Closed Bug 1702797 Opened 3 years ago Closed 3 years ago

Crash in [@ mozilla::dom::sessionstore::FormEntryValue::AssertSanity]

Categories

(Firefox :: Session Restore, defect)

defect

Tracking

()

RESOLVED FIXED
90 Branch
Fission Milestone M7a
Tracking Status
firefox-esr78 --- unaffected
firefox87 --- unaffected
firefox88 --- unaffected
firefox89 --- fixed
firefox90 --- fixed

People

(Reporter: aryx, Assigned: u608768)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

2 crashes on 2 machines, both with Fission

Crash report: https://crash-stats.mozilla.org/report/index/fd8785f1-623b-44ad-b104-794150210329

MOZ_CRASH Reason: MOZ_RELEASE_ASSERT((mType) == (aType)) (unexpected type tag)

Top 10 frames of crashing thread:

0 libxul.so mozilla::dom::sessionstore::FormEntryValue::AssertSanity const ipc/ipdl/_ipdlheaders/mozilla/dom/sessionstore/SessionStoreTypes.h:448
1 libxul.so RestoreFormEntry toolkit/components/sessionstore/SessionStoreUtils.cpp:1230
2 libxul.so mozilla::dom::SessionStoreUtils::RestoreFormData toolkit/components/sessionstore/SessionStoreUtils.cpp:1259
3 libxul.so mozilla::dom::SessionStoreRestoreData::RestoreInto toolkit/components/sessionstore/SessionStoreRestoreData.cpp:78
4 libxul.so mozilla::dom::WindowGlobalChild::RecvRestoreTabContent dom/ipc/WindowGlobalChild.cpp:568
5 libxul.so mozilla::dom::PWindowGlobalChild::OnMessageReceived ipc/ipdl/PWindowGlobalChild.cpp:1243
6 libxul.so mozilla::dom::PContentChild::OnMessageReceived ipc/ipdl/PContentChild.cpp:8544
7 libxul.so mozilla::ipc::MessageChannel::DispatchMessage ipc/glue/MessageChannel.cpp:2078
8 libxul.so mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal xpcom/threads/TaskController.cpp:754
9 libxul.so nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1155
Flags: needinfo?(kmadan)

This doesn't make a whole lot of sense to me since we're checking the type before attempting to retrieve the value. Keeping NI around, hopefully we can get some STR.

Crash Signature: [@ mozilla::dom::sessionstore::FormEntryValue::AssertSanity] → [@ mozilla::dom::sessionstore::FormEntryValue::AssertSanity] [@ RestoreFormEntry ]
Fission Milestone: --- → M7a

A document that changes the "multiple" attribute of the <select> element after
the load event (eg., perhaps in response to user action) will crash the browser
since we will attempt to restore data collected for a multi-select into a
single-select.

Assignee: nobody → kmadan
Status: NEW → ASSIGNED

Going to assume that all crashes were caused by comment #3, and that the signatures that pointed to the TFileList case had bad line numbers. Will revisit this if those still happen after this lands.

Flags: needinfo?(kmadan)
Pushed by kmadan@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ead1910420a0
Split up the SingleSelect and MultipleSelect cases in RestoreFormEntry, r=nika

Backed out changeset ead1910420a0 (Bug 1702797) for causing bc failures in browser_multiple_select_after_load.js
Backout link: https://hg.mozilla.org/integration/autoland/rev/bb0aa9579a5c0dd1913d7068d707343178551b07
Push with failures, failure log.

Flags: needinfo?(kmadan)
Pushed by kmadan@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ea76d1ba27da
Split up the SingleSelect and MultipleSelect cases in RestoreFormEntry, r=nika

Test failed in the first push because I wasn't calling forgetClosedWindows().

Flags: needinfo?(kmadan)
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 90 Branch

Kashav, should we uplift this crash fix to 89 Beta? The regressing bug 1572084 landed in 89 Nightly.

We will be running a Fission Beta experiment that will enable Fission for about 5% of 89 Beta users.

Flags: needinfo?(kmadan)

Comment on attachment 9215815 [details]
Bug 1702797 - Split up the SingleSelect and MultipleSelect cases in RestoreFormEntry, r?nika

Beta/Release Uplift Approval Request

  • User impact if declined: Tab crash during browser restore.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Low risk. Doesn't change behavior for users.
  • String changes made/needed:
Flags: needinfo?(kmadan)
Attachment #9215815 - Flags: approval-mozilla-beta?

It shouldn't reproduce often, but a tab crash during browser restore is not great, so it makes sense to uplift. Thanks for the reminder!

Blocks: 1707105

Comment on attachment 9215815 [details]
Bug 1702797 - Split up the SingleSelect and MultipleSelect cases in RestoreFormEntry, r?nika

Fission crash, uplift approved for 89 beta 5, thanks.

Attachment #9215815 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: