Closed Bug 1662791 Opened 4 years ago Closed 4 years ago

Assertion failure: false (NS_SUCCEEDED(mBrowsingContext->SetHistoryID(mHistoryID))), at /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:8995

Categories: Core :: DOM: Navigation, defect, P2
Tracking: VERIFIED FIXED; Fission Milestone M6c
Tracking Status: firefox82 --- affected
People: Reporter: jkratzer, Assigned: smacleod
References: Blocks 2 open bugs, Regression
Details: Keywords: regression, testcase; Whiteboard: [bugmon:bisected,confirmed]
Attachments: 1 file

Attached file testcase.html

Assertion failure: false (NS_SUCCEEDED(mBrowsingContext->SetHistoryID(mHistoryID))), at /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:8995

Testcase found while fuzzing mozilla-central rev b74ab1682dea. Testcase must be served over HTTP in order to reproduce.

==15252==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7faf9415dd98 bp 0x7ffe2dae79d0 sp 0x7ffe2dae71c0 T0)
==15252==The signal is caused by a WRITE memory access.
==15252==Hint: address points to the zero page.
    #0 0x7faf9415dd98 in nsDocShell::InternalLoad(nsDocShellLoadState*) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:8995:7
    #1 0x7faf9420b5db in nsDocShell::LoadHistoryEntry(nsDocShellLoadState*, unsigned int, bool) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:11349:10
    #2 0x7faf941a69b8 in nsDocShell::LoadHistoryEntry(nsISHEntry*, unsigned int) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:11273:10
    #3 0x7faf94181482 in nsDocShell::Reload(unsigned int) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
    #4 0x7faf8cb5d44a in mozilla::dom::Location::Reload(bool, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Location.cpp:583:45
    #5 0x7faf8cd29e25 in nsHistory::Go(int, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsHistory.cpp:146:22
    #6 0x7faf8e7ac3a3 in mozilla::dom::History_Binding::go(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/HistoryBinding.cpp:240:24
    #7 0x7faf8e7fb6c8 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3227:13
    #8 0x7faf94eaa948 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:507:13
    #9 0x7faf94eaa948 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:599:12
    #10 0x7faf94eacc6b in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:664:10
    #11 0x7faf94e939e1 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:668:10
    #12 0x7faf94e939e1 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3336:16
    #13 0x7faf94e745b0 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:468:13
    #14 0x7faf94eaaad9 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:636:13
    #15 0x7faf94eacc6b in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:664:10
    #16 0x7faf94eacff0 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:681:8
    #17 0x7faf9503c7f2 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2831:10
    #18 0x7faf8e3facc8 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:55:8
    #19 0x7faf8ef47ad8 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #20 0x7faf8ef474f4 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1082:43
    #21 0x7faf8ef490fd in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1279:17
    #22 0x7faf8ef3703e in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:356:17
    #23 0x7faf8ef35843 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:558:16
    #24 0x7faf8ef39bf9 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1058:11
    #25 0x7faf8ef3e8f9 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
    #26 0x7faf8cd3577f in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1300:17
    #27 0x7faf8c79719b in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4072:28
    #28 0x7faf8c796f13 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4042:10
    #29 0x7faf8ca4abae in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7231:3
    #30 0x7faf8cb18ccf in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1188:12
    #31 0x7faf8cb18ccf in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1194:12
    #32 0x7faf8cb18ccf in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1240:13
    #33 0x7faf890245cd in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:146:20
    #34 0x7faf8902eae9 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:242:16
    #35 0x7faf8902aff7 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:512:26
    #36 0x7faf89028e87 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:371:15
    #37 0x7faf890292dd in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:168:36
    #38 0x7faf8903a8f1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:83:37
    #39 0x7faf8903a8f1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #40 0x7faf8905e8f4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:14
    #41 0x7faf8906907c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #42 0x7faf8a33224f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #43 0x7faf8a236f01 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #44 0x7faf8a236f01 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #45 0x7faf8a236f01 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #46 0x7faf90f7e207 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #47 0x7faf94c3fd9f in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #48 0x7faf8a236f01 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #49 0x7faf8a236f01 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #50 0x7faf8a236f01 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #51 0x7faf94c3f33c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #52 0x55e1b88088dd in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #53 0x55e1b8808d17 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
    #54 0x7fafac43db96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:8995:7 in nsDocShell::InternalLoad(nsDocShellLoadState*)
Flags: in-testsuite?
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
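Triage note and added example (this is editor-supplied code, not part of the bug report, the testcase, or Gecko). In the report above the SEGV is a WRITE to address 0x1 at nsDocShell.cpp:8995, the same file and line as the preceding "Assertion failure:" line. That is the signature of Gecko's assertion crash macro, which terminates the process with a deliberate write through a near-null pointer from the asserting line, so the report should be triaged as an assertion failure (InternalLoad reached with a BrowsingContext whose SetHistoryID fails) rather than as memory corruption inside InternalLoad. The trace also shows the script-reachable entry point: the generated History_Binding::go frame, i.e. nsHistory::Go, which for a reload goes through Location::Reload. The parser below extracts exactly those facts; the sample input is the assertion line and the first frames of the report quoted in comment 0, abridged, and the classification thresholds and helper names are the example's own assumptions.

```python
"""Triage helper for AddressSanitizer reports of the shape seen in comment 0."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the assertion line and frames #0-#6 of the report in
# comment 0, abridged to the lines this parser needs.
SAMPLE_REPORT = """\
Assertion failure: false (NS_SUCCEEDED(mBrowsingContext->SetHistoryID(mHistoryID))), at /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:8995
==15252==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7faf9415dd98 bp 0x7ffe2dae79d0 sp 0x7ffe2dae71c0 T0)
==15252==The signal is caused by a WRITE memory access.
==15252==Hint: address points to the zero page.
    #0 0x7faf9415dd98 in nsDocShell::InternalLoad(nsDocShellLoadState*) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:8995:7
    #1 0x7faf9420b5db in nsDocShell::LoadHistoryEntry(nsDocShellLoadState*, unsigned int, bool) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:11349:10
    #2 0x7faf941a69b8 in nsDocShell::LoadHistoryEntry(nsISHEntry*, unsigned int) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:11273:10
    #3 0x7faf94181482 in nsDocShell::Reload(unsigned int) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
    #4 0x7faf8cb5d44a in mozilla::dom::Location::Reload(bool, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Location.cpp:583:45
    #5 0x7faf8cd29e25 in nsHistory::Go(int, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsHistory.cpp:146:22
    #6 0x7faf8e7ac3a3 in mozilla::dom::History_Binding::go(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/HistoryBinding.cpp:240:24
SUMMARY: AddressSanitizer: SEGV /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:8995:7 in nsDocShell::InternalLoad(nsDocShellLoadState*)
"""

ASSERT_RE = re.compile(r"^Assertion failure: (?P<expr>.*), at (?P<file>\S+):(?P<line>\d+)\s*$")
ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (?P<kind>[A-Za-z-]+)"
                      r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+))?")
ACCESS_RE = re.compile(r"^==\d+==The signal is caused by a (?P<access>READ|WRITE) memory access")
# Function signatures may contain spaces; the source location is the last token.
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+)\s+0x(?P<pc>[0-9a-f]+)\s+in\s+(?P<func>.+)\s+(?P<loc>\S+)\s*$")
LOC_RE = re.compile(r"^(?P<file>[^:]+)(?::(?P<line>\d+))?(?::(?P<col>\d+))?$")
# Generated WebIDL binding frames mark where script entered native code.
BINDING_RE = re.compile(r"mozilla::dom::(?P<iface>\w+)_Binding::(?P<method>\w+)\(")

ZERO_PAGE_END = 0x1000  # assumption: addresses below this are the unmapped zero page


@dataclass
class Frame:
    index: int
    pc: int
    func: str
    file: str
    line: Optional[int]


@dataclass
class Assertion:
    expr: str
    file: str
    line: int


@dataclass
class Report:
    kind: str
    address: Optional[int]
    access: Optional[str]
    assertion: Optional[Assertion]
    frames: List[Frame]


def parse_report(text: str) -> Report:
    """Pull the error kind, faulting address, access type, assertion and frames out of a report."""
    kind, address, access, assertion, frames = "unknown", None, None, None, []
    for raw in text.splitlines():
        if (m := ASSERT_RE.match(raw)):
            assertion = Assertion(m["expr"], m["file"], int(m["line"]))
        elif (m := ERROR_RE.match(raw)):
            kind = m["kind"]
            address = int(m["addr"], 16) if m["addr"] else None
        elif (m := ACCESS_RE.match(raw)):
            access = m["access"]
        elif (m := FRAME_RE.match(raw)):
            loc = LOC_RE.match(m["loc"])
            file = loc["file"] if loc else m["loc"]
            line = int(loc["line"]) if loc and loc["line"] else None
            frames.append(Frame(int(m["n"]), int(m["pc"], 16), m["func"], file, line))
    return Report(kind, address, access, assertion, frames)


def classify(report: Report) -> str:
    """Coarse crash class; separates a deliberate assert crash from a genuine bad access."""
    if report.kind != "SEGV" or report.address is None:
        return report.kind
    if report.address >= ZERO_PAGE_END:
        return "segv-wild-address"
    top = report.frames[0] if report.frames else None
    a = report.assertion
    if a and top and top.file == a.file and top.line == a.line:
        # The asserting line itself performed the near-null write: that is the
        # crash macro firing, not corruption in the top frame.
        return "assertion-failure"
    return "null-deref"


def script_entry_chain(report: Report) -> Tuple[List[Frame], Optional[str]]:
    """Frames from the crash up to the first WebIDL binding frame, plus the Web API
    spelled as script would call it (None if no binding frame is present)."""
    chain: List[Frame] = []
    for frame in report.frames:
        chain.append(frame)
        m = BINDING_RE.search(frame.func)
        if m:
            return chain, f"{m['iface']}.{m['method']}()"
    return chain, None


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    chain, api = script_entry_chain(rep)
    print(classify(rep), hex(rep.address or 0), rep.access, api)
    for f in chain:
        print(f"  #{f.index} {f.func.split('(')[0]} {f.file}:{f.line}")
```

Run against the report above it prints `assertion-failure 0x1 WRITE History.go()` followed by the seven frames from nsDocShell::InternalLoad up to History_Binding::go, which is the chain a reviewer wants when deciding whether a fuzz crash is script-reachable and whether the sanitizer signal is the real bug or the assertion's own crash.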
Bugmon Analysis: Verified bug as reproducible on mozilla-central 20200902095359-b74ab1682dea. The bug appears to have been introduced in the following build range:
> Start: d3ee0fea1cba43de1b7198d482a248f120e45ace (20200731135847)
> End: 2698c61b00f5b0261adef5561438e56c5ad4c8d9 (20200731135923)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=d3ee0fea1cba43de1b7198d482a248f120e45ace&tochange=2698c61b00f5b0261adef5561438e56c5ad4c8d9

We should add a check in InternalLoad for discarded BrowsingContext.

Fission Milestone: --- → M6c
Priority: -- → P2
Assignee: nobody → bugs

Or, hmm, this is not a session history issue as such, but a page load issue, and we shouldn't even get that far in the method if the browsingcontext has been discarded.

Assignee: bugs → nobody
Assignee: nobody → afarre
Status: NEW → ASSIGNED
Assignee: afarre → smacleod

This was fixed by Bug 1671697 (we now ignore when this call to SetHistoryID fails).

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20201116210217-6b97acd45602.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

:smacleod, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(smacleod)
Flags: needinfo?(smacleod)
Regressed by: 1613431
Has Regression Range: --- → yes
