Crash in [@ mozilla::dom::BrowsingContext::Get]
Categories
(Core :: DOM: Navigation, defect, P2)
Tracking
()
Fission Milestone | M5 |
People
(Reporter: gsvelto, Unassigned)
References
Details
(Keywords: crash, regression)
Crash Data
This bug is for crash report bp-4b925c1d-61bd-49c8-9490-f7b240191020.
Top 10 frames of crashing thread:
0 xul.dll mozilla::dom::BrowsingContext::Get docshell/base/BrowsingContext.cpp:89
1 xul.dll mozilla::dom::BrowsingContext::GetOpener docshell/base/BrowsingContext.h:225
2 xul.dll nsGlobalWindowOuter::TabGroupOuter dom/base/nsGlobalWindowOuter.cpp:7714
3 xul.dll nsGlobalWindowOuter::TabGroupOuter dom/base/nsGlobalWindowOuter.cpp
4 xul.dll nsGlobalWindowOuter::TabGroupOuter dom/base/nsGlobalWindowOuter.cpp
5 xul.dll nsGlobalWindowOuter::TabGroupOuter dom/base/nsGlobalWindowOuter.cpp
6 xul.dll nsGlobalWindowOuter::TabGroupOuter dom/base/nsGlobalWindowOuter.cpp
7 xul.dll nsGlobalWindowOuter::TabGroupOuter dom/base/nsGlobalWindowOuter.cpp
8 xul.dll nsGlobalWindowOuter::TabGroupOuter dom/base/nsGlobalWindowOuter.cpp
9 xul.dll nsGlobalWindowOuter::TabGroupOuter dom/base/nsGlobalWindowOuter.cpp
This is a stack overflow caused by excessive (infinite?) recursion in nsGlobalWindowOuter::TabGroupOuter()
. This could be a regression as it happens only on nightly and the oldest build for which I could find a crash is 20190916155843.
A quick glance at the crashes shows that most of them have a few addons installed.
Comment 1•5 years ago
|
||
Bugbug thinks this bug is a regression, but please revert this change in case of error.
Updated•5 years ago
|
Comment 3•5 years ago
|
||
Interesting. I'm guessing that the window window.open
-ed itself, meaning it's opener is set to itself, and then changed process. The TabGroup
code doesn't handle process switches well, and so bugs out when in this state.
This should be fixed by removing the mechanism entirely in bug 1561715, though may also be possible to work around if that isn't going to be happening super soon.
Comment 5•5 years ago
|
||
Bug 1592403 has some STR for this infinite recursion.
Comment 6•5 years ago
•
|
||
Updated•5 years ago
|
Comment 7•5 years ago
|
||
Because of removal of TabGroup possibly fixing this, perhaps farre you could retest this stuff (using Bug 1592403) after TabGroups are gone.
Comment 8•5 years ago
|
||
Tentatively moving all bugs whose summaries mention "Fission" (or other Fission-related keywords) but are not assigned to a Fission Milestone to the "?" triage milestone.
This will generate a lot of bugmail, so you can filter your bugmail for the following UUID and delete them en masse:
0ee3c76a-bc79-4eb2-8d12-05dc0b68e732
Updated•5 years ago
|
Comment 9•5 years ago
|
||
Andreas confirmed that this depends on TabGroup removal.
Updated•5 years ago
|
Description
•