Closed Bug 1819430 Opened 1 year ago Closed 6 months ago

Crash in [@ mozilla::dom::syncedcontext::Transaction<T>::Commit | mozilla::dom::BrowsingContext::SetAllowJavascript ] via nsMsgContentPolicy::SetDisableItemsOnMailNewsUrlDocshells

Categories

(Thunderbird :: General, defect)

Product:
Thunderbird
Component:
General
Version:
Thunderbird 102
Platform:
x86_64
All
Type:
defect

Tracking

(thunderbird_esr115 fixed)

Status:
RESOLVED FIXED
Milestone:
122 Branch
Tracking Flags:
Tracking Status
thunderbird_esr115 --- fixed

People

(Reporter: axel-klotz, Assigned: mkmelin)

References

Details

Crash Data

Attachments

(1 file)

Bug 1819430 - Fix crash in [@ mozilla::dom::syncedcontext::Transaction<T>::Commit | mozilla::dom::BrowsingContext::SetAllowJavascript ] via nsMsgContentPolicy::SetDisableItemsOnMailNewsUrlDocshells. r=BenC
48 bytes, text/x-phabricator-request
wsmwk
: approval-comm-esr115+
Details | Review

Crash report: https://crash-stats.mozilla.org/report/index/6df0186c-a192-4423-98e5-397180230228

MOZ_CRASH Reason: CanSet failed for field(s): AllowJavascript

Top 10 frames of crashing thread:

0  xul.dll  mozilla::dom::syncedcontext::Transaction<mozilla::dom::BrowsingContext>::Commit  docshell/base/SyncedContextInlines.h:103
1  xul.dll  mozilla::dom::BrowsingContext::SetAllowJavascript  docshell/base/BrowsingContext.h:256
2  xul.dll  nsMsgContentPolicy::SetDisableItemsOnMailNewsUrlDocshells  mailnews/base/src/nsMsgContentPolicy.cpp:853
3  xul.dll  nsMsgContentPolicy::ShouldLoad  mailnews/base/src/nsMsgContentPolicy.cpp:200
4  xul.dll  nsContentPolicy::CheckPolicy  dom/base/nsContentPolicy.cpp:119
5  xul.dll  nsContentPolicy::ShouldLoad  dom/base/nsContentPolicy.cpp:158
6  xul.dll  NS_CheckContentLoadPolicy  dom/base/nsContentPolicyUtils.h:239
7  xul.dll  nsDocShell::PerformRetargeting  docshell/base/nsDocShell.cpp:8561
8  xul.dll  nsDocShell::InternalLoad  docshell/base/nsDocShell.cpp:9338
9  xul.dll  nsDocShell::OnLinkClickSync  docshell/base/nsDocShell.cpp:13126

Hi Axel. Please describe what you were doing at the time of the crash.

Component: Untriaged → General
Flags: needinfo?(axel-klotz)
Summary: Crash in [@ mozilla::dom::syncedcontext::Transaction<T>::Commit] → Crash in [@ mozilla::dom::syncedcontext::Transaction<T>::Commit] via nsMsgContentPolicy::SetDisableItemsOnMailNewsUrlDocshells

Hi, at the time of the crash I just opened Thunderbird and went to a new mail in any mail account. Now I have solved my problem. I removed my mail accounts, reinstalled Thunderbird and set up the mail accounts again. Now the TB works as usual again. However, I did not find the cause of the problem in the process. Thanks for the support.

Flags: needinfo?(axel-klotz)

This bug might be a duplicate of AllowJavascript bug 1785115, which includes a [tbird] whiteboard tag.

See Also: → 1785115

Thanks for bug 1834536, the signature for this has changed.

Crash Signature: [@ mozilla::dom::syncedcontext::Transaction<T>::Commit] → [@ mozilla::dom::syncedcontext::Transaction<T>::Commit | mozilla::dom::BrowsingContext::SetAllowJavascript ]
See Also: → 1834536
Summary: Crash in [@ mozilla::dom::syncedcontext::Transaction<T>::Commit] via nsMsgContentPolicy::SetDisableItemsOnMailNewsUrlDocshells → Crash in [@ mozilla::dom::syncedcontext::Transaction<T>::Commit | mozilla::dom::BrowsingContext::SetAllowJavascript ] via nsMsgContentPolicy::SetDisableItemsOnMailNewsUrlDocshells
Duplicate of this bug: 1785115

From the original bug on this:

(In reply to Worcester12345 from comment #0)

Crash report: https://crash-stats.mozilla.org/report/index/a225b295-0e5c-49fb-bb66-673570220816

MOZ_CRASH Reason: CanSet failed for field(s): AllowJavascript

Top 10 frames of crashing thread:

