Closed Bug 1656854 Opened 4 years ago Closed 4 years ago

Crash in [@ IPCError-browser | RecvCreateBrowsingContext Parent has different group object]

Categories

(Core :: DOM: Navigation, defect, P2)

Product:
Core
Component:
DOM: Navigation
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
81 Branch
Project Flags:
Fission Milestone M6b
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- unaffected
firefox79 --- unaffected
firefox80 --- unaffected
firefox81 --- fixed

People

(Reporter: gsvelto, Assigned: nika)

References

Details

(Keywords: crash)

Crash Data

Attachments

(3 files)

Main process full stack trace
379.05 KB, text/plain
Details
Bug 1656854 - Part 1: Block subframe creation in discarded BCs,
47 bytes, text/x-phabricator-request
Details | Review
Bug 1656854 - Part 2: Add a BrowsingContextGroup keepalive to BrowserParent shutdown,
47 bytes, text/x-phabricator-request
Details | Review

This bug is for crash report bp-85b2a2f3-368c-4f56-a769-e92d90200802.

This started in buildid 20200802214843, I'll attach the full stack trace of the parent process.

Nika, it looks like you added this check in bug 1652085 (by making an existing failure more fine-grained), so you might be interested in this crash.

Flags: needinfo?(nika)

FWIW, I don't see any crashes for "Parent has different group ID", "Opener has different group ID", or "Opener has different group object" crashes, which were also "added" in that bug.

Hmm, interesting. I suppose the code I added in bug 1652085 to wait for the discard to be acked before discarding the BrowsingContextGroup in the parent process wasn't enough.

I've got a few ideas for where this could be coming from, so I'll put up a patch which might help.

Assignee: nobody → nika
Fission Milestone: --- → M6b
Flags: needinfo?(nika)
Priority: -- → P2
See Also: → 1652085

This should help catch and/or prevent any cases where we're creating a new
subframe at an unfortunate time during BrowsingContext or WindowContext
teardown.

In bug 1652085, I added BrowsingContextGroup keepalives while waiting for
replies to the discard message, however that message isn't actually sent to the
current owner process. Instead, the BrowsingContext is discarded by the
PBrowser being destroyed.

This should help ensure we also keep the group alive during normal BrowserParent
destruction.

Pushed by nlayzell@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d5f1c00144e2
Part 1: Block subframe creation in discarded BCs, r=farre
https://hg.mozilla.org/integration/autoland/rev/ee09cb88af17
Part 2: Add a BrowsingContextGroup keepalive to BrowserParent shutdown, r=farre

https://hg.mozilla.org/mozilla-central/rev/d5f1c00144e2
https://hg.mozilla.org/mozilla-central/rev/ee09cb88af17

Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox81: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 81 Branch
See Also: → 1675820
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: