Open
Bug 1910011
Opened 1 year ago
Updated 1 day ago
Crash in [@ mozilla::dom::ClientHandle::Control]
Categories
(Core :: DOM: Service Workers, defect, P2)
Tracking
()
ASSIGNED
People
(Reporter: mccr8, Assigned: asuth, NeedInfo)
References
Details
(Keywords: crash, pernosco)
Crash Data
Attachments
(1 file)
|
4.29 MB,
video/quicktime
|
Details |
Crash report: https://crash-stats.mozilla.org/report/index/764d3abd-e872-4cef-a7b1-62e130240725
MOZ_CRASH Reason: MOZ_RELEASE_ASSERT(ClientMatchPrincipalInfo(mClientInfo.PrincipalInfo(), aServiceWorker.PrincipalInfo()))
Top 10 frames:
0 xul.dll mozilla::dom::ClientHandle::Control(mozilla::dom::ServiceWorkerDescriptor con... dom/clients/manager/ClientHandle.cpp:110
1 xul.dll mozilla::dom::ServiceWorkerManager::StartControllingClient::<lambda_1>::opera... dom/serviceworkers/ServiceWorkerManager.cpp:590
1 xul.dll nsBaseHashtable<nsIDHashKey, mozilla::UniquePtr<mozilla::dom::ServiceWorkerMa... xpcom/ds/nsBaseHashtable.h:836
1 xul.dll nsTHashtable<nsBaseHashtableET<nsIDHashKey, mozilla::UniquePtr<mozilla::dom::... xpcom/ds/nsTHashtable.h:437
1 xul.dll PLDHashTable::WithEntryHandle(void const*, nsTHashtable<nsBaseHashtableET<nsI... xpcom/ds/PLDHashTable.h:605
1 xul.dll nsTHashtable<nsBaseHashtableET<nsIDHashKey, mozilla::UniquePtr<mozilla::dom::... xpcom/ds/nsTHashtable.h:434
1 xul.dll nsBaseHashtable<nsIDHashKey, mozilla::UniquePtr<mozilla::dom::ServiceWorkerMa... xpcom/ds/nsBaseHashtable.h:834
1 xul.dll mozilla::dom::ServiceWorkerManager::StartControllingClient(mozilla::dom::Clie... dom/serviceworkers/ServiceWorkerManager.cpp:541
2 xul.dll mozilla::dom::ServiceWorkerManager::IsAvailable(nsIPrincipal*, nsIURI*, nsICh... dom/serviceworkers/ServiceWorkerManager.cpp:2289
2 xul.dll mozilla::dom::ServiceWorkerInterceptController::ShouldPrepareForIntercept(nsI... dom/serviceworkers/ServiceWorkerInterceptController.cpp:120
This is currently the number 5 top main process crash on release and I didn't see a recent bug on file for it so I'm filing this one.
|
Assignee | |
Updated•1 year ago
|
Assignee: nobody → bugmail
Severity: -- → S3
Status: NEW → ASSIGNED
Priority: -- → P2
See Also: → 1880012
|
||
Comment 1•8 months ago
|
||
The bug is linked to a topcrash signature, which matches the following criterion:
- Top 20 desktop browser crashes on beta
:asuth, could you consider increasing the severity of this top-crash bug?
For more information, please visit BugBot documentation.
Flags: needinfo?(bugmail)
Keywords: topcrash
I'm facing this issue since version 132 (I think), and in my case it is always triggered when I open view-source for a specific webpage (which is running on a local vm). If I open the same webpage in public on production, view-source works.
The troubleshooting-mode did not help, also clearing the start-cache...
(In reply to Stefan from comment #2)
In addition to that:
- clearing the website's data (in my case for 127.0.0.1 where the vm is running) fixed the issue
- viewing the source in private mode works
- viewing the source in a different container (I'm using the multi-account containers extension) works
- viewing the source in a new profile works
So it seems like it depends on website/cache data.
|
|
Assignee | |
Comment 4•8 months ago
|
||
Thank you for the details about view-source triggering the crash and the extensive testing of alternate modes which helps ensure this is a ServiceWorker-specific problem, that's invaluable data!
Flags: needinfo?(bugmail)
|
|
||
Comment 5•7 months ago
|
||
Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.
For more information, please visit BugBot documentation.
Keywords: topcrash
|
|
Assignee | |
Comment 6•3 months ago
|
||
|
|
Assignee | |
Comment 7•3 months ago
|
||
I posted roughly the following summary in the "Firefox Anti-Tracking Development" channel on matrix earlier today and :timhuang confirmed that we should indeed be cloning the CJS instead of reusing it; I'm editing the summary slightly to be less of a question:
I think I've isolated the problem in https://bugzilla.mozilla.org/show_bug.cgi?id=1910011 to this code where we copy a live instance of a CookieJarSettings from the parent document into an iframe instead of snapshotting/cloning/forking it in the parent process:
// Let's inherit the cookie behavior and permission from the parent
// document.
mCookieJarSettings = aLoadingContext->OwnerDoc()->CookieJarSettings();
The general problem that ends up happening is:
- We Create a CookieJarSettings for a parent BCID 0x380000018
- We inherit that CJS as a live object reference into the LoadInfo for child iframe BCID 0xa00000002 (brown color in pernosco notebook) and then use the CJS to mint a ReservedClientInfo that has a partitionKey without ",f" in it
- We inherit that same CJS as a live object reference into the LoadInfo for child iframe BCID 0xa00000004 (orange in the pernosco notebook). This iframe is same-site to the top-level navigable so we update the partition key for the shared CJS to have a ",f" in it.
- For BCID 0xa00000002 when we're processing the interception we use StoragePrincipalHelper::GetOriginAttributes to get the right principal for the ServiceWorker, but the CJS has been mutated since the last time we sampled it and now our OriginAttributes have a ",f" in it.
- ServiceWorkers ClientHandle::Control gets angry because the PrincipalInfos don't match.
Aside: I do understand we have mozilla::OriginAttributes::EqualsIgnoringPartitionKey but for storage key semantics the partition key does matter and needs to be consistent. In my review of https://phabricator.services.mozilla.com/D127841 where we use the comparison, I think it made sense to use because the loading principal is distinct from the storage key / effective storage principal.
The BC Hierarchy:
- Root:
0x9https://news.htn.tech/TONS-OF-ENTROPY- Depth 1:
0x380000018https://news-z.info/check.html- Depth 2:
0xa00000002https://howto-news.info/check.html(brown color in pernosco notebook) (this is the one where the intercept gets upset) - Depth 2:
0xa00000003https://news-evi.net/check.html(purple color in pernosco notebook) - Depth 2:
0xa00000004https://htn.tech/check.html(orange color in pernosco notebook) (same-site)
- Depth 2:
- Depth 1:
|
||
Comment 8•3 months ago
|
||
I'm sorry. I didn't look into the issue in detail when I replied to you. I think the root cause is not reusing the CJS here, but not using the updated partitionKey for creating ClientInfo because the Key will be updated later. Inheriting CJS from the parent document happens in the child process, and we send it to the parent process and deserialize it for channel loading. The deserialization creates a new CJS in the parent process.
In the current implementation, the Depth 2: https://htn.tech/check.html will get an additional ,f in the partitionKey because it's same-site with a foreign ancestor. And we update the partitionKey when we open the channel in the parent process, which is later than creating the ClientInfo.
I think we should either
- Update the partitoinKey early. Moving it before we create the ClientInfo so that we can have the right Key.
- Update the clientInfo together when we update the partitionKey in CJS, but I am uncertain if we can update the clientInfo after creation.
I think 1. is doable, but we still need to ensure the key is properly updated for other types of loads, such as subresources.
|
|
||
Comment 9•3 months ago
|
||
Apparently, we have implemented the 1). option already in Bug 1736488. So, the issue is somehting else.
|
||
Comment 10•7 days ago
•
|
||
I can reliably hit this crash on macOS running Sequoia 15.5 with Firefox 141.0 (aarch64) and Firefox Nightly on macOS Tahoe Beta when trying to login to replit.com from a sample app it generated using replit auth in preview mode (not on a deployed app). One of those crash reports is https://crash-stats.mozilla.org/report/index/8ffa7d72-8cec-4d76-9894-1ae3e0250730
To reproduce the problem, use or clone this sample app https://replit.com/@haftandilian/Sample-Note-App-With-Login and then attempt to login using a replit account.
The problem reproduces on a fresh profile.
I'll add a screen recording demonstrating how I hit the crash.
|
|
||
Comment 11•7 days ago
|
||
|
|
||
Comment 12•7 days ago
•
|
||
Here's the stack from a debug build. Is there anything else I could collect to help debugging?
* thread #1, name = 'MainThread', queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
frame #0: 0x000000034be19408 XUL`MOZ_CrashSequence(aAddress=0x0000000000000000, aLine=111) at Assertions.h:253:3
250 : // no output registers
251 : "r"(aAddress), "r"(aLine));
252 # elif defined(__arm__) || defined(__aarch64__)
-> 253 asm volatile(
254 "str %1,[%0];\n" // Write the line number to the crashing address
255 : // no output registers
256 : "r"(aAddress), "r"(aLine));
Target 0: (firefox) stopped.
(lldb) bt
* thread #1, name = 'MainThread', queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x000000034be19408 XUL`MOZ_CrashSequence(aAddress=0x0000000000000000, aLine=111) at Assertions.h:253:3
frame #1: 0x000000034be1a4a0 XUL`mozilla::dom::ClientHandle::Control(this=0x0000000313728ae0, aServiceWorker=0x000000031419f0a0) at ClientHandle.cpp:110:3
frame #2: 0x000000034ffa5be4 XUL`mozilla::dom::ServiceWorkerManager::StartControllingClient(mozilla::dom::ClientInfo const&, mozilla::dom::ServiceWorkerRegistrationInfo*, bool)::$_0::operator()(this=0x000000016aef6a68, entry=0x000000016aef6870) const at ServiceWorkerManager.cpp:604:33
frame #3: 0x000000034ffa5874 XUL`decltype(auto) std::__1::invoke_result<mozilla::dom::ServiceWorkerManager::StartControllingClient(mozilla::dom::ClientInfo const&, mozilla::dom::ServiceWorkerRegistrationInfo*, bool)::$_0, nsBaseHashtable<nsIDHashKey, mozilla::UniquePtr<mozilla::dom::ServiceWorkerManager::ControlledClientData, mozilla::DefaultDelete<mozilla::dom::ServiceWorkerManager::ControlledClientData>>, mozilla::dom::ServiceWorkerManager::ControlledClientData*, nsUniquePtrConverter<mozilla::dom::ServiceWorkerManager::ControlledClientData>>::EntryHandle&&>::type nsBaseHashtable<nsIDHashKey, mozilla::UniquePtr<mozilla::dom::ServiceWorkerManager::ControlledClientData, mozilla::DefaultDelete<mozilla::dom::ServiceWorkerManager::ControlledClientData>>, mozilla::dom::ServiceWorkerManager::ControlledClientData*, nsUniquePtrConverter<mozilla::dom::ServiceWorkerManager::ControlledClientData>>::WithEntryHandle<mozilla::dom::ServiceWorkerManager::StartControllingClient(mozilla::dom::ClientInfo const&, mozilla::dom::ServiceWorkerRegistrationInfo*, bool)::$_0>(nsID const&, mozilla::dom::ServiceWorkerManager::StartControllingClient(mozilla::dom::ClientInfo const&, mozilla::dom::ServiceWorkerRegistrationInfo*, bool)::$_0&&)::'lambda'(mozilla::dom::ServiceWorkerManager::StartControllingClient(mozilla::dom::ClientInfo const&, mozilla::dom::ServiceWorkerRegistrationInfo*, bool)::$_0)::operator()<nsTHashtable<nsBaseHashtableET<nsIDHashKey, mozilla::UniquePtr<mozilla::dom::ServiceWorkerManager::ControlledClientData, mozilla::DefaultDelete<mozilla::dom::ServiceWorkerManager::ControlledClientData>>>>::EntryHandle>(this=0x000000016aef6a10, entryHandle=EntryHandle @ 0x000000016aef68e0) const at nsBaseHashtable.h:849:18
frame #4: 0x000000034ffa57e8 XUL`decltype(auto) std::__1::invoke_result<mozilla::dom::ServiceWorkerManager::StartControllingClient(mozilla::dom::ClientInfo const&, mozilla::dom::ServiceWorkerRegistrationInfo*, bool)::$_0, nsTHashtable<nsBaseHashtableET<nsIDHashKey, mozilla::UniquePtr<mozilla::dom::ServiceWorkerManager::ControlledClientData, mozilla::DefaultDelete<mozilla::dom::ServiceWorkerManager::ControlledClientData>>>>::EntryHandle&&>::type nsTHashtable<nsBaseHashtableET<nsIDHashKey, mozilla::UniquePtr<mozilla::dom::ServiceWorkerManager::ControlledClientData, mozilla::DefaultDelete<mozilla::dom::ServiceWorkerManager::ControlledClientData>>>>::WithEntryHandle<std::__1::invoke_result<mozilla::dom::ServiceWorkerManager::StartControllingClient(mozilla::dom::ClientInfo const&, mozilla::dom::ServiceWorkerRegistrationInfo*, bool)::$_0, nsBaseHashtable<nsIDHashKey, mozilla::UniquePtr<mozilla::dom::ServiceWorkerManager::ControlledClientData, mozilla::DefaultDelete<mozilla::dom::ServiceWorkerManager::ControlledClientData>>, mozilla::dom::ServiceWorkerManager::ControlledClientData*, nsUniquePtrConverter<mozilla::dom::ServiceWorkerManager::ControlledClientData>>::EntryHandle&&>::type nsBaseHashtable<nsIDHashKey, mozilla::UniquePtr<mozilla::dom::ServiceWorkerManager::ControlledClientData, mozilla::DefaultDelete<mozilla::dom::ServiceWorkerManager::ControlledClientData>>, mozilla::dom::ServiceWorkerManager::ControlledClientData*, nsUniquePtrConverter<mozilla::dom::ServiceWorkerManager::ControlledClientData>>::WithEntryHandle<mozilla::dom::ServiceWorkerManager::StartControllingClient(mozilla::dom::ClientInfo const&, mozilla::dom::ServiceWorkerRegistrationInfo*, bool)::$_0>(nsID const&, mozilla::dom::ServiceWorkerManager::StartControllingClient(mozilla::dom::ClientInfo const&, mozilla::dom::ServiceWorkerRegistrationInfo*, bool)::$_0&&)::'lambda'(mozilla::dom::ServiceWorkerManager::StartControllingClient(mozilla::dom::ClientInfo const&, mozilla::dom::ServiceWorkerRegistrationInfo*, bool)::$_0)>(nsID const&, mozilla::dom::ServiceWorkerManager::StartControllingClient(mozilla::dom::ClientInfo const&, mozilla::dom::ServiceWorkerRegistrationInfo*, bool)::$_0&&)::'lambda'(mozilla::dom::ServiceWorkerManager::StartControllingClient(mozilla::dom::ClientInfo const&, mozilla::dom::ServiceWorkerRegistrationInfo*, bool)::$_0)::operator()<PLDHashTable::EntryHandle>(this=0x000000016aef69c8, entryHandle=EntryHandle @ 0x000000016aef6958) const at nsTHashtable.h:439:18
frame #5: 0x000000034ffa5754 XUL`std::__1::invoke_result<mozilla::dom::ServiceWorkerManager::StartControllingClient(mozilla::dom::ClientInfo const&, mozilla::dom::ServiceWorkerRegistrationInfo*, bool)::$_0, PLDHashTable::EntryHandle&&>::type PLDHashTable::WithEntryHandle<std::__1::invoke_result<mozilla::dom::ServiceWorkerManager::StartControllingClient(mozilla::dom::ClientInfo const&, mozilla::dom::ServiceWorkerRegistrationInfo*, bool)::$_0, nsTHashtable<nsBaseHashtableET<nsIDHashKey, mozilla::UniquePtr<mozilla::dom::ServiceWorkerManager::ControlledClientData, mozilla::DefaultDelete<mozilla::dom::ServiceWorkerManager::ControlledClientData>>>>::EntryHandle&&>::type nsTHashtable<nsBaseHashtableET<nsIDHashKey, mozilla::UniquePtr<mozilla::dom::ServiceWorkerManager::ControlledClientData, mozilla::DefaultDelete<mozilla::dom::ServiceWorkerManager::ControlledClientData>>>>::WithEntryHandle<std::__1::invoke_result<mozilla::dom::ServiceWorkerManager::StartControllingClient(mozilla::dom::ClientInfo const&, mozilla::dom::ServiceWorkerRegistrationInfo*, bool)::$_0, nsBaseHashtable<nsIDHashKey, mozilla::UniquePtr<mozilla::dom::ServiceWorkerManager::ControlledClientData, mozilla::DefaultDelete<mozilla::dom::ServiceWorkerManager::ControlledClientData>>, mozilla::dom::ServiceWorkerManager::ControlledClientData*, nsUniquePtrConverter<mozilla::dom::ServiceWorkerManager::ControlledClientData>>::EntryHandle&&>::type nsBaseHashtable<nsIDHashKey, mozilla::UniquePtr<mozilla::dom::ServiceWorkerManager::ControlledClientData, mozilla::DefaultDelete<mozilla::dom::ServiceWorkerManager::ControlledClientData>>, mozilla::dom::ServiceWorkerManager::ControlledClientData*, nsUniquePtrConverter<mozilla::dom::ServiceWorkerManager::ControlledClientData>>::WithEntryHandle<mozilla::dom::ServiceWorkerManager::StartControllingClient(mozilla::dom::ClientInfo const&, mozilla::dom::ServiceWorkerRegistrationInfo*, bool)::$_0>(nsID const&, mozilla::dom::ServiceWorkerManager::StartControllingClient(mozilla::dom::ClientInfo const&, mozilla::dom::ServiceWorkerRegistrationInfo*, bool)::$_0&&)::'lambda'(mozilla::dom::ServiceWorkerManager::StartControllingClient(mozilla::dom::ClientInfo const&, mozilla::dom::ServiceWorkerRegistrationInfo*, bool)::$_0)>(nsID const&, mozilla::dom::ServiceWorkerManager::StartControllingClient(mozilla::dom::ClientInfo const&, mozilla::dom::ServiceWorkerRegistrationInfo*, bool)::$_0&&)::'lambda'(mozilla::dom::ServiceWorkerManager::StartControllingClient(mozilla::dom::ClientInfo const&, mozilla::dom::ServiceWorkerRegistrationInfo*, bool)::$_0)>(this=0x0000000119b8b0d0, aKey=0x00000003165ce200, aFunc=0x000000016aef69c8) at PLDHashTable.h:605:12
