Closed
Bug 1709466
Opened 4 years ago
Closed 4 years ago
Assertion failure: !mIsDiscarded (We're already closed?), at src/docshell/base/BrowsingContext.cpp:898
Categories
(Core :: DOM: Navigation, defect, P3)
Core
DOM: Navigation
Tracking
()
People
(Reporter: tsmith, Assigned: kmag)
References
(Blocks 1 open bug)
Details
(Keywords: assertion)
Attachments
(1 file)
First found while fuzzing m-c 20210422-c00239b6c351 (--enable-debug --enable-fuzzing).
Assertion failure: !mIsDiscarded (We're already closed?), at src/docshell/base/BrowsingContext.cpp:898
#0 0x7fcadb3f31f1 in mozilla::dom::BrowsingContext::PrepareForProcessChange() src/docshell/base/BrowsingContext.cpp:898:3
#1 0x7fcadb41f40a in nsDocShell::Destroy() src/docshell/base/nsDocShell.cpp:4676:23
#2 0x7fcadb735d70 in nsWebBrowser::SetDocShell(nsDocShell*) src/toolkit/components/browser/nsWebBrowser.cpp:1131:18
#3 0x7fcadb735295 in nsWebBrowser::InternalDestroy() src/toolkit/components/browser/nsWebBrowser.cpp:175:3
#4 0x7fcadb73912c in Destroy src/toolkit/components/browser/nsWebBrowser.cpp:855:3
#5 0x7fcadb73912c in non-virtual thunk to nsWebBrowser::Destroy() src/toolkit/components/browser/nsWebBrowser.cpp
#6 0x7fcad9bea479 in mozilla::dom::BrowserChild::DestroyWindow() src/dom/ipc/BrowserChild.cpp:888:31
#7 0x7fcad9bf9377 in mozilla::dom::BrowserChild::RecvDestroy() src/dom/ipc/BrowserChild.cpp:2462:3
#8 0x7fcad6a9863b in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserChild.cpp:6422:56
#9 0x7fcad654eadb in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8415:32
#10 0x7fcad63c397e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2154:25
#11 0x7fcad63bfe5d in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2078:9
#12 0x7fcad63c1306 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1926:3
#13 0x7fcad63c204b in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1957:13
#14 0x7fcad5a996e3 in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:473:16
#15 0x7fcad5a76ed9 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:757:26
#16 0x7fcad5a75e44 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:612:15
#17 0x7fcad5a75fd3 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:396:36
#18 0x7fcad5a9d006 in operator() src/xpcom/threads/TaskController.cpp:135:37
#19 0x7fcad5a9d006 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
#20 0x7fcad5a88d00 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1159:16
#21 0x7fcad5a8f9fa in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:548:10
#22 0x7fcad63c92b6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:87:21
#23 0x7fcad6333d23 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#24 0x7fcad6333c3d in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#25 0x7fcad6333c3d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#26 0x7fcada10a5c8 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#27 0x7fcadb98bd43 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:906:20
#28 0x7fcad63ca19c in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:237:9
#29 0x7fcad6333d23 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:335:10
#30 0x7fcad6333c3d in RunHandler src/ipc/chromium/src/base/message_loop.cc:328:3
#31 0x7fcad6333c3d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:310:3
#32 0x7fcadb98b91f in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:738:34
#33 0x5610f0b21396 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#34 0x5610f0b21396 in main src/browser/app/nsBrowserApp.cpp:309:18
#35 0x7fcaecab00b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#36 0x5610f0aff13c in _start (/home/worker/builds/m-c-20210422093115-fuzzing-debug/firefox-bin+0x1513c)
|
Reporter | |
Comment 1•4 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/UmCHkLgdof7XlIQf7jVOSA/index.html
|
||
Comment 2•4 years ago
|
||
kmag will investigate whether this assertion failure is related to Fission.
Severity: -- → S3
Fission Milestone: --- → ?
Flags: needinfo?(kmaglione+bmo)
Priority: -- → P3
|
||
Updated•4 years ago
|
Assignee: nobody → kmaglione+bmo
Fission Milestone: ? → M7a
|
|
||
Updated•4 years ago
|
Flags: needinfo?(kmaglione+bmo)
|
Assignee | |
Comment 3•4 years ago
|
||
If a <browser> is removed in the middle of a process change, the previous
DocShell may be torn down while it's still expecting a process change. There's
really nothing more to do in that case, though, so we can just skip the
PrepareForProcessChange call rather than asserting.
Pushed by maglione.k@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/3873b8b96925
Don't prepare for process change when already discarded. r=nika
|
|
||
Comment 5•4 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox91:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 91 Branch
|
||
Updated•4 years ago
|
|
||
Updated•4 years ago
|
status-firefox89:
--- → wontfix
status-firefox-esr78:
--- → wontfix
You need to log in
before you can comment on or make changes to this bug.
Description
•