Crash in [@ nsDocShell::GetBrowsingContext | nsDocumentViewer::PermitUnload]
Categories
(Core :: DOM: Navigation, defect)
Tracking
()
People
(Reporter: mccr8, Assigned: smaug)
References
Details
(Keywords: crash)
Crash Data
Attachments
(2 files)
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
phab-bot
:
approval-mozilla-beta+
|
Details | Review |
Crash report: https://crash-stats.mozilla.org/report/index/9647b345-2f19-4f38-968b-cba910240311
Reason: SIGSEGV / SEGV_MAPERR
Top 10 frames of crashing thread:
0 libxul.so RefPtr<mozilla::dom::BrowsingContext>::get const mfbt/RefPtr.h:314
0 libxul.so RefPtr<mozilla::dom::BrowsingContext>::operator mozilla::dom::BrowsingContext* const& mfbt/RefPtr.h:327
0 libxul.so nsDocShell::GetBrowsingContext docshell/base/nsDocShell.cpp:13533
0 libxul.so nsDocumentViewer::PermitUnload layout/base/nsDocumentViewer.cpp:1146
1 libxul.so nsDocShell::InternalLoad docshell/base/nsDocShell.cpp
2 libxul.so nsDocShell::LoadHistoryEntry docshell/base/nsDocShell.cpp:12018
3 libxul.so nsDocShell::LoadHistoryEntry docshell/base/nsDocShell.cpp:11939
4 libxul.so nsDocShell::LoadURI docshell/base/nsDocShell.cpp:783
5 libxul.so mozilla::dom::BrowsingContext::LoadURI docshell/base/BrowsingContext.cpp:1967
6 libxul.so nsSHistory::LoadURIOrBFCache docshell/shistory/nsSHistory.cpp:1403
While the bogus looking stacks with OffTheBooksMutex::Unlock in them from bug 1842606 are still present, while looking at this signature, it seems like this nsDocumentViewer::PermitUnload variation is much more common now.
It looks like the crash is on this line of nsDocumentViewer::PermitUnload:
RefPtr<BrowsingContext> bc = mContainer->GetBrowsingContext();
This looks like a missing null check on mContainer. I see two other places that do this call without an obvious null check, so maybe those need to be fixed, too.
|
Reporter | |
Comment 1•1 year ago
|
||
Out of the 2687 crashes with this signature in the last 3 months, 2093 of them have PermitUnload in the proto signature (about 78%).
|
|
Reporter | |
Comment 2•1 year ago
|
||
One bug 1884689 is deployed, the signature will change.
|
||
Comment 3•1 year ago
|
||
The severity field is not set for this bug.
:boris, could you have a look please?
For more information, please visit BugBot documentation.
|
||
Comment 4•1 year ago
|
||
I'd like to move this into DOM related component, per the call stack in comment 0 (e.g. browsing context and nsSHistory).
|
Assignee | |
Comment 6•1 year ago
|
||
Yeah, I think we just miss some null checks.
|
|
Assignee | |
Comment 7•1 year ago
|
||
|
||
Comment 9•1 year ago
|
||
| bugherder | ||
|
||
Updated•1 year ago
|
|
|
||
Comment 10•1 year ago
|
||
Please nominate this for Beta uplift when you get a chance.
|
|
Assignee | |
Comment 11•1 year ago
|
||
Original Revision: https://phabricator.services.mozilla.com/D205767
|
||
Updated•1 year ago
|
|
|
||
Comment 12•1 year ago
|
||
beta Uplift Approval Request
- User impact if declined: crashes
- Code covered by automated testing: no
- Fix verified in Nightly: no
- Needs manual QE test: no
- Steps to reproduce for manual QE testing: -
- Risk associated with taking this patch: Low
- Explanation of risk level: Simple null check based on crash reports
- String changes made/needed: NA
- Is Android affected?: yes
|
|
||
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
||
Comment 13•1 year ago
|
||
| uplift | ||
|
|
Assignee | |
Updated•1 year ago
|
Description
•