Closed Bug 1667035 Opened 4 years ago Closed 4 years ago

Crash in [@ mozilla::dom::CanonicalBrowsingContext::RemoveDynEntriesFromActiveSessionHistoryEntry]

Categories

(Core :: DOM: Navigation, defect, P1)

Unspecified
All
defect

Tracking


RESOLVED FIXED
83 Branch
Fission Milestone M6b
Tracking Status
firefox-esr78 --- unaffected
firefox82 --- unaffected
firefox83 --- fixed

People

(Reporter: gsvelto, Assigned: smaug)

References

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

Maybe Fission related. (DOMFissionEnabled=1)

Crash report: https://crash-stats.mozilla.org/report/index/c008e210-1163-4cf5-9cfe-bbbea0200923

Top 10 frames of crashing thread:

0 libxul.so mozilla::dom::CanonicalBrowsingContext::RemoveDynEntriesFromActiveSessionHistoryEntry docshell/base/CanonicalBrowsingContext.cpp:602
1 libxul.so mozilla::dom::ContentParent::RecvRemoveDynEntriesFromActiveSessionHistoryEntry dom/ipc/ContentParent.cpp:7007
2 libxul.so mozilla::dom::PContentParent::OnMessageReceived ipc/ipdl/PContentParent.cpp:13249
3 libxul.so mozilla::ipc::MessageChannel::DispatchMessage ipc/glue/MessageChannel.cpp:2074
4 libxul.so mozilla::ipc::MessageChannel::MessageTask::Run ipc/glue/MessageChannel.cpp:1953
5 libxul.so mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal xpcom/threads/TaskController.cpp:514
6 libxul.so nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1234
7 libxul.so mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:87
8 libxul.so MessageLoop::Run ipc/chromium/src/base/message_loop.cc:309
9 libxul.so nsBaseAppShell::Run widget/nsBaseAppShell.cpp:137

Only two crashes on nightly with this signature, but they're from different users on different platforms, and the stack trace is exactly the same, so this is likely a valid issue. Peter, can you have a look? It seems like this code was introduced in bug 1660868.

I wonder if this can happen if we have just moved session history from one CanonicalBrowsingContext to another.

Assignee: nobody → bugs
Severity: -- → S1
Status: NEW → ASSIGNED
Fission Milestone: --- → M6b
Priority: -- → P1

This is most probably caused by the fact that the session-history-in-parent pref used to be live until Sept 25.
But based on code auditing, I think there is in theory a raciness issue if
ContentParent::RecvRemoveDynEntriesFromActiveSessionHistoryEntry[1] is received right after the CanonicalBrowsingContext::ReplacedBy call, before the old browsing context has been discarded.

[1] https://searchfox.org/mozilla-central/rev/f27594d62e7f1d57626889255ce6a3071d67209f/dom/ipc/ContentParent.cpp#7077-7080

Pushed by opettay@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d3264bc23ed7
Crash in [@ mozilla::dom::CanonicalBrowsingContext::RemoveDynEntriesFromActiveSessionHistoryEntry], r=jesup
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 83 Branch
