Closed Bug 1667186 Opened 4 years ago Closed 4 years ago

Fission Crash in [@ nsDocShell::UpdateURLAndHistory]

Categories

(Core :: DOM: Navigation, defect, P2)

Unspecified
Windows 10
defect

Tracking

RESOLVED FIXED
Fission Milestone M6b
Tracking Status
firefox-esr78 --- wontfix
firefox81 --- unaffected
firefox82 --- unaffected
firefox83 --- fixed

People

(Reporter: cpeterson, Unassigned)

References

Details

(Keywords: crash)

Crash Data

Maybe Fission related. (DOMFissionEnabled=1)

We have 16 crash reports with this signature from the last twelve months (starting with buildID 20200403170909). There was a slight uptick in these crashes again this week starting with buildID 20200922154306. Perhaps from people enabling the fission.sessionHistoryInParent pref? 5/6 of this week's reports have Fission enabled.

Crash report: https://crash-stats.mozilla.org/report/index/a776df9e-53af-4955-929f-d56540200924

Top 10 frames of crashing thread:

0 xul.dll nsDocShell::UpdateURLAndHistory docshell/base/nsDocShell.cpp:11041
1 xul.dll nsDocShell::AddState docshell/base/nsDocShell.cpp:10982
2 xul.dll nsHistory::PushOrReplaceState dom/base/nsHistory.cpp:265
3 xul.dll nsHistory::PushState dom/base/nsHistory.cpp:216
4 xul.dll mozilla::dom::History_Binding::pushState dom/bindings/HistoryBinding.cpp:377
5 xul.dll mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions> dom/bindings/BindingUtils.cpp:3229
6 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:600
7 xul.dll js::fun_apply js/src/vm/JSFunction.cpp:1209
8 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:600
9 xul.dll js::jit::DoCallFallback js/src/jit/BaselineIC.cpp:3027

The crashes are happening in this block of code:

    if (StaticPrefs::fission_sessionHistoryInParent()) {
      // FIXME Need to save the current scroll position on mActiveEntry.
      scrollRestorationIsManual = mActiveEntry->GetScrollRestorationIsManual();
    } else {
      // Save the current scroll position (bug 590573).  Step 2.3.
      mOSHE->SetScrollPosition(scrollPos.x, scrollPos.y);

      scrollRestorationIsManual = mOSHE->GetScrollRestorationIsManual();
    }

One of them is on the mOSHE->SetScrollPosition line (when session history in parent is disabled), but the rest are on the line scrollRestorationIsManual = mActiveEntry->GetScrollRestorationIsManual(); (when session history in parent is enabled). All of the crashes are null derefs.

My guess, not knowing this code, is that this could be a crash caused by a user flipping the pref while the browser is running. The comment on mActiveEntry says it is only set when session history in parent is active.

This can probably be fixed by changing sessionHistoryInParent to use a mirror: once pref instead of mirror: always. https://searchfox.org/mozilla-central/rev/9fab6c0021ed9b103a70bf5c296b45949a2950bc/modules/libpref/init/StaticPrefList.yaml#3593

cc :smaug

Flags: needinfo?(bugs)
Severity: -- → S2
Fission Milestone: ? → M6b
Priority: -- → P2
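To make the runtime-flip hypothesis above concrete, here is an added example; it is not Firefox code, and PrefMirror, DocShell, RunFlipScenario and the Outcome values are constructed for illustration. A docshell is built while the pref has one value, the pref is flipped, and the branch from the report then picks the session history entry that was never created. Rather than dereferencing null, the toy returns which pointer would have been hit; the "once" mirror keeps the value seen at first read, so the branch stays consistent with the entry that exists.

```cpp
#include <atomic>
#include <cstdio>
#include <memory>
#include <optional>

// Hypothetical pref mirror, not Firefox's StaticPrefs: Always() re-reads the
// live value on every call, Once() snapshots the first value read and keeps it.
struct PrefMirror {
  std::atomic<bool> live{false};
  std::optional<bool> snapshot;

  void Set(bool v) { live.store(v); }    // a user flipping the pref
  bool Always() { return live.load(); }  // mirror: always
  bool Once() {                          // mirror: once
    if (!snapshot) snapshot = live.load();
    return *snapshot;
  }
};

struct SessionHistoryEntry {
  int scrollX = 0;
  int scrollY = 0;
  bool scrollRestorationIsManual = false;
};

// Toy docshell (constructed, not nsDocShell): as the report notes for
// mActiveEntry, that entry exists only when session history in parent was
// active when the docshell was set up; otherwise only the old-style mOSHE exists.
struct DocShell {
  std::unique_ptr<SessionHistoryEntry> mActiveEntry;
  std::unique_ptr<SessionHistoryEntry> mOSHE;

  explicit DocShell(bool sessionHistoryInParent) {
    if (sessionHistoryInParent) {
      mActiveEntry = std::make_unique<SessionHistoryEntry>();
    } else {
      mOSHE = std::make_unique<SessionHistoryEntry>();
    }
  }
};

enum class Outcome { Ok, NullDerefOnActiveEntry, NullDerefOnOSHE };

// The branch from the report: pick an entry by the pref value seen *now*.
// Instead of crashing, report which pointer the real code would dereference.
Outcome UpdateURLAndHistory(DocShell& ds, bool sessionHistoryInParent,
                            int x, int y, bool* scrollRestorationIsManual) {
  if (sessionHistoryInParent) {
    if (!ds.mActiveEntry) return Outcome::NullDerefOnActiveEntry;
    *scrollRestorationIsManual = ds.mActiveEntry->scrollRestorationIsManual;
  } else {
    if (!ds.mOSHE) return Outcome::NullDerefOnOSHE;
    ds.mOSHE->scrollX = x;  // stands in for SetScrollPosition
    ds.mOSHE->scrollY = y;
    *scrollRestorationIsManual = ds.mOSHE->scrollRestorationIsManual;
  }
  return Outcome::Ok;
}

// Scenario: the pref has value `startOn` when the docshell is created, the user
// flips it while the browser runs, then a pushState() reaches UpdateURLAndHistory.
Outcome RunFlipScenario(bool useOnceMirror, bool startOn) {
  PrefMirror pref;
  pref.Set(startOn);
  DocShell ds(useOnceMirror ? pref.Once() : pref.Always());

  pref.Set(!startOn);  // pref flipped at runtime

  bool manual = false;
  bool seenNow = useOnceMirror ? pref.Once() : pref.Always();
  return UpdateURLAndHistory(ds, seenNow, 0, 120, &manual);
}

int main() {
  // 0 = Ok, 1 = would null-deref mActiveEntry, 2 = would null-deref mOSHE
  std::printf("always, off->on: %d\n", static_cast<int>(RunFlipScenario(false, false)));
  std::printf("always, on->off: %d\n", static_cast<int>(RunFlipScenario(false, true)));
  std::printf("once,   off->on: %d\n", static_cast<int>(RunFlipScenario(true, false)));
  std::printf("once,   on->off: %d\n", static_cast<int>(RunFlipScenario(true, true)));
  return 0;
}
```

With the live mirror, enabling the pref mid-run lands on the mActiveEntry read and disabling it lands on the mOSHE write, the two lines the crash reports point at; with the once-snapshot both flips are harmless because the pref value and the entry that was created never disagree.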

yeah, this shouldn't happen if sessionHistoryInParent is 'once', which it has been for a couple of days.

Flags: needinfo?(bugs)

This is expected to have been fixed with the fix for bug 1666881.

Please reopen if you still see this. But as far as I see, this could have occurred when switching off session history in parent.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED