Crash in [@ RefPtr<T>::assign_assuming_AddRef | RefPtr<T>::operator= | mozilla::dom::BrowsingContextWebProgress::ContextReplaced]
Categories
(Core :: DOM: Navigation, defect)
Tracking
()
People
(Reporter: gsvelto, Assigned: farre)
Details
(Keywords: crash)
Crash Data
Attachments
(1 file)
|
48 bytes,
text/x-phabricator-request
|
pascalc
:
approval-mozilla-release+
RyanVM
:
approval-mozilla-esr115+
|
Details | Review |
Crash report: https://crash-stats.mozilla.org/report/index/bd9e6204-7d68-4d4c-bd7e-f435b0221104
Reason: EXCEPTION_ACCESS_VIOLATION_READ
Top 10 frames of crashing thread:
0 xul.dll RefPtr<mozilla::dom::CanonicalBrowsingContext>::assign_assuming_AddRef mfbt/RefPtr.h:66
1 xul.dll RefPtr<mozilla::dom::CanonicalBrowsingContext>::operator= mfbt/RefPtr.h:190
1 xul.dll mozilla::dom::BrowsingContextWebProgress::ContextReplaced docshell/base/BrowsingContextWebProgress.cpp:164
1 xul.dll mozilla::dom::CanonicalBrowsingContext::ReplacedBy docshell/base/CanonicalBrowsingContext.cpp:305
2 xul.dll FinishRestore docshell/shistory/nsSHistory.cpp:1285
3 xul.dll std::_Func_impl_no_alloc<`lambda at /builds/worker/checkouts/gecko/docshell/shistory/nsSHistory.cpp:1356:31', void, bool>::_Do_call docshell/shistory/nsSHistory.cpp:1359
4 xul.dll mozilla::dom:: dom/ipc/WindowGlobalParent.cpp:804
5 xul.dll IPC::MessageReader::ReadSentinel ipc/chromium/src/chrome/common/ipc_message_utils.h:175
5 xul.dll mozilla::dom::PContentParent::OnMessageReceived ipc/ipdl/PContentParent.cpp:7469
6 xul.dll mozilla::ipc::MessageChannel::DispatchAsyncMessage ipc/glue/MessageChannel.cpp:1756
We're accessing a NULL pointer though it's not clear where it's coming from. This seems to have started during the development of version 106, build ID 20221103095349 is the first affected.
|
||
Comment 1•3 years ago
|
||
Peter, this may be interesting for you to take a look at.
|
Reporter | |
Comment 2•2 years ago
|
||
Signature change due to the inlined functions being added to the stack
|
|
Reporter | |
Comment 3•2 years ago
|
||
Some useful comments from the crashes:
hitting the back button crashed the browser
I alt-clicked the history forward vbutton in the top bar of the browser thinking it would open the page I was on in a new window. Instead the browser crashed.
pressed alt+scroll accidentially and kept going back in history at a high speed and the browser closed
|
||
Comment 4•2 years ago
|
||
The bug is linked to a topcrash signature, which matches the following criterion:
- Top 20 desktop browser crashes on beta
For more information, please visit BugBot documentation.
|
|
||
Updated•2 years ago
|
|
|
||
Comment 5•2 years ago
|
||
Hi Andreas, this looks at your wheelhouse. Can you take a look please?
|
|
||
Comment 6•2 years ago
|
||
Based on the topcrash criteria, the crash signatures linked to this bug are not in the topcrash signatures anymore.
For more information, please visit BugBot documentation.
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Comment 7•2 years ago
•
|
||
This happens in nsSHistory::LoadURIOrBFCache and has got to do with allowing BFCache for pages with beforeunload handlers. This was turned on 2023-06-08, which is roughly two months (the time it takes for it hits the release channel) before it started spiking.
The stack seems to be mostly (all?) from when the promise gets resolved after ContentParent::SendDispatchBeforeUnloadToSubtree. This bounces back from ContentChild, which makes me wonder: can we race this somehow so that we call CanonicalBrowsingContext::ReplacedBy twice? In CanonicalBrowsingContext::ReplacedBy we'd definitely be able to explain the crash in that case.
My gut feeling is that it shouldn't be allowed to restore an already replaced browsing context. Either that or we need epochs to keep track of CanonicalBrowsingContext::ReplacedBy so that we can't skip ahead.
:sefeng, you added the code to allow BFCache for beforeunload-handler pages, does this seem reasonable?
:peterv, :smaug, you being the shistory experts, what would you expect to happen?
I'll do:
index 885121760a767..24f3c0895ac17 100644
--- a/docshell/shistory/nsSHistory.cpp
+++ b/docshell/shistory/nsSHistory.cpp
@@ -1370,7 +1370,7 @@ void nsSHistory::LoadURIOrBFCache(LoadEntryResult& aLoadEntry) {
->GetCurrentWindowGlobal()) {
wgp->PermitUnload([canonicalBC, loadState, she, frameLoader,
currentFrameLoader, canSave](bool aAllow) {
- if (aAllow) {
+ if (aAllow && !canonicalBC->IsReplaced()) {
FinishRestore(canonicalBC, loadState, she, frameLoader,
canSave && canonicalBC->AllowedInBFCache(
Nothing(), nullptr));
and see what try says.
|
|
Assignee | |
Updated•2 years ago
|
|
||
Comment 8•2 years ago
|
||
I don't have opinions.....given my changes were more like a small refactor.
|
||
Comment 9•2 years ago
|
||
That patch looks rather reasonable to me, but you need to run all the mochitests. Many of the bfcache tests are browser-chrome tests, or chrome or plain.
|
|
Assignee | |
Comment 10•2 years ago
|
||
(In reply to Olli Pettay [:smaug][bugs@pettay.fi] from comment #9)
That patch looks rather reasonable to me, but you need to run all the mochitests. Many of the bfcache tests are browser-chrome tests, or chrome or plain.
All mochitests coming up!
|
|
Assignee | |
Comment 11•2 years ago
|
||
|
|
Assignee | |
Comment 12•2 years ago
|
||
Yeah, so I think try is green enough. I pushed it to your review queue. Since this is a blind fix I don't think we should close this bug when the patch land, or at least not until we've verified that the crashes go down.
|
||
Comment 13•2 years ago
|
||
|
||
Updated•2 years ago
|
|
||
Comment 14•2 years ago
|
||
| bugherder | ||
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 15•2 years ago
•
|
||
I'm looking at crash-stats for beta 19 (which I think this patch made it into) and there seems to be no more crashes.
Hsin-Yi, is this a release uplift candidate?
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Comment 16•2 years ago
|
||
Clearing Peter's ni, Olli answered all the questions I had.
|
|
||
Comment 17•2 years ago
•
|
||
(In reply to Andreas Farre [:farre] from comment #15)
I'm looking at crash-stats for beta 19 (which I think this patch made it into) and there seems to be no more crashes.
Hsin-Yi, is this a release uplift candidate?
Sounds a reasonable uplift candidate for a ride-along.
|
|
Assignee | |
Comment 18•2 years ago
|
||
Comment on attachment 9354060 [details]
Bug 1799326 - Don't restore replaced browsing contexts from BFCache. r=smaug!
Beta/Release Uplift Approval Request
- User impact if declined: A fix for a fairly high crash bug gets delayed.
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Small and contained fix.
- String changes made/needed:
- Is Android affected?: Yes
|
|
Assignee | |
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
|
||
Comment 19•2 years ago
|
||
Comment on attachment 9354060 [details]
Bug 1799326 - Don't restore replaced browsing contexts from BFCache. r=smaug!
Approved for 115.4esr
|
|
||
Comment 20•2 years ago
|
||
| uplift | ||
|
|
||
Updated•2 years ago
|
|
||
Comment 21•2 years ago
|
||
Comment on attachment 9354060 [details]
Bug 1799326 - Don't restore replaced browsing contexts from BFCache. r=smaug!
Approved for our next 118 dot release, thanks.
|
|
||
Comment 22•2 years ago
|
||
| uplift | ||
|
|
||
Comment 23•2 years ago
|
||
| bugherder uplift | ||
Description
•