1687267 - Crash in [@ mozilla::dom::ChildSHistory::Index]

Status: RESOLVED FIXED

(Core :: DOM: Navigation, defect, P3)

Description

[Gabriele Svelto [:gsvelto]]

Crash report: https://crash-stats.mozilla.org/report/index/482213fe-e6be-4537-abca-05e500210117

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0 xul.dll mozilla::dom::ChildSHistory::Index docshell/shistory/ChildSHistory.cpp:81
1 xul.dll mozilla::dom::ChildSHistory::Go docshell/shistory/ChildSHistory.cpp:139
2 xul.dll mozilla::dom::ChildSHistory::PendingAsyncHistoryNavigation::Run docshell/shistory/ChildSHistory.h:117
3 xul.dll mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal xpcom/threads/TaskController.cpp:739
4 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1200
5 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:87
6 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:327
7 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:309
8 xul.dll nsBaseAppShell::Run widget/nsBaseAppShell.cpp:137
9 xul.dll nsAppShell::Run widget/windows/nsAppShell.cpp:602

This does not appear to be a new crash as we have reports with consistent stacks going back a while. It appears to be a NULL access, presumably mHistory contains the NULL pointer but I can verify it by inspecting a minidump if needed.

Comment 1

[Olli Pettay [:smaug][bugs@pettay.fi]]

Attachment: Bug 1687267 - remove pending history navigations when swithing to another process, r=peterv

The patch is based on code inspection. Crashes seem to happen when mHistory has been cleared,
and yet PendingAsyncHistoryNavigation::Run calls Go().

Comment 2

[Pulsebot]

Pushed by opettay@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7b5fb4f923e6
remove pending history navigations when swithing to another process, r=peterv

Comment 3

[Sandor Molnar[:smolnar]]

https://hg.mozilla.org/mozilla-central/rev/7b5fb4f923e6