Hit MOZ_CRASH(DocumentLoadListener::Open for invalid history entry due to mismatch of 'Invalid LoadId') at /builds/worker/checkouts/gecko/netwerk/ipc/DocumentLoadListener.cpp:642
Categories
(Core :: DOM: Navigation, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox107 | --- | unaffected |
| firefox108 | --- | unaffected |
| firefox109 | - | wontfix |
| firefox110 | --- | wontfix |
| firefox111 | --- | wontfix |
| firefox112 | --- | fixed |
People
(Reporter: tsmith, Assigned: peterv)
References
(Blocks 1 open bug, Regressed 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed][necko-triaged][fuzzblocker])
Crash Data
Attachments
(2 files)
Found while fuzzing m-c 20221207-8e09abeeb445 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Hit MOZ_CRASH(DocumentLoadListener::Open for invalid history entry due to mismatch of 'Invalid LoadId') at /builds/worker/checkouts/gecko/netwerk/ipc/DocumentLoadListener.cpp:642
#0 0x7f569fb2a5fe in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x7f569fb2a5fe in mozilla::net::DocumentLoadListener::Open(nsDocShellLoadState*, mozilla::net::LoadInfo*, unsigned int, unsigned int, mozilla::Maybe<unsigned long> const&, mozilla::TimeStamp const&, nsDOMNavigationTiming*, mozilla::Maybe<mozilla::dom::ClientInfo>&&, bool, mozilla::dom::ContentParent*, nsresult*) /builds/worker/checkouts/gecko/netwerk/ipc/DocumentLoadListener.cpp:639:7
#2 0x7f569fb227b3 in mozilla::net::DocumentLoadListener::OpenDocument(nsDocShellLoadState*, unsigned int, mozilla::Maybe<unsigned long> const&, mozilla::TimeStamp const&, nsDOMNavigationTiming*, mozilla::Maybe<mozilla::dom::ClientInfo>&&, mozilla::Maybe<bool>, mozilla::Maybe<bool>, mozilla::dom::ContentParent*, nsresult*) /builds/worker/checkouts/gecko/netwerk/ipc/DocumentLoadListener.cpp:919:10
#3 0x7f569fb2199a in mozilla::net::DocumentChannelParent::Init(mozilla::dom::CanonicalBrowsingContext*, mozilla::net::DocumentChannelCreationArgs const&) /builds/worker/checkouts/gecko/netwerk/ipc/DocumentChannelParent.cpp:69:40
#4 0x7f569fb3feea in mozilla::net::NeckoParent::RecvPDocumentChannelConstructor(mozilla::net::PDocumentChannelParent*, mozilla::dom::MaybeDiscarded<mozilla::dom::BrowsingContext> const&, mozilla::net::DocumentChannelCreationArgs const&) /builds/worker/checkouts/gecko/netwerk/ipc/NeckoParent.cpp:287:11
#5 0x7f569fbc6d46 in mozilla::net::PNeckoParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PNeckoParent.cpp:2056:79
#6 0x7f56a3bd2a8b in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentParent.cpp:6656:32
#7 0x7f569fda633a in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1756:25
#8 0x7f569fda2f97 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1681:9
#9 0x7f569fda3ae5 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1481:3
#10 0x7f569fda4e1f in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1579:14
#11 0x7f569f19b955 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16
#12 0x7f569f196f3c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26
#13 0x7f569f195b0a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15
#14 0x7f569f195e65 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36
#15 0x7f569f19f256 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:37
#16 0x7f569f19f256 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#17 0x7f569f1b4be8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16
#18 0x7f569f1bb35d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:474:10
#19 0x7f569fdabc13 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#20 0x7f569fcd0ba8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#21 0x7f569fcd0ab1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#22 0x7f569fcd0ab1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#23 0x7f56a41db1c8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
#24 0x7f56a62bb914 in nsAppStartup::Run() /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:295:30
#25 0x7f56a6403983 in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5767:22
#26 0x7f56a6404cc2 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5960:8
#27 0x7f56a640549a in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:6016:21
#28 0x561e422f5bac in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:226:22
#29 0x561e422f5bac in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:430:16
#30 0x7f56b4553d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#31 0x7f56b4553e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#32 0x561e422cc308 in _start (/home/user/workspace/browsers/m-c-20221207165436-fuzzing-debug/firefox-bin+0x5b308) (BuildId: 31ccb93dee8e541e1ea154db589a683108f90298)
|
||
Comment 1•1 year ago
|
||
This is bad. It crashed my whole browser.
https://crash-stats.mozilla.org/report/index/ecf6da18-d590-46a8-8ed3-8b6790221209
|
|
||
Comment 2•1 year ago
|
||
Bug 1799692 - Part 2: Specify TriggeringRemoteType for ClientOpenWindow loads, r=asuth
This builds on the changes in part 1 to specify the triggering remote type for
loads created from ClientOpenWindow.
Differential Revision: https://phabricator.services.mozilla.com/D162347
2022-12-09T08:31:50.128000: DEBUG : Did not find a branch, checking all integration branches
2022-12-09T08:31:50.128000: INFO : The bisection is done.
2022-12-09T08:31:50.350000: INFO : Stopped
|
||
Comment 3•1 year ago
|
||
Set release status flags based on info from the regressing bug 1799692
:nika, since you are the author of the regressor, bug 1799692, could you take a look? Also, could you set the severity field?
For more information, please visit auto_nag documentation.
|
||
Comment 4•1 year ago
|
||
Verified bug as reproducible on mozilla-central 20221209160025-4af9c56eb6d8.
Unable to bisect testcase (Unable to launch the start build!):
Start: 026fe822049a08d53bd3d711c2e7aa0dd06c19c5 (20211210053159)
End: 8e09abeeb445553bd956d537bcf54fcdf812bb52 (20221207165436)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)
|
||
Updated•1 year ago
|
|
||
Comment 5•1 year ago
|
||
Seems like we're trying to do a session history load for a LoadId which doesn't exist in the parent process. This makes sense given the code, as we replace the SessionHistoryEntry being loaded, which ends up destroying the existing SessionHistoryEntry while the load is in progress, before it is received and able to be processed. We'll probably need to be more clever about how we keep the entries around in the parent process to make something like this work, perhaps using a similar mechanism as the one for nsDocShellLoadState's pending load states (https://searchfox.org/mozilla-central/rev/2d24d893669ad0fe8d76b0427b25369d35fcc19b/docshell/base/nsDocShellLoadState.cpp#236-238).
quick debug pernosco trace I ran locally: https://pernos.co/debug/R8AgJjPXa7kUwdyQbGrUtw/index.html#f{m[AWCM,3Q_,t[AQ,CtQ4_,f{e[AU1s,Gh4K_,s{afw0aFzAA,bAY8,uAnoIfA,oAoQTkA___/
|
|
||
Updated•1 year ago
|
|
Assignee | |
Updated•1 year ago
|
|
|
Assignee | |
Comment 7•1 year ago
|
||
When we start the load for a reload, check that the entry we're trying to
reload is still connected to session history.
|
|
Assignee | |
Comment 8•1 year ago
|
||
Letting the reload happen would lead to a very weird state, because we don't actually know where the reloaded entry needs to be in session history. For example with this test case, we'd do the reload without adding the entry to session history, and then start doing the pushState loop again after the last pushState from the original load.
|
||
Updated•1 year ago
|
Pushed by pvanderbeken@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/6b39ac73fb99 Hit MOZ_CRASH(DocumentLoadListener::Open for invalid history entry due to mismatch of 'Invalid LoadId'). r=smaug
|
||
Comment 10•1 year ago
•
|
||
Backed out for causing build bustages
There are also perma bc failures.
Push with failures 1
Push with failures 2
Failure log 1
Failure log 2
|
|
||
Comment 11•1 year ago
|
||
If we fail to land this before release it shouldn't cause problems there. The error of 'Invalid LoadId' is caused by the call to look up the LoadId failing, and in release builds, this will cause a load error rather than a crash: https://searchfox.org/mozilla-central/rev/d6a131ceb435c03ccab2592578f6e2ebf12c1644/netwerk/ipc/DocumentLoadListener.cpp#638-645. If this check hadn't failed, we would've errored out anyway later on in the same function, just a bit later in the process: (https://searchfox.org/mozilla-central/rev/d6a131ceb435c03ccab2592578f6e2ebf12c1644/netwerk/ipc/DocumentLoadListener.cpp#701-711, https://searchfox.org/mozilla-central/rev/d6a131ceb435c03ccab2592578f6e2ebf12c1644/docshell/base/CanonicalBrowsingContext.cpp#568-574), so we're not causing a substantial behaviour change here.
Because of that, we probably don't need to track fixing this for 109.
|
|
||
Comment 12•1 year ago
|
||
Thanks for the additional context!
|
|
||
Comment 13•1 year ago
|
||
Since the crash volume is low (less than 15 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.
For more information, please visit auto_nag documentation.
|
Reporter | |
Comment 14•1 year ago
|
||
The browser fuzzers are hitting this issue frequently.
|
|
||
Comment 15•1 year ago
|
||
This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:peterv, could you increase the severity?
For more information, please visit auto_nag documentation.
|
||
Comment 16•1 year ago
|
||
Pushed by pvanderbeken@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/efdaaeb6ecf2 Hit MOZ_CRASH(DocumentLoadListener::Open for invalid history entry due to mismatch of 'Invalid LoadId'). r=smaug
|
|
Assignee | |
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
||
Comment 17•1 year ago
|
||
| bugherder | ||
|
|
||
Comment 18•1 year ago
|
||
Verified bug as fixed on rev mozilla-central 20230124170102-5529d6960828.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
|
||
Comment 19•1 year ago
|
||
Backout by sstanca@mozilla.com: https://hg.mozilla.org/mozilla-central/rev/2ac913a38e4c Backed out changeset efdaaeb6ecf2 for causing Bug 1812257. a=backout
|
||
Comment 20•1 year ago
|
||
Backed out for causing Bug 1812257. https://hg.mozilla.org/mozilla-central/rev/2ac913a38e4cd0c49ceabd0bbd21dd862908f3fb
|
||
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
|
||
Comment 21•1 year ago
|
||
Pushed by pvanderbeken@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/288aeaafcffd Hit MOZ_CRASH(DocumentLoadListener::Open for invalid history entry due to mismatch of 'Invalid LoadId'). r=smaug
|
|
||
Comment 22•1 year ago
|
||
| bugherder | ||
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
||
Updated•10 months ago
|
Description
•