Crash in nsFocusManager::GetRedirectedFocus
Categories
(Firefox :: Session Restore, defect)
Tracking
Version | Tracking | Status |
---|---|---|
firefox-esr60 | --- | unaffected |
firefox64 | --- | unaffected |
firefox65 | --- | unaffected |
firefox66 | --- | fixed |
People
(Reporter: calixte, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, regression, Whiteboard: [qa-66b-p2])
Crash Data
This bug is for crash report bp-367c45d2-0f84-44b1-9856-6bba60190126.
Top 10 frames of crashing thread:
0 XUL nsFocusManager::GetRedirectedFocus mfbt/RefPtr.h:267
1 XUL SetElementAsString toolkit/components/sessionstore/SessionStoreUtils.cpp:696
2 XUL mozilla::dom::SessionStoreUtils::RestoreFormData toolkit/components/sessionstore/SessionStoreUtils.cpp:964
3 XUL mozilla::dom::SessionStoreUtils_Binding::restoreFormData dom/bindings/SessionStoreUtilsBinding.cpp:1811
4 XUL js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:441
5 XUL Interpret js/src/vm/Interpreter.cpp:592
6 XUL js::RunScript js/src/vm/Interpreter.cpp:421
7 XUL js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:561
8 XUL JS::Call js/src/vm/Interpreter.cpp:604
9 XUL mozilla::dom::EventListener::HandleEvent dom/bindings/EventListenerBinding.cpp:52
There are 228 crashes (from 166 installations) in nightly 66 starting with buildid 20190125215013. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1497146.
[1] https://hg.mozilla.org/mozilla-central/rev?node=21ad3aeb636f
Comment 1•6 years ago
I got this crash after an upgrade+restart of the Nightly and while restoring a Tab with a running Twitch Stream:
bp-34a242ad-42b3-4191-8eb4-8dffb0190126
Comment 2•6 years ago
ditto for me for a tab containing a swagger ui api docs page:
bp-0d9f58e0-10c2-4650-8915-adf7d0190126
bp-3fe5cb6a-51bc-46a3-9618-d5bdb0190126
Comment 3•6 years ago
Could you provide the page for me to reproduce the symptom?
Thanks.
Reporter
Comment 4•6 years ago
Comment 5•6 years ago
After the investigation, we found the reason for this crash.
The crash happens when we pass a nullptr to "GetRedirectedFocus()".
Since there is no null check in "GetRedirectedFocus()", it crashes.
The scenario is like this:
There is an element called "BTextElement" with a string value in the session restore data.
When restoring the page, we try to set the original value to "BTextElement".
However, since the page changed, we cannot get "BTextElement" anymore.
In the original patch, we will get nullptr and pass it to "GetRedirectedFocus()".
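A minimal model of the scenario in Comment 5, added here as an illustration and not taken from the Firefox patch: saved form data names an element the current page no longer has, and the restore loop checks the lookup result before handing it to a helper that assumes a non-null argument. `Element`, `Document`, `IsReadOnly`, `RestoreSavedValues` and the sample element "ATextElement" are hypothetical stand-ins, not Gecko code.

```cpp
#include <map>
#include <string>
#include <vector>

// Hypothetical stand-ins for illustration; none of these are Gecko types.
struct Element {
  std::string id;
  std::string value;
  bool readOnly;
};

struct Document {
  std::vector<Element> elements;
  // Returns nullptr when the page no longer contains an element with this id.
  Element* GetElementById(const std::string& id) {
    for (Element& e : elements)
      if (e.id == id) return &e;
    return nullptr;
  }
};

// Models a helper with no null check. Precondition: aElement != nullptr.
bool IsReadOnly(const Element* aElement) { return aElement->readOnly; }
struct RestoreResult { int restored; int skipped; };

// Saved session data may describe a page that has since changed.
RestoreResult RestoreSavedValues(Document& doc,
                                 const std::map<std::string, std::string>& saved) {
  RestoreResult r = {0, 0};
  for (const auto& entry : saved) {
    Element* el = doc.GetElementById(entry.first);
    // The null test comes first, so the helper never sees a missing element.
    if (!el || IsReadOnly(el)) {
      ++r.skipped;
      continue;
    }
    el->value = entry.second;
    ++r.restored;
  }
  return r;
}

int main() {
  Document doc;  // constructed sample page: "BTextElement" no longer exists
  doc.elements.push_back({"ATextElement", "", false});
  std::map<std::string, std::string> saved = {{"ATextElement", "hello"}, {"BTextElement", "world"}};
  RestoreResult r = RestoreSavedValues(doc, saved);
  return (r.restored == 1 && r.skipped == 1) ? 0 : 1;
}
```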