Closed Bug 1818500 Opened 2 years ago Closed 2 years ago

Crash in [@ IPC::EnumSerializer<T>::Write] in mozilla::dom::PBrowserChild::SendPFilePickerConstructor

Categories

(Core :: Widget: Win32, defect)

Product:
Core
Component:
Widget: Win32
Platform:
Unspecified
Windows
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
112 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox110 --- unaffected
firefox111 --- unaffected
firefox112 --- fixed

People

(Reporter: RyanVM, Assigned: emilio)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(2 files, 1 obsolete file)

Bug 1818500 - Fix serialization of nsIFilePicker::Mode. r=rkraesig,#ipc-reviewers
48 bytes, text/x-phabricator-request
Details | Review
Bug 1818500 - Try to re-enable test_picker_no_crash.html. r=rkraesig
48 bytes, text/x-phabricator-request
Details | Review

This is hitting reliably for me when trying to add an attachment to an email in Gmail.

Crash report: https://crash-stats.mozilla.org/report/index/da34b842-bb04-41dd-bd7a-724650230223

MOZ_CRASH Reason: MOZ_RELEASE_ASSERT(EnumValidator::IsLegalValue( static_cast<std::underlying_type_t<paramType>>(aValue)))

Top 10 frames of crashing thread:

0  xul.dll  IPC::EnumSerializer<nsIFilePicker::Mode, IPC::ContiguousEnumValidatorInclusive<nsIFilePicker::Mode, 0, 2> >::Write  ipc/glue/EnumSerializer.h:60
0  xul.dll  IPC::WriteParam  ipc/chromium/src/chrome/common/ipc_message_utils.h:291
0  xul.dll  mozilla::dom::PBrowserChild::SendPFilePickerConstructor  ipc/ipdl/PBrowserChild.cpp:1782
1  xul.dll  nsFilePickerProxy::Init  widget/nsFilePickerProxy.cpp:38
2  xul.dll  mozilla::dom::HTMLInputElement::InitFilePicker  dom/html/HTMLInputElement.cpp:817
3  xul.dll  mozilla::dom::HTMLInputElement::MaybeInitPickers  dom/html/HTMLInputElement.cpp:3544
3  xul.dll  mozilla::dom::HTMLInputElement::PostHandleEvent  dom/html/HTMLInputElement.cpp:4104
4  xul.dll  mozilla::EventTargetChainItem::PostHandleEvent  dom/events/EventDispatcher.cpp:441
4  xul.dll  mozilla::EventTargetChainItem::HandleEventTargetChain  dom/events/EventDispatcher.cpp:552
5  xul.dll  mozilla::EventTargetChainItem::HandleEventTargetChain  dom/events/EventDispatcher.cpp:629
Flags: needinfo?(rkraesig)

Set release status flags based on info from the regressing bug 1816740

status-firefox110: --- → unaffected
status-firefox111: --- → unaffected
status-firefox112: --- → affected
status-firefox-esr102: --- → unaffected

modeOpenMultiple is the last variant, this reproduces clicking on:

data:text/html,<input type=file multiple>

Assignee: nobody → emilio
Status: NEW → ASSIGNED

This seems to consistently leak an nsFilePickerProxy, at least on Linux,
tho...

Keywords: leave-open
Flags: in-testsuite?
Pushed by ryanvm@gmail.com: https://hg.mozilla.org/mozilla-central/rev/16f49fd3a5dc Fix serialization of nsIFilePicker::Mode. r=ipc-reviewers,mccr8 a=RyanVM

I've landed Emilio's patch on m-c and am getting Nightly respins going. Nightly updates are paused in the mean time.

Well, there's my morning dose of horror taken care of.

(In reply to Emilio Cobos Álvarez (:emilio) from comment #3)

This seems to consistently leak an nsFilePickerProxy, at least on Linux,
tho...

If you'd prefer, you can foist that patch on me and I'll take on investigating the leak. Alternatively, we can roll back the entire offending patchset, and you can land the test-enabling patch ahead of it.

Flags: needinfo?(rkraesig)

Alternatively, we can roll back the entire offending patchset, and you can land the test-enabling patch ahead of it.

Alternatively alternatively, we can, and probably should, just roll back the final patch of the set, D169855, which was the only one that touched the allocation code.

FWIW, this test was original disabled way back when due to leaks and crashes (see bug 1267491), so whatever issues it's hitting now very well may not be newly-introduced behaviors from your patches.

See Also: → 1818548

(In reply to Ryan VanderMeulen [:RyanVM] from comment #8)

FWIW, this test was original disabled way back when due to leaks and crashes (see bug 1267491), so whatever issues it's hitting now very well may not be newly-introduced behaviors from your patches.

For the record: your try-push here does indicate that it's preexisting. This bug can probably be closed, and any further work done under bug 1267491.

Depends on: 1818580

This seems to consistently leak an nsFilePickerProxy, at least on Linux,
tho...

Attachment #9319540 - Attachment is obsolete: true
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/794b37afb146 Try to re-enable test_picker_no_crash.html. r=rkraesig
Blocks: 1267491
Keywords: leave-open

https://hg.mozilla.org/mozilla-central/rev/794b37afb146

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox112: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 112 Branch
Flags: in-testsuite? → in-testsuite+
No longer depends on: 1818580
See Also: → 1820622
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: