Crash in [@ mozilla::dom::Location::CallerSubsumes]
Categories
(Core :: DOM: Navigation, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox72 | --- | unaffected |
| firefox73 | --- | unaffected |
| firefox74 | --- | disabled |
| firefox75 | blocking | fixed |
| firefox76 | + | fixed |
People
(Reporter: jcristau, Assigned: kmag)
References
(Regression)
Details
(Keywords: crash, regression, Whiteboard: [fenix])
Crash Data
Attachments
(2 files)
|
47 bytes,
text/x-phabricator-request
|
jcristau
:
approval-mozilla-beta-
|
Details | Review |
|
47 bytes,
text/x-phabricator-request
|
jcristau
:
approval-mozilla-beta+
|
Details | Review |
Crashes in nightly on all platforms starting with buildid 20200207035551, on MOZ_DIAGNOSTIC_ASSERT(outer).
This bug is for crash report bp-c5da9903-1745-43d8-b0fd-02c6c0200210.
Top 10 frames of crashing thread:
0 xul.dll mozilla::dom::Location::CallerSubsumes dom/base/Location.cpp:622
1 xul.dll mozilla::dom::Location::GetProtocol dom/base/Location.cpp:414
2 xul.dll mozilla::dom::Location_Binding::get_protocol dom/bindings/LocationBinding.cpp:236
3 xul.dll mozilla::dom::binding_detail::GenericGetter<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions> dom/bindings/BindingUtils.cpp:3052
4 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:562
5 xul.dll js::CallGetter js/src/vm/Interpreter.cpp:766
6 xul.dll js::NativeGetProperty js/src/vm/NativeObject.cpp:2631
7 xul.dll JS_ForwardGetPropertyTo js/src/jsapi.cpp:2501
8 xul.dll mozilla::dom::Location_Binding::DOMProxyHandler::get const dom/bindings/LocationBinding.cpp:1556
9 xul.dll static js::Proxy::get js/src/proxy/Proxy.cpp:341
|
||
Comment 1•5 years ago
|
||
The crash started in build 20200207035551 with pushlog:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b372743705c9&tochange=7dcafc398876
So it could be related to patches for bug 1582832.
:kmag, could you investigate please ?
|
||
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
Reporter | |
Comment 2•5 years ago
|
||
Neha/Chris, we should get this fixed or backed out soon.
|
Assignee | |
Updated•5 years ago
|
|
|
Assignee | |
Comment 3•5 years ago
|
||
After bug 1582832, DocShell destruction and BrowsingContext detaching happen
in separate operations, leaving a gap where a DocShell has been destroyed, but
its BrowsingContext is still considered attached. During this gap, the usual
invariant that an in-process, attached BrowsingContext always has an
associated DOM window doesn't hold, nor do the usual invariants for outer
window forwarding security checks.
This patch fixes the detach timing so that a child BrowsingContext for a frame
which has been removed is always marked detached at the same time its DocShell
is destroyed.
|
||
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
|
||
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
||
Comment 4•5 years ago
|
||
since it's a MOZ_DIAGNOSTIC_ASSERT it shouldn't affect beta and release users.
|
||
Comment 5•5 years ago
|
||
Thanks Philipp! Also note that the changes that caused this in bug 1582832 have been backed out from beta.
|
||
Updated•5 years ago
|
|
|
Reporter | |
Comment 7•5 years ago
|
||
Do we need to back bug 1582832 out of beta (again) and trunk at this point?
|
|
||
Comment 8•5 years ago
|
||
(In reply to Julien Cristau [:jcristau] from comment #7)
Do we need to back bug 1582832 out of beta (again) and trunk at this point?
I'm not sure but I've started an email thread with kmag and Nika and will keep you posted (or they will) here.
|
|
||
Comment 9•5 years ago
|
||
(In reply to Andrew Overholt [:overholt] from comment #8)
(In reply to Julien Cristau [:jcristau] from comment #7)
Do we need to back bug 1582832 out of beta (again) and trunk at this point?
I'm not sure but I've started an email thread with kmag and Nika and will keep you posted (or they will) here.
kmag says he will have an unliftable fix soon. Also, the MOZ_DIAGNOSTIC_ASSERT crash should not affect Beta users (because MOZ_DIAGNOSTIC_ASSERTs are enabled in Nightly and DevEdition, but not Beta).
|
|
||
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
|
Reporter | |
Comment 11•5 years ago
|
||
(In reply to Chris Peterson [:cpeterson] from comment #9)
kmag says he will have an unliftable fix soon. Also, the MOZ_DIAGNOSTIC_ASSERT crash should not affect Beta users (because MOZ_DIAGNOSTIC_ASSERTs are enabled in Nightly and DevEdition, but not Beta).
Can we at least change the assert to debug-only? Only crashing nightly and devedition is no excuse to leave a top crasher unaddressed for several weeks IMO.
|
||
Comment 12•5 years ago
|
||
|
|
||
Comment 13•5 years ago
|
||
(In reply to Pulsebot from comment #12)
Pushed by nlayzell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c49115748677
Ensure BrowisngContexts are detached when nsDocShell is destroyed, r=farre
Nika, should we uplift your nsDocShell fix to 75 Beta? MOZ_DIAGNOSTIC_ASSERTs don't abort in Beta builds, but they do abort in DevEdition builds.
|
||
Comment 14•5 years ago
|
||
Comment on attachment 9126505 [details]
Bug 1614259 - Ensure BrowisngContexts are detached when nsDocShell is destroyed,
Beta/Release Uplift Approval Request
- User impact if declined: DevEdition-only top-crasher
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Medium
- Why is the change risky/not risky? (and alternatives if risky): This change impacts important parts of the BrowsingContext lifecycle, and could potentially cause regressions due to these changes. This patch has not been thoroughly tested on Nightly.
An alternative to performing the uplift would be to relax the MOZ_DIAGNOSTIC_ASSERT on the beta branch to a MOZ_ASSERT, which would reduce the crash rate without fixing the underlying issue.
- String changes made/needed:
|
|
||
Updated•5 years ago
|
|
||
Comment 15•5 years ago
|
||
| bugherder | ||
|
|
Reporter | |
Comment 16•5 years ago
|
||
What's the effect of this bug on a release or beta build, so without the crash? From the alternative you suggest (of making it a MOZ_ASSERT), I'm guessing it's not a huge deal?
|
|
||
Comment 17•5 years ago
|
||
The particular crash is one which would be safe to relax the assertion on, but there may be other, smaller, bugs which are caused by the same underlying issue which could crop-up.
|
|
Reporter | |
Comment 18•5 years ago
|
||
Thanks. I'd opt to relax the assert then, so DevEdition users don't keep crashing for 2 more weeks until 76.0b1.
|
|
Reporter | |
Comment 19•5 years ago
|
||
|
|
Reporter | |
Comment 20•5 years ago
|
||
Comment on attachment 9126505 [details]
Bug 1614259 - Ensure BrowisngContexts are detached when nsDocShell is destroyed,
let's go with the other patch for 75.
|
|
Reporter | |
Updated•5 years ago
|
|
|
Reporter | |
Comment 21•5 years ago
|
||
| bugherder uplift | ||
|
||
Comment 23•5 years ago
|
||
Please specify a root cause for this bug. See :tmaity for more information.
|
|
Assignee | |
Updated•4 years ago
|
Description
•