Closed Bug 1665792 Opened 4 years ago Closed 4 years ago

crash near null in [@ mozilla::dom::Document::CloneDocHelper]

Categories: Core :: Print Preview, defect

Status: RESOLVED FIXED
Target Milestone: 83 Branch

Tracking Status
firefox-esr78 --- unaffected
firefox82 --- fixed
firefox83 --- fixed

People: Reporter: tsmith, Assigned: emilio

References: Blocks 2 open bugs

Details: Keywords: assertion, crash, testcase; Whiteboard: [print2020_v82][old-ui?]

Attachments: 2 files

Attached file testcase.html (deleted)

Reproduced with m-c 20200917-084477976b2d

==1356098==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x7fe10b4c9cf2 bp 0x7ffc853f1c30 sp 0x7ffc853f1b80 T0)
==1356098==The signal is caused by a READ memory access.
==1356098==Hint: address points to the zero page.
    #0 0x7fe10b4c9cf2 in nsDOMNavigationTiming::CloneNavigationTime(nsDocShell*) const src/dom/base/nsDOMNavigationTiming.h
    #1 0x7fe10b4c8dc4 in mozilla::dom::Document::CloneDocHelper(mozilla::dom::Document*) const src/dom/base/Document.cpp:11196:18
    #2 0x7fe10dd889b4 in nsHTMLDocument::Clone(mozilla::dom::NodeInfo*, nsINode**) const src/dom/html/nsHTMLDocument.cpp:673:17
    #3 0x7fe10b798eb9 in nsINode::CloneAndAdopt(nsINode*, bool, bool, nsNodeInfoManager*, JS::Handle<JSObject*>, nsINode*, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:3103:26
    #4 0x7fe10b7982a5 in Clone src/dom/base/nsINode.cpp:3405:10
    #5 0x7fe10b7982a5 in nsINode::CloneNode(bool, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:2981:10
    #6 0x7fe10b4d2b3d in mozilla::dom::Document::CreateStaticClone(nsIDocShell*, nsIContentViewer*, bool*) src/dom/base/Document.cpp:12293:40
    #7 0x7fe10b76a8db in nsFrameLoader::FinishStaticClone(nsFrameLoader*, bool*) src/dom/base/nsFrameLoader.cpp:2797:12
    #8 0x7fe10b4d3afa in mozilla::dom::Document::CreateStaticClone(nsIDocShell*, nsIContentViewer*, bool*) src/dom/base/Document.cpp:12366:32
    #9 0x7fe10b2efe1a in nsGlobalWindowOuter::Print(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::BlockUntilDone, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&) src/dom/base/nsGlobalWindowOuter.cpp:5451:21
    #10 0x7fe10b2969bb in nsGlobalWindowInner::PrintPreview(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, mozilla::ErrorResult&) src/dom/base/nsGlobalWindowInner.cpp:3622:3
    #11 0x7fe10ca219fe in mozilla::dom::Window_Binding::printPreview(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:3208:59
    #12 0x7fe10d25fc48 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3229:13
    #13 0x7fe113974068 in CallJSNative src/js/src/vm/Interpreter.cpp:508:13
    #14 0x7fe113974068 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:600:12
    #15 0x7fe11397638b in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:665:10
    #16 0x7fe11395d101 in CallFromStack src/js/src/vm/Interpreter.cpp:669:10
    #17 0x7fe11395d101 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3337:16
    #18 0x7fe11393dcd0 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:469:13
    #19 0x7fe1139741f9 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:637:13
    #20 0x7fe11397638b in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:665:10
    #21 0x7fe113976710 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:682:8
    #22 0x7fe113b05a32 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2821:10
    #23 0x7fe10c803b24 in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::IdleDeadline&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:868:8
    #24 0x7fe10b382a1f in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::IdleDeadline&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:784:12
    #25 0x7fe10b54a2c9 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:797:12
    #26 0x7fe10b54a2c9 in mozilla::dom::IdleRequest::IdleRun(nsPIDOMWindowInner*, double, bool) src/dom/base/IdleRequest.cpp:62:13
    #27 0x7fe10b276030 in nsGlobalWindowInner::RunIdleRequest(mozilla::dom::IdleRequest*, double, bool) src/dom/base/nsGlobalWindowInner.cpp:672:12
    #28 0x7fe10b274e1b in nsGlobalWindowInner::ExecuteIdleRequest(mozilla::TimeStamp) src/dom/base/nsGlobalWindowInner.cpp:700:3
    #29 0x7fe10b274af5 in IdleRequestExecutor::Run() src/dom/base/nsGlobalWindowInner.cpp:541:13
    #30 0x7fe107af4b59 in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:244:16
    #31 0x7fe107ab39f3 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:514:26
    #32 0x7fe107ab156d in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:396:15
    #33 0x7fe107ab182d in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:170:36
    #34 0x7fe107b026f1 in operator() src/xpcom/threads/TaskController.cpp:84:37
    #35 0x7fe107b026f1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #36 0x7fe107ad6e03 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1234:14
    #37 0x7fe107ae0efc in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:513:10
    #38 0x7fe108db6a8f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:87:21
    #39 0x7fe108cbb281 in RunInternal src/ipc/chromium/src/base/message_loop.cc:334:10
    #40 0x7fe108cbb281 in RunHandler src/ipc/chromium/src/base/message_loop.cc:327:3
    #41 0x7fe108cbb281 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3
    #42 0x7fe10fa1cee7 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #43 0x7fe11370e9ef in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #44 0x7fe108cbb281 in RunInternal src/ipc/chromium/src/base/message_loop.cc:334:10
    #45 0x7fe108cbb281 in RunHandler src/ipc/chromium/src/base/message_loop.cc:327:3
    #46 0x7fe108cbb281 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3
    #47 0x7fe11370df8c in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #48 0x55ba5548901d in content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #49 0x55ba55489457 in main src/browser/app/nsBrowserApp.cpp:304:18

The attached test case also triggers:

Assertion failure: mTiming (Timing should have been setup before making a static clone), at src/dom/base/Document.cpp:11194

#0 0x7f5a5ffdf871 in mozilla::dom::Document::CloneDocHelper(mozilla::dom::Document*) const src/dom/base/Document.cpp:11193:5
#1 0x7f5a6189a7b4 in nsHTMLDocument::Clone(mozilla::dom::NodeInfo*, nsINode**) const src/dom/html/nsHTMLDocument.cpp:673:17
#2 0x7f5a60155f18 in nsINode::CloneAndAdopt(nsINode*, bool, bool, nsNodeInfoManager*, JS::Handle<JSObject*>, nsINode*, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:3103:26
#3 0x7f5a60155a14 in Clone src/dom/base/nsINode.cpp:3405:10
#4 0x7f5a60155a14 in nsINode::CloneNode(bool, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:2981:10
#5 0x7f5a5ffe3ee3 in mozilla::dom::Document::CreateStaticClone(nsIDocShell*, nsIContentViewer*, bool*) src/dom/base/Document.cpp:12293:40
#6 0x7f5a6013e5dd in nsFrameLoader::FinishStaticClone(nsFrameLoader*, bool*) src/dom/base/nsFrameLoader.cpp:2797:12
#7 0x7f5a5ffe4a1d in mozilla::dom::Document::CreateStaticClone(nsIDocShell*, nsIContentViewer*, bool*) src/dom/base/Document.cpp:12366:32
#8 0x7f5a5fef2d93 in nsGlobalWindowOuter::Print(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, nsGlobalWindowOuter::IsPreview, nsGlobalWindowOuter::BlockUntilDone, std::function<void (mozilla::dom::PrintPreviewResultInfo const&)>&&, mozilla::ErrorResult&) src/dom/base/nsGlobalWindowOuter.cpp:5451:21
#9 0x7f5a5fec4a7b in nsGlobalWindowInner::PrintPreview(nsIPrintSettings*, nsIWebProgressListener*, nsIDocShell*, mozilla::ErrorResult&) src/dom/base/nsGlobalWindowInner.cpp:3622:3
#10 0x7f5a60d7843b in mozilla::dom::Window_Binding::printPreview(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:3208:59
#11 0x7f5a61305405 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3229:13
#12 0x7f5a640f9de1 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:508:13
#13 0x7f5a640f9559 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:600:12
#14 0x7f5a640fb0b1 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:665:10
#15 0x7f5a640ef0dc in CallFromStack src/js/src/vm/Interpreter.cpp:669:10
#16 0x7f5a640ef0dc in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3337:16
#17 0x7f5a640e64b3 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:469:13
#18 0x7f5a640f952a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:637:13
#19 0x7f5a640fb0b1 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:665:10
#20 0x7f5a640fb2ef in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:682:8
#21 0x7f5a641ffe17 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2821:10
#22 0x7f5a60c1c73f in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::IdleDeadline&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:868:8
#23 0x7f5a5ff4193a in mozilla::dom::IdleRequestCallback::Call(mozilla::dom::IdleDeadline&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:784:12
#24 0x7f5a600296e9 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WindowBinding.h:797:12
#25 0x7f5a600296e9 in mozilla::dom::IdleRequest::IdleRun(nsPIDOMWindowInner*, double, bool) src/dom/base/IdleRequest.cpp:62:13
#26 0x7f5a5feb3370 in nsGlobalWindowInner::RunIdleRequest(mozilla::dom::IdleRequest*, double, bool) src/dom/base/nsGlobalWindowInner.cpp:672:12
#27 0x7f5a5feb2805 in nsGlobalWindowInner::ExecuteIdleRequest(mozilla::TimeStamp) src/dom/base/nsGlobalWindowInner.cpp:700:3
#28 0x7f5a5feb2634 in IdleRequestExecutor::Run() src/dom/base/nsGlobalWindowInner.cpp:541:13
#29 0x7f5a5e2f0403 in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:244:16
#30 0x7f5a5e2cbd44 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:514:26
#31 0x7f5a5e2cae85 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:396:15
#32 0x7f5a5e2caf83 in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:170:36
#33 0x7f5a5e2f5556 in operator() src/xpcom/threads/TaskController.cpp:84:37
#34 0x7f5a5e2f5556 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
#35 0x7f5a5e2df4a7 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1234:14
#36 0x7f5a5e2e4cba in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:513:10
#37 0x7f5a5ebda396 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:87:21
#38 0x7f5a5eb4d063 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:334:10
#39 0x7f5a5eb4cf7d in RunHandler src/ipc/chromium/src/base/message_loop.cc:327:3
#40 0x7f5a5eb4cf7d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3
#41 0x7f5a627d82b8 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#42 0x7f5a63fc1be3 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:913:20
#43 0x7f5a5ebdb159 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:237:9
#44 0x7f5a5eb4d063 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:334:10
#45 0x7f5a5eb4cf7d in RunHandler src/ipc/chromium/src/base/message_loop.cc:327:3
#46 0x7f5a5eb4cf7d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3
#47 0x7f5a63fc17c8 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:744:34
#48 0x555fde8c2917 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#49 0x555fde8c2917 in main src/browser/app/nsBrowserApp.cpp:304:18
#50 0x7f5a749460b2 in __libc_start_main /build/glibc-YYA7BZ/glibc-2.31/csu/../csu/libc-start.c:308:16
#51 0x555fde8a06c9 in _start (/home/user/workspace/browsers/m-c-20200917142508-fuzzing-debug/firefox-bin+0x176c9)
Keywords: assertion

CCing Emily.

(In reply to Tyson Smith [:tsmith] from comment #1)

> The attached test case also triggers:
>
> Assertion failure: mTiming (Timing should have been setup before making a static clone), at src/dom/base/Document.cpp:11194

It looks like we don't need to care about the null mTiming. We can just ignore all animations in such cases (presumably).

Blocks: 1631440
Severity: -- → S3
Whiteboard: [print2020][old-ui?]

Oh wait, it's not just a debug assertion. :/

Severity: S3 → S2

A Pernosco session is available here: https://pernos.co/debug/_9yAS0LgiBtBkbsk3kNPxA/index.html

Same as bug 1667902? That crash looks pretty bad on Thunderbird, not nearly as much on Firefox.

Assignee: nobody → emilio

Timing is nulled out in the docshell mid load, with a stack like:

#0  0x00007fc2e8833375 in RefPtr<nsDOMNavigationTiming>::assign_assuming_AddRef (this=0x55ced1849fc8, aNewPtr=0x0) at /home/twsmith/code/mozilla-central/objdir-ff-debug/dist/include/mozilla/RefPtr.h:67
#1  0x00007fc2f1747205 in RefPtr<nsDOMNavigationTiming>::operator=(decltype(nullptr)) (this=0x55ced1849fc8) at /home/twsmith/code/mozilla-central/objdir-ff-debug/dist/include/mozilla/RefPtr.h:168
#2  0x00007fc2f170bd08 in nsDocShell::EndPageLoad (this=0x55ced1849d60, aProgress=0x55ced1849d88, aChannel=0x55ced124b468, aStatus=-2142568446) at /home/twsmith/code/mozilla-central/docshell/base/nsDocShell.cpp:6231
#3  0x00007fc2f170b6bb in nsDocShell::OnStateChange (this=0x55ced1849d60, aProgress=0x55ced1849d88, aRequest=0x55ced124b468, aStateFlags=131088, aStatus=-2142568446) at /home/twsmith/code/mozilla-central/docshell/base/nsDocShell.cpp:5610
#4  0x00007fc2e9ff9ca1 in nsDocLoader::DoFireOnStateChange (this=0x55ced1849d60, aProgress=0x55ced1849d88, aRequest=0x55ced124b468, aStateFlags=@0x7ffff664b58c: 131088, aStatus=-2142568446) at /home/twsmith/code/mozilla-central/uriloader/base/nsDocLoader.cpp:1348
#5  0x00007fc2e9ff94a4 in nsDocLoader::doStopDocumentLoad (this=0x55ced1849d60, request=0x55ced124b468, aStatus=-2142568446) at /home/twsmith/code/mozilla-central/uriloader/base/nsDocLoader.cpp:954
#6  0x00007fc2e9ff7492 in nsDocLoader::DocLoaderIsEmpty (this=0x55ced1849d60, aFlushLayout=true, aOverrideStatus=...) at /home/twsmith/code/mozilla-central/uriloader/base/nsDocLoader.cpp:757
#7  0x00007fc2e9ff8d06 in nsDocLoader::OnStopRequest (this=0x55ced1849d60, aRequest=0x55ced124b468, aStatus=-2142568446) at /home/twsmith/code/mozilla-central/uriloader/base/nsDocLoader.cpp:640
#8  0x00007fc2e7cbc2dd in mozilla::net::nsLoadGroup::NotifyRemovalObservers (this=0x55ced15c9d60, request=0x55ced124b468, aStatus=-2142568446) at /home/twsmith/code/mozilla-central/netwerk/base/nsLoadGroup.cpp:615
#9  0x00007fc2e7cbb79a in mozilla::net::nsLoadGroup::Cancel (this=0x55ced15c9d60, status=-2142568446) at /home/twsmith/code/mozilla-central/netwerk/base/nsLoadGroup.cpp:249
#10 0x00007fc2e9ff6ce4 in nsDocLoader::Stop (this=0x55ced1849d60) at /home/twsmith/code/mozilla-central/uriloader/base/nsDocLoader.cpp:253
#11 0x00007fc2f1748ff8 in nsDocShell::Stop (this=0x55ced1849d60) at /home/twsmith/code/mozilla-central/docshell/base/nsDocShell.h:207
#12 0x00007fc2f16db027 in nsDocShell::Stop (this=0x55ced1849d60, aStopFlags=3) at /home/twsmith/code/mozilla-central/docshell/base/nsDocShell.cpp:4014
#13 0x00007fc2eb0b2014 in nsGlobalWindowOuter::StopOuter (this=0x55ced14255d0, aError=...) at /home/twsmith/code/mozilla-central/dom/base/nsGlobalWindowOuter.cpp:5202
#14 0x00007fc2eb0666cd in nsGlobalWindowInner::Stop (this=0x55ced158b2a0, aError=...) at /home/twsmith/code/mozilla-central/dom/base/nsGlobalWindowInner.cpp:3604
#15 0x00007fc2ec2ee6d5 in mozilla::dom::Window_Binding::stop (cx=0x55ced120b190, obj=..., void_self=0x55ced158b2a0, args=...) at WindowBinding.cpp:2011
