Closed
Bug 1566310
Opened 5 years ago
Closed 5 years ago
crash near null in [@ mozilla::dom::WindowGlobalChild::BeforeUnloadAdded]
Categories
(Core :: DOM: Content Processes, defect, P2)
Tracking
Release | Tracking | Status |
---|---|---|
firefox-esr60 | --- | unaffected |
firefox-esr68 | --- | unaffected |
firefox68 | --- | unaffected |
firefox69 | --- | unaffected |
firefox70 | blocking | fixed |
People
(Reporter: tsmith, Assigned: u608768)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: crash, regression, testcase, Whiteboard: [rca - unhandled exceptions])
Crash Data
Attachments
(2 files)
Found with m-c:
BuildID=20190716001037
SourceStamp=57e096cabc296b897baec44b65ece648b54463c0
==77861==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000a8 (pc 0x7fba79001fb5 bp 0x7fff911b8310 sp 0x7fff911b8260 T0)
==77861==The signal is caused by a READ memory access.
==77861==Hint: address points to the zero page.
#0 0x7fba79001fb4 in mozilla::dom::WindowGlobalChild::BeforeUnloadAdded() src/dom/ipc/WindowGlobalChild.cpp
#1 0x7fba7328e9ec in nsGlobalWindowInner::EventListenerAdded(nsAtom*) src/dom/base/nsGlobalWindowInner.cpp:6074:25
#2 0x7fba77308d5a in mozilla::EventListenerManager::AddEventListenerInternal(mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>, mozilla::EventMessage, nsAtom*, mozilla::EventListenerFlags const&, bool, bool) src/dom/events/EventListenerManager.cpp:401:14
#3 0x7fba7731009c in mozilla::EventListenerManager::SetEventHandlerInternal(nsAtom*, mozilla::TypedEventHandler const&, bool) src/dom/events/EventListenerManager.cpp:720:5
#4 0x7fba7731ea4f in mozilla::EventListenerManager::SetEventHandler(mozilla::dom::OnBeforeUnloadEventHandlerNonNull*) src/dom/events/EventListenerManager.cpp:1550:3
#5 0x7fba75bb70ee in SetOnbeforeunload src/obj-firefox/dist/include/mozilla/EventNameList.h:278:1
#6 0x7fba75bb70ee in mozilla::dom::Window_Binding::set_onbeforeunload(JSContext*, JS::Handle<JSObject*>, nsGlobalWindowInner*, JSJitSetterCallArgs) src/obj-firefox/dom/bindings/WindowBinding.cpp:16840
#7 0x7fba76a7a55e in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::MaybeGlobalThisPolicy>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3134:8
#8 0x7fba7e3c6c77 in CallJSNative src/js/src/vm/Interpreter.cpp:448:13
#9 0x7fba7e3c6c77 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:540
#10 0x7fba7e3ccd0d in InternalCall src/js/src/vm/Interpreter.cpp:595:10
#11 0x7fba7e3ccd0d in Call src/js/src/vm/Interpreter.cpp:611
#12 0x7fba7e3ccd0d in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) src/js/src/vm/Interpreter.cpp:749
#13 0x7fba7e8e8143 in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) src/js/src/vm/NativeObject.cpp:2932:8
#14 0x7fba7e8e0c21 in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) src/js/src/vm/NativeObject.cpp:2961:14
#15 0x7fba7f12cd97 in SetProperty src/js/src/vm/ObjectOperations-inl.h:283:10
#16 0x7fba7f12cd97 in js::ForwardingProxyHandler::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) const src/js/src/proxy/Wrapper.cpp:149
#17 0x7fba732ad030 in nsOuterWindowProxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) const src/dom/base/nsGlobalWindowOuter.cpp:938:23
#18 0x7fba7f107ea1 in setInternal src/js/src/proxy/Proxy.cpp:395:19
#19 0x7fba7f107ea1 in js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) src/js/src/proxy/Proxy.cpp:403
#20 0x7fba7e3a1ed9 in SetProperty src/js/src/vm/ObjectOperations-inl.h:280:12
#21 0x7fba7e3a1ed9 in SetPropertyOperation src/js/src/vm/Interpreter.cpp:270
#22 0x7fba7e3a1ed9 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:2854
#23 0x7fba7e39105f in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:425:10
#24 0x7fba7e3c777f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:568:13
#25 0x7fba7e3c99a2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:611:8
#26 0x7fba7f05e568 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2658:10
#27 0x7fba76056fde in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:267:37
#28 0x7fba77366c4c in Call<nsCOMPtr<mozilla::dom::EventTarget> > src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
#29 0x7fba77366c4c in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:205
#30 0x7fba77315f09 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1030:22
#31 0x7fba77317dd7 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1222:17
#32 0x7fba772f86f1 in HandleEvent src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
#33 0x7fba772f86f1 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:349
#34 0x7fba772f6926 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:551:16
#35 0x7fba772fd694 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1047:11
#36 0x7fba7a31a82f in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1147:7
#37 0x7fba7d1d0cd3 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:6676:20
#38 0x7fba7d1cfcc2 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:6476:7
#39 0x7fba7d1d58e7 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
#40 0x7fba71c1b675 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1333:3
#41 0x7fba71c1a26a in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:892:14
#42 0x7fba71c148a0 in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:726:9
#43 0x7fba71c148b8 in ChildDoneWithOnload src/uriloader/base/nsDocLoader.h:217:5
#44 0x7fba71c148b8 in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:729
#45 0x7fba71c18125 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:614:5
#46 0x7fba71c19db4 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp
#47 0x7fba6f327e51 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:568:22
#48 0x7fba7353d838 in DoUnblockOnload src/dom/base/Document.cpp:10702:18
#49 0x7fba7353d838 in mozilla::dom::Document::UnblockOnload(bool) src/dom/base/Document.cpp:10634
#50 0x7fba73573d25 in mozilla::dom::Document::DispatchContentLoadedEvents() src/dom/base/Document.cpp:7130:3
#51 0x7fba7368c89b in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1124:12
#52 0x7fba7368c89b in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1130
#53 0x7fba7368c89b in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1176
#54 0x7fba6efa79d5 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:295:32
#55 0x7fba6efe891c in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1225:14
#56 0x7fba6eff07a4 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
#57 0x7fba7041322f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
#58 0x7fba702db6fe in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
#59 0x7fba702db6fe in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
#60 0x7fba702db6fe in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
#61 0x7fba79a63223 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#62 0x7fba7e0e7afe in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:919:20
#63 0x7fba702db6fe in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
#64 0x7fba702db6fe in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
#65 0x7fba702db6fe in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
#66 0x7fba7e0e6641 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:754:34
#67 0x56316644e113 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#68 0x56316644e113 in main src/browser/app/nsBrowserApp.cpp:267
Flags: in-testsuite?
Comment 1•5 years ago
Kashav, here's a test case for the crash that is showing up on Nightly.
Flags: needinfo?(kmadan)
Pushed by kmadan@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ce9f99b79f12
Nullcheck mWindowGlobalChild prior to notifying it of beforeunload listeners, r=nika
Updated•5 years ago
status-firefox68: --- → unaffected
status-firefox69: --- → unaffected
status-firefox-esr60: --- → unaffected
status-firefox-esr68: --- → unaffected
tracking-firefox70: --- → blocking
Comment 5•5 years ago
bugherder
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
Updated•5 years ago
Severity: normal → major
Updated•5 years ago
Crash Signature: [@ mozilla::dom::WindowGlobalChild::BeforeUnloadAdded]
[@ nsGlobalWindowInner::EventListenerAdded]
Updated•5 years ago
Crash Signature: [@ mozilla::dom::WindowGlobalChild::BeforeUnloadAdded]
[@ nsGlobalWindowInner::EventListenerAdded] → [@ mozilla::dom::WindowGlobalChild::BeforeUnloadAdded]
[@ nsGlobalWindowInner::EventListenerAdded]
Fission Milestone: --- → M4
Updated•5 years ago
Priority: -- → P2
This bug has been identified as part of a pilot on determining root causes of blocking and dot release drivers.
It needs a root-cause set for it. Please see the list at https://docs.google.com/document/d/1FFEGsmoU8T0N8R9kk-MXWptOPtXXXRRIe4vQo3_HgMw/.
Add the root cause as a whiteboard tag in the form [rca - <cause> ] and remove the rca-needed keyword.
If you have questions, please contact :tmaity.
Keywords: rca-needed
Keywords: rca-needed
Whiteboard: [rca - Unhandled exceptions]
Whiteboard: [rca - Unhandled exceptions] → [rca - unhandled exceptions]
Updated•3 years ago
Has Regression Range: --- → yes