Closed Bug 1546454 Opened 1 year ago Closed 1 year ago

Assertion failure: parentContext (docShell must have BrowsingContext), at src/dom/base/nsFrameLoader.cpp:308

Categories

(Core :: DOM: Navigation, defect, P2)

defect

Tracking

()

RESOLVED FIXED
mozilla68
Fission Milestone M4
Tracking Status
firefox-esr60 --- unaffected
firefox67 --- unaffected
firefox68 --- fixed

People

(Reporter: tsmith, Assigned: farre)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords)

Attachments

(3 files)

Attached file testcase.html

The fuzzers started hitting this issue around April 9th. Finally got a reproducible test case that I could reduce.

STR:

  1. use fuzzing build (not required but makes the test way more reliable)
  2. use attached prefs
  3. enable a11y
  4. open test case

Assertion failure: parentContext (docShell must have BrowsingContext), at src/dom/base/nsFrameLoader.cpp:308

#0 0x7ffba557b041 in CreateBrowsingContext(mozilla::dom::Element*, mozilla::dom::BrowsingContext*) src/dom/base/nsFrameLoader.cpp:308:3
#1 0x7ffba557a276 in nsFrameLoader::Create(mozilla::dom::Element*, mozilla::dom::BrowsingContext*, bool) src/dom/base/nsFrameLoader.cpp:361:37
#2 0x7ffba94040b7 in nsGenericHTMLFrameElement::EnsureFrameLoader() src/dom/html/nsGenericHTMLFrameElement.cpp:132:18
#3 0x7ffba94041e6 in GetContentWindowInternal src/dom/html/nsGenericHTMLFrameElement.cpp:101:3
#4 0x7ffba94041e6 in nsGenericHTMLFrameElement::GetContentWindow() src/dom/html/nsGenericHTMLFrameElement.cpp:117
#5 0x7ffba81c9e60 in mozilla::dom::HTMLIFrameElement_Binding::get_contentWindow(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLIFrameElement*, JSJitGetterCallArgs) src/obj-firefox/dom/bindings/HTMLIFrameElementBinding.cpp:837:44
#6 0x7ffba862d9e1 in bool mozilla::dom::binding_detail::GenericGetter<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3049:13
#7 0x7ffbafe9d530 in CallJSNative src/js/src/vm/Interpreter.cpp:442:13
#8 0x7ffbafe9d530 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:534
#9 0x7ffbafea1e23 in InternalCall src/js/src/vm/Interpreter.cpp:589:10
#10 0x7ffbafea1e23 in Call src/js/src/vm/Interpreter.cpp:605
#11 0x7ffbafea1e23 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:729
#12 0x7ffbb05071bf in CallGetter src/js/src/vm/NativeObject.cpp:2216:12
#13 0x7ffbb05071bf in GetExistingProperty<js::CanGC> src/js/src/vm/NativeObject.cpp:2268
#14 0x7ffbb05071bf in NativeGetPropertyInline<js::CanGC> src/js/src/vm/NativeObject.cpp:2517
#15 0x7ffbb05071bf in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) src/js/src/vm/NativeObject.cpp:2554
#16 0x7ffbafeaa1cd in GetProperty src/js/src/vm/ObjectOperations-inl.h:117:10
#17 0x7ffbafeaa1cd in GetProperty src/js/src/vm/ObjectOperations-inl.h:124
#18 0x7ffbafeaa1cd in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:4486
#19 0x7ffbafe7703f in GetPropertyOperation src/js/src/vm/Interpreter.cpp:215:10
#20 0x7ffbafe7703f in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:2766
#21 0x7ffbafe67768 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:422:10
#22 0x7ffbafe9dea3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:562:13
#23 0x7ffbafe9fb22 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:605:8
#24 0x7ffbb0b089a8 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2636:10
#25 0x7ffba7c332b0 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:267:37
#26 0x7ffba8f24d55 in Call<nsCOMPtr<mozilla::dom::EventTarget> > src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
#27 0x7ffba8f24d55 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:205
#28 0x7ffba8ed445a in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1045:22
#29 0x7ffba8ed6519 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1240:17
#30 0x7ffba8eb6c31 in HandleEvent src/obj-firefox/dist/include/mozilla/EventListenerManager.h:355:5
#31 0x7ffba8eb6c31 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:349
#32 0x7ffba8eb4e66 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:551:16
#33 0x7ffba8ebbb9e in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1046:11
#34 0x7ffbaad2e7d6 in mozilla::(anonymous namespace)::AsyncTimeEventRunner::Run() src/dom/smil/SMILTimedElement.cpp:97:12
#35 0x7ffba0d51171 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1180:14
#36 0x7ffba0d58d94 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
#37 0x7ffba20b402f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
#38 0x7ffba1f8d1ae in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
#39 0x7ffba1f8d1ae in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
#40 0x7ffba1f8d1ae in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
#41 0x7ffbab5e24e3 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#42 0x7ffbaf8a0990 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:270:30
#43 0x7ffbafbb0407 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:4584:22
#44 0x7ffbafbb2e24 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4722:8
#45 0x7ffbafbb4679 in XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4803:21
#46 0x560b4e4ad37a in do_main src/browser/app/nsBrowserApp.cpp:212:22
#47 0x560b4e4ad37a in main src/browser/app/nsBrowserApp.cpp:291
Flags: in-testsuite?
Attached file prefs.js
Component: DOM: Core & HTML → Document Navigation
Flags: needinfo?(kyle)
Priority: -- → P2
Flags: needinfo?(kyle) → needinfo?(afarre)
Assignee: nobody → afarre
Status: NEW → ASSIGNED
Flags: needinfo?(afarre)

Haven't really been able to reproduce it, but the cause and fix are obvious. If an nsDocShell has been partially torn down, and the nsDocShell::mBrowsingContext field has been unset, then we should treat that exactly the same as if the docshell had been closed and not return a frameloader.

I've now been able to confirm that this fixes the issue.
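The teardown ordering described in the comment above, as an added, deliberately simplified C++ model (not Gecko code and not the landed patch): a docshell that has released its BrowsingContext but has not yet been marked destroyed asks for a frame loader, and the guard returns null instead of reaching the CreateBrowsingContext assertion. The DocShell, BrowsingContext and FrameLoader types, the DetachBrowsingContext/Destroy methods and the CreateFrameLoader/HasContentWindow functions are assumptions standing in for nsDocShell, nsFrameLoader::Create and the contentWindow getter seen in the stack.

```cpp
// Added example modelling the fix for bug 1546454; not Firefox source.
// A docshell that has been partially torn down has dropped its
// BrowsingContext. A frame element asking for a frame loader at that point
// must be told "no" rather than have CreateBrowsingContext assert on a null
// parent context.
#include <cassert>
#include <memory>
#include <string>

struct BrowsingContext {
    std::string name;
};

// Hypothetical stand-in for nsDocShell; mirrors only the two members that
// matter here.
struct DocShell {
    std::shared_ptr<BrowsingContext> browsingContext;  // plays mBrowsingContext
    bool isBeingDestroyed = false;

    // Full teardown: the docshell is closed for good.
    void Destroy() {
        isBeingDestroyed = true;
        browsingContext.reset();
    }

    // Partial teardown, the state this bug is about: the BrowsingContext has
    // already been released but the closed flag is not set yet.
    void DetachBrowsingContext() { browsingContext.reset(); }
};

struct FrameLoader {
    std::shared_ptr<BrowsingContext> parentContext;  // child BC hangs off this
};

// Stand-in for the check done before a frame loader is created.
// Before the fix only the closed case bailed out; a live docshell with no
// BrowsingContext went on to CreateBrowsingContext and tripped the
// "docShell must have BrowsingContext" assertion.
std::unique_ptr<FrameLoader> CreateFrameLoader(const DocShell* docShell) {
    if (!docShell || docShell->isBeingDestroyed) {
        return nullptr;  // closed docshell: no frame loader, as before
    }
    std::shared_ptr<BrowsingContext> parent = docShell->browsingContext;
    if (!parent) {
        // The fix: an unset mBrowsingContext is treated exactly like a
        // closed docshell instead of asserting.
        return nullptr;
    }
    auto loader = std::make_unique<FrameLoader>();
    loader->parentContext = parent;
    return loader;
}

// The outcome of the contentWindow getter in the stack, reduced to a bool:
// can a frame loader (and so a content window) exist right now?
bool HasContentWindow(const DocShell* docShell) {
    return CreateFrameLoader(docShell) != nullptr;
}

int main() {
    DocShell live;
    live.browsingContext = std::make_shared<BrowsingContext>();
    live.browsingContext->name = "top";
    assert(HasContentWindow(&live));

    DocShell partial = live;
    partial.DetachBrowsingContext();      // the state the fuzzer reached
    assert(!HasContentWindow(&partial));  // fixed path: null, no assertion

    DocShell closed = live;
    closed.Destroy();
    assert(!HasContentWindow(&closed));
    return 0;
}
```

The point of the guard is that "closed" and "has no BrowsingContext" are the same condition from the frame element's point of view: any caller that can run between the two teardown steps (here, a script getter fired from an SMIL timed event) must see the docshell as already gone.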

Pushed by afarre@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9a342b970de0
Don't create frameloader for partially destroyed docshell. r=qdot
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68

Retroactively moving fixed bugs whose summaries mention "Fission" (or other Fission-related keywords) but are not assigned to a Fission Milestone to an appropriate Fission Milestone.

This will generate a lot of bugmail, so you can filter your bugmail for the following UUID and delete them en masse:

0ee3c76a-bc79-4eb2-8d12-05dc0b68e732

Fission Milestone: --- → M4