Closed
Bug 1672444
Opened 4 years ago
Closed 4 years ago
crash at null in [@ mozilla::dom::BrowserChild::RecvLoadURL]
Categories
(Core :: DOM: Content Processes, defect, P2)
Core
DOM: Content Processes
Tracking
()
RESOLVED
FIXED
84 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox82 | --- | wontfix |
| firefox83 | --- | wontfix |
| firefox84 | --- | fixed |
People
(Reporter: tsmith, Assigned: nika)
References
(Blocks 1 open bug)
Details
(Keywords: crash)
Crash Data
Attachments
(1 file)
The test case is too unreliable to reduce. I will attach a Pernosco session shortly.
==25684==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7feeb8a14d bp 0x7ffe298353d0 sp 0x7ffe29835240 T0)
==25684==The signal is caused by a READ memory access.
==25684==Hint: address points to the zero page.
#0 0x7f7feeb8a14d in mozilla::dom::BrowserChild::RecvLoadURL(nsDocShellLoadState*, mozilla::dom::ParentShowInfo const&) /gecko/dom/ipc/BrowserChild.cpp:990:13
#1 0x7f7fe93ffc51 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserChild.cpp:4513:56
#2 0x7f7fe8a3e38b in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8579:32
#3 0x7f7fe87c8f9e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:2150:25
#4 0x7f7fe87c4f54 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:2074:9
#5 0x7f7fe87c6d58 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1922:3
#6 0x7f7fe87c7828 in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1953:13
#7 0x7f7fe74d11c9 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:245:16
#8 0x7f7fe74cdcb7 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:515:26
#9 0x7f7fe74cbb57 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:374:15
#10 0x7f7fe74cbfad in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:171:36
#11 0x7f7fe74d8a91 in operator() /gecko/xpcom/threads/TaskController.cpp:85:37
#12 0x7f7fe74d8a91 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
#13 0x7f7fe74f853b in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1197:14
#14 0x7f7fe7502dbc in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:513:10
#15 0x7f7fe87d1c3f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:87:21
#16 0x7f7fe86d5101 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
#17 0x7f7fe86d5101 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
#18 0x7f7fe86d5101 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
#19 0x7f7fef4b8427 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
#20 0x7f7ff31dac4f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
#21 0x7f7fe86d5101 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
#22 0x7f7fe86d5101 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
#23 0x7f7fe86d5101 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
#24 0x7f7ff31da1ec in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
#25 0x56349bfbbd2d in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#26 0x56349bfbc167 in main /gecko/browser/app/nsBrowserApp.cpp:304:18
|
Reporter | |
Updated•4 years ago
|
Crash Signature: [@ mozilla::dom::BrowserChild::RecvLoadURL]
|
|
Reporter | |
Comment 1•4 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/-y1xrnJNrB_31kusD7dv_w/index.html
|
||
Comment 2•4 years ago
|
||
Crash on a null DocShell.
Assigning to Nika.
Assignee: nobody → nika
Severity: -- → S3
status-firefox82:
--- → wontfix
status-firefox83:
--- → wontfix
Priority: -- → P2
|
Assignee | |
Comment 3•4 years ago
|
||
Turns out I was wrong in my initial assessment about when the docshell can be null, after the Destroy message has been received, the nsDocShell reference from the BrowsingContext is actually cleared, which is the whole reason for this crash.
Fortunately it's an easy fix - just actually return in the error case :-)
|
|
Assignee | |
Comment 4•4 years ago
|
||
Pushed by nlayzell@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/4e663d42d459 Null-check docShell in BrowserChild::RecvLoadURL, r=annyG
|
||
Comment 6•4 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 84 Branch
|
||
Updated•4 years ago
|
status-firefox-esr78:
--- → unaffected
You need to log in
before you can comment on or make changes to this bug.
Description
•