Closed Bug 1809003 Opened 2 years ago Closed 2 years ago

Crash in [@ mozilla::ipc::FatalError | mozilla::ipc::IProtocol::HandleFatalError | nsDocShellLoadState::nsDocShellLoadState]

Categories

(Core :: DOM: Navigation, defect)

Product:
Core
Component:
DOM: Navigation
Platform:
Unspecified
Windows 11
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
110 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox108 --- unaffected
firefox109 --- unaffected
firefox110 + verified

People

(Reporter: mccr8, Unassigned)

References

(Regression)

Details

(5 keywords)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/c272fd34-9064-4a07-84d4-b35870230106

MOZ_CRASH Reason: MOZ_CRASH(IPC FatalError in the parent process!)

Top 10 frames of crashing thread:

0  xul.dll  mozilla::ipc::FatalError  ipc/glue/ProtocolUtils.cpp:170
1  xul.dll  mozilla::ipc::IProtocol::HandleFatalError const  ipc/glue/ProtocolUtils.cpp:402
2  xul.dll  nsDocShellLoadState::nsDocShellLoadState  docshell/base/nsDocShellLoadState.cpp:123
3  xul.dll  IPC::ParamTraits<nsDocShellLoadState*>::Read  dom/ipc/DocShellMessageUtils.cpp:38
4  xul.dll  IPC::ParamTraitsMozilla<RefPtr<nsDocShellLoadState> >::Read  ipc/chromium/src/chrome/common/ipc_message_utils.h:820
4  xul.dll  IPC::ReadParam  ipc/chromium/src/chrome/common/ipc_message_utils.h:296
4  xul.dll  IPC::ParamTraits<mozilla::net::DocumentChannelCreationArgs>::Read  ipc/ipdl/NeckoChannelParams.cpp:3549
5  xul.dll  IPC::ReadParam  ipc/chromium/src/chrome/common/ipc_message_utils.h:296
5  xul.dll  mozilla::net::PNeckoParent::OnMessageReceived  ipc/ipdl/PNeckoParent.cpp:1912
6  xul.dll  mozilla::dom::PContentParent::OnMessageReceived  ipc/ipdl/PContentParent.cpp:6693

This check was added a little while ago, but it seems to have just shown up recently, in Nightly.

Severity: -- → S2

The crash annotation is: nsDocShellLoadState URI changed while in content process

Tracking as the volume is high for the nighty channel.
Crashes started with build ID 20230108091812
Changelog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b7c21d63bd623860c099c96b5648bc07c5bc0a63&tochange=4208a0e0b9cd19fa86e08a4ec0867b870cbf9a31

There is no obvious regressor but a user comment on the crash mentions that it crashed when they removed the 's' in the 'https' portion of the url and I notice that we have an NSS upgrade (bug 1805486) in the changelog. Benjamin, could that crash be caused by NSS?

tracking-firefox110: --- → +
Flags: needinfo?(bbeurdouche)
Keywords: regression, regressionwindow-wanted

Hmm, did bug 1804684 cause this?

Flags: needinfo?(lyavor)

If the web page got first http -> https change, and then one initiated http based fragment navigation in the parent process, would that lead to this crash? Do we perhaps need to tweak the check before the FatalError or what?

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 10 desktop browser crashes on nightly

For more information, please visit auto_nag documentation.

Keywords: topcrash

The bug is marked as tracked for firefox110 (nightly). We have limited time to fix this, the soft freeze is in 3 days. However, the bug still isn't assigned.

:hsinyi, could you please find an assignee for this tracked bug? If you disagree with the tracking decision, please talk with the release managers.

For more information, please visit auto_nag documentation.

Flags: needinfo?(htsai)

I've managed to reproduce this issue.

Steps:

  1. go to about:config and set dom.security.https_first to true
  2. load https://foxnews.com
  3. edit the URL bar so that it says http://foxnews.com (removing the "s" from "https") and hit enter.

Immediate crash.

It doesn't seem to crash when dom.security.https_first is false.

Keywords: reproducible

The steps in comment 7 are basically the exact situation bug 1804684 is trying to address, so I'm going to assume that is the regressor. Probably good to confirm that, though.

Flags: needinfo?(bbeurdouche)
Regressed by: 1804684

The STR in comment 7 don't crash when dom.security.https_first is set to the default value of false.

(I picked https://foxnews.com because it showed up frequently in the crash URLs. I haven't actually tried other sites.)

Tomer is not working full-time. Can we back bug 1804684 out?

that sounds reasonable.

Backed out from autoland.

QA Whiteboard: [qa-regression-triage]
Flags: needinfo?(htsai)

Fixed by backout of bug 1804684.

Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox110: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 110 Branch

I am on it

Flags: needinfo?(lyavor)

I was able to reproduce the issue on Win11 using FF build 110.0a1(20230108091812) and steps from comment#7. Issue also reproduces with same build on Win10/Ubuntu 20.04, on Win10 I got the same crash details as mentioned on description.
Using mozregression I got this Pushlog:pushlog_url: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=db88fa190f63506c1da204a5ff73202d679611e9&tochange=1d0bac6f86547f42d45b1d97a3aaee40a8642bee
2023-01-11T12:51:19: DEBUG : Found commit message:
Bug 1804684 - Fragment navigation may change document URI scheme from https to http r=smaug
Differential Revision: https://phabricator.services.mozilla.com/D165282

Verified as fixed on Win1/Ubuntu 20.04/Mac 10.13/Win10 using FF build 110.0a1(20230110214526).

status-firefox110: fixedverified
See Also: → 1823765
You need to log in before you can comment on or make changes to this bug.