Closed Bug 1654935 Opened 4 years ago Closed 4 years ago

Crash in [@ mozilla::dom::WindowGlobalChild::Create] during print preview

Categories

(Core :: DOM: Content Processes, defect)

Tracking

RESOLVED FIXED
81 Branch
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- disabled
firefox79 --- disabled
firefox80 --- disabled
firefox81 --- fixed

People

(Reporter: mccr8, Assigned: tt)

Details

(Keywords: crash)

Attachments

(1 file)

This bug is for crash report bp-f55375a0-2ae5-412d-9d97-e843b0200715.

Top 10 frames of crashing thread:

0 XUL mozilla::dom::WindowGlobalChild::Create dom/ipc/WindowGlobalChild.cpp:92
1 XUL nsGlobalWindowInner::InitDocumentDependentState dom/base/nsGlobalWindowInner.cpp:1578
2 XUL nsGlobalWindowOuter::SetNewDocument dom/base/nsGlobalWindowOuter.cpp:2383
3 XUL nsDocumentViewer::SetDocumentInternal layout/base/nsDocumentViewer.cpp:1880
4 XUL nsPrintObject::InitAsRootObject layout/printing/nsPrintObject.cpp:205
5 XUL nsPrintJob::DoCommonPrint layout/printing/nsPrintJob.cpp:675
6 XUL nsPrintJob::CommonPrint layout/printing/nsPrintJob.cpp:595
7 XUL nsPrintJob::PrintPreview layout/printing/nsPrintJob.cpp:999
8 XUL nsDocumentViewer::PrintPreview layout/base/nsDocumentViewer.cpp:3233
9 XUL NS_InvokeByIndex 

There's a release assert: policy == aWindow->GetBrowsingContext()->GetOpenerPolicy()).

Not a ton of them, but it looks like it has been happening for a while. The ones I looked at all were happening during print preview.

Summary: Crash in [@ mozilla::dom::WindowGlobalChild::Create] → Crash in [@ mozilla::dom::WindowGlobalChild::Create] during print preview

Nika, it looks like you added this assertion, so you might be interested in these crashes. I don't know if this is a dupe of an existing issue, but I didn't see any other crash signatures for this release assert.

Flags: needinfo?(nika)

This seems to be a crash caused by trying to print-preview a document with the Cross-Origin-Opener-Policy set.
Nika's analysis:
It should hopefully only require copying over the COOP header from aDoc->GetBrowsingContext() to mDocShell->GetBrowsingContext() here: https://searchfox.org/mozilla-central/rev/c6676771df58c6e0098574bc6b11517acbf264cf/layout/printing/nsPrintObject.cpp#198
Tom, can you fix this please?

Flags: needinfo?(nika) → needinfo?(ttung)

There are some reports with:

...
6 nsPrintJob::CommonPrint(bool, nsIPrintSettings*, nsIWebProgressListener*, mozilla::dom::Document*)
7 nsPrintJob::Print(mozilla::dom::Document*, nsIPrintSettings*, nsIWebProgressListener*)
...

(https://crash-stats.mozilla.org/report/index/c7d7fcea-1ea5-489f-86e0-b555c0200723#tab-details)

So, it seems that we miss the cases for nsPrintObject in general.

The assertion is used to ensure that the new inner window's COOP header is the same as the document's. Applied to PrintObject, this means the viewer has a different BrowsingContext/OpenerPolicy from mDocument.

Therefore, I think :nika's analysis is right. Copying over the COOP header from aDoc->GetBrowsingContext() to mDocShell->GetBrowsingContext() should be able to fix the issue here.

A question here is should we only do this to PrintObject or all

Other notes:
In general, the COOP header is set in Document::StartDocumentLoad if

  1. It's a top-level content document
  2. An HTTP channel can be got from the aChannel
  3. A Docshell can be got from aContainer (the document is loaded by a docshell)
  4. A BrowsingContext can be got from the docshell in (3). (Which is set while the DocShell is constructed)

Assignee: nobody → ttung
Status: NEW → ASSIGNED
Flags: needinfo?(ttung)

The COOP header is set to BrowsingContext only in Document::StartDocumentLoad.
If the replaced document has a different COOP header from the one in its docshell,
then we can crash while creating a window global child for a new inner window.

Pushed by ttung@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b5a3e838eaec
Copy over COOP header from new document to the docshell in nsPrintObject; r=nika

Backed out changeset b5a3e838eaec (bug 1654935) for nsPrintObject.cpp related bustage

Push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&group_state=expanded&fromchange=b5a3e838eaec55ecbf817f67f16270cee17e17a8&searchStr=build&tochange=e2337fd0fe7718a26d9ea0601fc4004a7b8ff586&selectedTaskRun=UQ67W-Y_SwmzB9e-_O7kHQ.0

Backout link: https://hg.mozilla.org/integration/autoland/rev/e2337fd0fe7718a26d9ea0601fc4004a7b8ff586

Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=312033214&repo=autoland&lineNumber=19942

[task 2020-08-04T19:17:09.051Z] 19:17:09     INFO -  make[4]: Entering directory '/builds/worker/workspace/obj-build/layout/printing'
[task 2020-08-04T19:17:09.054Z] 19:17:09     INFO -  /builds/worker/fetches/sccache/sccache /builds/worker/fetches/clang/bin/clang++ -std=gnu++17 -o Unified_cpp_layout_printing0.o -c  -I/builds/worker/workspace/obj-build/dist/stl_wrappers -I/builds/worker/workspace/obj-build/dist/system_wrappers -include /builds/worker/checkouts/gecko/config/gcc_hidden.h -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-strong -DNDEBUG=1 -DTRIMMED=1 -DOS_POSIX=1 -DOS_LINUX=1 -DMOZ_HAS_MOZGLUE -DMOZILLA_INTERNAL_API -DIMPL_LIBXUL -DSTATIC_EXPORTABLE_JS_API -I/builds/worker/checkouts/gecko/layout/printing -I/builds/worker/workspace/obj-build/layout/printing -I/builds/worker/workspace/obj-build/ipc/ipdl/_ipdlheaders -I/builds/worker/checkouts/gecko/ipc/chromium/src -I/builds/worker/checkouts/gecko/ipc/glue -I/builds/worker/checkouts/gecko/layout/base -I/builds/worker/checkouts/gecko/dom/base -I/builds/worker/checkouts/gecko/gfx/2d -I/builds/worker/checkouts/gecko/netwerk/base -I/builds/worker/workspace/obj-build/dist/include -I/builds/worker/workspace/obj-build/dist/include/nspr -I/builds/worker/workspace/obj-build/dist/include/nss -fPIC -DMOZILLA_CLIENT -include /builds/worker/workspace/obj-build/mozilla-config.h -Qunused-arguments -Qunused-arguments -Wall -Wbitfield-enum-conversion -Wempty-body -Wignored-qualifiers -Woverloaded-virtual -Wpointer-arith -Wshadow-field-in-constructor-modified -Wsign-compare -Wtype-limits -Wunreachable-code -Wunreachable-code-return -Wwrite-strings -Wno-invalid-offsetof -Wclass-varargs -Wempty-init-stmt -Wfloat-overflow-conversion -Wfloat-zero-conversion -Wloop-analysis -Wc++2a-compat -Wcomma -Wimplicit-fallthrough -Wunused-function -Wunused-variable -Werror=non-literal-null-conversion -Wstring-conversion -Wtautological-overlap-compare -Wtautological-unsigned-enum-zero-compare -Wtautological-unsigned-zero-compare -Wno-error=tautological-type-limit-compare -Wno-inline-new-delete -Wno-error=deprecated-declarations -Wno-error=array-bounds 
-Wno-error=backend-plugin -Wno-error=return-std-move -Wno-error=atomic-alignment -Wformat -Wformat-security -Wno-gnu-zero-variadic-macro-arguments -Werror=implicit-function-declaration -Wno-unknown-warning-option -D_GLIBCXX_USE_CXX11_ABI=0 -fno-sized-deallocation -fno-aligned-new -fcrash-diagnostics-dir=/builds/worker/artifacts -fno-exceptions -fno-strict-aliasing -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -fno-math-errno -pthread -pipe -g -Xclang -load -Xclang /builds/worker/workspace/obj-build/build/clang-plugin/libclang-plugin.so -Xclang -add-plugin -Xclang moz-check -O2 -fno-omit-frame-pointer -funwind-tables -Werror -fexperimental-new-pass-manager  -MD -MP -MF .deps/Unified_cpp_layout_printing0.o.pp   Unified_cpp_layout_printing0.cpp
[task 2020-08-04T19:17:09.055Z] 19:17:09     INFO -  In file included from Unified_cpp_layout_printing0.cpp:74:
[task 2020-08-04T19:17:09.055Z] 19:17:09    ERROR -  /builds/worker/checkouts/gecko/layout/printing/nsPrintObject.cpp:220:5: error: ignoring return value of function declared with 'warn_unused_result' attribute [-Werror,-Wunused-result]
[task 2020-08-04T19:17:09.055Z] 19:17:09     INFO -      targetBC->SetOpenerPolicy(sourceBC->Top()->GetOpenerPolicy());
[task 2020-08-04T19:17:09.055Z] 19:17:09     INFO -      ^~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[task 2020-08-04T19:17:09.055Z] 19:17:09     INFO -  1 error generated.
[task 2020-08-04T19:17:09.055Z] 19:17:09     INFO -  /builds/worker/checkouts/gecko/config/rules.mk:746: recipe for target 'Unified_cpp_layout_printing0.o' failed
[task 2020-08-04T19:17:09.056Z] 19:17:09    ERROR -  make[4]: *** [Unified_cpp_layout_printing0.o] Error 1
[task 2020-08-04T19:17:09.056Z] 19:17:09     INFO -  make[4]: Leaving directory '/builds/worker/workspace/obj-build/layout/printing'
[task 2020-08-04T19:17:09.056Z] 19:17:09     INFO -  /builds/worker/checkouts/gecko/config/recurse.mk:72: recipe for target 'layout/printing/target-objects' failed
[task 2020-08-04T19:17:09.057Z] 19:17:09    ERROR -  make[3]: *** [layout/printing/target-objects] Error 2
[task 2020-08-04T19:17:09.057Z] 19:17:09     INFO -  make[3]: *** Waiting for unfinished jobs....
Flags: needinfo?(ttung)

Looks like it's because it is required to handle the result after https://bugzilla.mozilla.org/show_bug.cgi?id=1613431. I will take a closer look tomorrow. Sorry for the backout!
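
The invariant discussed in this bug, as an added example that is not Gecko code and not part of the original thread: a document loaded under one opener policy is attached to a fresh browsing context that still has the default policy, so the equality check fails unless the policy is copied from the source's top-level context and the setter's result is checked. The types, the `discarded` failure mode, `InvariantHolds` and `InitPrintObject` are simplified stand-ins assumed for illustration.

```cpp
// Added illustration: simplified stand-ins, not Gecko's classes.
#include <cstdio>

enum class OpenerPolicy { UnsafeNone, SameOrigin };

struct BrowsingContext {
  BrowsingContext* parent = nullptr;
  OpenerPolicy policy = OpenerPolicy::UnsafeNone;
  bool discarded = false;  // assumed failure mode for the setter
  BrowsingContext* Top() {
    return parent ? parent->Top() : this;
  }
  OpenerPolicy GetOpenerPolicy() const { return policy; }
  // The setter can fail, so callers must check the result.
  [[nodiscard]] bool SetOpenerPolicy(OpenerPolicy p) {
    if (discarded) return false;
    policy = p;
    return true;
  }
};

struct Document {
  OpenerPolicy coop;    // policy the document was loaded with
  BrowsingContext* bc;  // context the document was loaded in
};

// Stand-in for the release assert: the document's policy must equal the
// policy of the context in which its new inner window is created.
bool InvariantHolds(const Document& doc, const BrowsingContext& target) {
  return doc.coop == target.GetOpenerPolicy();
}

// Stand-in for a print object attaching a document to a fresh docshell.
// copyPolicy=false models the behaviour before the fix.
bool InitPrintObject(const Document& doc, BrowsingContext& target, bool copyPolicy) {
  if (copyPolicy && !target.SetOpenerPolicy(doc.bc->Top()->GetOpenerPolicy())) {
    return false;  // could not propagate the policy: do not create the window
  }
  return InvariantHolds(doc, target);
}

int main() {
  BrowsingContext top;
  top.policy = OpenerPolicy::SameOrigin;
  Document doc{OpenerPolicy::SameOrigin, &top};
  BrowsingContext before, after;
  std::printf("before fix: %d, after fix: %d\n",
              InitPrintObject(doc, before, false), InitPrintObject(doc, after, true));
}
```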

Pushed by ttung@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/bf8fcf30ffed
Copy over COOP header from new document to the docshell in nsPrintObject; r=nika
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 81 Branch