Closed Bug 1702678 Opened 3 years ago Closed 3 years ago

Assertion failure: !mDestroyed, at src/docshell/base/BrowsingContextGroup.cpp:54

Categories

(Core :: DOM: Navigation, defect, P2)

Tracking

RESOLVED FIXED
90 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox88 --- wontfix
firefox89 --- wontfix
firefox90 --- fixed

People

(Reporter: tsmith, Assigned: kmag)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, crash)

Attachments

(1 file)

Found while fuzzing m-c 20210319-092ee6b0c9f2 (--enable-address-sanitizer --enable-fuzzing)

A test case and/or Pernosco session will be attached when available.

Assertion failure: !mDestroyed, at src/docshell/base/BrowsingContextGroup.cpp:54

#0 0x7fa9304fd8d3 in mozilla::dom::BrowsingContextGroup::Register(nsISupports*) src/docshell/base/BrowsingContextGroup.cpp:54:3
#1 0x7fa9304d50dd in mozilla::dom::Register(mozilla::dom::BrowsingContext*) src/docshell/base/BrowsingContext.cpp:164:30
#2 0x7fa9304d4e6d in mozilla::dom::BrowsingContext::EnsureAttached() src/docshell/base/BrowsingContext.cpp:450:5
#3 0x7fa929269d49 in nsFrameLoader::EnsureBrowsingContextAttached() src/dom/base/nsFrameLoader.cpp:3817:28
#4 0x7fa92925cecd in nsFrameLoader::MaybeCreateDocShell() src/dom/base/nsFrameLoader.cpp:2151:8
#5 0x7fa92925db2f in nsFrameLoader::GetDocShell(mozilla::ErrorResult&) src/dom/base/nsFrameLoader.cpp:802:19
#6 0x7fa92d021cca in mozilla::dom::XULFrameElement::GetDocShell() src/dom/xul/XULFrameElement.cpp:45:37
#7 0x7fa92a56d46a in mozilla::dom::XULFrameElement_Binding::get_docShell(JSContext*, JS::Handle<JSObject*>, void*, JSJitGetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/XULFrameElementBinding.cpp:53:64
#8 0x7fa92aba1de2 in bool mozilla::dom::binding_detail::GenericGetter<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3120:13
#9 0x7fa93125a050 in CallJSNative src/js/src/vm/Interpreter.cpp:435:13
#10 0x7fa93125a050 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:520:12
#11 0x7fa93125be89 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:580:10
#12 0x7fa93125c10b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:597:8
#13 0x7fa93125d6c8 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:721:10
#14 0x7fa931775212 in CallGetter src/js/src/vm/NativeObject.cpp:2104:12
#15 0x7fa931775212 in GetExistingProperty<js::CanGC> src/js/src/vm/NativeObject.cpp:2134:12
#16 0x7fa931775212 in NativeGetPropertyInline<js::CanGC> src/js/src/vm/NativeObject.cpp:2278:14
#17 0x7fa931775212 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) src/js/src/vm/NativeObject.cpp:2308:10
#18 0x7fa931263709 in GetProperty src/js/src/vm/ObjectOperations-inl.h:116:10
#19 0x7fa931263709 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, js::PropertyName*, JS::MutableHandle<JS::Value>) src/js/src/vm/ObjectOperations-inl.h:123:10
#20 0x7fa931262be2 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:4559:10
#21 0x7fa931244041 in GetPropertyOperation src/js/src/vm/Interpreter.cpp:219:10
#22 0x7fa931244041 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:2935:12
#23 0x7fa931228de3 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:405:13
#24 0x7fa93125a18a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:552:13
#25 0x7fa93125be89 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:580:10
#26 0x7fa93125c10b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:597:8
#27 0x7fa931ac2da2 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2856:10
#28 0x7fa92a12d02f in mozilla::dom::LifecycleConnectedCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/WebComponentsBinding.cpp:237:8
#29 0x7fa928f3de6b in void mozilla::dom::LifecycleConnectedCallback::Call<RefPtr<mozilla::dom::Element> >(RefPtr<mozilla::dom::Element> const&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WebComponentsBinding.h:141:12
#30 0x7fa928ef7889 in Call<RefPtr<mozilla::dom::Element> > /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WebComponentsBinding.h:163:12
#31 0x7fa928ef7889 in mozilla::dom::CustomElementCallback::Call() src/dom/base/CustomElementRegistry.cpp:110:13
#32 0x7fa928f06ff5 in mozilla::dom::CustomElementReactionsStack::InvokeReactions(AutoTArray<RefPtr<mozilla::dom::Element>, 3ul>*, nsIGlobalObject*) src/dom/base/CustomElementRegistry.cpp:1438:19
#33 0x7fa928f06954 in mozilla::dom::CustomElementReactionsStack::PopAndInvokeElementQueue() src/dom/base/CustomElementRegistry.cpp:1330:5
#34 0x7fa927f17368 in mozilla::dom::CustomElementReactionsStack::LeaveCEReactions(JSContext*, bool) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/CustomElementRegistry.h:298:7
#35 0x7fa927f12ba2 in mozilla::dom::AutoCEReaction::~AutoCEReaction() /builds/worker/workspace/obj-build/dist/include/mozilla/dom/CustomElementRegistry.h:597:22
#36 0x7fa9299627da in ~MaybeStorage /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:283:24
#37 0x7fa9299627da in mozilla::dom::Node_Binding::appendChild(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/NodeBinding.cpp:1005:1
#38 0x7fa92abab4ce in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3238:13
#39 0x7fa93125a050 in CallJSNative src/js/src/vm/Interpreter.cpp:435:13
#40 0x7fa93125a050 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:520:12
#41 0x7fa93125be89 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:580:10
#42 0x7fa9312450d2 in CallFromStack src/js/src/vm/Interpreter.cpp:584:10
#43 0x7fa9312450d2 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3244:16
#44 0x7fa931228de3 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:405:13
#45 0x7fa93125a18a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:552:13
#46 0x7fa93125be89 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:580:10
#47 0x7fa9321035fc in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) src/js/src/jit/BaselineIC.cpp:1841:10
#48 0x7fa89beccd27  (<unknown module>)
Flags: needinfo?(twsmith)

