Closed Bug 1611767 Opened 6 years ago Closed 6 years ago

Crash in [@ nsGlobalWindowOuter::TabGroupOuter]

Categories

(Core :: DOM: Core & HTML, defect, P2)

Product:
Core
Component:
DOM: Core & HTML
Platform:
Unspecified
All
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla74
Tracking Flags:
Tracking Status
firefox-esr68 --- wontfix
firefox72 --- wontfix
firefox73 --- wontfix
firefox74 --- fixed

People

(Reporter: gsvelto, Assigned: mccr8)

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

Bug 1611767 - Add MaybeTabGroup methods.
47 bytes, text/x-phabricator-request
Details | Review

This bug is for crash report bp-b37c1045-835a-4985-9732-ed7d60200126.

Top 10 frames of crashing thread:

0 xul.dll nsGlobalWindowOuter::TabGroupOuter dom/base/nsGlobalWindowOuter.cpp:7536
1 xul.dll nsGlobalWindowInner::TabGroupInner dom/base/nsGlobalWindowInner.cpp:7064
2 xul.dll nsWindowMemoryReporter::CheckForGhostWindows dom/base/nsWindowMemoryReporter.cpp:850
3 xul.dll nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:562
4 xul.dll nsTimerEvent::Run xpcom/threads/TimerThread.cpp:259
5 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1220
6 xul.dll NS_ProcessNextEvent xpcom/threads/nsThreadUtils.cpp:486
7 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:87
8 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:308
9 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:290

This looks like an old crash (we've got reports going back to version 60) that happens when calling nsWindowMemoryReporter::CheckForGhostWindows(). The stacks are consistent across all versions.

We seem to be getting a NULL pointer dereference here.

Component: DMD → DOM: Core & HTML

We're trying to decide if a window is a ghost window. To do that, we get its tab group, to see if it is in the same tab group as a window we know is being displayed or whatever. However, this window doesn't have a tab group, so we look at its outer window to get the outer window's tab group.

Then we crash on this line: if (GetDocShell()->ItemType() == nsIDocShellTreeItem::typeChrome) {

Presumably GetDocShell() is null.

The basic issue here is that the ghost window detector is going to be called on windows in all sorts of weird states. Returning null from nsGlobalWindowOuter::TabGroupOuter() would presumably violate the invariant that this method never returns null, but for this particular consumer it seems okay to do. TabGroups are on the way out (bug 1561715), but maybe we could still fix this in the meanwhile. Maybe some kind of MaybeTabGroupOuter() method that does null checks would be okay.

Interesting find, Gabriele!

mccr8: Could you keep handling this? or could you assign somebody who can fix this soon?

Flags: needinfo?(continuation)
Priority: -- → P2

(In reply to Masayuki Nakano [:masayuki] (he/him)(JST, +0900) from comment #3)

mccr8: Could you keep handling this? or could you assign somebody who can fix this soon?

Sure, I can try to figure something out.

Assignee: nobody → continuation
Flags: needinfo?(continuation)

The ghost window checker examines windows in all sorts of weird states,
apparently including when the docshell on the outer is null. Add some
fallible variants of the tab group methods on inner and outer windows
so it can call one of those instead.

https://hg.mozilla.org/mozilla-central/rev/db5a39781cc9

Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox74: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla74
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: