Closed Bug 1601525 Opened 4 years ago Closed 4 years ago

Assertion failure: !aParam->IsDiscarded() (Cannot send discarded BrowsingContext between processes!), at src/docshell/base/BrowsingContext.cpp:1416

Categories

(Core :: DOM: Navigation, defect)

Product:
Core
Component:
DOM: Navigation
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1600684
Tracking Flags:
Tracking Status
firefox72 --- fixed
firefox73 --- fixed

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, crash)

Attachments

(1 file)

log_stderr.txt
56.41 KB, text/plain
Details
Attached file log_stderr.txt

One of the fuzzers have been hitting this fairly often for the last few weeks but I am unable to get a test case that reliably reproduces the issue.

It was first seen with m-c 20191113-35436d4e7917.
This report is from m-c 20191204-13fb375eaf14.

Assertion failure: !aParam->IsDiscarded() (Cannot send discarded BrowsingContext between processes!), at src/docshell/base/BrowsingContext.cpp:1416

==10544==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f7e2d7bd12f bp 0x7ffd4351eab0 sp 0x7ffd4351ea00 T0)
==10544==The signal is caused by a WRITE memory access.
==10544==Hint: address points to the zero page.
    #0 0x7f7e2d7bd12e in mozilla::ipc::IPDLParamTraits<mozilla::dom::BrowsingContext*>::Write(IPC::Message*, mozilla::ipc::IProtocol*, mozilla::dom::BrowsingContext*) /src/docshell/base/BrowsingContext.cpp:1414:5
    #1 0x7f7e22a2d8dc in mozilla::dom::PContentChild::SendWindowClose(mozilla::dom::BrowsingContext*, bool const&) /src/obj-firefox/ipc/ipdl/PContentChild.cpp:7457:5
    #2 0x7f7e2d7b5c66 in mozilla::dom::BrowsingContext::Close(mozilla::dom::CallerType, mozilla::ErrorResult&) /src/docshell/base/BrowsingContext.cpp:978:9
    #3 0x7f7e2d7d10c6 in MaybeCloseWindowHelper::Notify(nsITimer*) /src/docshell/base/nsDSURIContentListener.cpp:67:15
    #4 0x7f7e2144d5eb in nsTimerImpl::Fire(int) /src/xpcom/threads/nsTimerImpl.cpp:564:39
    #5 0x7f7e2144cd79 in nsTimerEvent::Run() /src/xpcom/threads/TimerThread.cpp:260:11
    #6 0x7f7e2145f6fa in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1250:14
    #7 0x7f7e21466ba1 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
    #8 0x7f7e226a867f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:88:21
    #9 0x7f7e225b0692 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
    #10 0x7f7e225b0692 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308:3
    #11 0x7f7e225b0692 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290:3
    #12 0x7f7e2a30dc68 in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:137:27
    #13 0x7f7e2e3d43b6 in XRE_RunAppShell() /src/toolkit/xre/nsEmbedFunctions.cpp:932:20
    #14 0x7f7e225b0692 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
    #15 0x7f7e225b0692 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308:3
    #16 0x7f7e225b0692 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290:3
    #17 0x7f7e2e3d3c3f in XRE_InitChildProcess(int, char**, XREChildData const*) /src/toolkit/xre/nsEmbedFunctions.cpp:767:34
    #18 0x564baa61e5cc in content_process_main /src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #19 0x564baa61e5cc in main /src/browser/app/nsBrowserApp.cpp:272:18

This looks like bug 1600684, which was logged based on a crash I got in the wild. I was going to try to write something that does the obvious thing of trying to close an already closed cross-process iframe window, but maybe it isn't that simple, if the fuzzers haven't come up with anything.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: