1455819 - Crash in nsGlobalWindowInner::CallOnChildren<T>

Status: RESOLVED FIXED

(Core :: DOM: Core & HTML, defect, P1)

Description

[[:philipp]]

This bug was filed from the Socorro interface and is
report bp-1201277c-183c-4810-8f7d-4b7ad0180419.
=============================================================

Top 10 frames of crashing thread:

0 xul.dll nsGlobalWindowInner::CallOnChildren<void  dom/base/nsGlobalWindowInner.cpp:6306
1 xul.dll nsGlobalWindowInner::Resume dom/base/nsGlobalWindowInner.cpp:6122
2 xul.dll mozilla::dom::nsResumeTimeoutsEvent::Run dom/xhr/XMLHttpRequestMainThread.cpp:157
3 xul.dll mozilla::SchedulerGroup::Runnable::Run xpcom/threads/SchedulerGroup.cpp:395
4 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1040
5 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:97
6 xul.dll mozilla::ipc::MessagePumpForChildProcess::Run ipc/glue/MessagePump.cpp:301
7 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:319
8 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:299
9 xul.dll nsBaseAppShell::Run widget/nsBaseAppShell.cpp:157

=============================================================

this cross-platform crash has been around for a while - it's primarily affecting users of italian builds, so perhaps it's something specific to websites that are frequently visited in that locale (many comments point towards newspaper sites). the url correlations from crash reports may provide more insight here...

Comment 1

[Marco Castelluccio [:marco]]

Most crashes don't contain a URL. There are a lot of crashes on newspaper websites, such as www.larena.it or www.liberoquotidiano.it.

Comment 2

[Olli Pettay [:smaug]]

Null pointer crash. We have similar issue in one other place.

Comment 3

[Olli Pettay [:smaug]]

Attachment: child_docshell_iteration.diff

This patch is based on code inspection.

remote: View your change here:
remote:   https://hg.mozilla.org/try/rev/3b3af74cb95e3fb5cbe584cd8ecd2c1905f6c641
remote: 
remote: Follow the progress of your build on Treeherder:
remote:   https://treeherder.mozilla.org/#/jobs?repo=try&revision=3b3af74cb95e3fb5cbe584cd8ecd2c1905f6c641
remote: recorded changegroup in replication log in 0.057s

Comment 4

[Bob Clary [:bc] (inactive)]

Bughunter can reproduce with http://www.liberoquotidiano.it/news/sfoglio/13324310/ballando-con-le-stelle-milly-carlucci-selvaggia-lucarelli-voto-raoul-bova-reazione-attore.html on Linux.

bp-56413306-5304-4c4e-ab0f-efd231180426

Comment 5

[Nika Layzell [:nika] (ni? for response)]

Comment on attachment 8970853 [details] [diff] [review]
child_docshell_iteration.diff

Review of attachment 8970853 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/base/nsGlobalWindowInner.cpp
@@ +6327,5 @@
>  
>    int32_t childCount = 0;
>    docShell->GetChildCount(&childCount);
>  
> +  AutoTArray<nsCOMPtr<nsIDocShellTreeItem>, 8> children;

Please add a comment explaining that we copy to avoid concurrent modification errors

@@ +6473,5 @@
>    if (docShell) {
>      int32_t childCount = 0;
>      docShell->GetChildCount(&childCount);
>  
> +    AutoTArray<nsCOMPtr<nsIDocShellTreeItem>, 8> children;

Same here

Comment 6

[Olli Pettay [:smaug]]

Attachment: child_docshell_iteration_2.diff

Comment 7

[Olli Pettay [:smaug]]

Attachment: child_docshell_iteration_3.diff

Comment 8

[Pulsebot]

Pushed by opettay@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/c80d4798b4e1
Crash in nsGlobalWindowInner::CallOnChildren<T>, r=nika

Comment 9

[Andreea Pavel [:apavel]]

https://hg.mozilla.org/mozilla-central/rev/c80d4798b4e1

Comment 10

[Julien Cristau [:jcristau]]

Safe (null) crash, low volume, marking wontfix for 60.