tb perma PROCESS-CRASH | application crashed [@ nsPresContext::GetPresShell] | comm/mail/test/browser/openpgp/browser_viewMessageSecurity.js
Categories
(Core :: Layout, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox122 | --- | unaffected |
| firefox123 | --- | fixed |
| firefox124 | --- | fixed |
People
(Reporter: intermittent-bug-filer, Assigned: emilio)
References
(Depends on 1 open bug, Regression)
Filed by: mkmelin [at] iki.fi
Parsed log: https://treeherder.mozilla.org/logviewer?job_id=444261783&repo=comm-central
Full log: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/FtP63SRmQLSCjvmmuFQacw/runs/0/artifacts/public/logs/live_backing.log
Comment 1•2 years ago
Comment 2•2 years ago
The regressor is https://hg.mozilla.org/mozilla-central/rev/2424d5c30267f67ab2b28119d75d89f0441b30e0 (bug 1833814)
Bug 1875984 is likely a duplicate but the Thunderbird case is 100% reproducible.
Comment 3•2 years ago
FWIW, not a null pointer crash
Comment 4•2 years ago
(In reply to Magnus Melin [:mkmelin] from comment #3)
Thanks for figuring this out. It's unfortunate we didn't catch this before uplifting the regressing patch to beta and esr...
> FWIW, not a null pointer crash
Uh, isn't it? The stack I'm seeing seems to say it's a nullptr crash (0x20, which is close to nullptr, so probably an opt build accessing a member of something that's been nulled out)? (In future please include the stack in comment 0)
(restricting for now because AIUI that's what we do for non-nullptr crashes, but if I'm right I don't think this needs to be a sec bug)
[task 2024-01-23T08:39:45.265Z] 08:39:45 INFO - PROCESS-CRASH | application crashed [@ nsPresContext::GetPresShell] | comm/mail/test/browser/openpgp/browser_viewMessageSecurity.js
[task 2024-01-23T08:39:45.265Z] 08:39:45 INFO - Process type: main
[task 2024-01-23T08:39:45.265Z] 08:39:45 INFO - Process pid: 1813
[task 2024-01-23T08:39:45.265Z] 08:39:45 INFO - Crash dump filename: /var/folders/57/3wnksz0s4qx24p2qd52cnj0h000014/T/tmpb67hmr0c.mozrunner/minidumps/F220F085-5B9A-400B-A5E3-CE2BABF0DEC3.dmp
[task 2024-01-23T08:39:45.265Z] 08:39:45 INFO - Operating system: Mac OS X
[task 2024-01-23T08:39:45.266Z] 08:39:45 INFO - 10.15.7 19H524
[task 2024-01-23T08:39:45.266Z] 08:39:45 INFO - CPU: amd64
[task 2024-01-23T08:39:45.266Z] 08:39:45 INFO - family 6 model 158 stepping 10
[task 2024-01-23T08:39:45.266Z] 08:39:45 INFO - 12 CPUs
[task 2024-01-23T08:39:45.266Z] 08:39:45 INFO -
[task 2024-01-23T08:39:45.266Z] 08:39:45 INFO - Crash reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
[task 2024-01-23T08:39:45.266Z] 08:39:45 INFO - Crash address: 0x0000000000000020 **
[task 2024-01-23T08:39:45.266Z] 08:39:45 INFO - ** Null pointer detected with offset: 0x0000000000000020
[task 2024-01-23T08:39:45.266Z] 08:39:45 INFO - Crashing instruction: `mov rax, qword [rdi + 0x20]`
[task 2024-01-23T08:39:45.266Z] 08:39:45 INFO - Memory accessed by instruction:
[task 2024-01-23T08:39:45.266Z] 08:39:45 INFO - 0. Address: 0x0000000000000020
[task 2024-01-23T08:39:45.266Z] 08:39:45 INFO - Size: 8
[task 2024-01-23T08:39:45.266Z] 08:39:45 INFO - Mac Crash Info:
[task 2024-01-23T08:39:45.266Z] 08:39:45 INFO -
[task 2024-01-23T08:39:45.266Z] 08:39:45 INFO - Mac Boot Args: chunklist-security-epoch=0 -chunklist-no-rev2-dev
[task 2024-01-23T08:39:45.266Z] 08:39:45 INFO -
[task 2024-01-23T08:39:45.266Z] 08:39:45 INFO - Process uptime: 88 seconds
[task 2024-01-23T08:39:45.266Z] 08:39:45 INFO -
[task 2024-01-23T08:39:45.266Z] 08:39:45 INFO - Thread 0 MainThread (crashed)
[task 2024-01-23T08:39:45.266Z] 08:39:45 INFO - 0 XUL!nsPresContext::GetPresShell() const [nsPresContext.h:7800a7cccda7eb305d8cd32bb4c36c0674cf20e1 : 226]
[task 2024-01-23T08:39:45.266Z] 08:39:45 INFO - Found by: inlining
[task 2024-01-23T08:39:45.266Z] 08:39:45 INFO - 1 XUL!nsPresContext::GetParentPresContext() const [nsPresContext.cpp:7800a7cccda7eb305d8cd32bb4c36c0674cf20e1 : 1177]
[task 2024-01-23T08:39:45.267Z] 08:39:45 INFO - Found by: inlining
[task 2024-01-23T08:39:45.267Z] 08:39:45 INFO - 2 XUL!nsPresContext::GetRootPresContext() const [nsPresContext.cpp:7800a7cccda7eb305d8cd32bb4c36c0674cf20e1 : 1232 + 0x0]
[task 2024-01-23T08:39:45.267Z] 08:39:45 INFO - rax = 0x0000000000000000 rdx = 0x000000011c944c08
[task 2024-01-23T08:39:45.267Z] 08:39:45 INFO - rcx = 0x00007ffeea8d2a00 rbx = 0x0000000000000000
[task 2024-01-23T08:39:45.267Z] 08:39:45 INFO - rsi = 0x00000001353d8500 rdi = 0x0000000000000000
[task 2024-01-23T08:39:45.267Z] 08:39:45 INFO - rbp = 0x00007ffeea8d29d0 rsp = 0x00007ffeea8d29c0
[task 2024-01-23T08:39:45.267Z] 08:39:45 INFO - r8 = 0x00000000000030a4 r9 = 0x0000000000000000
[task 2024-01-23T08:39:45.267Z] 08:39:45 INFO - r10 = 0x000000010a252250 r11 = 0x000000010a252248
[task 2024-01-23T08:39:45.267Z] 08:39:45 INFO - r12 = 0x0000000140395c00 r13 = 0x0000000000000000
[task 2024-01-23T08:39:45.267Z] 08:39:45 INFO - r14 = 0x00007ffeea8d2a78 r15 = 0x00000001353d8500
[task 2024-01-23T08:39:45.267Z] 08:39:45 INFO - rip = 0x00000001184b9433
[task 2024-01-23T08:39:45.267Z] 08:39:45 INFO - Found by: given as instruction pointer in context
[task 2024-01-23T08:39:45.267Z] 08:39:45 INFO - 3 XUL!nsXULPopupManager::RemoveMenuChainItem(nsMenuChainItem*) [nsXULPopupManager.cpp:7800a7cccda7eb305d8cd32bb4c36c0674cf20e1 : 245 + 0x7]
[task 2024-01-23T08:39:45.267Z] 08:39:45 INFO - rbx = 0x00000001105d5660 rbp = 0x00007ffeea8d2a40
[task 2024-01-23T08:39:45.267Z] 08:39:45 INFO - rsp = 0x00007ffeea8d29e0 r12 = 0x0000000140395c00
[task 2024-01-23T08:39:45.267Z] 08:39:45 INFO - r13 = 0x0000000000000000 r14 = 0x00007ffeea8d2a78
[task 2024-01-23T08:39:45.267Z] 08:39:45 INFO - r15 = 0x00000001353d8500 rip = 0x00000001187c18ca
[task 2024-01-23T08:39:45.267Z] 08:39:45 INFO - Found by: call frame info
[task 2024-01-23T08:39:45.267Z] 08:39:45 INFO - 4 XUL!nsXULPopupManager::PopupDestroyed(nsMenuPopupFrame*) [nsXULPopupManager.cpp:7800a7cccda7eb305d8cd32bb4c36c0674cf20e1 : 2037 + 0xa]
[task 2024-01-23T08:39:45.267Z] 08:39:45 INFO - rbx = 0x00000001105d5660 rbp = 0x00007ffeea8d2ab0
[task 2024-01-23T08:39:45.267Z] 08:39:45 INFO - rsp = 0x00007ffeea8d2a50 r12 = 0x0000000140395c00
[task 2024-01-23T08:39:45.267Z] 08:39:45 INFO - r13 = 0x0000000000000000 r14 = 0x00007ffeea8d2a78
[task 2024-01-23T08:39:45.268Z] 08:39:45 INFO - r15 = 0x00000001353d8500 rip = 0x00000001187b141d
[task 2024-01-23T08:39:45.268Z] 08:39:45 INFO - Found by: call frame info
[task 2024-01-23T08:39:45.268Z] 08:39:45 INFO - 5 XUL!nsMenuPopupFrame::Destroy(mozilla::FrameDestroyContext&) [nsMenuPopupFrame.cpp:7800a7cccda7eb305d8cd32bb4c36c0674cf20e1 : 2196 + 0xa]
[task 2024-01-23T08:39:45.268Z] 08:39:45 INFO - rbx = 0x00007ffeea8d2bb8 rbp = 0x00007ffeea8d2ae0
[task 2024-01-23T08:39:45.268Z] 08:39:45 INFO - rsp = 0x00007ffeea8d2ac0 r12 = 0x0000000140395c00
[task 2024-01-23T08:39:45.268Z] 08:39:45 INFO - r13 = 0x00000001403d50a0 r14 = 0x0000000142e41aa8
[task 2024-01-23T08:39:45.268Z] 08:39:45 INFO - r15 = 0x00000001105d5660 rip = 0x00000001187b113f
[task 2024-01-23T08:39:45.268Z] 08:39:45 INFO - Found by: call frame info
[task 2024-01-23T08:39:45.268Z] 08:39:45 INFO - 6 XUL!nsFrameList::DestroyFrames(mozilla::FrameDestroyContext&) [nsFrameList.cpp:7800a7cccda7eb305d8cd32bb4c36c0674cf20e1 : 40 + 0xb]
[task 2024-01-23T08:39:45.268Z] 08:39:45 INFO - rbx = 0x000000013f978a80 rbp = 0x00007ffeea8d2b10
[task 2024-01-23T08:39:45.268Z] 08:39:45 INFO - rsp = 0x00007ffeea8d2af0 r12 = 0x0000000140395c00
[task 2024-01-23T08:39:45.268Z] 08:39:45 INFO - r13 = 0x00000001403d50a0 r14 = 0x00007ffeea8d2bb8
[task 2024-01-23T08:39:45.268Z] 08:39:45 INFO - r15 = 0x0000000142e41aa8 rip = 0x0000000118562bb7
[task 2024-01-23T08:39:45.268Z] 08:39:45 INFO - Found by: call frame info
[task 2024-01-23T08:39:45.268Z] 08:39:45 INFO - 7 XUL!nsContainerFrame::DestroyAbsoluteFrames(mozilla::FrameDestroyContext&) [nsContainerFrame.cpp:7800a7cccda7eb305d8cd32bb4c36c0674cf20e1 : 198]
[task 2024-01-23T08:39:45.268Z] 08:39:45 INFO - Found by: inlining
[task 2024-01-23T08:39:45.268Z] 08:39:45 INFO - 8 XUL!nsContainerFrame::Destroy(mozilla::FrameDestroyContext&) [nsContainerFrame.cpp:7800a7cccda7eb305d8cd32bb4c36c0674cf20e1 : 227 + 0x5d]
[task 2024-01-23T08:39:45.268Z] 08:39:45 INFO - rbx = 0x00007ffeea8d2bb8 rbp = 0x00007ffeea8d2ba0
[task 2024-01-23T08:39:45.268Z] 08:39:45 INFO - rsp = 0x00007ffeea8d2b20 r12 = 0x0000000140395c00
[task 2024-01-23T08:39:45.268Z] 08:39:45 INFO - r13 = 0x00000001403d50a0 r14 = 0x000000014061f020
[task 2024-01-23T08:39:45.268Z] 08:39:45 INFO - r15 = 0x00007ffeea8d2bb8 rip = 0x000000011856274b
[task 2024-01-23T08:39:45.268Z] 08:39:45 INFO - Found by: call frame info
[task 2024-01-23T08:39:45.269Z] 08:39:45 INFO - 9 XUL!nsFrameManager::Destroy() [nsFrameManager.cpp:7800a7cccda7eb305d8cd32bb4c36c0674cf20e1 : 54]
[task 2024-01-23T08:39:45.269Z] 08:39:45 INFO - Found by: inlining
[task 2024-01-23T08:39:45.269Z] 08:39:45 INFO - 10 XUL!nsCSSFrameConstructor::WillDestroyFrameTree() [nsCSSFrameConstructor.cpp:7800a7cccda7eb305d8cd32bb4c36c0674cf20e1 : 7769 + 0x92]
[task 2024-01-23T08:39:45.269Z] 08:39:45 INFO - rbx = 0x0000000137563d40 rbp = 0x00007ffeea8d2f10
[task 2024-01-23T08:39:45.269Z] 08:39:45 INFO - rsp = 0x00007ffeea8d2bb0 r12 = 0x0000000140395c00
[task 2024-01-23T08:39:45.269Z] 08:39:45 INFO - r13 = 0x00000001403d50a0 r14 = 0x000000014061f020
[task 2024-01-23T08:39:45.269Z] 08:39:45 INFO - r15 = 0x00007ffeea8d2bb8 rip = 0x000000011848c5f0
[task 2024-01-23T08:39:45.269Z] 08:39:45 INFO - Found by: call frame info
[task 2024-01-23T08:39:45.269Z] 08:39:45 INFO - 11 XUL!mozilla::PresShell::Destroy() [PresShell.cpp:7800a7cccda7eb305d8cd32bb4c36c0674cf20e1 : 1340 + 0x4]
[task 2024-01-23T08:39:45.269Z] 08:39:45 INFO - rbx = 0x00000001403d5000 rbp = 0x00007ffeea8d2ff0
[task 2024-01-23T08:39:45.269Z] 08:39:45 INFO - rsp = 0x00007ffeea8d2f20 r12 = 0x0000000140395c00
[task 2024-01-23T08:39:45.269Z] 08:39:45 INFO - r13 = 0x00000001403d50a0 r14 = 0x00000001334cd800
[task 2024-01-23T08:39:45.269Z] 08:39:45 INFO - r15 = 0x0000000000000000 rip = 0x00000001184096f5
[task 2024-01-23T08:39:45.269Z] 08:39:45 INFO - Found by: call frame info
[task 2024-01-23T08:39:45.269Z] 08:39:45 INFO - 12 XUL!nsDocumentViewer::DestroyPresShell() [nsDocumentViewer.cpp:7800a7cccda7eb305d8cd32bb4c36c0674cf20e1 : 3455 + 0x4]
[task 2024-01-23T08:39:45.269Z] 08:39:45 INFO - rbx = 0x000000013dc4c3c0 rbp = 0x00007ffeea8d3010
[task 2024-01-23T08:39:45.269Z] 08:39:45 INFO - rsp = 0x00007ffeea8d3000 r12 = 0x0000000000000000
[task 2024-01-23T08:39:45.269Z] 08:39:45 INFO - r13 = 0x0000000000000008 r14 = 0x0000000140426f20
[task 2024-01-23T08:39:45.269Z] 08:39:45 INFO - r15 = 0x000000013dd73400 rip = 0x000000011849f053
[task 2024-01-23T08:39:45.269Z] 08:39:45 INFO - Found by: call frame info
[task 2024-01-23T08:39:45.269Z] 08:39:45 INFO - 13 XUL!nsDocumentViewer::Hide() [nsDocumentViewer.cpp:7800a7cccda7eb305d8cd32bb4c36c0674cf20e1 : 2139 + 0x7]
[task 2024-01-23T08:39:45.270Z] 08:39:45 INFO - rbx = 0x000000013dc4c3c0 rbp = 0x00007ffeea8d3060
[task 2024-01-23T08:39:45.270Z] 08:39:45 INFO - rsp = 0x00007ffeea8d3020 r12 = 0x0000000000000000
[task 2024-01-23T08:39:45.270Z] 08:39:45 INFO - r13 = 0x0000000000000008 r14 = 0x000000013dd73598
[task 2024-01-23T08:39:45.270Z] 08:39:45 INFO - r15 = 0x000000013dd73400 rip = 0x000000011849b6e4
[task 2024-01-23T08:39:45.270Z] 08:39:45 INFO - Found by: call frame info
[task 2024-01-23T08:39:45.270Z] 08:39:45 INFO - 14 XUL!nsDocShell::SetVisibility(bool) [nsDocShell.cpp:7800a7cccda7eb305d8cd32bb4c36c0674cf20e1 : 0 + 0x12]
[task 2024-01-23T08:39:45.270Z] 08:39:45 INFO - rbx = 0x0000000000000001 rbp = 0x00007ffeea8d30a0
[task 2024-01-23T08:39:45.270Z] 08:39:45 INFO - rsp = 0x00007ffeea8d3070 r12 = 0x0000000000000000
[task 2024-01-23T08:39:45.270Z] 08:39:45 INFO - r13 = 0x0000000000000008 r14 = 0x000000013dc4c3c0
[task 2024-01-23T08:39:45.270Z] 08:39:45 INFO - r15 = 0x000000013dd73400 rip = 0x000000011940eb5a
[task 2024-01-23T08:39:45.270Z] 08:39:45 INFO - Found by: call frame info
[task 2024-01-23T08:39:45.270Z] 08:39:45 INFO - 15 XUL!nsFrameLoader::Hide() [nsFrameLoader.cpp:7800a7cccda7eb305d8cd32bb4c36c0674cf20e1 : 1191 + 0x9]
[task 2024-01-23T08:39:45.270Z] 08:39:45 INFO - rbx = 0x000000013dd73400 rbp = 0x00007ffeea8d30d0
[task 2024-01-23T08:39:45.270Z] 08:39:45 INFO - rsp = 0x00007ffeea8d30b0 r12 = 0x0000000000000000
[task 2024-01-23T08:39:45.270Z] 08:39:45 INFO - r13 = 0x0000000000000008 r14 = 0x0000000000000000
[task 2024-01-23T08:39:45.270Z] 08:39:45 INFO - r15 = 0x0000000133e75a60 rip = 0x0000000114bb374f
[task 2024-01-23T08:39:45.270Z] 08:39:45 INFO - Found by: call frame info
[task 2024-01-23T08:39:45.270Z] 08:39:45 INFO - 16 XUL!nsHideViewer::Run() [nsSubDocumentFrame.cpp:7800a7cccda7eb305d8cd32bb4c36c0674cf20e1 : 925 + 0x4]
[task 2024-01-23T08:39:45.270Z] 08:39:45 INFO - rbx = 0x0000000133e75a60 rbp = 0x00007ffeea8d3100
[task 2024-01-23T08:39:45.271Z] 08:39:45 INFO - rsp = 0x00007ffeea8d30e0 r12 = 0x0000000000000000
[task 2024-01-23T08:39:45.271Z] 08:39:45 INFO - r13 = 0x0000000000000008 r14 = 0x0000000000000000
[task 2024-01-23T08:39:45.271Z] 08:39:45 INFO - r15 = 0x0000000133e75a60 rip = 0x00000001186c93c2
[task 2024-01-23T08:39:45.271Z] 08:39:45 INFO - Found by: call frame info
[task 2024-01-23T08:39:45.271Z] 08:39:45 INFO - 17 XUL!nsContentUtils::RemoveScriptBlocker() [nsContentUtils.cpp:7800a7cccda7eb305d8cd32bb4c36c0674cf20e1 : 6130 + 0x5]
[task 2024-01-23T08:39:45.271Z] 08:39:45 INFO - rbx = 0x000000011276edd8 rbp = 0x00007ffeea8d31d0
[task 2024-01-23T08:39:45.271Z] 08:39:45 INFO - rsp = 0x00007ffeea8d3110 r12 = 0x0000000000000000
[task 2024-01-23T08:39:45.271Z] 08:39:45 INFO - r13 = 0x0000000000000008 r14 = 0x00007ffeea8d3128
[task 2024-01-23T08:39:45.271Z] 08:39:45 INFO - r15 = 0x0000000133e75a60 rip = 0x0000000114876107
[task 2024-01-23T08:39:45.271Z] 08:39:45 INFO - Found by: call frame info
[task 2024-01-23T08:39:45.271Z] 08:39:45 INFO - 18 XUL!nsAutoScriptBlocker::~nsAutoScriptBlocker() [nsContentUtils.h:7800a7cccda7eb305d8cd32bb4c36c0674cf20e1 : 3675]
[task 2024-01-23T08:39:45.271Z] 08:39:45 INFO - Found by: inlining
[task 2024-01-23T08:39:45.271Z] 08:39:45 INFO - 19 XUL!nsAutoScriptBlocker::~nsAutoScriptBlocker() [nsContentUtils.h:7800a7cccda7eb305d8cd32bb4c36c0674cf20e1 : 3675]
[task 2024-01-23T08:39:45.271Z] 08:39:45 INFO - Found by: inlining
[task 2024-01-23T08:39:45.271Z] 08:39:45 INFO - 20 XUL!mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) [PresShell.cpp:7800a7cccda7eb305d8cd32bb4c36c0674cf20e1 : 4334 + 0x4]
[task 2024-01-23T08:39:45.271Z] 08:39:45 INFO - rbx = 0x000000013c9c3000 rbp = 0x00007ffeea8d3310
[task 2024-01-23T08:39:45.271Z] 08:39:45 INFO - rsp = 0x00007ffeea8d31e0 r12 = 0x00000001388febc0
[task 2024-01-23T08:39:45.271Z] 08:39:45 INFO - r13 = 0x000000013c9c3098 r14 = 0x000000013c9c30a0
[task 2024-01-23T08:39:45.271Z] 08:39:45 INFO - r15 = 0x000000011f41dd28 rip = 0x000000011841b510
[task 2024-01-23T08:39:45.272Z] 08:39:45 INFO - Found by: call frame info
[task 2024-01-23T08:39:45.272Z] 08:39:45 INFO - 21 XUL!mozilla::PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) [PresShell.h:7800a7cccda7eb305d8cd32bb4c36c0674cf20e1 : 1474]
[task 2024-01-23T08:39:45.272Z] 08:39:45 INFO - Found by: inlining
[task 2024-01-23T08:39:45.272Z] 08:39:45 INFO - 22 XUL!nsRefreshDriver::TickObserverArray(unsigned int, mozilla::TimeStamp) [nsRefreshDriver.cpp:7800a7cccda7eb305d8cd32bb4c36c0674cf20e1 : 2502 + 0xc]
[task 2024-01-23T08:39:45.272Z] 08:39:45 INFO - rbx = 0x0000000080000010 rbp = 0x00007ffeea8d3400
[task 2024-01-23T08:39:45.272Z] 08:39:45 INFO - rsp = 0x00007ffeea8d3320 r12 = 0x000000013c9c3000
[task 2024-01-23T08:39:45.272Z] 08:39:45 INFO - r13 = 0x0000000000000000 r14 = 0x00000001334cdb58
[task 2024-01-23T08:39:45.272Z] 08:39:45 INFO - r15 = 0x00007ffeea8d333f rip = 0x00000001183de0ae
[task 2024-01-23T08:39:45.272Z] 08:39:45 INFO - Found by: call frame info
[task 2024-01-23T08:39:45.272Z] 08:39:45 INFO - 23 XUL!nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) [nsRefreshDriver.cpp:7800a7cccda7eb305d8cd32bb4c36c0674cf20e1 : 2736 + 0x22]
[task 2024-01-23T08:39:45.272Z] 08:39:45 INFO - rbx = 0x00000001334cd800 rbp = 0x00007ffeea8d3720
[task 2024-01-23T08:39:45.272Z] 08:39:45 INFO - rsp = 0x00007ffeea8d3410 r12 = 0x0000000000000000
[task 2024-01-23T08:39:45.272Z] 08:39:45 INFO - r13 = 0x00000000e5e7401a r14 = 0x00000001334cd840
[task 2024-01-23T08:39:45.272Z] 08:39:45 INFO - r15 = 0x0000000000000004 rip = 0x00000001183d9a0c
[task 2024-01-23T08:39:45.272Z] 08:39:45 INFO - Found by: call frame info
[task 2024-01-23T08:39:45.272Z] 08:39:45 INFO - 24 XUL!mozilla::RefreshDriverTimer::TickDriver(nsRefreshDriver*, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) [nsRefreshDriver.cpp:7800a7cccda7eb305d8cd32bb4c36c0674cf20e1 : 367]
[task 2024-01-23T08:39:45.272Z] 08:39:45 INFO - Found by: inlining
[task 2024-01-23T08:39:45.272Z] 08:39:45 INFO - 25 XUL!mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) [nsRefreshDriver.cpp:7800a7cccda7eb305d8cd32bb4c36c0674cf20e1 : 345 + 0xc]
[task 2024-01-23T08:39:45.272Z] 08:39:45 INFO - rbx = 0x000000ac0847afef rbp = 0x00007ffeea8d3760
[task 2024-01-23T08:39:45.273Z] 08:39:45 INFO - rsp = 0x00007ffeea8d3730 r12 = 0x0000000000000001
[task 2024-01-23T08:39:45.273Z] 08:39:45 INFO - r13 = 0x0000000110550c20 r14 = 0x00000000000012e1
[task 2024-01-23T08:39:45.273Z] 08:39:45 INFO - r15 = 0x0000000000000000 rip = 0x00000001183e53ae
[task 2024-01-23T08:39:45.273Z] 08:39:45 INFO - Found by: call frame info
I'm not really an expert in this code but what I think is happening is:
- there's an open popup
- that popup's prescontext/presshell gets destroyed
- that triggers the popup's RemoveMenuChainItem
- we then want the popup's root presshell, but that's already been unlinked/destroyed
- we would nullcheck the root presshell later, but don't bother nullchecking the immediate parent presshell before trying to fetch that root presshell.
I don't know how realistically a user could hit this, but it's clear it's happening in this automated test.
Emilio, does this sound right and do I "just" need to add an intermediate var for the presshell and nullcheck it before trying to use it to get the root presshell?
Comment 6•2 years ago
(In reply to :Gijs (he/him) from comment #4)
> (In reply to Magnus Melin [:mkmelin] from comment #3)
> > FWIW, not a null pointer crash
> Uh, isn't it? The stack I'm seeing seems to say it's a nullptr crash (0x20, which is close to nullptr, so probably an opt build accessing a member of something that's been nulled out)?
> [...]
> (restricting for now because AIUI that's what we do for non-nullptr crashes, but if I'm right I don't think this needs to be a sec bug)
FWIW, I agree that this looks like a nullptr crash (trying to read a member-var from a nullptr pointer-val, or something along those lines) and hence probably doesn't need to be restricted-visibility.
Just to be on the safe side before un-hiding: Magnus, was there something else (besides 0x20 being not-quite-zero) that's leading you to think that this is not a nullptr crash?
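The question in comments 3 to 6 is whether the faulting access is a fixed member offset applied to a null base pointer. The following triage sketch is an added example, not part of the bug or of any Mozilla tooling: it re-computes the effective address from the crashing instruction and the crashing frame's registers as printed in the log quoted in comment 4. The function names, the 0x1000 "near null" limit and the second, constructed log are assumptions made for illustration.

```python
import re

NEAR_NULL_LIMIT = 0x1000  # assumption: treat the first page as "near null"

# Lines copied from the log in comment 4 (task/timestamp prefix trimmed;
# the regexes below use search(), so the prefix may also be left in place).
PAGE_LOG = """\
Crash reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Crash address: 0x0000000000000020 **
Crashing instruction: `mov rax, qword [rdi + 0x20]`
Thread 0 MainThread (crashed)
Found by: inlining
rax = 0x0000000000000000 rdx = 0x000000011c944c08
rcx = 0x00007ffeea8d2a00 rbx = 0x0000000000000000
rsi = 0x00000001353d8500 rdi = 0x0000000000000000
Found by: given as instruction pointer in context
rbx = 0x00000001105d5660 rbp = 0x00007ffeea8d2a40
Found by: call frame info
"""

# Constructed contrast case (not from the page): same instruction, but the
# base register holds a non-null value, so the fault is not a null deref.
CONSTRUCTED_LOG = (PAGE_LOG
    .replace("rdi = 0x0000000000000000", "rdi = 0x00007f00deadbe00")
    .replace("Crash address: 0x0000000000000020",
             "Crash address: 0x00007f00deadbe20"))

ADDR_RE = re.compile(r"Crash address:\s*(0x[0-9a-fA-F]+)")
INSN_RE = re.compile(r"Crashing instruction:\s*`([^`]+)`")
REG_RE = re.compile(r"\b(r[a-z0-9]{1,3})\s*=\s*(0x[0-9a-fA-F]+)")
# Handles only [base] and [base +/- 0xdisp]; index*scale forms are rejected.
MEM_RE = re.compile(
    r"\[\s*(r[a-z0-9]{1,3})\s*(?:([+-])\s*(0x[0-9a-fA-F]+))?\s*\]")


def parse_crash(log):
    """Extract crash address, instruction and the crashing frame's registers."""
    addr = ADDR_RE.search(log)
    insn = INSN_RE.search(log)
    regs = {}
    for line in log.splitlines():
        for name, value in REG_RE.findall(line):
            regs.setdefault(name, int(value, 16))
        # The first register block belongs to the crashing context; stop at
        # the "Found by:" line that closes it (earlier inlined frames have none).
        if "Found by:" in line and regs:
            break
    return (int(addr.group(1), 16) if addr else None,
            insn.group(1) if insn else None, regs)


def classify(log):
    """Say whether the fault is a constant-offset read through a null base."""
    address, insn, regs = parse_crash(log)
    if address is None or insn is None:
        return "unknown: no crash address or instruction in log"
    operand = MEM_RE.search(insn)
    if not operand:
        return "unknown: memory operand form not handled"
    base, sign, disp_text = operand.groups()
    disp = int(disp_text, 16) if disp_text else 0
    if sign == "-":
        disp = -disp
    if base not in regs:
        return f"unknown: base register {base} not in dump"
    effective = (regs[base] + disp) & 0xFFFFFFFFFFFFFFFF
    if effective != address:
        return "inconsistent: operand does not reproduce crash address"
    if regs[base] == 0 and 0 <= disp < NEAR_NULL_LIMIT:
        return f"null-deref: read at offset {disp:#x} from null {base}"
    if address < NEAR_NULL_LIMIT:
        return "near-null: base not null, needs manual review"
    return f"non-null: {base} = {regs[base]:#x}, review as memory-safety bug"
```

A "null-deref" result only says the base was zero and the displacement was a small constant; an access whose offset is computed from an index falls into the "unknown" branch and still needs a manual look.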
Comment 7•2 years ago
It looks like we've got a user who hit a version of this crash recently, too, over in bp-ceda5af0-1d45-4721-952c-bf5680240126. (Handy for seeing the exact lines of code linked from the backtrace in the crash report there.)
Based on that, it looks like presContext is probably nullptr here:
https://searchfox.org/mozilla-central/rev/b75080bb8b11844d18cb5f9ac6e68a866ef8e243/layout/xul/nsXULPopupManager.cpp#237-238,244-245
```cpp
nsPresContext* presContext =
    aItem->Frame()->PresContext()->GetRootPresContext();
...
nsCOMPtr<nsIWidget> rootWidget =
    presContext->GetRootPresContext()->GetRootWidget();
```
So I think we probably just need to null-check presContext before the last line that I quoted there (and bail out in whatever way makes sense if it's null).
| Assignee | ||
Comment 9•2 years ago
Yeah, you just need to null-check the root pres context.
Comment 10•2 years ago
I wrote it's not a null pointer crash since at least normally I don't see stacks past the actual null pointer access. I could be wrong.
Anyhow, I tried the suggestions from above (I think), and it's not working. I'll attach what I've checked.
Comment 11•2 years ago
Still crashing. The crash did move a bit, but it's just another mystery crash at mozilla/layout/xul/nsXULPopupManager.cpp:1549 now...
Comment 12•2 years ago
Someone more familiar with this should take a look...
| Assignee | ||
Comment 13•2 years ago
| Assignee | ||
Comment 14•2 years ago
I meant to say:
Early-returning when the root prescontext is null is wrong. Does the attached patch work for you? I can test it in TB later today.
| Assignee | ||
Comment 16•2 years ago
Comment 17•2 years ago
Removing sec flag per previous discussion.
Comment 18•2 years ago
Comment 19•2 years ago
Comment 21•2 years ago
The patch landed in nightly and beta is affected.
:emilio, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set status-firefox123 to wontfix.
For more information, please visit BugBot documentation.
| Assignee | ||
Comment 22•2 years ago
Comment on attachment 9376935 [details]
Bug 1876009 - Null-check root pres context in nsXULPopupManager code. r=Gijs
Beta/Release Uplift Approval Request
- User impact if declined: potential crashes when closing windows
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: none
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Null-checks.
- String changes made/needed: none
- Is Android affected?: No
Comment 23•2 years ago
Comment on attachment 9376935 [details]
Bug 1876009 - Null-check root pres context in nsXULPopupManager code. r=Gijs
Approved for 123 beta 5, thanks.
Comment 24•2 years ago
Comment 25•2 years ago