Closed
Bug 1753366
Opened 3 years ago
Closed 3 years ago
Assertion failure: docShell, at /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:956
Categories
(Core :: DOM: Content Processes, defect, P2)
Core
DOM: Content Processes
Tracking
()
VERIFIED
FIXED
99 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr91 | --- | unaffected |
| firefox97 | --- | wontfix |
| firefox98 | --- | wontfix |
| firefox99 | --- | verified |
People
(Reporter: tsmith, Assigned: smaug)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files)
Found while fuzzing m-c 20220124-9b23d1bb84b2 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --xvfb
Assertion failure: docShell, at /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:956
#0 0x7f82c623006a in mozilla::dom::BrowserChild::RecvLoadURL(nsDocShellLoadState*, mozilla::dom::ParentShowInfo const&) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:956:3
#1 0x7f82c2d2a8df in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserChild.cpp:4606:56
#2 0x7f82c271c86b in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8250:32
#3 0x7f82c258f35f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2039:25
#4 0x7f82c258bc31 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1964:9
#5 0x7f82c258d10c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1823:3
#6 0x7f82c258dd4d in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1851:14
#7 0x7f82c1afb91e in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:467:16
#8 0x7f82c1ad5776 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:770:26
#9 0x7f82c1ad4438 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:606:15
#10 0x7f82c1ad46b3 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:390:36
#11 0x7f82c1afe956 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:124:37
#12 0x7f82c1afe956 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#13 0x7f82c1aea073 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1195:16
#14 0x7f82c1af115a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467:10
#15 0x7f82c2595166 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#16 0x7f82c24b5077 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
#17 0x7f82c24b4f82 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
#18 0x7f82c24b4f82 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
#19 0x7f82c6779198 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#20 0x7f82c87d5133 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:870:20
#21 0x7f82c259605a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#22 0x7f82c24b5077 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
#23 0x7f82c24b4f82 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
#24 0x7f82c24b4f82 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
#25 0x7f82c87d476c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:707:34
#26 0x562415825029 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#27 0x562415825029 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327:18
#28 0x7f82d7ac90b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#29 0x5624158007bc in _start (/home/worker/builds/m-c-20220124214229-fuzzing-debug/firefox-bin+0x157bc)
Flags: in-testsuite?
|
Reporter | |
Comment 1•3 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/eYEDrcvTsFcxKOUruABfig/index.html
|
||
Comment 2•3 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220203152805-61491ef8a39c.
The bug appears to have been introduced in the following build range:
Start: d1c894f81d2a11efc998f4294fe137cb371c1d2b (20211213201156)
End: 6c0d753b10f45d377d10f02992567641e9526fa9 (20211213215115)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=d1c894f81d2a11efc998f4294fe137cb371c1d2b&tochange=6c0d753b10f45d377d10f02992567641e9526fa9
Whiteboard: [bugmon:bisected,confirmed]
|
Assignee | |
Comment 4•3 years ago
|
||
Other places in BrowserChild explicitly just handle null docshell.
(The only special case is when we have just created WebBrowser object in Init())
|
||
Updated•3 years ago
|
Assignee: nobody → bugs
Status: NEW → ASSIGNED
|
||
Updated•3 years ago
|
Severity: -- → S3
Priority: -- → P2
Pushed by opettay@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/fca06702bcf7
remove unexpected MOZ_ASSERT, r=peterv
|
||
Comment 6•3 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox99:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 99 Branch
|
||
Comment 7•3 years ago
|
||
:smaug, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Flags: needinfo?(bugs)
|
|
||
Comment 8•3 years ago
|
||
Presumably another fission triggered assert.
Flags: needinfo?(bugs)
Regressed by: 1732358
|
|
||
Comment 9•3 years ago
|
||
Set release status flags based on info from the regressing bug 1732358
status-firefox97:
--- → affected
status-firefox-esr91:
--- → unaffected
|
|
||
Comment 10•3 years ago
|
||
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220215092702-2bbcda1a3414.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
|
||
Updated•3 years ago
|
Has Regression Range: --- → yes
|
||
Updated•3 years ago
|
|
|
||
Updated•3 years ago
|
Flags: in-testsuite? → in-testsuite-
You need to log in
before you can comment on or make changes to this bug.
Description
•