Clicking Yes/No on the `Let Windows apps access your location` window after visiting a page in the same tab and then requesting location permission again will cause a crash
Categories
(Core :: DOM: Geolocation, defect)
Tracking
()
People
(Reporter: atrif, Assigned: handyman)
References
(Regression)
Details
(Keywords: regression)
Crash Data
Attachments
(7 files, 1 obsolete file)
|
5.45 MB,
image/gif
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
phab-bot
:
approval-mozilla-beta+
|
Details | Review |
|
48 bytes,
text/x-phabricator-request
|
phab-bot
:
approval-mozilla-beta+
|
Details | Review |
|
48 bytes,
text/x-phabricator-request
|
phab-bot
:
approval-mozilla-esr128+
|
Details | Review |
|
48 bytes,
text/x-phabricator-request
|
phab-bot
:
approval-mozilla-esr128+
|
Details | Review |
crash_geo_step2.gif
Found in
- 133.0a1 (2024-10-21)
Affected versions
- 133.0a1 (2024-10-21)
- 132.0
- 131.0.2
- 128.4.0esr
Tested platforms
- Affected platforms: Windows 11 24H2
- Unaffected platforms: Windows 10, macOS 12, Ubuntu
Preconditions
- Windows 11 24H2 (26100.2152) / (26100.2033)
- Geolocation was not used before - make a new Windows user profile and follow the steps
Steps to reproduce
- Open https://developer.mozilla.org/en-US/docs/Web/API/Geolocation_API/Using_the_Geolocation_API#result
- Click
Show my locationbutton and then Click onAllowbutton. - Open a new webapge in the tab where the geolocation is requested.
- Click the back arrow.
- Click
Show my locationbutton and clickYeson the Windows location request.
Expected result
- No crash.
Actual result
- Firefox crashes. Attaching a screen recording.
Regression range
- Most likely started with bug 1900225.
Additional notes
- Attached a screen recording.
- This has the same crash signature as bug 1926201 but David asked to file separate issues bug1917201#comment33
|
||
Comment 1•1 year ago
|
||
:handyman, since you are the author of the regressor, bug 1900225, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
|
||
Updated•1 year ago
|
|
Assignee | |
Updated•1 year ago
|
|
|
||
Comment 2•1 year ago
|
||
Set release status flags based on info from the regressing bug 1900225
|
||
Comment 3•1 year ago
|
||
:handyman any updates on this? Wondering how the investigation is going and if we can expect anymore fixes?
|
|
Assignee | |
Comment 4•1 year ago
|
||
|
|
||
Updated•1 year ago
|
|
||
Comment 5•1 year ago
|
||
David, is that an S4 given the volume? Should it be assigned? Thanks
|
|
Assignee | |
Comment 6•1 year ago
|
||
Agreed. I'm looking at it now.
|
|
Assignee | |
Comment 7•1 year ago
|
||
This avoids invalidating iterators when mutating the collection during iteration.
|
||
Comment 9•1 year ago
|
||
| bugherder | ||
|
|
||
Comment 10•1 year ago
|
||
The patch landed in nightly and beta is affected.
:handyman, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox134towontfix.
For more information, please visit BugBot documentation.
|
|
Assignee | |
Comment 11•1 year ago
|
||
As a test for this shows (as suggested in the review), HashSet isn't a fix for this. This is, presumably, an example of the slightly changed crash that comes with the recent patch. The problem is that, ModIterator ("A hash table iterator that permits modification, removal and rekeying.") only applies to the remove method on ModIterator itself. The remove method on the HashTable/HashSet object will still cause an iterator invalidation. I'm going to have to iterate over a copy of the collection and check for removal at each iteration.
|
|
||
Updated•1 year ago
|
|
|
Assignee | |
Comment 12•1 year ago
|
||
HashSet::ModIterator::Remove does not invalidate iterators but
HashSet::Remove does. We need to preserve iteration on removal from the
collection itself, so we either need a collection that guarantees that
(like std::set) or a copy. We use an array copy here, for optimal asymptotic
performance.
Includes a test that both OnChange and OnError allow listener removal.
|
||
Updated•1 year ago
|
|
|
Assignee | |
Comment 13•1 year ago
|
||
To avoid iterators being invalidated during iteration, this needs a collection
that allows mutation during iteration (like std::set) or a copy. This uses
a copy to get the best asymptotic performance.
Includes a test that both OnChange and OnError allow listener removal.
|
||
Comment 14•1 year ago
|
||
|
||
Comment 15•1 year ago
|
||
| bugherder | ||
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
Reporter | |
Comment 16•1 year ago
|
||
I can no longer reproduce the issue using Firefox 135.0a1 (2024-12-05) on Windows 11x64 and aarch64 by following the steps from comment 0. I also can no longer reproduce bug 1926201 so I'm closing bug 1926201 as a duplicate of this issue.
|
|
||
Comment 18•1 year ago
|
||
No crashes on Nightly since the second patch landed. Are these ready for Beta and ESR128 approval requests? They graft cleanly to both.
|
|
Assignee | |
Comment 19•1 year ago
|
||
Comment on attachment 9441498 [details]
Bug 1926196: Iterate over a copy of WifiListenerData to allow mutation r=#necko-reviewers!
Beta/Release Uplift Approval Request
- User impact if declined/Reason for urgency: Crashes on Windows in some cases when geolocation is requested. Bug 1935354 is listed as also needed because it fixes the build for MinGW, but I don't know if MinGW builds are important to beta/ESR?
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: Bug 1935354
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The change is a different collections data structure. It is only visible to users when it causes things not to crash. It's also small and self contained.
- String changes made/needed: N/A
- Is Android affected?: No
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined:
- Fix Landed on Version:
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky):
|
|
Assignee | |
Comment 20•1 year ago
|
||
Comment on attachment 9441498 [details]
Bug 1926196: Iterate over a copy of WifiListenerData to allow mutation r=#necko-reviewers!
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: This has a fairly high volume of crashes on Windows.
- User impact if declined: Crashes on Windows in some cases when geolocation is requested. Bug 1935354 is listed as also needed because it fixes the build for MinGW, but I don't know if MinGW builds are important to beta/ESR?
- Fix Landed on Version: 135
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The change is a different collections data structure. It is only visible to users when it causes things not to crash. It's also small and self contained.
|
|
||
Comment 21•1 year ago
|
||
David, cab543d891e7 does not graft cleanly to the beta branch. Could you rebase your patch? (probably the same for ESR). Also, please ask for uplift in Bug 1935354 (and make sure the patch applies to the branch). Thanks!
|
|
||
Comment 22•1 year ago
|
||
This avoids invalidating iterators when mutating the collection during iteration.
Original Revision: https://phabricator.services.mozilla.com/D230422
|
|
||
Updated•1 year ago
|
|
|
||
Comment 23•1 year ago
|
||
To avoid iterators being invalidated during iteration, this needs a collection
that allows mutation during iteration (like std::set) or a copy. This uses
a copy to get the best asymptotic performance.
Includes a test that both OnChange and OnError allow listener removal.
Original Revision: https://phabricator.services.mozilla.com/D231002
|
|
||
Updated•1 year ago
|
|
|
||
Comment 24•1 year ago
|
||
This avoids invalidating iterators when mutating the collection during iteration.
Original Revision: https://phabricator.services.mozilla.com/D230422
|
|
||
Updated•1 year ago
|
|
|
||
Comment 25•1 year ago
|
||
To avoid iterators being invalidated during iteration, this needs a collection
that allows mutation during iteration (like std::set) or a copy. This uses
a copy to get the best asymptotic performance.
Includes a test that both OnChange and OnError allow listener removal.
Original Revision: https://phabricator.services.mozilla.com/D231002
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Comment 26•1 year ago
|
||
| uplift | ||
|
||
Updated•1 year ago
|
|
|
Assignee | |
Comment 27•1 year ago
|
||
Thanks Ryan for picking that up while I was on PTO.
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Comment 28•1 year ago
|
||
| uplift | ||
|
|
||
Updated•1 year ago
|
|
|
Reporter | |
Comment 29•1 year ago
|
||
Verified fixed using Firefox 128.6.0esr (20241216192234) from comment 28 and Firefox 134.0b11 (20241216180229) from comment 26 (treeherder builds) on Windows 11 aarch64 by following the steps from comment 0. I also verified steps from bug 1926201 and that issue no longer reproduces.
Description
•