A Pernosco session is available here: https://pernos.co/debug/F2vxSIpuFczAAXX6vUOeeA/index.html

Flags: needinfo?(twsmith)

Nika peeked at the Pernosco session and says we should ignore the opener if it has already been discarded.

Assignee: nobody → kmaglione+bmo
Severity: -- → S3
Fission Milestone: --- → M7a
Priority: -- → P2
Status: NEW → ASSIGNED

This is happening with Fission & e10s disabled so not a Fission bug.

Fission Milestone: M7a → ---

There's an r+ patch which didn't land and no activity in this bug for 2 weeks.
:kmag, could you have a look please?
For more information, please visit auto_nag documentation.

Flags: needinfo?(nika)
Flags: needinfo?(kmaglione+bmo)
Flags: needinfo?(nika)
Pushed by maglione.k@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/0672855335bc
Handle corner case when opener window is closed from a nested event loop during open. r=nika
Flags: needinfo?(kmaglione+bmo)
Pushed by maglione.k@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/761fdc9f84d2
Handle corner case when opener window is closed from a nested event loop during open. r=nika

Backed out for causing assertion failure in windowwatcher/nsWindowWatcher

Backout link: https://hg.mozilla.org/integration/autoland/rev/78aaa908b43f0be792779d026895df9856c46a8b

Push with failures

Failure log

Flags: needinfo?(kmaglione+bmo)
Pushed by maglione.k@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/9913711e8283
Handle corner case when opener window is closed from a nested event loop during open. r=nika
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 90 Branch
Flags: needinfo?(kmaglione+bmo) → in-testsuite+