Testcase found while fuzzing mozilla-central rev f4e3917a0fa1.

Assertion failure: !aParam->IsDiscarded() (Cannot send discarded BrowsingContext between processes!), at /builds/worker/workspace/build/src/docshell/base/BrowsingContext.cpp:1466

==27974==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7ff82811331f bp 0x7fff4323a750 sp 0x7fff4323a6a0 T0)
==27974==The signal is caused by a WRITE memory access.
==27974==Hint: address points to the zero page.
    #0 0x7ff82811331e in mozilla::ipc::IPDLParamTraits<mozilla::dom::BrowsingContext*>::Write(IPC::Message*, mozilla::ipc::IProtocol*, mozilla::dom::BrowsingContext*) /builds/worker/workspace/build/src/docshell/base/BrowsingContext.cpp:1464:5
    #1 0x7ff81e4b16e6 in mozilla::dom::PContentChild::SendCommitBrowsingContextTransaction(mozilla::dom::BrowsingContext*, mozilla::dom::syncedcontext::Transaction<mozilla::dom::BrowsingContext> const&, unsigned long const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:7276:5
    #2 0x7ff8280fa07a in SendCommitTransaction /builds/worker/workspace/build/src/docshell/base/BrowsingContext.cpp:1190:11
    #3 0x7ff8280fa07a in mozilla::dom::syncedcontext::Transaction<mozilla::dom::BrowsingContext>::Commit(mozilla::dom::BrowsingContext*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/SyncedContextInlines.h:37:13
    #4 0x7ff828197fc5 in void mozilla::dom::BrowsingContext::SetHistoryID<nsID&>(nsID&) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/BrowsingContext.h:128:3
    #5 0x7ff82810b589 in nsDocShell::InternalLoad(nsDocShellLoadState*, nsIDocShell**, nsIRequest**) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:9096:25
    #6 0x7ff828140a6c in nsDocShell::LoadHistoryEntry(nsISHEntry*, unsigned int) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:11340:8
    #7 0x7ff828167eaf in nsDocShell::Reload(unsigned int) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #8 0x7ff820eb7426 in mozilla::dom::Location::Reload(bool, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/Location.cpp:583:45
    #9 0x7ff82107ffdc in nsHistory::Go(int, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsHistory.cpp:149:22
    #10 0x7ff82295ba8c in mozilla::dom::History_Binding::go(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HistoryBinding.cpp:238:24
    #11 0x7ff8229aaa68 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3151:13
    #12 0x7ff828e19433 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:469:13
    #13 0x7ff828e19433 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:561:12
    #14 0x7ff828e1b22a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:624:10
    #15 0x7ff828dfffa5 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:628:10
    #16 0x7ff828dfffa5 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3036:16
    #17 0x7ff828de3af4 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:441:10
    #18 0x7ff828e19515 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:596:13
    #19 0x7ff828e1b22a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:624:10
    #20 0x7ff828e1b506 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:641:8
    #21 0x7ff828fb0d62 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2797:10
    #22 0x7ff8225c5330 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
    #23 0x7ff82306276b in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #24 0x7ff8230621a4 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1073:43
    #25 0x7ff823063806 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1271:17
    #26 0x7ff8230514ef in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:356:17
    #27 0x7ff82304fa41 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:558:16
    #28 0x7ff8230544fb in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1055:11
    #29 0x7ff825644d1e in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1143:7
    #30 0x7ff82817bcc7 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6094:20
    #31 0x7ff82817ae75 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:5877:7
    #32 0x7ff82817f8df in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #33 0x7ff81f867230 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1347:3
    #34 0x7ff81f8661bc in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:906:14
    #35 0x7ff81f862490 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:726:9
    #36 0x7ff81f864cc3 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:614:5
    #37 0x7ff81f865d4c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
    #38 0x7ff81d125f17 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:604:22
    #39 0x7ff81d129127 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:511:10
    #40 0x7ff820dd9aff in mozilla::dom::Document::DoUnblockOnload() /builds/worker/workspace/build/src/dom/base/Document.cpp:10707:18
    #41 0x7ff820d8f8cc in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/Document.cpp:10639:9
    #42 0x7ff820db4bcc in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:7312:3
    #43 0x7ff820e7ff64 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1163:12
    #44 0x7ff820e7ff64 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1169:12
    #45 0x7ff820e7ff64 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1215:13
    #46 0x7ff81ce688b3 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:282:20
    #47 0x7ff81ce9d038 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1220:14
    #48 0x7ff81cea7e4c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #49 0x7ff81e0f5cbf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:87:21
    #50 0x7ff81dff0047 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #51 0x7ff81dff0047 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #52 0x7ff81dff0047 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #53 0x7ff8250a31a8 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #54 0x7ff828bb3e06 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:943:20
    #55 0x7ff81dff0047 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #56 0x7ff81dff0047 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #57 0x7ff81dff0047 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #58 0x7ff828bb34af in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:778:34
    #59 0x558e155f9401 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #60 0x558e155f9401 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:303:18
    #61 0x7ff83f8cab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/docshell/base/BrowsingContext.cpp:1464:5 in mozilla::ipc::IPDLParamTraits<mozilla::dom::BrowsingContext*>::Write(IPC::Message*, mozilla::ipc::IProtocol*, mozilla::dom::BrowsingContext*)

This is sort of an issue with session-history-in-parent, but more so this shows that synced field transaction usage is error prone. One would
need to check the state of BrowsingContext always before using the fields.
Should Transaction::Commit perhaps check the state of the BrowsingContext?

If we're trying to set a synced field on a bc, and that bc has been discarded should we:

1. Quietly ignore the set
2. Have every synced field setter return a result to indicate success

I'll have a look and see if we can say anything general.

Looks like we have crashes on wild too, bug 1613323

https://hg.mozilla.org/mozilla-central/rev/641b9a29f6ee#l1.346

This brings back https://hg.mozilla.org/mozilla-central/rev/641b9a29f6ee#l1.346 for now.
The patch is based on code auditing, since haven't managed to reproduce the crash.

To sort out what behavior is wanted eventually, see
https://bugzilla.mozilla.org/show_bug.cgi?id=1613431

https://hg.mozilla.org/mozilla-central/rev/1188d4a56335

Is the attached testcase something we could land in-tree?

This is hard to reproduce, that is an issue. So testcase itself might run most of the time without catching the issue.

It doesn't seem that the fix had an effect on crashes, we actually have more crashes on Nightly than last week, should we reopen the bug or file another one?

(In reply to Pascal Chevrel:pascalc from comment #12)

It doesn't seem that the fix had an effect on crashes, we actually have more crashes on Nightly than last week, should we reopen the bug or file another one?

I filed bug 1615480 for the residual crashes. The assertion is different. Kris said it is a different issue.