Crash in [@ mozilla::ipc::MessageChannel::Send | mozilla::dom::PContentChild::SendStartVisitedQueries | IPC_Message_Name=PContent::Msg_StartVisitedQueries]
Categories
(Toolkit :: Places, defect, P2)
Tracking
()
Tracking | Status | |
---|---|---|
firefox-esr78 | --- | unaffected |
firefox83 | --- | unaffected |
firefox84 | --- | unaffected |
firefox85 | --- | verified |
firefox86 | --- | verified |
People
(Reporter: sebo, Assigned: emilio)
Details
(Keywords: crash)
Crash Data
Attachments
(5 files)
47 bytes,
text/x-phabricator-request
|
jcristau
:
approval-mozilla-beta+
|
Details | Review |
47 bytes,
text/x-phabricator-request
|
jcristau
:
approval-mozilla-beta+
|
Details | Review |
47 bytes,
text/x-phabricator-request
|
jcristau
:
approval-mozilla-beta+
|
Details | Review |
47 bytes,
text/x-phabricator-request
|
jcristau
:
approval-mozilla-beta+
|
Details | Review |
48 bytes,
text/x-phabricator-request
|
Details | Review |
Crash report: https://crash-stats.mozilla.org/report/index/1ef9719c-cbbc-4066-95f8-5f53f0201206
MOZ_CRASH Reason: MOZ_CRASH(IPC message size is too large)
Top 10 frames of crashing thread:
0 xul.dll mozilla::ipc::MessageChannel::Send ipc/glue/MessageChannel.cpp:968
1 xul.dll mozilla::dom::PContentChild::SendStartVisitedQueries ipc/ipdl/PContentChild.cpp:3267
2 xul.dll mozilla::places::History::StartPendingVisitedQueries toolkit/components/places/History.cpp:2168
3 xul.dll mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/docshell/base/BaseHistory.cpp:32:7'>::Run xpcom/threads/nsThreadUtils.h:534
4 xul.dll mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal xpcom/threads/TaskController.cpp:732
5 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1200
6 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:87
7 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:327
8 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:309
9 xul.dll nsBaseAppShell::Run widget/nsBaseAppShell.cpp:137
Steps to reproduce the issue:
- Open https://api.csswg.org/bikeshed/
- Upload a CSS Bikeshed file (e.g. https://github.com/w3c/csswg-drafts/blob/master/css-syntax-3/Overview.bs)
- Wait a moment
Sebastian
Comment 1•3 years ago
|
||
I reproduced this under a debugger. The message contains 896 URLs; most of them appear to be copies of the same data
URL with a 642771-byte path. The total message size is over half a gigabyte.
Comment 2•3 years ago
|
||
There's no reason to send a query to the parent process for the visited status of data
URLs, as we will never store them in history. We should probably "fix" this by checking nsNavHistory::CanAddURIToHistory
before starting any SQL queries or sending messages to the parent process.
Assignee | ||
Updated•3 years ago
|
Assignee | ||
Comment 3•3 years ago
|
||
Assignee | ||
Comment 4•3 years ago
|
||
And do some minor improvements (use static prefs etc) while at it.
Depends on D99583
Assignee | ||
Comment 5•3 years ago
|
||
Depends on D99584
Assignee | ||
Updated•3 years ago
|
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/2db8a64f71ba Remove dead Database::MaxUrlLength(). r=mak
Updated•3 years ago
|
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f74a9a5edbef Move nsNavHistory::CanAddURIToHistory to BaseHistory. r=mak https://hg.mozilla.org/integration/autoland/rev/2f43fcc8980c Don't bother sending visited queries for URIs that we never store in history. r=mak
Assignee | ||
Comment 8•3 years ago
|
||
aLink might be null in the parent process, and even though it's only
null when getting URIs via IPC (which should never hit this code path in
a correct execution), we don't trust the child process so this is safer.
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/32f969ba472c Add a null-check.
Comment 10•3 years ago
|
||
bugherder |
Updated•3 years ago
|
Assignee | ||
Updated•3 years ago
|
Updated•3 years ago
|
Updated•3 years ago
|
Comment 11•3 years ago
|
||
The patch landed in nightly and beta is affected.
:emilio, is this bug important enough to require an uplift?
If not please set status_beta
to wontfix
.
For more information, please visit auto_nag documentation.
Assignee | ||
Comment 12•3 years ago
|
||
Comment on attachment 9193092 [details]
Bug 1680977 - Add a null-check.
Beta/Release Uplift Approval Request
- User impact if declined: crashes when a page has lots of links with big data URIs.
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: Yes
- If yes, steps to reproduce: comment 0
- List of other uplifts needed: none
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Doesn't seem like a common situation, but it's a relatively easy fix, so might be worth taking
- String changes made/needed: none
Assignee | ||
Updated•3 years ago
|
Updated•3 years ago
|
Comment 13•3 years ago
|
||
Reproduced the crash on affected 85.0b4 (64-bit) on Windows 10, macOS 10.15 and Ubuntu 16.04.
Verified-fixed on the latest Firefox Nightly 86.0a1 (2020-12-21)(20201221155804) on the above mentioned OSes.
Waiting for the fix to be uplifted on Beta as well if approved.
Comment 14•3 years ago
|
||
Comment on attachment 9192829 [details]
Bug 1680977 - Remove dead Database::MaxUrlLength(). r=mak
approved for 85.0b5
Updated•3 years ago
|
Updated•3 years ago
|
Updated•3 years ago
|
Comment 15•3 years ago
|
||
Comment 16•3 years ago
|
||
Pushed by jcristau@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/af9f27bb7080 stop defining now-unused PREF_HISTORY_MAXURLLEN* macros. r=emilio
Comment 17•3 years ago
|
||
bugherder |
Comment 18•3 years ago
|
||
bugherder uplift |
Reporter | ||
Comment 19•3 years ago
|
||
Tested right now in 85.0b6 (64-Bit) and it works fine for me while it was still broken in 85.0b5. Thanks a lot for the quick fix! And a Happy New Year to you all!
Sebastian
Description
•