Closed
Bug 1619857
Opened 4 years ago
Closed 4 years ago
Crash in [@ mozilla::dom::BrowserChild::GetTopLevelViewportVisibleRectInSelfCoords]
Categories
(Core :: DOM: Core & HTML, defect, P2)
Tracking
()
RESOLVED
FIXED
mozilla75
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox73 | --- | unaffected |
| firefox74 | --- | unaffected |
| firefox75 | --- | fixed |
People
(Reporter: gsvelto, Assigned: hiro)
References
(Regression)
Details
(Keywords: crash, regression)
Crash Data
Attachments
(1 file)
This bug is for crash report bp-570fedc4-8c69-4600-b7b0-d3a8b0200214.
Top 10 frames of crashing thread:
0 XUL mozilla::dom::BrowserChild::GetTopLevelViewportVisibleRectInSelfCoords const dom/ipc/BrowserChild.cpp:3399
1 XUL mozilla::dom::DOMIntersectionObserver::Update dom/base/DOMIntersectionObserver.cpp:425
2 XUL mozilla::dom::Document::UpdateIntersectionObservations dom/base/Document.cpp:14639
3 XUL nsRefreshDriver::UpdateIntersectionObservations layout/base/nsRefreshDriver.cpp:1645
4 XUL nsRefreshDriver::Tick layout/base/nsRefreshDriver.cpp:2093
5 XUL mozilla::RefreshDriverTimer::TickRefreshDrivers layout/base/nsRefreshDriver.cpp:374
6 XUL mozilla::RefreshDriverTimer::Tick layout/base/nsRefreshDriver.cpp:368
7 XUL mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver layout/base/nsRefreshDriver.cpp:740
8 XUL mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync layout/base/nsRefreshDriver.cpp:635
9 XUL mozilla::layout::VsyncChild::RecvNotify layout/ipc/VsyncChild.cpp:64
This is a NULL-pointer dereference of the BrowserChild. Since this is happening on a refresh driver tick I wonder if this might be because of a stale object. The oldest build id for this crash is 20200213214257.
|
||
Comment 1•4 years ago
|
||
Hiro, could you, please, take a look?
|
||
Updated•4 years ago
|
Has Regression Range: --- → yes
|
Assignee | |
Updated•4 years ago
|
Assignee: nobody → hikezoe.birchill
Status: NEW → ASSIGNED
Flags: needinfo?(hikezoe.birchill)
|
|
Assignee | |
Comment 2•4 years ago
|
||
I gave up writing crash tests for this since it's quite hard to destroy
an OOP iframe during processing IntersectionObserver's update step in the
OOP process.
Pushed by hikezoe.birchill@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/1c5275a57680 Early return from GetOopIframeMetrics in cases where either the presshell or the docshell is being destroyed. r=emilio
|
||
Comment 4•4 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox75:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla75
|
||
Updated•4 years ago
|
status-firefox73:
--- → unaffected
status-firefox74:
--- → unaffected
status-firefox-esr68:
--- → unaffected
|
||
Updated•4 years ago
|
Keywords: regression
|
||
Comment 5•4 years ago
|
||
Hi there Hiroyuki, is there something that QA could verify here? If so, could you please provide some STR? Thanks!
Flags: needinfo?(hikezoe.birchill)
|
|
Assignee | |
Comment 6•4 years ago
|
||
No, it's a race condition, I don't think there is STR to reproduce this issue.
Flags: needinfo?(hikezoe.birchill)
You need to log in
before you can comment on or make changes to this bug.
Description
•