Closed Bug 1612894 Opened 2 months ago Closed 2 months ago

Assertion failure: !aParam->IsDiscarded() (Cannot send discarded BrowsingContext between processes!), at /builds/worker/workspace/build/src/docshell/base/BrowsingContext.cpp:1466

Categories

(Core :: DOM: Navigation, defect, P1, critical)

Tracking

RESOLVED FIXED
mozilla74
Tracking Status
firefox-esr68 --- unaffected
firefox72 --- unaffected
firefox73 --- unaffected
firefox74 --- fixed

People

(Reporter: jkratzer, Assigned: smaug)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression, testcase)

Attachments

(3 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev f4e3917a0fa1.

Assertion failure: !aParam->IsDiscarded() (Cannot send discarded BrowsingContext between processes!), at /builds/worker/workspace/build/src/docshell/base/BrowsingContext.cpp:1466

==27974==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7ff82811331f bp 0x7fff4323a750 sp 0x7fff4323a6a0 T0)
==27974==The signal is caused by a WRITE memory access.
==27974==Hint: address points to the zero page.
    #0 0x7ff82811331e in mozilla::ipc::IPDLParamTraits<mozilla::dom::BrowsingContext*>::Write(IPC::Message*, mozilla::ipc::IProtocol*, mozilla::dom::BrowsingContext*) /builds/worker/workspace/build/src/docshell/base/BrowsingContext.cpp:1464:5
    #1 0x7ff81e4b16e6 in mozilla::dom::PContentChild::SendCommitBrowsingContextTransaction(mozilla::dom::BrowsingContext*, mozilla::dom::syncedcontext::Transaction<mozilla::dom::BrowsingContext> const&, unsigned long const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:7276:5
    #2 0x7ff8280fa07a in SendCommitTransaction /builds/worker/workspace/build/src/docshell/base/BrowsingContext.cpp:1190:11
    #3 0x7ff8280fa07a in mozilla::dom::syncedcontext::Transaction<mozilla::dom::BrowsingContext>::Commit(mozilla::dom::BrowsingContext*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/SyncedContextInlines.h:37:13
    #4 0x7ff828197fc5 in void mozilla::dom::BrowsingContext::SetHistoryID<nsID&>(nsID&) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/BrowsingContext.h:128:3
    #5 0x7ff82810b589 in nsDocShell::InternalLoad(nsDocShellLoadState*, nsIDocShell**, nsIRequest**) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:9096:25
    #6 0x7ff828140a6c in nsDocShell::LoadHistoryEntry(nsISHEntry*, unsigned int) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:11340:8
    #7 0x7ff828167eaf in nsDocShell::Reload(unsigned int) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #8 0x7ff820eb7426 in mozilla::dom::Location::Reload(bool, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/Location.cpp:583:45
    #9 0x7ff82107ffdc in nsHistory::Go(int, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsHistory.cpp:149:22
    #10 0x7ff82295ba8c in mozilla::dom::History_Binding::go(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HistoryBinding.cpp:238:24
    #11 0x7ff8229aaa68 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3151:13
    #12 0x7ff828e19433 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:469:13
    #13 0x7ff828e19433 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:561:12
    #14 0x7ff828e1b22a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:624:10
    #15 0x7ff828dfffa5 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:628:10
    #16 0x7ff828dfffa5 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3036:16
    #17 0x7ff828de3af4 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:441:10
    #18 0x7ff828e19515 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:596:13
    #19 0x7ff828e1b22a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:624:10
    #20 0x7ff828e1b506 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:641:8
    #21 0x7ff828fb0d62 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2797:10
    #22 0x7ff8225c5330 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
    #23 0x7ff82306276b in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #24 0x7ff8230621a4 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1073:43
    #25 0x7ff823063806 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1271:17
    #26 0x7ff8230514ef in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:356:17
    #27 0x7ff82304fa41 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:558:16
    #28 0x7ff8230544fb in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1055:11
    #29 0x7ff825644d1e in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1143:7
    #30 0x7ff82817bcc7 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6094:20
    #31 0x7ff82817ae75 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:5877:7
    #32 0x7ff82817f8df in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #33 0x7ff81f867230 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1347:3
    #34 0x7ff81f8661bc in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:906:14
    #35 0x7ff81f862490 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:726:9
    #36 0x7ff81f864cc3 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:614:5
    #37 0x7ff81f865d4c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
    #38 0x7ff81d125f17 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:604:22
    #39 0x7ff81d129127 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:511:10
    #40 0x7ff820dd9aff in mozilla::dom::Document::DoUnblockOnload() /builds/worker/workspace/build/src/dom/base/Document.cpp:10707:18
    #41 0x7ff820d8f8cc in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/Document.cpp:10639:9
    #42 0x7ff820db4bcc in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:7312:3
    #43 0x7ff820e7ff64 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1163:12
    #44 0x7ff820e7ff64 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1169:12
    #45 0x7ff820e7ff64 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1215:13
    #46 0x7ff81ce688b3 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:282:20
    #47 0x7ff81ce9d038 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1220:14
    #48 0x7ff81cea7e4c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #49 0x7ff81e0f5cbf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:87:21
    #50 0x7ff81dff0047 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #51 0x7ff81dff0047 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #52 0x7ff81dff0047 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #53 0x7ff8250a31a8 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #54 0x7ff828bb3e06 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:943:20
    #55 0x7ff81dff0047 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #56 0x7ff81dff0047 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #57 0x7ff81dff0047 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #58 0x7ff828bb34af in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:778:34
    #59 0x558e155f9401 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #60 0x558e155f9401 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:303:18
    #61 0x7ff83f8cab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/docshell/base/BrowsingContext.cpp:1464:5 in mozilla::ipc::IPDLParamTraits<mozilla::dom::BrowsingContext*>::Write(IPC::Message*, mozilla::ipc::IProtocol*, mozilla::dom::BrowsingContext*)
Flags: in-testsuite?

This is sort of an issue with session-history-in-parent, but more so this shows that synced field transaction usage is error-prone. One would need to check the state of the BrowsingContext always before using the fields.
Should Transaction::Commit perhaps check the state of the BrowsingContext?

Flags: needinfo?(afarre)
Priority: -- → P1

If we're trying to set a synced field on a bc, and that bc has been discarded should we:

  1. Quietly ignore the set
  2. Have every synced field setter return a result to indicate success

I'll have a look and see if we can say anything general.
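As an added illustration of the two options weighed above (this is hypothetical model code, not Gecko's Transaction or BrowsingContext), the sketch below has Commit check the discarded state before serializing, so the IPDL Write() invariant is never reached, and has the setter report the outcome to its caller:

```cpp
// Added illustration, not Gecko's code: a minimal model of a synced-field
// transaction that refuses to commit against a discarded BrowsingContext
// instead of reaching the serializer's "Cannot send discarded" assertion.
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical stand-in for mozilla::dom::BrowsingContext.
struct BrowsingContext {
  uint64_t id;
  bool discarded = false;
  bool IsDiscarded() const { return discarded; }
  void Discard() { discarded = true; }
};

// Constructed log of what the model "sent" over IPC.
struct SentMessage { uint64_t contextId; std::string field; int value; };
inline std::vector<SentMessage> gSent;

// Stand-in for IPDLParamTraits<BrowsingContext*>::Write: the invariant it
// enforces is that a discarded context is never serialized.
inline void WriteBrowsingContext(const BrowsingContext* aParam) {
  if (aParam->IsDiscarded()) {
    throw std::logic_error("Cannot send discarded BrowsingContext between processes!");
  }
}

enum class CommitResult { Sent, Discarded };

// Hypothetical Transaction<BrowsingContext>: Commit validates the context
// before serializing it and reports the outcome (option 2 above).
struct Transaction {
  std::string field;
  int value;
  CommitResult Commit(BrowsingContext* aContext) {
    if (aContext->IsDiscarded()) {
      return CommitResult::Discarded;  // never reaches WriteBrowsingContext
    }
    WriteBrowsingContext(aContext);
    gSent.push_back({aContext->id, field, value});
    return CommitResult::Sent;
  }
};

// Setter that surfaces success to its caller instead of quietly ignoring it.
inline bool SetHistoryID(BrowsingContext* aContext, int aHistoryId) {
  Transaction txn{"HistoryID", aHistoryId};
  return txn.Commit(aContext) == CommitResult::Sent;
}
```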

Duplicate of this bug: 1613323

Looks like we have crashes in the wild too, bug 1613323

Attached file prefs-default-e10s.js

This brings back https://hg.mozilla.org/mozilla-central/rev/641b9a29f6ee#l1.346 for now.
The patch is based on code auditing, since I haven't managed to reproduce the crash.

To sort out what behavior is wanted eventually, see https://bugzilla.mozilla.org/show_bug.cgi?id=1613431

Assignee: nobody → bugs
Status: NEW → ASSIGNED
Pushed by opettay@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1188d4a56335
bring back the IsDiscarded check, r=farre
Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla74

Is the attached testcase something we could land in-tree?

Flags: needinfo?(afarre) → needinfo?(bugs)

This is hard to reproduce, which is an issue. So the testcase itself might run most of the time without catching the issue.

Crash Signature: [@ mozilla::dom::PContentChild::SendCommitBrowsingContextTransaction]

It doesn't seem that the fix had an effect on crashes, we actually have more crashes on Nightly than last week, should we reopen the bug or file another one?

See Also: → 1615403
See Also: → 1615480

(In reply to Pascal Chevrel:pascalc from comment #12)
> It doesn't seem that the fix had an effect on crashes, we actually have more crashes on Nightly than last week, should we reopen the bug or file another one?

I filed bug 1615480 for the residual crashes. The assertion is different. Kris said it is a different issue.