Closed Bug 1772083 Opened 3 years ago Closed 3 years ago

Crash in [@ mozilla::dom::DOMIntersectionObserver::ComputeInput]

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
103 Branch
Tracking Flags:
Tracking Status
firefox-esr91 --- unaffected
firefox101 --- unaffected
firefox102 --- wontfix
firefox103 --- fixed

People

(Reporter: aryx, Assigned: emilio)

References

(Regression)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

Bug 1772083 - Downgrade an assertion for now while we try to find STR. r=smaug
48 bytes, text/x-phabricator-request
Details | Review

12 crashes from 5+ installations (all Windows). First crash report for Firefox 102.0a1 20220529190847.

Crash report: https://crash-stats.mozilla.org/report/index/058c1761-a137-4fa7-84ee-da2410220531

MOZ_CRASH Reason: MOZ_DIAGNOSTIC_ASSERT(!browserChild->IsTopLevel())

Top 10 frames of crashing thread:

0 xul.dll static mozilla::dom::DOMIntersectionObserver::ComputeInput dom/base/DOMIntersectionObserver.cpp:550
1 xul.dll mozilla::dom::Document::ShouldThrottleFrameRequests const dom/base/Document.cpp:7077
2 xul.dll nsRefreshDriver::ScheduleFrameRequestCallbacks layout/base/nsRefreshDriver.cpp:3020
3 xul.dll mozilla::dom::Document::UpdateFrameRequestCallbackSchedulingState dom/base/Document.cpp:7016
4 xul.dll nsGlobalWindowInner::RequestAnimationFrame dom/base/nsGlobalWindowInner.cpp:3625
5 xul.dll mozilla::dom::Window_Binding::requestAnimationFrame dom/bindings/WindowBinding.cpp:9247
6 xul.dll mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions> dom/bindings/BindingUtils.cpp:3271
7 xul.dll Interpret js/src/vm/Interpreter.cpp:3314
8 xul.dll js::Call js/src/vm/Interpreter.cpp:605
9 xul.dll JS::Call js/src/vm/CallAndConstruct.cpp:117
Flags: needinfo?(emilio)

Is this something fuzzers might have hit?

Flags: needinfo?(twsmith)
Flags: needinfo?(jkratzer)

The only URLs in the crash reports are internal networks, so it's not
clear to me how it can happen. But given it can, handle it gracefully.

Assignee: nobody → emilio
Status: NEW → ASSIGNED
Flags: needinfo?(emilio)
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/1928a32a84fb Downgrade an assertion for now while we try to find STR. r=smaug

No, sorry I'm not seeing anything.

Flags: needinfo?(twsmith)
Flags: needinfo?(jkratzer)

https://hg.mozilla.org/mozilla-central/rev/1928a32a84fb

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox103: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 103 Branch

The patch landed in nightly and beta is affected.
:emilio, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(emilio)

Probably not, it's only a diagnostic assert which shouldn't affect release users.

Flags: needinfo?(emilio)

I hit this crash while I am working on the LargestContentfulPaint implementation, so I am providing what I see here, please ignore me if they aren't helpful.

I hit the crash when I was testing dom/base/crashtests/1681729.html. 1681729.html initially embeds 1681729-inner1.html and 1681729-inner1.html embeds a srcdoc(let's call it C). Later 1681729.html switched to embed 1681729-inner2.html and when it did this, the parent document of 1681729-inner1.html set to null. So if I want compute the size of an element in C, this crash hits because nsContentUtils::GetInProcessSubtreeRootDocument(C) would return 1681729-inner1.html, which is not the top level document.

Maybe we should check rootDoc->IsActive() in this assertion?

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: