Closed Bug 1582832 Opened 5 years ago Closed 4 years ago

Crash in [@ mozilla::dom::BrowsingContext::CreateFromIPC]

Categories

(Core :: DOM: Navigation, defect, P1)

Product:
Core
Component:
DOM: Navigation
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla74
Project Flags:
Fission Milestone M5
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox71 --- disabled
firefox72 --- disabled
firefox73 --- disabled
firefox74 --- disabled
firefox75 --- fixed

People

(Reporter: marcia, Assigned: kmag)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(3 files)

Bug 1582832: Part 1 - Make FrameLoader owner rather than DocShell responsible for discarding a BC. r=nika
47 bytes, text/x-phabricator-request
Details | Review
Bug 1582832: Part 2 - Don't attach a BrowsingContext before a FrameLoader is initialized. r=nika
47 bytes, text/x-phabricator-request
Details | Review
Bug 1582832: Part 3 - Correctly handle windowless BCs created for printing. r=nika
47 bytes, text/x-phabricator-request
Details | Review

This bug is for crash report bp-094af257-082d-4684-a095-cd35a0190920.

Seen while looking at nightly crashes - these seem to be with Fission enabled: https://bit.ly/2kM5Jy3. The 71 crashes are macOS and Linux only.

Top 10 frames of crashing thread:

0 XUL mozilla::dom::BrowsingContext::CreateFromIPC docshell/base/BrowsingContext.cpp:163
1 XUL mozilla::dom::ContentChild::RecvRegisterBrowsingContextGroup dom/ipc/ContentChild.cpp:3907
2 XUL mozilla::dom::PContentChild::OnMessageReceived ipc/ipdl/PContentChild.cpp:12063
3 XUL mozilla::ipc::MessageChannel::DispatchMessage ipc/glue/MessageChannel.cpp:2185
4 XUL mozilla::ipc::MessageChannel::MessageTask::Run ipc/glue/MessageChannel.cpp:1985
5 XUL nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1225
6 XUL NS_ProcessNextEvent xpcom/threads/nsThreadUtils.cpp:486
7 XUL mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:110
8 XUL nsBaseAppShell::Run widget/nsBaseAppShell.cpp:137
9 XUL nsAppShell::Run widget/cocoa/nsAppShell.mm:705
Blocks: fission-dogfooding
Priority: -- → P3
No longer depends on: 1532661
Regressed by: 1532661

Hmm, perhaps bug 1532661 didn't actually regress this, but it is the code from bug 1532661 which crashes.

No longer regressed by: 1532661

Andreas, this seems to be the cause of dom/tests/mochitest/general/test_vibrator.html test failing with Fission. Could you look into this?

Flags: needinfo?(afarre)
Assignee: nobody → afarre
Flags: needinfo?(afarre)

(In reply to Neha Kochar [:neha] from comment #2)

Andreas, this seems to be the cause of dom/tests/mochitest/general/test_vibrator.html test failing with Fission. Could you look into this?

I cannot get dom/tests/mochitest/general/test_vibrator.html to fail, how hard I try.

Tentatively moving all bugs whose summaries mention "Fission" (or other Fission-related keywords) but are not assigned to a Fission Milestone to the "?" triage milestone.

This will generate a lot of bugmail, so you can filter your bugmail for the following UUID and delete them en masse:

0ee3c76a-bc79-4eb2-8d12-05dc0b68e732

Fission Milestone: --- → ?

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression

No crashes on beta, Fission is disabled by default

status-firefox71: affecteddisabled
status-firefox72: --- → affected
Fission Milestone: ? → M5
Priority: P3 → P2

I was able to reproduce this on latest nightly https://crash-stats.mozilla.org/report/index/c03c4a84-c17c-40fa-84fb-1ce160191210

STR - Steps to reproduce (don't forget to disable any ad blockers you have)

  1. Go to https://www.reddit.com/r/videos/
  2. Scroll down a little bit, wait until you see the thumbnails for first few youtube videos
  3. Refresh the page. The video iframes have crashed and you have new pending crash reports to submit in about:crashes :-)

I also see this sometimes when trying to open attachments or links from a pinned Gmail tab (only after it's been open and pinned for some amount of time). Closing and re-opening the tab makes the crash go away (seems like the tab gets into some state over time which causes the crash, unsure if it has anything to do with being pinned).

