Fission Crash in [@ nsDocShell::UpdateURLAndHistory]
Categories
(Core :: DOM: Navigation, defect, P2)
Tracking
()
Fission Milestone | M6b |
Tracking | Status | |
---|---|---|
firefox-esr78 | --- | wontfix |
firefox81 | --- | unaffected |
firefox82 | --- | unaffected |
firefox83 | --- | fixed |
People
(Reporter: cpeterson, Unassigned)
References
Details
(Keywords: crash)
Crash Data
Maybe Fission related. (DOMFissionEnabled=1)
We have 16 crash reports with this signature from the last twelve months (starting with buildID 20200403170909). There was a slight uptick in these crashes again this week starting with buildID 20200922154306. Perhaps from people enabling the fission.sessionHistoryInParent
pref? 5/6 of this week's reports have Fission enabled.
Crash report: https://crash-stats.mozilla.org/report/index/a776df9e-53af-4955-929f-d56540200924
Top 10 frames of crashing thread:
0 xul.dll nsDocShell::UpdateURLAndHistory docshell/base/nsDocShell.cpp:11041
1 xul.dll nsDocShell::AddState docshell/base/nsDocShell.cpp:10982
2 xul.dll nsHistory::PushOrReplaceState dom/base/nsHistory.cpp:265
3 xul.dll nsHistory::PushState dom/base/nsHistory.cpp:216
4 xul.dll mozilla::dom::History_Binding::pushState dom/bindings/HistoryBinding.cpp:377
5 xul.dll mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions> dom/bindings/BindingUtils.cpp:3229
6 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:600
7 xul.dll js::fun_apply js/src/vm/JSFunction.cpp:1209
8 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:600
9 xul.dll js::jit::DoCallFallback js/src/jit/BaselineIC.cpp:3027
Comment 1•4 years ago
|
||
The crashes are happening in this block of code:
if (StaticPrefs::fission_sessionHistoryInParent()) {
// FIXME Need to save the current scroll position on mActiveEntry.
scrollRestorationIsManual = mActiveEntry->GetScrollRestorationIsManual();
} else {
// Save the current scroll position (bug 590573). Step 2.3.
mOSHE->SetScrollPosition(scrollPos.x, scrollPos.y);
scrollRestorationIsManual = mOSHE->GetScrollRestorationIsManual();
}
One of them is on the mOSHE->SetScrollPosition
line (when session history in parent is disabled), but the rest are on the line scrollRestorationIsManual = mActiveEntry->GetScrollRestorationIsManual();
(when session history in parent is enabled). All of the crashes are null derefs.
Comment 2•4 years ago
|
||
My guess would be, not knowing this code, is that this could be a crash caused by a user flipping the pref while the browser is running. The comment on mActiveEntry
says it is only set when session history in parent is active.
Comment 3•4 years ago
|
||
This can probably be fixed by changing sessionHistoryInParent
to use a mirror: once
pref instead of mirror: always
. https://searchfox.org/mozilla-central/rev/9fab6c0021ed9b103a70bf5c296b45949a2950bc/modules/libpref/init/StaticPrefList.yaml#3593
cc :smaug
Updated•4 years ago
|
Comment 4•4 years ago
|
||
yeah, this shouldn't happen if sessionHistoryInParent is 'once', which it has been for couple of days.
Comment 5•4 years ago
|
||
This is expected to have been fixed with the fix for bug 1666881.
Comment 6•4 years ago
|
||
Please reopen if you still see this. But as far as I see, this could have occurred when switching off session history in parent.
Updated•4 years ago
|
Description
•