0 xul.dll mozilla::dom::syncedcontext::Transaction<mozilla::dom::BrowsingContext>::Commit docshell/base/SyncedContextInlines.h:103
1 xul.dll mozilla::dom::BrowsingContext::SetAllowJavascript docshell/base/BrowsingContext.h:256
2 xul.dll nsMsgContentPolicy::SetDisableItemsOnMailNewsUrlDocshells mailnews/base/src/nsMsgContentPolicy.cpp:870
3 xul.dll nsMsgContentPolicy::ShouldLoad mailnews/base/src/nsMsgContentPolicy.cpp:199
4 xul.dll nsContentPolicy::CheckPolicy dom/base/nsContentPolicy.cpp:119
5 xul.dll nsContentPolicy::ShouldLoad dom/base/nsContentPolicy.cpp:158
6 xul.dll NS_CheckContentLoadPolicy dom/base/nsContentPolicyUtils.h:239
7 xul.dll nsDocShell::PerformRetargeting docshell/base/nsDocShell.cpp:8541
8 xul.dll nsDocShell::InternalLoad docshell/base/nsDocShell.cpp:9316
9 xul.dll nsDocShell::OnLinkClickSync docshell/base/nsDocShell.cpp:13104

The Thunderbird crash rate appears to be roughly the same for 102 and 115, even taking into account the signature mozilla::dom::syncedcontext::Transaction<T>::Commit

There does not appear to be a correlation to a specific add-on, in fact (in a small sample) 50% of crashes have no add-ons. For example bp-1a209e36-126f-4a55-b30c-b9c490231208

56% of crashes have uptime of < 1 minute. 80% uptime < 5 minutes.

Status: UNCONFIRMED → NEW
status-thunderbird_esr115: --- → affected
Ever confirmed: true
Flags: needinfo?(mkmelin+mozilla)
OS: Windows 10 → All

From bug 1785115 comment 9

Assuming that the crash this bug is talking about is the Thunderbird one, it appears that the AllowJavascript CanSet callback is failing https://searchfox.org/mozilla-central/rev/0948667bc62415d48abff27e1405fb4ab4d65d75/docshell/base/BrowsingContext.cpp#2772-2782.

It appears that fission.autostart is enabled for thunderbird right now, meaning that SHIP is also enabled so the first check is taken. This only allows the AllowJavascript flag to be set from within the parent process. The crash in comment 0 is happening in a content process, where some code is calling nsMsgContentPolicy::SetDisableItemsOnMailNewsUrlDocshells, and trying to call SetAllowJavascript from a content process, which is not allowed.

Thunderbird will either need to move that set into the parent process, or patch BrowsingContext.cpp to add a carve-out to allow unprivileged processes to change this flag.

--

from bug 1785115 comment 1 - 4

worcester, do you still have the same crash signature?

Flags: needinfo?(worcester12345)
Assignee: nobody → mkmelin+mozilla
Status: NEW → ASSIGNED
Flags: needinfo?(mkmelin+mozilla)
Keywords: checkin-needed-tb
Target Milestone: --- → 122 Branch

Pushed by geoff@darktrojan.net:
https://hg.mozilla.org/comm-central/rev/be4fe2b3ebc3
Fix crash in [@ mozilla::dom::syncedcontext::Transaction<T>::Commit | mozilla::dom::BrowsingContext::SetAllowJavascript ] via nsMsgContentPolicy::SetDisableItemsOnMailNewsUrlDocshells. r=BenC

Status: ASSIGNED → RESOLVED
Closed: 6 months ago
Keywords: checkin-needed-tb
Resolution: --- → FIXED

Comment on attachment 9367913 [details]
Bug 1819430 - Fix crash in [@ mozilla::dom::syncedcontext::Transaction<T>::Commit | mozilla::dom::BrowsingContext::SetAllowJavascript ] via nsMsgContentPolicy::SetDisableItemsOnMailNewsUrlDocshells. r=BenC

[Approval Request Comment]
Potential crash fix

Attachment #9367913 - Flags: approval-comm-esr115?

Comment on attachment 9367913 [details]
Bug 1819430 - Fix crash in [@ mozilla::dom::syncedcontext::Transaction<T>::Commit | mozilla::dom::BrowsingContext::SetAllowJavascript ] via nsMsgContentPolicy::SetDisableItemsOnMailNewsUrlDocshells. r=BenC

[Triage Comment]
Approved for esr115

Attachment #9367913 - Flags: approval-comm-esr115? → approval-comm-esr115+

I estimate the crash rate of 115.8.0+8.1 has been cut in half. But there are still crashes

Flags: needinfo?(worcester12345)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: