Closed Bug 1325919 Opened 8 years ago Closed 8 years ago

Crash in mozilla::dom::TabGroup::EventTargetFor

Categories

(Core :: DOM: Core & HTML, defect)

x86
Windows 10
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla53
Tracking Status
firefox51 --- unaffected
firefox52 --- unaffected
firefox53 --- fixed

People

(Reporter: ting, Assigned: billm)

References

Details

(Keywords: crash)

Crash Data

Attachments

(2 files, 1 obsolete file)

This bug was filed from the Socorro interface and is report bp-0e240157-0d5f-427a-b7f6-71ef12161225. ============================================================= Top #11 of Nightly 20161225030206 on Windows, 3 crashes from 3 installations. The first appearance was build 20161225030206, could be from bug 1320753.
Blocks: 1320753
crashers are bad. Either this should get fixed asap or the problematic patches should be backed out. (I wonder why Bug 1320753 is still open. One shouldn't keep bugs open and land patches from it every now and then. Separate bugs makes managing all the backouts and such easier to follow.)
Flags: needinfo?(wmccloskey)
Attached patch assertion patch (obsolete) — Splinter Review
This doesn't seem to be happening very often yet (five crashes in three days so far). I'd like to leave the original patch in to try to see what's happening. This patch adds some more assertions. Right now we null out some fields on the TabGroup when the last window has left (this avoids the need to cycle collect it). The assertion is supposed to check that we never use those fields after that point. So someone is using a TabGroup after the last window tied to that TabGroup has been destroyed. One possibility is that the TabGroup gets reused (another window enters after the last window left). So I added an assertion to check for that. Another possibility is that all the windows are really dead. In that case, the only way to get to the TabGroup is via a DocGroup I think. So I added some assertions to see if we're going through a DocGroup to get to the TabGroup. There are also other possibilities that seem less likely (maybe an existing UAF in the code?). Hopefully one of these new assertions will hit and we'll have a better idea of what is happening.
Flags: needinfo?(wmccloskey)
Attachment #8822089 - Flags: review?(bugs)
Comment on attachment 8822089 [details] [diff] [review] assertion patch One should be able to "use" TabGroup/DocGroup even after there are no windows left. Otherwise all the users will need to check if there are windows. Could we have different setup for TabGroup vs DispatcherEventTarget. For example, could TabGroup always keep DispatcherEventTarget alive using UniquePtr or so, but DispatcherEventTarget would forward addref/releasing to TabGroup or something. I'm not atm familiar with DispatcherEventTarget lifetime management. But sure, we can first add these assertions. (However I really don't like keeping crashers even in Nightly. It is so effective way to get people out from using Nightlies). Could you use MOZ_DIAGNOSTIC_ASSERT here, so that we don't accidentally leak the assertions to beta/release. I think Nightly/Aurora is good enough for this diagnostic stuff.
Attachment #8822089 - Flags: review?(bugs) → review+
Attached patch patch v2Splinter Review
I thought about this some more. Maybe it's not right to forbid people from dispatching after the last window dies. There maybe could still be a document alive (I guess). Anyway, this just dispatches to the main thread directly in that case. The UniquePtr thing would be hard to implement since mEventTargets[i] may point to either a DispatcherEventTarget or to a ThrottledEventQueue (which then points to a DispatcherEventTarget).
Assignee: nobody → wmccloskey
Attachment #8822089 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #8822278 - Flags: review?(bugs)
Comment on attachment 8822278 [details] [diff] [review] patch v2 wrong patch, or something pushed to mozreview didn't get to bugzilla the right way.
Flags: needinfo?(wmccloskey)
Attachment #8822278 - Flags: review?(bugs)
Attached patch patch v3Splinter Review
Flags: needinfo?(wmccloskey)
Attachment #8822499 - Flags: review?(bugs)
Attachment #8822499 - Flags: review?(bugs) → review+
Pushed by wmccloskey@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/317cb251b8e2 Allow EventTargetFor to be used after last window has been destroyed (r=smaug)
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Are 51 or 52 affected?
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: