Closed Bug 1611767 Opened 9 months ago Closed 9 months ago

Crash in [@ nsGlobalWindowOuter::TabGroupOuter]


(Core :: DOM: Core & HTML, defect, P2)




Tracking Status
firefox-esr68 --- wontfix
firefox72 --- wontfix
firefox73 --- wontfix
firefox74 --- fixed


(Reporter: gsvelto, Assigned: mccr8)


(Keywords: crash)

Crash Data


(1 file)

This bug is for crash report bp-b37c1045-835a-4985-9732-ed7d60200126.

Top 10 frames of crashing thread:

0 xul.dll nsGlobalWindowOuter::TabGroupOuter dom/base/nsGlobalWindowOuter.cpp:7536
1 xul.dll nsGlobalWindowInner::TabGroupInner dom/base/nsGlobalWindowInner.cpp:7064
2 xul.dll nsWindowMemoryReporter::CheckForGhostWindows dom/base/nsWindowMemoryReporter.cpp:850
3 xul.dll nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:562
4 xul.dll nsTimerEvent::Run xpcom/threads/TimerThread.cpp:259
5 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1220
6 xul.dll NS_ProcessNextEvent xpcom/threads/nsThreadUtils.cpp:486
7 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:87
8 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/
9 xul.dll MessageLoop::Run ipc/chromium/src/base/

This looks like an old crash (we've got reports going back to version 60) that happens when calling nsWindowMemoryReporter::CheckForGhostWindows(). The stacks are consistent across all versions.

We seem to be getting a NULL pointer dereference here.

Component: DMD → DOM: Core & HTML

We're trying to decide if a window is a ghost window. To do that, we get its tab group, to see if it is in the same tab group as a window we know is being displayed or whatever. However, this window doesn't have a tab group, so we look at its outer window to get the outer window's tab group.

Then we crash on this line: if (GetDocShell()->ItemType() == nsIDocShellTreeItem::typeChrome) {

Presumably GetDocShell() is null.

The basic issue here is that the ghost window detector is going to be called on windows in all sorts of weird states. Returning null from nsGlobalWindowOuter::TabGroupOuter() would presumably violate the invariant that this method never returns null, but for this particular consumer it seems okay to do. TabGroups are on the way out (bug 1561715), but maybe we could still fix this in the meanwhile. Maybe some kind of MaybeTabGroupOuter() method that does null checks would be okay.

Interesting find, Gabriele!

mccr8: Could you keep handling this? or could you assign somebody who can fix this soon?

Flags: needinfo?(continuation)
Priority: -- → P2

(In reply to Masayuki Nakano [:masayuki] (he/him)(JST, +0900) from comment #3)

mccr8: Could you keep handling this? or could you assign somebody who can fix this soon?

Sure, I can try to figure something out.

Assignee: nobody → continuation
Flags: needinfo?(continuation)

The ghost window checker examines windows in all sorts of weird states,
apparently including when the docshell on the outer is null. Add some
fallible variants of the tab group methods on inner and outer windows
so it can call one of those instead.

Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla74
You need to log in before you can comment on or make changes to this bug.