Closed Bug 1524188 Opened 6 years ago Closed 6 years ago

Crash in InvalidArrayIndex_CRASH | mozilla::dom::CanonicalBrowsingContext::CleanupContexts

Categories

(Core :: DOM: Core & HTML, defect, P2)

Product:
Core
Component:
DOM: Core & HTML
Platform:
Unspecified
Windows 7
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla67
Project Flags:
Fission Milestone M4
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox65 --- unaffected
firefox66 --- unaffected
firefox67 --- fixed

People

(Reporter: calixte, Assigned: farre)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

Bug 1524188 - Avoid array mutation when cleaning browsing contexts.
47 bytes, text/x-phabricator-request
Details | Review

This bug is for crash report bp-1780dd7d-e879-46af-98aa-9d6590190131.

Top 10 frames of crashing thread:

0 mozglue.dll static void MOZ_CrashOOL mfbt/Assertions.h:314
1 mozglue.dll MOZ_CrashPrintf mfbt/Assertions.cpp:55
2 xul.dll InvalidArrayIndex_CRASH xpcom/ds/nsTArray.cpp:27
3 xul.dll mozilla::dom::CanonicalBrowsingContext::CleanupContexts docshell/base/CanonicalBrowsingContext.cpp:47
4 xul.dll mozilla::dom::ContentParent::ActorDestroy dom/ipc/ContentParent.cpp:1753
5 xul.dll void mozilla::dom::PContentParent::DestroySubtree ipc/ipdl/PContentParent.cpp:10445
6 xul.dll mozilla::dom::PContentParent::OnChannelError ipc/ipdl/PContentParent.cpp:10094
7 xul.dll mozilla::dom::ContentParent::OnChannelError dom/ipc/ContentParent.cpp:1548
8 xul.dll nsresult mozilla::detail::RunnableMethodImpl<mozilla::dom::ServiceWorkerRegistration*, void  xpcom/threads/nsThreadUtils.h:1171
9 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1161

There are 3 crashes (from 3 installations) in nightly 67 with buildid 20190130215539. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1521149.

[1] https://hg.mozilla.org/mozilla-central/rev?node=db3c21efe3c0

Flags: needinfo?(afarre)
Assignee: nobody → afarre
Status: NEW → ASSIGNED
Flags: needinfo?(afarre)

Detaching a browsing context may mutate its parent or toplevel
list. Take copies when iterating and detaching browsing contexts of
crashed processes.

Pushed by afarre@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/cc322acff7a7 Avoid array mutation when cleaning browsing contexts. r=nika
Priority: -- → P2

https://hg.mozilla.org/mozilla-central/rev/cc322acff7a7

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox67: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
Component: DOM → DOM: Core & HTML

Retroactively moving fixed bugs whose summaries mention "Fission" (or other Fission-related keywords) but are not assigned to a Fission Milestone to an appropriate Fission Milestone.

This will generate a lot of bugmail, so you can filter your bugmail for the following UUID and delete them en masse:

0ee3c76a-bc79-4eb2-8d12-05dc0b68e732

Fission Milestone: --- → M4
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: