Open Bug 1983198 Opened 3 months ago Updated 2 months ago

PContentParent::SendNotifyVisited can exceed maximum IPC message size

Tracking

()

Status:

NEW

Tracking Flags:

Tracking

Status

firefox143

---

affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, pernosco)

Crash Data

Tyson Smith [:tsmith]

Reporter

Description

•

3 months ago

Found with m-c 20250704-a6f7315f4ebd (--enable-debug)

This was found by visiting a live website with a debug build.

A Pernosco session is available here: https://pernos.co/debug/8AcMpxEsVD1VcVyHNNXQgA/index.html

Hit MOZ_CRASH(IPC message size is too large) at /builds/worker/checkouts/gecko/ipc/glue/MessageLink.cpp:107

#0 0x7fffddf56e37 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3
#1 0x7fffddf56e37 in mozilla::ipc::PortLink::SendMessage(mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageLink.cpp:107:5
#2 0x7fffddf46ac1 in mozilla::ipc::MessageChannel::SendMessageToLink(mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:768:10
#3 0x7fffddf45485 in mozilla::ipc::MessageChannel::Send(mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>, long*) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:737:3
#4 0x7fffddf6c895 in mozilla::ipc::IProtocol::ChannelSend(mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>, long*) /builds/worker/checkouts/gecko/ipc/glue/ProtocolUtils.cpp:491:22
#5 0x7fffe5957455 in mozilla::dom::PContentParent::SendNotifyVisited(mozilla::Span<mozilla::dom::VisitedQueryResult const, 18446744073709551615ul>) /builds/worker/workspace/obj-build/ipc/ipdl/PContentParent.cpp:2284:21
#6 0x7fffe75b78ee in mozilla::BaseHistory::SendPendingVisitedResultsToChildProcesses() /builds/worker/checkouts/gecko/docshell/base/BaseHistory.cpp:221:17
#7 0x7fffdc85b36f in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1085:18
#8 0x7fffdc85b36f in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
#9 0x7fffdc85b36f in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
#10 0x7fffdc85b36f in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
#11 0x7fffdc85b36f in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
#12 0x7fffdc85b36f in apply<FdWatcher, void (FdWatcher::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:12
#13 0x7fffdc85b36f in mozilla::detail::RunnableMethodImpl<nsUpdateProcessor*, void (nsUpdateProcessor::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1134:13
#14 0x7fffdca855da in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:703:16
#15 0x7fffdca73048 in mozilla::TaskController::RunTask(mozilla::Task*) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:196:19
#16 0x7fffdca7a12d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1310:20
#17 0x7fffdca77f2b in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1175:15
#18 0x7fffdca78286 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:639:36
#19 0x7fffdca94931 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:333:37
#20 0x7fffdca94931 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#21 0x7fffdcab403b in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
#22 0x7fffdcabe9b8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#23 0x7fffddf58ab9 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#24 0x7fffdde65a04 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:369:10
#25 0x7fffdde65a04 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#26 0x7fffdde65a04 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#27 0x7fffe654cf76 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#28 0x7fffe671f1eb in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:471:33
#29 0x7fffe81b6f35 in nsAppStartup::Run() /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:291:30
#30 0x7fffe83ea8e3 in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5893:22
#31 0x7fffe83ec0ab in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:6138:8
#32 0x7fffe83ed103 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:6211:21
#33 0x5555556f0695 in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:232:22
#34 0x5555556f0695 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:464:16

Nika Layzell [:nika] (ni? for response)

Comment 1

•

2 months ago

This is a bug in the caller. We probably want to split this into multiple messages to avoid overflowing the max message size.

Component: IPC → DOM: Navigation

Summary: Hit MOZ_CRASH(IPC message size is too large) at /builds/worker/checkouts/gecko/ipc/glue/MessageLink.cpp:107 → PContentParent::SendNotifyVisited can exceed maximum IPC message size

Henri Sivonen (:hsivonen)

Updated

•

2 months ago

Severity: -- → S3

You need to log in before you can comment on or make changes to this bug.

Bugzilla

PContentParent::SendNotifyVisited can exceed maximum IPC message size

Categories

(Core :: DOM: Navigation, defect)

Tracking

()

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, pernosco)

Crash Data

Security

(public)

User Story

Description

Comment 1

Updated