null + offset crashes in [@nsHtml5TreeOpExecutor::ContinueInterruptedParsingAsync()]

RESOLVED FIXED in Firefox 58

People: Reporter smaug, Assignee smaug

Tracking: Target Milestone mozilla58; firefox58: fixed

Description (Assignee, a year ago)
https://crash-stats.mozilla.com/report/index/e58f8612-b90a-48c9-80a5-30a3b0171027 is an example.
I think the issue is that mElement is somehow null in 
https://hg.mozilla.org/releases/mozilla-beta/annotate/86534d5daeef/dom/script/ScriptLoader.cpp#l2892

I'll look into this a bit, and if nothing else, add a null check.
Comment 1 (Assignee, a year ago)
Hmm, this is trickier than I thought. Looks like only preloading doesn't have mElement set, but why do we call ContinueParserAsync on such requests? By mistake?
Comment 2 (Assignee, a year ago)
Oh, hmm, maybe this is something else after all. Compilers clearly inline methods here, so it is a bit hard to follow all this.
Comment 3 (Assignee, a year ago)
mExecutor is null, if I read various crash reports right.
Comment 4 (Assignee, a year ago)
Looks like that may have happened if we've unlinked the parser.
Comment 5 (Assignee, a year ago)
Quick and dirty. The other option is to go through all of the ownership model of the parser to see why we get unlinked. But in principle, if we end up closing the window or such and spinning the event loop, that could rather easily lead to this kind of result.
Attachment #8924270 - Flags: review?(hsivonen)
Attachment #8924270 - Flags: review?(hsivonen) → review+

Comment 6 (a year ago)
Pushed by opettay@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/9d76daebda99
ensure we have still the executor before trying to continue parsing, r=hsivonen
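The following is an added illustration of the bug class discussed in this thread, not Firefox code and not the patch that landed. It models the sequence the assignee describes: an async "continue parsing" task is queued, the parser is unlinked (its executor pointer cleared, as cycle collection does when a window is torn down) before the event loop runs the task, and the task then touches the executor through a null pointer. All names (TreeOpExecutor, HtmlParser, EventLoop, RunScenario, NullPlusOffsetAddress) are hypothetical stand-ins; the guard in ContinueParserAsync is modelled on the one-line fix the commit message describes, and NullPlusOffsetAddress shows why such a crash is reported as "null + offset": a member access through a null object pointer dereferences the member's offset as an address.

```cpp
// Added example, not Firefox code: a small model of a queued continuation
// outliving the parser's executor. All type and function names are hypothetical.
#include <cstddef>
#include <cstdint>
#include <deque>
#include <functional>
#include <utility>

// Stand-in for the tree-op executor. The parser holds a raw pointer to it that
// cycle collection may clear (Unlink) while the object graph is being torn down.
struct TreeOpExecutor {
    std::uint64_t mPad[4];     // earlier members; pushes the field below to a non-zero offset
    int mContinuations = 0;    // how many continuation requests reached the executor
    void ContinueInterruptedParsingAsync() { ++mContinuations; }
};

// Minimal event loop: tasks are queued now and run later, as with a runnable
// dispatched to the main thread.
struct EventLoop {
    std::deque<std::function<void()>> mTasks;
    void Dispatch(std::function<void()> task) { mTasks.push_back(std::move(task)); }
    int Spin() {               // run everything queued; returns the number of tasks run
        int ran = 0;
        while (!mTasks.empty()) {
            auto task = std::move(mTasks.front());
            mTasks.pop_front();
            task();
            ++ran;
        }
        return ran;
    }
};

struct HtmlParser {
    TreeOpExecutor* mExecutor; // cleared by Unlink(), like a cycle-collected member
    explicit HtmlParser(TreeOpExecutor* executor) : mExecutor(executor) {}
    void Unlink() { mExecutor = nullptr; }

    // "Before" shape (never called here): dereferences mExecutor unconditionally.
    // With mExecutor == nullptr the member access becomes null + offset.
    bool ContinueParserAsyncUnguarded() {
        mExecutor->ContinueInterruptedParsingAsync();
        return true;
    }

    // "After" shape, modelled on the fix: bail out if the executor is already gone.
    bool ContinueParserAsync() {
        if (!mExecutor) {
            return false;      // parser was unlinked while the task was queued
        }
        mExecutor->ContinueInterruptedParsingAsync();
        return true;
    }
};

// Queue a continuation, optionally unlink the parser before the loop spins
// (e.g. the window was closed meanwhile), then spin the loop.
// Returns how many continuations reached the executor; *outSkipped reports
// whether the guard fired.
int RunScenario(bool unlinkBeforeSpin, bool* outSkipped) {
    TreeOpExecutor executor{};
    HtmlParser parser(&executor);
    EventLoop loop;
    bool skipped = false;
    // The task captures the parser by reference, like a queued async callback.
    loop.Dispatch([&] {
        if (!parser.ContinueParserAsync()) {
            skipped = true;
        }
    });
    if (unlinkBeforeSpin) {
        parser.Unlink();
    }
    loop.Spin();
    if (outSkipped) {
        *outSkipped = skipped;
    }
    return executor.mContinuations;
}

// The address an unguarded call would touch when mExecutor is null: the
// offset of the first member the method writes. This is what the crash
// signature's "null + offset" refers to.
std::size_t NullPlusOffsetAddress() {
    return offsetof(TreeOpExecutor, mContinuations);
}
```

Running RunScenario(false, ...) yields one continuation and no skip; RunScenario(true, ...) yields zero continuations with the guard reporting the skipped call, which is the crash-free outcome the fix produces. Comment 5's caveat still applies to the model: the guard stops the null dereference but does not explain why the parser was unlinked with work still queued.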

Comment 7 (bugherder, a year ago)
https://hg.mozilla.org/mozilla-central/rev/9d76daebda99
Status: NEW → RESOLVED
Last Resolved: a year ago
status-firefox58: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
Component: DOM → DOM: Core & HTML
Product: Core → Core