Crash in [@ xpc::CompartmentOriginInfo::IsSameOrigin]
Categories
(Core :: DOM: Core & HTML, defect)
People
(Reporter: aryx, Unassigned)
Details
(Keywords: crash)
Crash already existed before Firefox 93, affected installation count jumped (before edit: "got slightly more frequent"; crash-stats and BMO show different numbers). 86% of crashes after >1h.
Crash report: https://crash-stats.mozilla.org/report/index/0e7561f6-7ebf-41d7-8fc6-75dd80211014
Reason: EXCEPTION_ACCESS_VIOLATION_READ
Top 10 frames of crashing thread:
0 xul.dll xpc::CompartmentOriginInfo::IsSameOrigin const js/xpconnect/src/XPCJSRuntime.cpp:531
1 xul.dll FindSameOriginCompartment dom/base/nsGlobalWindowOuter.cpp:1951
2 xul.dll JS_IterateCompartmentsInZone js/src/gc/PublicIterators.cpp:219
3 xul.dll nsGlobalWindowOuter::SetNewDocument dom/base/nsGlobalWindowOuter.cpp:2245
4 xul.dll nsDocumentViewer::InitInternal layout/base/nsDocumentViewer.cpp:900
5 xul.dll nsDocumentViewer::Init layout/base/nsDocumentViewer.cpp:682
6 xul.dll nsDocShell::Embed docshell/base/nsDocShell.cpp:5549
7 xul.dll nsDocShell::CreateContentViewer docshell/base/nsDocShell.cpp:7860
8 xul.dll nsDSURIContentListener::DoContent docshell/base/nsDSURIContentListener.cpp:179
9 xul.dll nsDocumentOpenInfo::TryContentListener uriloader/base/nsURILoader.cpp:596
Comment 1•3 years ago
Hi Andrew,
Can you take a look at this and suggest whether there are any actions we should take? Thanks!
Comment 2•3 years ago
This looks like a null deref, maybe on CompartmentOriginInfo::mOrigin, which is not ever supposed to be null, judging by the assert.
My guess would be that this is one of these weird crashes we get if we OOM while in the middle of the complex set up process for a document or window. I looked at some crashes, and two of them had system memory usage of around 97%.
If we really have a null here, I'm guessing things are so messed up that we can't really do much to recover. The best we could probably do here would be to track down the place where an allocation fails and we end up with a null mOrigin and crash there.
Although, in this particular case we're iterating over all compartments in a zone when we find the messed up compartment, so maybe we could detect this issue and just ignore that compartment. But maybe we'll end up crashing somewhere else.
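The two options raised in comment 2 (skip a half-initialised compartment while iterating, or fail at the point where the allocation fails so a null mOrigin never exists) as an added illustration. This is not Gecko code: the struct names reuse the identifiers from the stack trace, but the types, the fallible-setup helper, the simulated OOM flag and the sample zone are all constructed for this example.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Simplified model (not Gecko's real types) of a zone's compartments where
// one compartment's origin info was left null, as can happen if an
// allocation failed part-way through document/window setup.

struct Principal {
    std::string origin;  // e.g. "https://example.test" (constructed sample)
};

struct CompartmentOriginInfo {
    const Principal* mOrigin = nullptr;  // supposed to be non-null once set up

    // Mirrors the crashing call: dereferences mOrigin without a null check.
    bool IsSameOrigin(const Principal& other) const {
        return mOrigin->origin == other.origin;
    }
};

struct Compartment {
    std::string name;
    std::unique_ptr<CompartmentOriginInfo> originInfo;  // may be null or half-initialised
};

// Option 1 from comment 2: a defensive variant of the iteration callback.
// A compartment whose origin info never finished initialising is skipped and
// counted rather than dereferenced. Returns the first same-origin compartment
// or nullptr; *skipped receives the number of compartments ignored.
Compartment* FindSameOriginCompartment(std::vector<Compartment>& zone,
                                       const Principal& target,
                                       std::size_t* skipped) {
    *skipped = 0;
    for (Compartment& c : zone) {
        if (!c.originInfo || !c.originInfo->mOrigin) {
            ++*skipped;  // this is where the reported crash would dereference null
            continue;
        }
        if (c.originInfo->IsSameOrigin(target)) {
            return &c;
        }
    }
    return nullptr;
}

// Option 2 from comment 2: fail where the allocation fails. The simulateOOM
// flag stands in for a fallible allocation; on failure the caller learns
// immediately and no compartment is left behind with a null mOrigin.
bool SetUpCompartmentOrigin(Compartment& c, const Principal* principal,
                            bool simulateOOM) {
    if (simulateOOM || !principal) {
        return false;  // report failure at the setup site
    }
    c.originInfo = std::make_unique<CompartmentOriginInfo>();
    c.originInfo->mOrigin = principal;
    return true;
}

// Constructed sample zone: a compartment with no origin info at all, a
// cross-origin one, one with origin info but a null mOrigin, and a healthy
// same-origin one. The Principal objects must outlive the returned zone.
std::vector<Compartment> BuildSampleZone(const Principal& same,
                                         const Principal& other) {
    std::vector<Compartment> zone;
    zone.emplace_back();
    zone.back().name = "broken-no-info";
    zone.emplace_back();
    zone.back().name = "cross-origin";
    SetUpCompartmentOrigin(zone.back(), &other, false);
    zone.emplace_back();
    zone.back().name = "broken-null-origin";
    zone.back().originInfo = std::make_unique<CompartmentOriginInfo>();
    zone.emplace_back();
    zone.back().name = "same-origin";
    SetUpCompartmentOrigin(zone.back(), &same, false);
    return zone;
}

int main() {
    Principal same{"https://example.test"};
    Principal other{"https://other.test"};
    std::vector<Compartment> zone = BuildSampleZone(same, other);
    std::size_t skipped = 0;
    Compartment* found = FindSameOriginCompartment(zone, same, &skipped);
    std::printf("found=%s skipped=%zu\n",
                found ? found->name.c_str() : "(none)", skipped);

    Compartment fresh;
    bool ok = SetUpCompartmentOrigin(fresh, &same, /*simulateOOM=*/true);
    std::printf("setup under simulated OOM: %s, originInfo=%s\n",
                ok ? "ok" : "failed early", fresh.originInfo ? "set" : "null");
    return 0;
}
```

The skip-and-count variant keeps the iteration alive but, as comment 2 notes, only moves the failure elsewhere if the rest of the compartment is equally broken; the early-failure variant is the one that actually tells you which allocation failed.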
Comment 3•3 years ago
According to comment 2 and the current crash volume, changing severity to S3.