Crash in [@ mozilla::dom::syncedcontext::Transaction<T>::Commit | mozilla::dom::BrowsingContext::SetAllowJavascript ] via nsMsgContentPolicy::SetDisableItemsOnMailNewsUrlDocshells
Categories: Thunderbird :: General, defect
Tracking: thunderbird_esr115 fixed
People: Reporter: axel-klotz, Assigned: mkmelin
Attachments: 1 file (48 bytes, text/x-phabricator-request; wsmwk: approval-comm-esr115+)
Crash report: https://crash-stats.mozilla.org/report/index/6df0186c-a192-4423-98e5-397180230228
MOZ_CRASH Reason: CanSet failed for field(s): AllowJavascript
Top 10 frames of crashing thread:
0 xul.dll mozilla::dom::syncedcontext::Transaction<mozilla::dom::BrowsingContext>::Commit docshell/base/SyncedContextInlines.h:103
1 xul.dll mozilla::dom::BrowsingContext::SetAllowJavascript docshell/base/BrowsingContext.h:256
2 xul.dll nsMsgContentPolicy::SetDisableItemsOnMailNewsUrlDocshells mailnews/base/src/nsMsgContentPolicy.cpp:853
3 xul.dll nsMsgContentPolicy::ShouldLoad mailnews/base/src/nsMsgContentPolicy.cpp:200
4 xul.dll nsContentPolicy::CheckPolicy dom/base/nsContentPolicy.cpp:119
5 xul.dll nsContentPolicy::ShouldLoad dom/base/nsContentPolicy.cpp:158
6 xul.dll NS_CheckContentLoadPolicy dom/base/nsContentPolicyUtils.h:239
7 xul.dll nsDocShell::PerformRetargeting docshell/base/nsDocShell.cpp:8561
8 xul.dll nsDocShell::InternalLoad docshell/base/nsDocShell.cpp:9338
9 xul.dll nsDocShell::OnLinkClickSync docshell/base/nsDocShell.cpp:13126
Comment 1•1 year ago
Hi Axel. Please describe what you were doing at the time of the crash.
Comment 2•1 year ago (Reporter)
Hi, at the time of the crash I just opened Thunderbird and went to a new mail in any mail account. Now I have solved my problem. I removed my mail accounts, reinstalled Thunderbird and set up the mail accounts again. Now the TB works as usual again. However, I did not find the cause of the problem in the process. Thanks for the support.
Comment 3•1 year ago
This bug might be a duplicate of AllowJavascript bug 1785115, which includes a [tbird] whiteboard tag.
Comment 4•1 year ago
Thanks for bug 1834536, the signature for this has changed.
Comment 6•1 year ago
From the original bug on this:
(In reply to Worcester12345 from comment #0)
Crash report: https://crash-stats.mozilla.org/report/index/a225b295-0e5c-49fb-bb66-673570220816
MOZ_CRASH Reason: CanSet failed for field(s): AllowJavascript
Top 10 frames of crashing thread:
0 xul.dll mozilla::dom::syncedcontext::Transaction<mozilla::dom::BrowsingContext>::Commit docshell/base/SyncedContextInlines.h:103
1 xul.dll mozilla::dom::BrowsingContext::SetAllowJavascript docshell/base/BrowsingContext.h:256
2 xul.dll nsMsgContentPolicy::SetDisableItemsOnMailNewsUrlDocshells mailnews/base/src/nsMsgContentPolicy.cpp:870
3 xul.dll nsMsgContentPolicy::ShouldLoad mailnews/base/src/nsMsgContentPolicy.cpp:199
4 xul.dll nsContentPolicy::CheckPolicy dom/base/nsContentPolicy.cpp:119
5 xul.dll nsContentPolicy::ShouldLoad dom/base/nsContentPolicy.cpp:158
6 xul.dll NS_CheckContentLoadPolicy dom/base/nsContentPolicyUtils.h:239
7 xul.dll nsDocShell::PerformRetargeting docshell/base/nsDocShell.cpp:8541
8 xul.dll nsDocShell::InternalLoad docshell/base/nsDocShell.cpp:9316
9 xul.dll nsDocShell::OnLinkClickSync docshell/base/nsDocShell.cpp:13104
Comment 7•6 months ago
The Thunderbird crash rate appears to be roughly the same for 102 and 115, even taking into account the signature mozilla::dom::syncedcontext::Transaction<T>::Commit.
There does not appear to be a correlation to a specific add-on, in fact (in a small sample) 50% of crashes have no add-ons. For example bp-1a209e36-126f-4a55-b30c-b9c490231208
56% of crashes have uptime of < 1 minute. 80% uptime < 5 minutes.
Comment 8•6 months ago
Assuming that the crash this bug is talking about is the Thunderbird one, it appears that the AllowJavascript CanSet callback is failing https://searchfox.org/mozilla-central/rev/0948667bc62415d48abff27e1405fb4ab4d65d75/docshell/base/BrowsingContext.cpp#2772-2782.
It appears that fission.autostart is enabled for Thunderbird right now, meaning that SHIP is also enabled so the first check is taken. This only allows the AllowJavascript flag to be set from within the parent process. The crash in comment 0 is happening in a content process, where some code is calling nsMsgContentPolicy::SetDisableItemsOnMailNewsUrlDocshells, and trying to call SetAllowJavascript from a content process, which is not allowed.
Thunderbird will either need to move that set into the parent process, or patch BrowsingContext.cpp to add a carve-out to allow unprivileged processes to change this flag.
--
from bug 1785115 comment 1 - 4
- mkmelin: https://searchfox.org/mozilla-central/rev/5c04fc7016eb7f52cf835d482f1125c8f139c959/docshell/base/SyncedContextInlines.h#102 from https://hg.mozilla.org/releases/comm-esr102/file/tip/mailnews/base/src/nsMsgContentPolicy.cpp#l870. What kind of link did you click?
- None that I know of. This was Thunderbird.
- mkmelin: Sure, but the stack would indicate a click on a link. Maybe something special in a mail or feed?
- I don't have any "feeds", and nothing jumped out in emails. Usually, if it is a strange link, I won't even go near it.
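The failure mode described in comment 8, as a simplified model added here for illustration (not Gecko or Thunderbird code): a per-field CanSet check rejects a write to AllowJavascript from a content process, and the two remedies named in the comment are shown side by side. All type and function names (`ToyContext`, `ToyTransaction`, `Proc`, `GuardedDisableJs`, `UnguardedDisableJs`) are hypothetical, and the model returns the failure text instead of aborting the process.

```cpp
#include <map>
#include <string>

enum class Proc { Parent, Content };  // which process attempts the write

struct ToyContext {
  bool contentCarveOut = false;  // remedy 2: relax the check for content
  std::map<std::string, bool> fields{{"AllowJavascript", true}};

  // Per-field policy: AllowJavascript is parent-only unless carved out.
  // The carve-out widens who may flip a script-enabling flag.
  bool CanSet(const std::string& field, Proc caller) const {
    if (field != "AllowJavascript") return true;
    return caller == Proc::Parent || contentCarveOut;
  }
};

struct ToyTransaction {
  std::map<std::string, bool> pending;
  void Set(const std::string& field, bool value) { pending[field] = value; }

  // Validate every pending field first, then apply all or nothing.
  // Returns "" on success; otherwise the text the crash report shows
  // as the MOZ_CRASH reason.
  std::string Commit(ToyContext& ctx, Proc caller) {
    std::string failed;
    for (const auto& kv : pending) {
      if (!ctx.CanSet(kv.first, caller)) {
        failed += (failed.empty() ? "" : ", ") + kv.first;
      }
    }
    if (!failed.empty()) return "CanSet failed for field(s): " + failed;
    for (const auto& kv : pending) ctx.fields[kv.first] = kv.second;
    return "";
  }
};

// The crashing pattern: the write is attempted from whatever process runs it.
std::string UnguardedDisableJs(ToyContext& ctx, Proc caller) {
  ToyTransaction txn;
  txn.Set("AllowJavascript", false);
  return txn.Commit(ctx, caller);
}

// Remedy 1: only attempt the write in the process that is allowed to do it.
std::string GuardedDisableJs(ToyContext& ctx, Proc caller) {
  if (caller != Proc::Parent) return "skipped: not in parent process";
  return UnguardedDisableJs(ctx, caller);
}
```
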
Comment 9•6 months ago
worcester, do you still have the same crash signature?
Comment 10•6 months ago (Assignee)
Comment 11•6 months ago
Pushed by geoff@darktrojan.net:
https://hg.mozilla.org/comm-central/rev/be4fe2b3ebc3
Fix crash in [@ mozilla::dom::syncedcontext::Transaction<T>::Commit | mozilla::dom::BrowsingContext::SetAllowJavascript ] via nsMsgContentPolicy::SetDisableItemsOnMailNewsUrlDocshells. r=BenC
Comment 12•5 months ago (Assignee)
Comment on attachment 9367913 [details]
Bug 1819430 - Fix crash in [@ mozilla::dom::syncedcontext::Transaction<T>::Commit | mozilla::dom::BrowsingContext::SetAllowJavascript ] via nsMsgContentPolicy::SetDisableItemsOnMailNewsUrlDocshells. r=BenC
[Approval Request Comment]
Potential crash fix
Comment 13•5 months ago
Comment on attachment 9367913 [details]
Bug 1819430 - Fix crash in [@ mozilla::dom::syncedcontext::Transaction<T>::Commit | mozilla::dom::BrowsingContext::SetAllowJavascript ] via nsMsgContentPolicy::SetDisableItemsOnMailNewsUrlDocshells. r=BenC
[Triage Comment]
Approved for esr115
Comment 14•5 months ago
bugherder uplift
Thunderbird 115.7.0:
https://hg.mozilla.org/releases/comm-esr115/rev/d21c8596957c
Comment 15•3 months ago
I estimate the crash rate of 115.8.0+8.1 has been cut in half. But there are still crashes.