frame #6: 0x000000034ffa56cc XUL`std::__1::invoke_result<mozilla::dom::ServiceWorkerManager::StartControllingClient(mozilla::dom::ClientInfo const&, mozilla::dom::ServiceWorkerRegistrationInfo*, bool)::$_0, nsTHashtable<nsBaseHashtableET<nsIDHashKey, mozilla::UniquePtr<mozilla::dom::ServiceWorkerManager::ControlledClientData, mozilla::DefaultDelete<mozilla::dom::ServiceWorkerManager::ControlledClientData>>>>::EntryHandle&&>::type nsTHashtable<nsBaseHashtableET<nsIDHashKey, mozilla::UniquePtr<mozilla::dom::ServiceWorkerManager::ControlledClientData, mozilla::DefaultDelete<mozilla::dom::ServiceWorkerManager::ControlledClientData>>>>::WithEntryHandle<std::__1::invoke_result<mozilla::dom::ServiceWorkerManager::StartControllingClient(mozilla::dom::ClientInfo const&, mozilla::dom::ServiceWorkerRegistrationInfo*, bool)::$_0, nsBaseHashtable<nsIDHashKey, mozilla::UniquePtr<mozilla::dom::ServiceWorkerManager::ControlledClientData, mozilla::DefaultDelete<mozilla::dom::ServiceWorkerManager::ControlledClientData>>, mozilla::dom::ServiceWorkerManager::ControlledClientData*, nsUniquePtrConverter<mozilla::dom::ServiceWorkerManager::ControlledClientData>>::EntryHandle&&>::type nsBaseHashtable<nsIDHashKey, mozilla::UniquePtr<mozilla::dom::ServiceWorkerManager::ControlledClientData, mozilla::DefaultDelete<mozilla::dom::ServiceWorkerManager::ControlledClientData>>, mozilla::dom::ServiceWorkerManager::ControlledClientData*, nsUniquePtrConverter<mozilla::dom::ServiceWorkerManager::ControlledClientData>>::WithEntryHandle<mozilla::dom::ServiceWorkerManager::StartControllingClient(mozilla::dom::ClientInfo const&, mozilla::dom::ServiceWorkerRegistrationInfo*, bool)::$_0>(nsID const&, mozilla::dom::ServiceWorkerManager::StartControllingClient(mozilla::dom::ClientInfo const&, mozilla::dom::ServiceWorkerRegistrationInfo*, bool)::$_0&&)::'lambda'(mozilla::dom::ServiceWorkerManager::StartControllingClient(mozilla::dom::ClientInfo const&, mozilla::dom::ServiceWorkerRegistrationInfo*, bool)::$_0)>(this=0x0000000119b8b0d0, aKey=0x00000003165ce200, aFunc=0x000000016aef6a10) at nsTHashtable.h:436:25
frame #7: 0x000000034ff3f31c XUL`std::__1::invoke_result<mozilla::dom::ServiceWorkerManager::StartControllingClient(mozilla::dom::ClientInfo const&, mozilla::dom::ServiceWorkerRegistrationInfo*, bool)::$_0, nsBaseHashtable<nsIDHashKey, mozilla::UniquePtr<mozilla::dom::ServiceWorkerManager::ControlledClientData, mozilla::DefaultDelete<mozilla::dom::ServiceWorkerManager::ControlledClientData>>, mozilla::dom::ServiceWorkerManager::ControlledClientData*, nsUniquePtrConverter<mozilla::dom::ServiceWorkerManager::ControlledClientData>>::EntryHandle&&>::type nsBaseHashtable<nsIDHashKey, mozilla::UniquePtr<mozilla::dom::ServiceWorkerManager::ControlledClientData, mozilla::DefaultDelete<mozilla::dom::ServiceWorkerManager::ControlledClientData>>, mozilla::dom::ServiceWorkerManager::ControlledClientData*, nsUniquePtrConverter<mozilla::dom::ServiceWorkerManager::ControlledClientData>>::WithEntryHandle<mozilla::dom::ServiceWorkerManager::StartControllingClient(mozilla::dom::ClientInfo const&, mozilla::dom::ServiceWorkerRegistrationInfo*, bool)::$_0>(this=0x0000000119b8b0d0, aKey=0x00000003165ce200, aFunc=0x000000016aef6a68) at nsBaseHashtable.h:847:18
frame #8: 0x000000034ff3f2a8 XUL`mozilla::dom::ServiceWorkerManager::StartControllingClient(this=0x0000000119b8b040, aClientInfo=0x000000016aef6db0, aRegistrationInfo=0x00000003159237c0, aControlClientHandle=true) at ServiceWorkerManager.cpp:556:29
frame #9: 0x000000034ff39f84 XUL`mozilla::dom::ServiceWorkerManager::DispatchFetchEvent(this=0x0000000119b8b040, aChannel=0x0000000308e31300, aRv=0x000000016aef6e30) at ServiceWorkerManager.cpp:2300:7
frame #10: 0x000000034ff39538 XUL`mozilla::dom::ServiceWorkerInterceptController::ChannelIntercepted(this=0x00000003165d47e0, aChannel=0x0000000308e31300) at ServiceWorkerInterceptController.cpp:163:8
frame #11: 0x0000000346811dbc XUL`mozilla::net::ParentChannelListener::ChannelIntercepted(this=0x00000003168690c0, aChannel=0x0000000308e31300) at ParentChannelListener.cpp:234:34
frame #12: 0x00000003467f5618 XUL`mozilla::net::InterceptedHttpChannel::AsyncOpenInternal(this=0x0000000308e31300) at InterceptedHttpChannel.cpp:188:20
frame #13: 0x00000003467f96b8 XUL`mozilla::net::InterceptedHttpChannel::AsyncOpen(this=0x0000000308e31300, aListener=0x0000000139fb7c10) at InterceptedHttpChannel.cpp:616:3
frame #14: 0x0000000346899fe0 XUL`mozilla::net::nsHttpChannel::OpenRedirectChannel(this=0x00000003165c7300, rv=NS_OK) at nsHttpChannel.cpp:3675:26
frame #15: 0x00000003468980d4 XUL`mozilla::net::nsHttpChannel::ContinueAsyncRedirectChannelToURI(this=0x00000003165c7300, rv=NS_OK) at nsHttpChannel.cpp:3635:10
frame #16: 0x00000003468bd034 XUL`mozilla::net::nsHttpChannel::OnRedirectVerifyCallback(this=0x00000003165c7300, result=NS_OK) at nsHttpChannel.cpp:10095:14
frame #17: 0x0000000345f13638 XUL`mozilla::net::nsAsyncVerifyRedirectCallbackEvent::Run(this=0x00000003168c9900) at nsAsyncRedirectVerifyHelper.cpp:41:22
frame #18: 0x00000003459260ac XUL`mozilla::RunnableTask::Run(this=0x0000000316869b40) at TaskController.cpp:703:16
frame #19: 0x0000000345914184 XUL`mozilla::TaskController::RunTask(aTask=0x0000000316869b40) at TaskController.cpp:196:19
frame #20: 0x000000034591aa58 XUL`mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(this=0x000000011c0249d0, aProofOfLock=0x000000016aef7dc0) at TaskController.cpp:1310:20
frame #21: 0x0000000345917b78 XUL`mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(this=0x000000011c0249d0, aProofOfLock=0x000000016aef7dc0) at TaskController.cpp:1133:15
frame #22: 0x0000000345917f34 XUL`mozilla::TaskController::ProcessPendingMTTask(this=0x000000011c0249d0, aMayWait=false) at TaskController.cpp:639:36
frame #23: 0x0000000345943ae8 XUL`mozilla::TaskController::TaskController()::$_0::operator()(this=0x000000011c008128) const at TaskController.cpp:333:37
frame #24: 0x0000000345943a54 XUL`mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run(this=0x000000011c008100) at nsThreadUtils.h:548:5
frame #25: 0x000000034596c478 XUL`nsThread::ProcessNextEvent(this=0x000000010d972120, aMayWait=false, aResult=0x000000016aef8127) at nsThread.cpp:1159:16
frame #26: 0x0000000345967e8c XUL`NS_ProcessPendingEvents(aThread=0x000000010d972120, aTimeout=10) at nsThreadUtils.cpp:445:19
frame #27: 0x00000003502d8048 XUL`nsBaseAppShell::NativeEventCallback(this=0x0000000122fe4c20) at nsBaseAppShell.cpp:87:3
frame #28: 0x00000003503b7a40 XUL`nsAppShell::ProcessGeckoEvents(aInfo=0x0000000122fe4c20) at nsAppShell.mm:542:11
frame #29: 0x0000000199483bc8 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 28