I tried download from my pinned Gmail tab (has been a pinned tab forever) and it didn't reproduce for me.
It reproduced for me with Anny's STR from comment 8.

Assignee: afarre → agakhokidze
Status: NEW → ASSIGNED
Priority: P2 → P1
See Also: → 1580565

Anny, this crash was also intermittently happening for some mochitests:

  • toolkit/components/url-classifier/tests/mochitest/test_classify_by_default.html
  • dom/security/test/mixedcontentblocker/test_main.html (although this is also being tracked by Bug 1580771, for error "object did not follow block_active_content pref" so may require more work)

so we may be able to re-enable these tests in bug 1580565 once this is fixed.

Assigning this to Kris as he mentioned that he has outstanding patches that will fix this

Assignee: agakhokidze → kmaglione+bmo
Crash Signature: [@ mozilla::dom::BrowsingContext::CreateFromIPC] → [@ mozilla::dom::BrowsingContext::CreateFromIPC] [@ mozilla::dom::BrowsingContext::IPCInitializer::GetParent]

Between these two signatures, I think this is the top Fission-specific crash, by a good margin, with about 11% of all Fission enabled Nightly 73 crashes.

Kashav and I came up with this example (so one does not have to go to reddit) https://annygakh.github.io/test/. You can follow the same STR as I outlined above, with this page.

Keywords: testcase

This is #4 overall on 73 nightly, but there are usually only 1-2 crashes being generated per build.

There are all sorts of lifecycle issues which arise from making DocShell
responsible for discarding BrowsingContexts. In this particular bug, we tend
to run into them in cases where we create a BrowsingContext for a FrameLoader,
and then never create a DocShell for it, leading to it never being destroyed.
But there are myriad other issues as well.

This patch moves the responsibility for BrowsingContext lifecycle management
to the FrameLoader/FrameLoaderOwner, rather than the DocShell, which makes
things more consistent, and more closely aligns with spec-defined behavior.

There are cases where the initial BrowsingContext that we create for a
FrameLoader will never have a DocShell created for it. In the particular case
when the frame it belongs to is part of an inactive document, trying to
eagerly attach the BrowsingContext ends up attaching it as an active child of
its parent BrowsingContext, when it should be either cached or detached. Which
causes no end of problems.

This patch delays attaching the BrowsingContext until the FrameLoader is
initialized, which solves most of these problems.

A friend just ran into this crash in the wild in a January 16 nightly, push date was ~9h ago. I can get a crashid if it's desired, but right now I'm too lazy to have him dictate it to me. :-)

Blocks: 1608827

QA says they hit this crash when testing Office365 and Reddit with Fission.

status-firefox74: disabledaffected

I just got this crash when I followed a link from gmail. The link opens a new tab and that tab crashes. I tried twice and it reproduces reliably.

Pushed by maglione.k@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/6fd57b83bb52
Part 1 - Make FrameLoader owner rather than DocShell responsible for discarding a BC. r=nika
https://hg.mozilla.org/integration/autoland/rev/cefac6461948
Part 2 - Don't attach a BrowsingContext before a FrameLoader is initialized. r=nika
https://hg.mozilla.org/integration/autoland/rev/aea4783f8b48
Part 3 - Correctly handle windowless BCs created for printing. r=nika
Pushed by btara@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1d190ee669ee
Update expectation for closed-attribute.window.html on fission a=test-only
Regressions: 1613775
No longer regressions: 1613775
Regressions: 1614259
Regressions: 1615508

This crash fix caused two known regressions in 74 beta, one a bigger crash on beta (bug 1614259), the other a functional regression (bug 1615508).
Kris, should we evaluate a backout of Bug 1582832 on the beta branch? Thanks

Flags: needinfo?(kmaglione+bmo)
Regressions: 1615584
Regressions: 1615480
No longer regressions: 1615480

(In reply to Pascal Chevrel:pascalc from comment #27)

This crash fix caused two known regressions in 74 beta, one a bigger crash on beta (bug 1614259), the other a functional regression (bug 1615508).
Kris, should we evaluate a backout of Bug 1582832 on the beta branch? Thanks

Yes, let's backout from beta. This should only really matter when Fission is enabled, and it can't be enabled on beta.

Flags: needinfo?(kmaglione+bmo)
See Also: → 1583254
See Also: → 1617038
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: