Crash in [@ nsNavHistoryResult::HandlePlacesEvent]
Categories
(Toolkit :: Places, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox87 | --- | unaffected |
| firefox88 | --- | fixed |
| firefox89 | --- | fixed |
People
(Reporter: aryx, Assigned: daisuke)
References
(Regression)
Details
(Keywords: crash, regression)
Crash Data
Attachments
(1 file)
|
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
|
Details | Review |
This signature went from 1-2 crashes per release to 10-30 crashes per beta version (gecko version is the first frequently affected one). The code in stack frame #0 is from bug 897954.
Daisuke, please investigate.
Crash report: https://crash-stats.mozilla.org/report/index/d3e4055e-e8ff-4a32-966b-7c2f00210406
Reason: EXCEPTION_ACCESS_VIOLATION_READ
Top 10 frames of crashing thread:
0 xul.dll nsNavHistoryResult::HandlePlacesEvent toolkit/components/places/nsNavHistoryResult.cpp:4222
1 xul.dll static mozilla::dom::PlacesObservers::NotifyListeners dom/base/PlacesObservers.cpp:296
2 xul.dll mozilla::dom::PlacesObservers_Binding::notifyListeners dom/bindings/PlacesObserversBinding.cpp:404
3 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:520
4 xul.dll Interpret js/src/vm/Interpreter.cpp:3244
5 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:552
6 xul.dll js::Call js/src/vm/Interpreter.cpp:597
7 xul.dll js::CallSelfHostedFunction js/src/vm/SelfHosting.cpp:1642
8 xul.dll js::jit::InterpretResume js/src/jit/VMFunctions.cpp:1306
9 @0x1e9aaf24adf
|
Assignee | |
Comment 1•3 years ago
|
||
Thank you for letting me know, Sebastian.
I will take a look at this issue.
|
|
Assignee | |
Updated•3 years ago
|
|
|
Assignee | |
Comment 2•3 years ago
|
||
Until now, we have removed the listener for purge_caches on the destructor.
https://searchfox.org/mozilla-central/rev/ee9dab6aa95f167a34cb178960f7375210a0bba4/toolkit/components/places/nsNavHistoryResult.cpp#3482-3484
But, when closing, since NS_IMPL_CYCLE_COLLECTION_UNLINK_BEGIN will be called before calling the destructor, even if mRootNode is unlinked, might capture the purge_caches event.
https://searchfox.org/mozilla-central/rev/ee9dab6aa95f167a34cb178960f7375210a0bba4/toolkit/components/places/nsNavHistoryResult.cpp#3411
And in the case, it will crash due to touch the null object.
In this change, remove the listener before unlinking the mRootNode explicitly.
Pushed by dakatsuka.birchill@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/acd4f182c089 Remove purge_caches listener before unlinking mRootNode.r=mak
|
Reporter | |
Comment 4•3 years ago
|
||
| bugherder | ||
|
||
Comment 5•3 years ago
|
||
please ask for Beta uplift when you have a chance.
|
|
Assignee | |
Comment 7•3 years ago
|
||
Comment on attachment 9213977 [details]
Bug 1703332: Remove purge_caches listener before unlinking mRootNode.r?mak!
Beta/Release Uplift Approval Request
- User impact if declined: Depending on the timing, it may crash.
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): We changed just the timing of removing the observer.
- String changes made/needed: None
|
||
Comment 8•3 years ago
|
||
Comment on attachment 9213977 [details]
Bug 1703332: Remove purge_caches listener before unlinking mRootNode.r?mak!
Fingers crossed that it helps with the spike. Approved for 88.0rc1.
|
|
||
Comment 9•3 years ago
|
||
| bugherder uplift | ||
|
||
Updated•3 years ago
|
Description
•