Open Bug 1983886 Opened 5 months ago Updated 3 months ago

Crash in [@ IPCError-browser | RecvCreateBrowsingContext Parent has different group object] with a testcase involving iframes, local file, and print-previews

Categories

(Core :: DOM: Navigation, defect)

Unspecified
Windows 11
defect

People

(Reporter: mayankleoboy1, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Attachments

(2 files)

Crash report: https://crash-stats.mozilla.org/report/index/6750245f-a15f-443d-aea6-2c60b0250819

Reason:

EXCEPTION_BREAKPOINT

Top 10 frames:

0  ucrtbase.dll  strlen
1  xul.dll  PropertySpecNameToId(JSContext*, JSPropertySpec::Name, JS::MutableHandle<JS::...  js/src/jsapi.cpp:2128
1  xul.dll  JS_DefineProperties(JSContext*, JS::Handle<JSObject*>, JSPropertySpec const*)  js/src/vm/PropertyAndElement.cpp:855
2  xul.dll  mozilla::dom::Define(JSContext*, JS::Handle<JSObject*>, JSPropertySpec const*)  dom/bindings/BindingUtils.cpp:716
2  xul.dll  mozilla::dom::DefinePrefable<const JSPropertySpec>(JSContext*, JS::Handle<JSO...  dom/bindings/BindingUtils.cpp:731
3  xul.dll  mozilla::dom::DefineLegacyUnforgeableAttributes(JSContext*, JS::Handle<JSObje...  dom/bindings/BindingUtils.cpp:748
3  xul.dll  mozilla::dom::Location_Binding::CreateInterfaceObjects(JSContext*, JS::Handle...  dom/bindings/LocationBinding.cpp:1822
4  xul.dll  mozilla::dom::GetPerInterfaceObjectHandle(JSContext*, unsigned long long, voi...  dom/bindings/BindingUtils.cpp:4257
4  xul.dll  mozilla::dom::Location_Binding::GetProtoObjectHandle(JSContext*)  dom/bindings/LocationBinding.cpp:1859
4  xul.dll  mozilla::dom::Location_Binding::Wrap(JSContext*, mozilla::dom::Location*, nsW...  dom/bindings/LocationBinding.cpp:1728

I have 80% reproducible STR.

Open the testcase in two foreground tabs. Start the profiler. Keep the profiler enabled during this whole time.
Click the "start extreme printing" button on both. Print-preview panes will open in both the tabs.
Now unload one tab, switch back to it and reload the tab. If it doesn't crash, click on the "start extreme printing" button again.
Keep on unloading and reloading till you get a crash.

https://crash-stats.mozilla.org/report/index/6abcbb9b-0f8b-40f4-9390-831270250819
https://crash-stats.mozilla.org/report/index/6750245f-a15f-443d-aea6-2c60b0250819
https://crash-stats.mozilla.org/report/index/d41083a7-a042-421d-b625-fdb8e0250819
https://crash-stats.mozilla.org/report/index/e5df3978-c07a-4886-9832-7eacd0250819

Believe it or not this is a compressed video file.
Un7zip it to see the demonstration of the crash. I repeatedly do the STR but don't get a crash till the very end.

I had also set dom.ipc.processCount.file=20, and opened the testcase from my local machine.

Summary: Crash in [@ IPCError-browser | RecvCreateBrowsingContext Parent has different group object] with a testcase involving print-previews → Crash in [@ IPCError-browser | RecvCreateBrowsingContext Parent has different group object] with a testcase involving iframes, local file, and print-previews
Blocks: 1980560
Component: DOM: Navigation → IPC

The severity field is not set for this bug.
:jld, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(jld)
Component: IPC → General
Flags: needinfo?(jld)
Product: Core → Firefox
Component: General → DOM: Navigation
Product: Firefox → Core

The severity field is not set for this bug.
:smaug, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(smaug)

S3, based on that it's a content process crash, low crash volume, requiring restricted STRs

Severity: -- → S3
Flags: needinfo?(smaug)