Crash in mozilla::dom::ChildSHistory::LegacySHistory

VERIFIED FIXED in Firefox 61

Status

defect
P1
blocker
VERIFIED FIXED

People

(Reporter: calixte, Assigned: Nika)

Tracking

(Blocks 1 bug, {crash, regression})

Trunk
mozilla61
Unspecified
Linux

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox59 unaffected, firefox60 unaffected, firefox61 blocking verified)

This bug was filed from the Socorro interface and is
report bp-bd03514e-3a05-476c-806b-548560180412.
=============================================================

Top 10 frames of crashing thread:

0 libxul.so mozilla::dom::ChildSHistory::LegacySHistory docshell/shistory/ChildSHistory.cpp:87
1 libxul.so nsHistory::PushOrReplaceState dom/base/nsHistory.cpp:292
2 libxul.so nsHistory::ReplaceState dom/base/nsHistory.cpp:258
3 libxul.so mozilla::dom::HistoryBinding::replaceState dom/bindings/HistoryBinding.cpp:384
4 libxul.so mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions> dom/bindings/BindingUtils.cpp:3195
5 libxul.so libxul.so@0x2f2d3fd 
6 libxul.so libxul.so@0x2f64d74 
7  @0x1e32983dc3c7 
8  @0x7f128d223d7f 
9  @0x1e32983d64e1 

=============================================================

There are 3 crashes (from 3 installations) in nightly 61 with buildid 20180412001050. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1434768.

[1] https://hg.mozilla.org/mozilla-central/rev?node=47c477fefd3b
Flags: needinfo?(nika)
I just hit this: https://crash-stats.mozilla.com/report/index/b4096876-e749-498f-89aa-eceda0180413
when clicking a link on a Google search result page pointing to an IETF draft.
Approaching 200 crashes since this was filed. Nils - Is the crash reproducible? If so please paste the link. Thanks.
Flags: needinfo?(drno)
(In reply to Marcia Knous [:marcia - needinfo? me] from comment #2)
> Nils - Is the crash
> reproducible? If so please paste the link. Thanks.

I tried a couple of times with the same search terms and clicking new links as well as links I had clicked before, but was not able to reproduce it any more.
Flags: needinfo?(drno)
Volume is up to almost 800 crashes since initial filing - Mac and Linux only, with Mac 10.13 accounting for the majority of crashes.
Looks like this accidentally got thrown out in the refactoring.
Attachment #8968315 - Flags: review?(bzbarsky)
Flags: needinfo?(nika)
Duplicate of this bug: 1453572
Assignee: nobody → nika
Severity: critical → blocker
Priority: -- → P1
Comment on attachment 8968315 [details] [diff] [review]
Null-check rootSH in nsDocShell::AddState

r=me, though I kinda wonder how we get into this state (torn-down docshell?).
Attachment #8968315 - Flags: review?(bzbarsky) → review+
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/mozilla-central/rev/26d6282bdbe0
Null-check rootSH in nsDocShell::AddState. r=bz, a=RyanVM
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Status: RESOLVED → VERIFIED