frame #30: 0x0000000199483b5c CoreFoundation`__CFRunLoopDoSource0 + 172
frame #31: 0x00000001994838c8 CoreFoundation`__CFRunLoopDoSources0 + 232
frame #32: 0x0000000199482558 CoreFoundation`__CFRunLoopRun + 820
frame #33: 0x0000000199540988 CoreFoundation`_CFRunLoopRunSpecificWithOptions + 532
frame #34: 0x00000001a5f38874 HIToolbox`RunCurrentEventLoopInMode + 316
frame #35: 0x00000001a5f3ba1c HIToolbox`ReceiveNextEventCommon + 240
frame #36: 0x00000001a60c5318 HIToolbox`_BlockUntilNextEventMatchingListInMode + 48
frame #37: 0x000000019dd4e938 AppKit`_DPSBlockUntilNextEventMatchingListInMode + 236
frame #38: 0x000000019d87aeec AppKit`_DPSNextEvent + 588
frame #39: 0x000000019e2b0168 AppKit`-[NSApplication(NSEventRouting) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 688
frame #40: 0x000000019e2afe74 AppKit`-[NSApplication(NSEventRouting) nextEventMatchingMask:untilDate:inMode:dequeue:] + 72
frame #41: 0x00000003503b655c XUL`-[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:](self=0x000000010c1199f0, _cmd="nextEventMatchingMask:untilDate:inMode:dequeue:", mask=18446744073709551615, expiration=4001-01-01 00:00:00 UTC, mode="kCFRunLoopDefaultMode", flag=YES) at nsAppShell.mm:191:24
frame #42: 0x000000019d873730 AppKit`-[NSApplication run] + 368
frame #43: 0x00000003503b6350 XUL`-[GeckoNSApplication run](self=0x000000010c1199f0, _cmd="run") at nsAppShell.mm:175:3
frame #44: 0x00000003503b8698 XUL`nsAppShell::Run(this=0x0000000122fe4c20) at nsAppShell.mm:872:5
frame #45: 0x0000000351c1fd5c XUL`nsAppStartup::Run(this=0x0000000121b3eca0) at nsAppStartup.cpp:291:30
frame #46: 0x0000000351e8a8c0 XUL`XREMain::XRE_mainRun(this=0x000000016aefa570) at nsAppRunner.cpp:5893:22
frame #47: 0x0000000351e8b874 XUL`XREMain::XRE_main(this=0x000000016aefa570, argc=4, argv=0x000000016aefb238, aConfig=0x000000016aefa700) at nsAppRunner.cpp:6138:8
frame #48: 0x0000000351e8bf3c XUL`XRE_main(argc=4, argv=0x000000016aefb238, aConfig=0x000000016aefa700) at nsAppRunner.cpp:6211:21
frame #49: 0x0000000351ea91f4 XUL`mozilla::BootstrapImpl::XRE_main(this=0x00000001052a8170, argc=4, argv=0x000000016aefb238, aConfig=0x000000016aefa700) at Bootstrap.cpp:46:12
frame #50: 0x0000000104f0517c firefox`do_main(argc=4, argv=0x000000016aefb238, envp=0x000000016aefb260) at nsBrowserApp.cpp:232:22
frame #51: 0x0000000104f049ec firefox`main(argc=4, argv=0x000000016aefb238, envp=0x000000016aefb260) at nsBrowserApp.cpp:464:16
frame #52: 0x000000019902d924 dyld`start + 6400
Flags: needinfo?(tihuang)
Flags: needinfo?(bugmail)
|
|
||
Comment 13•5 days ago
•
|
||
QE request: reproduce the bug using the test case in comment 10 on Linux with rr and a debug firefox build and submit to pernosco. I keep hitting rr crashes when trying to capture this on an amd64 Ubuntu 24.04.2 system.
Flags: qe-verify+
|
|
||
Comment 14•5 days ago
|
||
Removing QE request. I successfully captured an rr recording and am waiting for the pernosco upload to be available.
Flags: qe-verify+
|
|
||
Comment 15•4 days ago
|
||
| pernosco | ||
You need to log in
before you can comment on or make changes to this bug.
Description
•