Crash in [@ IPCError-browser | CommitFromIPC Invalid Transaction from Child - CanSet failed for field(s): CurrentInnerWindowId]
Categories
(Core :: DOM: Navigation, defect, P3)
Version | Tracking | Status |
---|---|---|
firefox-esr78 | --- | unaffected |
firefox86 | --- | wontfix |
firefox87 | --- | fixed |
People
(Reporter: gsvelto, Assigned: nika)
Details
(Keywords: crash)
Attachments
(2 files)
Maybe Fission related. (DOMFissionEnabled=1)
Crash report: https://crash-stats.mozilla.org/report/index/a3201055-2afe-4c6b-b88d-1926d0210206
Reason: EXC_BREAKPOINT / EXC_I386_BPT
Top 10 frames of crashing thread:
0 libsystem_kernel.dylib read
1 XUL nsFileInputStream::Read netwerk/base/nsFileStreams.cpp:473
2 XUL nsBufferedInputStream::ReadSegments netwerk/base/nsBufferedStreams.cpp:464
3 XUL mozilla::css::StreamLoader::OnDataAvailable layout/style/StreamLoader.cpp:157
4 XUL nsSyncLoadService::PushSyncStreamToListener dom/base/nsSyncLoadService.cpp:348
5 XUL mozilla::css::Loader::LoadSheet layout/style/Loader.cpp:1271
6 XUL mozilla::css::Loader::InternalLoadNonDocumentSheet layout/style/Loader.cpp:2084
7 XUL mozilla::css::Loader::LoadSheetSync layout/style/Loader.cpp:2006
8 XUL mozilla::GlobalStyleSheetCache::LoadSheet layout/style/GlobalStyleSheetCache.cpp:549
9 XUL mozilla::GlobalStyleSheetCache::Singleton layout/style/GlobalStyleSheetCache.cpp:447
This seems to be happening on all platforms, low volume. I'll attach the stack traces of the main process ASAP.
Comment 1 • 3 years ago (Reporter)
Comment 2 • 3 years ago
I guess the assertion is more navigation related.
Comment 3 • 3 years ago
This is Fission related so tracking for Fission M8 and needinfo'ing Nika.
Nika suspects the crash is here:
```cpp
// Double-check ownership if we aren't the setter.
if (!Canonical()->IsOwnedByProcess(aSource->ChildID()) &&
    aSource->ChildID() != Canonical()->GetInFlightProcessId()) {
  return false;
}
```
Comment 4 • 3 years ago (Assignee)
Taking this bug as I ended up needing to fix it in order to fix a test-only crash while working on bug 1663757.
Comment 5 • 3 years ago (Assignee)
In some cases, a content process may think they should be able to make a change
to a synced field, but in the meantime something in the parent process has
changed and the change can no longer be applied. This was the cause of a number
of issues around the in-flight process ID, and can cause issues such as crashes
if the CanSet method was made too strict.
This patch introduces a new possible return type from `CanSet` which allows
requesting a `Revert`. A reverted field change will either be cancelled at the
source (if the CanSet fails in the setting process), or will be cancelled by
sending a new transaction back to the source process reverting the change to
ensure consistency.
In addition, some additional logging is added which made it easier to locate the
underlying bug and verify the correctness of the change.
The current primary use-case for this new feature is the CurrentInnerWindowId
field which can be updated by the previous process' docshell after the parent
process has already performed a switch to a new process. This can lead to the
current WindowContext being inaccurate for a BrowsingContext in some edge cases
as we allow the flawed set due to the in-flight process ID matching.
This patch changes the logic to no longer check the in-flight process ID, and
instead revert any changes to the CurrentInnerWindowId field coming from a
process which is not currently active in the BrowsingContext.
No tests were added as it is very timing-sensitive, and difficult to create the
specific scenario; however, without these changes my patch for bug 1663757
consistently causes geckoview-junit crashes due to currentWindowGlobal being
incorrect.
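The difference between the old check and the revert behaviour described in the comment above, as an added example that is not Gecko code and not part of the patch: `ParentState`, `Transaction`, `CanSetOld`, `CanSetNew`, `Commit` and the `CanSetResult` values are simplified, hypothetical names, and process ID 0 is assumed to mean "no switch in flight".

```cpp
#include <cstdint>
#include <optional>

// Simplified model of parent-side validation of a synced field (not Gecko code).
enum class CanSetResult { Deny, Allow, Revert };

struct ParentState {
  uint64_t activeProcess;         // process currently active in the context
  uint64_t inFlightProcess;       // assumed: 0 when no switch is in flight
  uint64_t currentInnerWindowId;  // parent's value of the synced field
};

struct Transaction {
  uint64_t sourceProcess;     // child process proposing the change
  uint64_t newInnerWindowId;  // value it wants to set
};

// Old behaviour per the page: accept the owner or the in-flight process,
// otherwise fail, which surfaces as the "CanSet failed" IPC error.
CanSetResult CanSetOld(const ParentState& s, const Transaction& t) {
  if (t.sourceProcess == s.activeProcess ||
      t.sourceProcess == s.inFlightProcess) {
    return CanSetResult::Allow;
  }
  return CanSetResult::Deny;
}

// New behaviour per the page: ignore the in-flight ID and revert any change
// coming from a process that is not currently active.
CanSetResult CanSetNew(const ParentState& s, const Transaction& t) {
  return t.sourceProcess == s.activeProcess ? CanSetResult::Allow
                                            : CanSetResult::Revert;
}

// Apply a child's transaction in the parent. On Revert the parent keeps its
// own value and returns it, to be sent back so the source converges.
std::optional<uint64_t> Commit(ParentState& s, const Transaction& t,
                               CanSetResult r) {
  if (r == CanSetResult::Allow) {
    s.currentInnerWindowId = t.newInnerWindowId;
  } else if (r == CanSetResult::Revert) {
    return s.currentInnerWindowId;
  }
  return std::nullopt;  // Deny is left to the caller to treat as an IPC error
}
```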
Pushed by nlayzell@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e6fd1344bbde Add support for reverting racy changes in CanSet, r=kmag
Comment 7 • 3 years ago (bugherder)