Closed Bug 1325919 Opened 7 years ago Closed 7 years ago

Crash in mozilla::dom::TabGroup::EventTargetFor

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
Windows 10
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla53
Tracking Flags:
Tracking Status
firefox51 --- unaffected
firefox52 --- unaffected
firefox53 --- fixed

People

(Reporter: ting, Assigned: billm)

References

Details

(Keywords: crash)

Crash Data

Attachments

(2 files, 1 obsolete file)

patch v2
211 bytes, patch
Details | Diff | Splinter Review
patch v3
1.85 KB, patch
smaug
: review+
Details | Diff | Splinter Review 
This bug was filed from the Socorro interface and is 
report bp-0e240157-0d5f-427a-b7f6-71ef12161225.
=============================================================
Top #11 of Nightly 20161225030206 on Windows, 3 crashes from 3 installations. The first appearance was build 20161225030206, could be from bug 1320753.
Blocks: 1320753
crashers are bad. Either this should get fixed asap or the problematic patches should be backed out.

(I wonder why Bug 1320753 is still open. One shouldn't keep bugs open and land patches from it every now and then. Separate bugs makes managing all the backouts and such easier to follow.)
Flags: needinfo?(wmccloskey)
Attached patch assertion patch (obsolete) — Splinter Review 
This doesn't seem to be happening very often yet (five crashes in three days so far). I'd like to leave the original patch in to try to see what's happening. This patch adds some more assertions.

Right now we null out some fields on the TabGroup when the last window has left (this avoids the need to cycle collect it). The assertion is supposed to check that we never use those fields after that point. So someone is using a TabGroup after the last window tied to that TabGroup has been destroyed.

One possibility is that the TabGroup gets reused (another window enters after the last window left). So I added an assertion to check for that.

Another possibility is that all the windows are really dead. In that case, the only way to get to the TabGroup is via a DocGroup I think. So I added some assertions to see if we're going through a DocGroup to get to the TabGroup. There are also other possibilities that seem less likely (maybe an existing UAF in the code?). Hopefully one of these new assertions will hit and we'll have a better idea of what is happening.
Flags: needinfo?(wmccloskey)
Attachment #8822089 - Flags: review?(bugs)
Comment on attachment 8822089 [details] [diff] [review]
assertion patch

One should be able to "use" TabGroup/DocGroup even after there are no windows left. Otherwise all the users will need to check if there are windows.

Could we have different setup for TabGroup vs DispatcherEventTarget.
For example, could TabGroup always keep DispatcherEventTarget alive using UniquePtr or so, but
DispatcherEventTarget would forward addref/releasing to TabGroup or something.
I'm not atm familiar with DispatcherEventTarget lifetime management.


But sure, we can first add these assertions.
(However I really don't like keeping crashers even in Nightly. It is so effective way to get people out from using Nightlies).

Could you use MOZ_DIAGNOSTIC_ASSERT here, so that we don't accidentally leak the assertions to beta/release. I think Nightly/Aurora is good enough for this diagnostic stuff.
Attachment #8822089 - Flags: review?(bugs) → review+
Attached patch patch v2Splinter Review 
I thought about this some more. Maybe it's not right to forbid people from dispatching after the last window dies. There maybe could still be a document alive (I guess). Anyway, this just dispatches to the main thread directly in that case.

The UniquePtr thing would be hard to implement since mEventTargets[i] may point to either a DispatcherEventTarget or to a ThrottledEventQueue (which then points to a DispatcherEventTarget).
Assignee: nobody → wmccloskey
Attachment #8822089 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #8822278 - Flags: review?(bugs)
Comment on attachment 8822278 [details] [diff] [review]
patch v2

wrong patch, or something pushed to mozreview didn't get to bugzilla the right way.
Flags: needinfo?(wmccloskey)
Attachment #8822278 - Flags: review?(bugs)
Attached patch patch v3Splinter Review 
Flags: needinfo?(wmccloskey)

        Attachment #8822499 -
        Flags: review?(bugs)

        Attachment #8822499 -
        Flags: review?(bugs) → review+

    
    

    
  
Pushed by wmccloskey@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/317cb251b8e2
Allow EventTargetFor to be used after last window has been destroyed (r=smaug)

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/317cb251b8e2
Status: ASSIGNED → RESOLVED
Closed: 7 years ago

          status-firefox53:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla53

    
    

    
  
Are 51 or 52 affected?

          status-firefox51:
          --- → ?

          status-firefox52:
          --- → ?
Component: DOM → DOM: Core & HTML

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: