Closed Bug 854864 Opened 11 years ago Closed 3 years ago

crash in nsDocShell::InternalLoad when targeting a load to a docshell that's had nsFrameLoader::StartDestroy but hasn't destroyed its docshell yet

Categories

(Core :: DOM: Navigation, defect)

Product:
Core
Component:
DOM: Navigation
Version:
20 Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox46 --- affected
firefox47 --- affected
firefox48 --- affected
firefox49 --- affected
firefox50 - ---
firefox51 - ---
firefox52 - ---

People

(Reporter: pauly, Unassigned)

References

(
URL
)

Details

(Keywords: assertion, crash, reproducible)

Crash Data

Attachments

(3 files)

Assertion stack
158.30 KB, text/plain
Details
windows debug build stack with todays m-c tip
10.51 KB, text/plain
Details
Minimalish testcase: will crash
498 bytes, text/html
Details 
This bug was filed from the Socorro interface and is 
report bp-7117f32c-220c-4220-a01b-d45542130325 .
============================================================= 

Follow-up for bug 820067
I don't think this anything to do with 820067.
No longer depends on: 820067
Severity: critical → normal
Crash Signature: [@ nsDocShell::InternalLoad(nsIURI*, nsIURI*, nsISupports*, unsigned int, wchar_t const*, char const*, nsAString_internal const&, nsIInputStream*, nsIInputStream*, unsigned int, nsISHEntry*, bool, nsIDocShell**, nsIRequest**)] → [@ nsDocShell::InternalLoad(nsIURI*, nsIURI*, nsISupports*, unsigned int, wchar_t const*, char const*, nsAString_internal const&, nsIInputStream*, nsIInputStream*, unsigned int, nsISHEntry*, bool, nsIDocShell**, nsIRequest**)] [@ nsDocShell::InternalLoad]
1. https://leboutique.com/?new=1
2. wait for it.

bp-6c8f1fa5-8246-4fa4-8d98-6582c2151214
[@ nsDocShell::InternalLoad ]

bp-f95da4e2-c5aa-47d0-909b-a8eed2151214
[@ nsIContent::IsHTMLElement ]

Bughunter reproduced this on Beta/43, Aurora/44, Nightly/45 on Linux, OSX, Windows.

Debug builds assert:

Assertion failure: mRawPtr != 0 (You can't dereference a NULL nsCOMPtr with operator->().), at c:\builds\moz2_slave\m-cen-w32-d-000000000000000000\build\src\obj-firefox\dist\include\nsCOMPtr.h:734
URL: https://leboutique.com/?new=1
Crash Signature: , nsIRequest**)] [@ nsDocShell::InternalLoad] → , nsIRequest**)] [@ nsDocShell::InternalLoad] [@ nsIContent::IsHTMLElement ]
Keywords: assertion, reproducible
Attached file Assertion stack 
>Thread 0 (crashed)
> 0  xul.dll!nsCOMPtr<mozilla::dom::Element>::operator->() [nsCOMPtr.h:f07e71078bc8 : 734 + 0x29]
>    eip = 0x5c1a1aad   esp = 0x0030bb50   ebp = 0x0030bfe8   ebx = 0x00000000
>    esi = 0x000002de   edi = 0x0a941d00   eax = 0x5f0ce2f8   ecx = 0x6e410ad9
>    edx = 0x00934d61   efl = 0x00200206
>    Found by: given as instruction pointer in context
> 1  xul.dll!nsDocShell::InternalLoad(nsIURI *,nsIURI *,bool,nsIURI *,unsigned int,nsISupports *,unsigned int,wchar_t const *,char const *,nsAString_internal const &,nsIInputStream *,nsIInputStream *,unsigned int,nsISHEntry *,bool,nsAString_internal const &,nsIDocShell *,nsIURI *,nsIDocShell * *,nsIRequest * *) [nsDocShell.cpp:f07e71078bc8 : 9595 + 0x11]
>    eip = 0x5e0bc012   esp = 0x0030bb58   ebp = 0x0030bfe8
>    Found by: call frame info
> 2  xul.dll!nsDocShell::InternalLoad(nsIURI *,nsIURI *,bool,nsIURI *,unsigned int,nsISupports *,unsigned int,wchar_t const *,char const *,nsAString_internal const &,nsIInputStream *,nsIInputStream *,unsigned int,nsISHEntry *,bool,nsAString_internal const &,nsIDocShell *,nsIURI *,nsIDocShell * *,nsIRequest * *) [nsDocShell.cpp:f07e71078bc8 : 9766 + 0x94]
>    eip = 0x5e0bc76b   esp = 0x0030bff0   ebp = 0x0030c4d0
>    Found by: call frame info
> 3  xul.dll!nsDocShell::OnLinkClickSync(nsIContent *,nsIURI *,wchar_t const *,nsAString_internal const &,nsIInputStream *,nsIInputStream *,nsIDocShell * *,nsIRequest * *) [nsDocShell.cpp:f07e71078bc8 : 13540 + 0xce]
>    eip = 0x5e0c345b   esp = 0x0030c4d8   ebp = 0x0030c910
>    Found by: call frame info
> 4  xul.dll!mozilla::dom::HTMLFormElement::SubmitSubmission(nsFormSubmission *) [HTMLFormElement.cpp:f07e71078bc8 : 830 + 0x8a]
>    eip = 0x5d588690   esp = 0x0030c918   ebp = 0x0030ca1c
>    Found by: call frame info
> 5  xul.dll!mozilla::dom::HTMLFormElement::DoSubmit(mozilla::WidgetEvent *) [HTMLFormElement.cpp:f07e71078bc8 : 683 + 0xa]
>    eip = 0x5d56af28   esp = 0x0030ca24   ebp = 0x0030ca38
>    Found by: call frame info
(In reply to Bob Clary [:bc:] from comment #6)
> more bughunter crashes on the same site:
> 
> https://leboutique.com/catalog/women/
> handbag?_openstat=ZGlyZWN0LnlhbmRleC5ydTsxMjg4MzEyMTsxMjk1MzQyOTg1O3N2aXQyNC5
> uZXQ6bmE&discount=85&new=1&utm_campaign=Y_Bags_NET
> 
> bp-d3e7a7a6-c697-4894-9881-e65502151226
> 
> This crash/assertion are common on https://leboutique.com

using this url is causing now Assertion failure: mRawPtr != 0 (You can't dereference a NULL nsCOMPtr with operator->().), at c:\users\mozilla\debug-builds\mozilla-central\firefox-debug\dist\include\nsCOMPtr.h:734
I can reproduce this crash using steps in comment 3.  The JS stack looks like:

0 YottosTracker/this.send() ["https://cdn.yottos.com/getmyad/_t.js":1]
    this = [object Object]
1 YottosTracker/this.aevent(d = 1, b = "add") ["https://cdn.yottos.com/getmyad/_t.js":1]
    this = [object Object]
2 <TOP LEVEL> ["https://leboutique.com/?new=1":1]
3 bi/<() ["https://www.googletagmanager.com/gtm.js?id=GTM-WVXJN6":75]
    this = [object Window]
4 bi/<([object Event]) ["https://www.googletagmanager.com/gtm.js?id=GTM-WVXJN6":76]
    this = [object HTMLScriptElement]
This is fairly exciting...

The basic problem is that we're submitting a form and targeting a named frame.  And that named frame is a zombie.

In particular, we're inserting a <script> that does the following:

1)  Removing an <iframe> from the DOM.
2)  Readding that <iframe> to the DOM.
3)  Doing a form submission targeting that iframe's name.

Normally the way this would work is that the iframe removal would tear down various stuff via nsFrameLoader::StartDestroy, post a script runner to Destroy the docshell, then finish that up before returning control to script.  But in this case, by the time we run the scriptrunner, which calls nsDocument::MaybeInitializeFinalizeFrameLoaders, we still have mUpdateNestLevel == 2 because we're still under the update that we started for the insertion of the <script> element.  So we do NOT finalize the frameloader and leave its docshell hanging out.  Then we end up back in script, add the <iframe> back to the DOM (probably creates a _another_ docshell, but the old one is still hanging out in the docshell tree), then do the submit and target the half-dead docshell...  This is the bug, of course.

Olli, any idea how we can make this work slightly better?  :(
Flags: needinfo?(bugs)
Summary: crash in nsDocShell::InternalLoad → crash in nsDocShell::InternalLoad when targeting a load to a docshell that's had nsFrameLoader::StartDestroy but hasn't destroyed its docshell yet
oh, hmm, EndUpdate decreases mUpdateNestLevel _after_ removing script blocker.
decreasing mUpdateNestLevel before removing script blocker seems to fix the crash in minimal testcase, but I need to still debug why :)
Firefox 46
bp-7617cb83-3f7f-4994-ae4a-95f742160520
[@ nsDocShell::InternalLoad ]

Nightly/49
bp-094bfa49-1580-48a8-9eef-958ed2160520
[@ nsDocShell::InternalLoad ]
status-firefox46: --- → affected
status-firefox47: --- → affected
status-firefox48: --- → affected
status-firefox49: --- → affected
I see 40 occurrences of this crash in the wild in the past 7 days, in versions ranging from FF 13 to FF 49.
Same symptoms as bug 443655. Not marking as a dup, because each bug has some analysis, and I'm not sure they're the same bug anyway.
[Tracking Requested - why for this release]:

while testing bug 1260669 and new reports i was able to reproduce the crash - https://leboutique.com/catalog/men/clothes?new=1#_=_ instantly crashes the browser nightly to beta opt and debug .

I guess since we still get reports at least from this site we should fix this.
tracking-firefox50: --- → ?
tracking-firefox51: --- → ?
tracking-firefox52: --- → ?
Tracking- for 52. Pretty low volume of these signatures on the trunk. The signature that has the most crashes, 254 is nsIContent::IsHTMLElement is on 49.0.1.
tracking-firefox52: ?-
(In reply to Marcia Knous [:marcia - use ni] from comment #18)
> Tracking- for 52. Pretty low volume of these signatures on the trunk. The
> signature that has the most crashes, 254 is nsIContent::IsHTMLElement is on
> 49.0.1.

Likewise for 50 and 51, not tracking.
tracking-firefox50: ?-
tracking-firefox51: ?-
also can reproduce this in https://leboutique.com/catalog/women/dress?new=1

another crash signature that this result in is https://crash-stats.mozilla.com/report/index/823229f4-0783-43cf-ac38-b514e2161103

xul.dll@0x691559 | xul.dll@0x14dde09 | xul.dll@0x14de5ae | xul.dll@0x14e3b54 | xul.dll@0xdb0a90 | xul.dll@0xd96460 | xul.dll@0xd964cb | xul.dll@0xdb0252 | xul.dll@0xc302b7 | xul.dll@0xc95015 | xul.dll@0x1c91ed8 | xul.dll@0x1c91d1c | xul.dll@0x1c971bb

This is WFM. (doing some end-of-year clean up to my needinfo queue)
There are other unrelated crashes in InternalLoad

Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(bugs)
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: