Closed Bug 631440 Opened 13 years ago Closed 13 years ago

Crash [@ nsDocShell::AddToSessionHistory] with pushState

Categories

(Core :: DOM: Navigation, defect)

Product:
Core
Component:
DOM: Navigation
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla2.0b12

People

(Reporter: jruderman, Assigned: mossop)

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(3 files)

testcase
201 bytes, text/html
Details
stack traces
37.93 KB, text/plain
Details
patch rev 1
4.11 KB, patch
bzbarsky
: review+
benjamin
: approval2.0+
Details | Diff | Splinter Review
Attached file testcase 
Based on when I started seeing this bug, I suspect it's a regression from bug 602256.

Like in bug 630801, the pushState call has an effect despite throwing.
Attached file stack traces 

    
    

    
  
Silly question, how do I reproduce this? I loaded the testcase in a debug build and nothing happened except the popup blocker showed

    
    

    
  
Guess I can see the problem though, attempting to pushstate before there is an initial history state will crash. Not sure what the behaviour should be there (probably throw an exception) but an easy fix is to just not clone in that case.

    
    

    
  
Should have looked closer at the stack. The call to pushstate happens before the load state but does throw an exception, however before that it sets mLoadType to LOAD_PUSHSTATE. The subsequent load of the window then acts somewhat as if it was a pushState and so attempts to clone the history. Simple fix is to move setting mLoadType to after all the checks are performed and we actually start to mutate things. This might fix bug 630801 too, pushing to try now.
Assignee: nobody → dtownsend
Whiteboard: [has patch][waiting on try]

    
    

    
  
This testcase requires popups to be enabled.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch rev 1Splinter Review
      

    


  
This moves setting mLoadType to later and that alone is enough to resolve the crash. I also added a check on mOSHE to the specific code that changed for protection. The testcase successfully crashes without the fix applied and passes with.

        Attachment #510306 -
        Flags: review?(bzbarsky)

    
  
Whiteboard: [has patch][waiting on try] → [has patch][needs review bz]

    
    

    
  
Comment on attachment 510306 [details] [diff] [review]
patch rev 1

r=me

        Attachment #510306 -
        Flags: review?(bzbarsky) → review+

    
  

        Attachment #510306 -
        Flags: approval2.0?

    
  
Whiteboard: [has patch][needs review bz] → [has patch][needs approval]

    
  

        Attachment #510306 -
        Flags: approval2.0? → approval2.0+

    
    

    
  
Landed tis yesterday: http://hg.mozilla.org/mozilla-central/rev/33dc58befe48
Status: NEW → RESOLVED
Closed: 13 years ago
Flags: in-testsuite+
Flags: in-litmus-
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b12

    
  
Whiteboard: [has patch][needs approval]
Crash Signature: [@ nsDocShell::AddToSessionHistory]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: