Closed Bug 1523078 Opened 6 years ago Closed 6 years ago

Crash in nsFocusManager::GetRedirectedFocus

Categories

(Firefox :: Session Restore, defect)

Type: defect
Priority: Not set
Severity: critical

RESOLVED FIXED

Tracking Status
firefox-esr60 --- unaffected
firefox64 --- unaffected
firefox65 --- unaffected
firefox66 --- fixed

People

(Reporter: calixte, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, Whiteboard: [qa-66b-p2])

Crash Data

This bug is for crash report bp-367c45d2-0f84-44b1-9856-6bba60190126.

Top 10 frames of crashing thread:

0 XUL nsFocusManager::GetRedirectedFocus mfbt/RefPtr.h:267
1 XUL SetElementAsString toolkit/components/sessionstore/SessionStoreUtils.cpp:696
2 XUL mozilla::dom::SessionStoreUtils::RestoreFormData toolkit/components/sessionstore/SessionStoreUtils.cpp:964
3 XUL mozilla::dom::SessionStoreUtils_Binding::restoreFormData dom/bindings/SessionStoreUtilsBinding.cpp:1811
4 XUL js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:441
5 XUL Interpret js/src/vm/Interpreter.cpp:592
6 XUL js::RunScript js/src/vm/Interpreter.cpp:421
7 XUL js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:561
8 XUL JS::Call js/src/vm/Interpreter.cpp:604
9 XUL mozilla::dom::EventListener::HandleEvent dom/bindings/EventListenerBinding.cpp:52

There are 228 crashes (from 166 installations) in nightly 66 starting with buildid 20190125215013. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1497146.

[1] https://hg.mozilla.org/mozilla-central/rev?node=21ad3aeb636f

Flags: needinfo?(alchen)

I got this crash after an upgrade+restart of the Nightly and while restoring a Tab with a running Twitch Stream:
bp-34a242ad-42b3-4191-8eb4-8dffb0190126

Ditto for me for a tab containing a Swagger UI API docs page:
bp-0d9f58e0-10c2-4650-8915-adf7d0190126
bp-3fe5cb6a-51bc-46a3-9618-d5bdb0190126

Could you provide the page for me to reproduce the symptom?
Thanks.

Flags: needinfo?(alchen)
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED

After the investigation, we found the reason for this crash.
The crash happens when we pass a nullptr to "GetRedirectedFocus()".
Since there is no null check in "GetRedirectedFocus()", it crashes.

The scenario is like this:
There is an element called "BTextElement" with a string value in the session restore data.
When restoring the page, we try to set the original value to "BTextElement".
However, since the page changed, we cannot get "BTextElement" anymore.
In the original patch, we will get nullptr and pass it to "GetRedirectedFocus()".
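
The scenario in the comment above, modelled as an added C++ example; it is not Firefox code and not the patch from this bug. `Element`, `Document`, `SetValueUnchecked`, `RestoreResult`, this `RestoreFormData` and the id "ATextElement" are hypothetical stand-ins: saved form data names an element the changed page no longer has, so the lookup result is checked before it reaches a callee that dereferences it.

```cpp
#include <map>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-ins for a DOM element and document; these are not Gecko types.
struct Element { std::string id, value; };

struct Document {
  std::map<std::string, std::unique_ptr<Element>> byId;
  void Add(const std::string& aId) { byId[aId].reset(new Element{aId, ""}); }
  // Returns nullptr when the page no longer contains the id.
  Element* GetElementById(const std::string& aId) const {
    auto it = byId.find(aId);
    return it == byId.end() ? nullptr : it->second.get();
  }
};

// Callee with no null check of its own; handing it nullptr is the crash.
static void SetValueUnchecked(Element* aElement, const std::string& aValue) {
  aElement->value = aValue;
}

struct RestoreResult {
  int restored = 0;
  std::vector<std::string> missing;  // saved ids the current page no longer has
};

// Restores saved form values, skipping and reporting ids that fail to resolve.
RestoreResult RestoreFormData(const Document& aDoc,
                              const std::map<std::string, std::string>& aSaved) {
  RestoreResult result;
  for (const auto& entry : aSaved) {
    Element* element = aDoc.GetElementById(entry.first);
    if (!element) {  // the guard the crashing path lacked
      result.missing.push_back(entry.first);
      continue;
    }
    SetValueUnchecked(element, entry.second);
    ++result.restored;
  }
  return result;
}

int main() {
  Document doc;  // constructed sample: the page changed and lost BTextElement
  doc.Add("ATextElement");
  RestoreResult r = RestoreFormData(doc, {{"ATextElement", "a"}, {"BTextElement", "b"}});
  return (r.restored == 1 && r.missing.size() == 1) ? 0 : 1;
}
```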

Whiteboard: [qa-66b-p2]