/mozilla/nsRefPtr.h:230
#7  0x00007f072e84afee in nsRefPtr<nsPresContext>::operator nsPresContext* (this=0x10)
    at ../../dist/include/mozilla/nsRefPtr.h:243
#8  0x00007f072e84abac in nsIPresShell::GetPresContext (this=0x0)
    at ../../dist/include/nsIPresShell.h:296
#9  0x00007f0730649115 in mozilla::dom::TabParent::RecvInvokeDragSession(nsTArray<mozilla::dom::IPCDataTransfer>&&, unsigned int const&, nsCString const&, unsigned int const&, unsigned int const&, unsigned int const&, unsigned char const&, int const&, int const&) (
    this=0x7f070254d000, 

The line in question is:
3240	  nsPresContext* pc = mFrameElement->OwnerDoc()->GetShell()->GetPresContext();

On IRC, smaug said that nsIDocument::GetShell can definitely return null.
(Assignee)

Comment 1

3 years ago
Created attachment 8641915 [details] [diff] [review]
Patch v1
Attachment #8641915 - Flags: review?(bugs)

Comment 2

3 years ago
Comment on attachment 8641915 [details] [diff] [review]
Patch v1

Actually I think we should then cancel the drag session on child.
So,
if (!shell) {
  Manager()->SendEndDragSession(true, true);
  return true;
}
Attachment #8641915 - Flags: review?(bugs) → review+

Comment 3

3 years ago
Oh, we may have two different managers. So

if (!shell) {
  if (Manager()->IsContentParent()) {
    Manager()->AsContentParent()->SendEndDragSession(true, true);
  }
  return true;
}
https://hg.mozilla.org/mozilla-central/rev/388cee5d9c5d
https://hg.mozilla.org/mozilla-central/rev/12d229711683
Status: NEW → RESOLVED
Last Resolved: 3 years ago
status-firefox42: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
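
Added example (not the patch that landed, and not Gecko's real classes): a reduced C++ model of the handler discussed in this bug, showing the null check on GetShell() and the two manager cases from Comment 3. Every type here is a simplified stand-in; only the method names mirror those quoted in the comments above.

```cpp
// Simplified stand-ins for illustration; these are not Gecko's real classes.
#include <memory>

struct PresContext {};
struct PresShell {
  PresContext pc;
  PresContext* GetPresContext() { return &pc; }
};
struct Document {
  std::unique_ptr<PresShell> shell;              // empty: no pres shell
  PresShell* GetShell() { return shell.get(); }  // may return nullptr
};
struct ContentParent {
  int endDragSent = 0;
  void SendEndDragSession(bool, bool) { ++endDragSent; }
};
struct Manager {  // the manager is not always a ContentParent (Comment 3)
  ContentParent* content = nullptr;
  bool IsContentParent() const { return content != nullptr; }
  ContentParent* AsContentParent() { return content; }
};
struct TabParent {
  Document* doc = nullptr;
  Manager* manager = nullptr;
  bool dragStarted = false;

  // In this model, true means the message was handled, not that a drag started.
  bool RecvInvokeDragSession() {
    PresShell* shell = doc->GetShell();
    if (!shell) {
      // No pres shell: end the child's drag session rather than dereference null.
      if (manager->IsContentParent()) {
        manager->AsContentParent()->SendEndDragSession(true, true);
      }
      return true;
    }
    dragStarted = (shell->GetPresContext() != nullptr);
    return true;
  }
};

int main() {
  Document doc;  // constructed input: a document with no pres shell
  ContentParent cp;
  Manager mgr; mgr.content = &cp;
  TabParent tab; tab.doc = &doc; tab.manager = &mgr;
  tab.RecvInvokeDragSession();
  return (cp.endDragSent == 1 && !tab.dragStarted) ? 0 : 1;
}
```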