#16 0x00007fc2eca521ca in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions> (cx=0x55ced120b190, argc=0, vp=0x55ced16d5950) at /home/twsmith/code/mozilla-central/dom/bindings/BindingUtils.cpp:3229
#17 0x00007fc2f22cf3a3 in CallJSNative (cx=0x55ced120b190, native=0x7fc2eca51e50 <mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)>, reason=js::CallReason::Call, args=...) at /home/twsmith/code/mozilla-central/js/src/vm/Interpreter.cpp:508
#18 0x00007fc2f22b908a in js::InternalCallOrConstruct (cx=0x55ced120b190, args=..., construct=js::NO_CONSTRUCT, reason=js::CallReason::Call) at /home/twsmith/code/mozilla-central/js/src/vm/Interpreter.cpp:600
#19 0x00007fc2f22b984e in InternalCall (cx=0x55ced120b190, args=..., reason=js::CallReason::Call) at /home/twsmith/code/mozilla-central/js/src/vm/Interpreter.cpp:665
#20 0x00007fc2f22b9622 in js::CallFromStack (cx=0x55ced120b190, args=...) at /home/twsmith/code/mozilla-central/js/src/vm/Interpreter.cpp:669
#21 0x00007fc2f22ac92c in Interpret (cx=0x55ced120b190, state=...) at /home/twsmith/code/mozilla-central/js/src/vm/Interpreter.cpp:3337
#22 0x00007fc2f22a1549 in js::RunScript (cx=0x55ced120b190, state=...) at /home/twsmith/code/mozilla-central/js/src/vm/Interpreter.cpp:469
#23 0x00007fc2f22b92f8 in js::InternalCallOrConstruct (cx=0x55ced120b190, args=..., construct=js::NO_CONSTRUCT, reason=js::CallReason::Call) at /home/twsmith/code/mozilla-central/js/src/vm/Interpreter.cpp:637
#24 0x00007fc2f22b984e in InternalCall (cx=0x55ced120b190, args=..., reason=js::CallReason::Call) at /home/twsmith/code/mozilla-central/js/src/vm/Interpreter.cpp:665
#25 0x00007fc2f22b98f7 in js::Call (cx=0x55ced120b190, fval=..., thisv=..., args=..., rval=..., reason=js::CallReason::Call) at /home/twsmith/code/mozilla-central/js/src/vm/Interpreter.cpp:682
#26 0x00007fc2f2484d29 in JS::Call (cx=0x55ced120b190, thisv=..., fval=..., args=..., rval=...) at /home/twsmith/code/mozilla-central/js/src/jsapi.cpp:2821
#27 0x00007fc2ec7031e9 in mozilla::dom::EventHandlerNonNull::Call (this=0x55ced180c410, cx=..., aThisVal=..., event=..., aRetVal=..., aRv=...) at EventHandlerBinding.cpp:278
#28 0x00007fc2ed11b72c in mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> > (this=0x55ced180c410, thisVal=..., event=..., aRetVal=..., aRv=..., aExecutionReason=0x7fc2e131926a "EventHandlerNonNull", aExceptionHandling=mozilla::dom::CallbackObject::eReportExceptions, aRealm=0x0) at /home/twsmith/code/mozilla-central/objdir-ff-debug/dist/include/mozilla/dom/EventHandlerBinding.h:367
#29 0x00007fc2ed10769a in mozilla::JSEventHandler::HandleEvent (this=0x55ced16fca50, aEvent=0x55ced186b940) at /home/twsmith/code/mozilla-central/dom/events/JSEventHandler.cpp:201
#30 0x00007fc2ed0e6c9e in mozilla::EventListenerManager::HandleEventSubType (this=0x55ced12d8b00, aListener=0x55ced12d8b30, aDOMEvent=0x55ced186b940, aCurrentTarget=0x55ced158b2a0) at /home/twsmith/code/mozilla-central/dom/events/EventListenerManager.cpp:1088
#31 0x00007fc2ed0e77a5 in mozilla::EventListenerManager::HandleEventInternal (this=0x55ced12d8b00, aPresContext=0x0, aEvent=0x55ced15f0330, aDOMEvent=0x7ffff6650570, aCurrentTarget=0x55ced158b2a0, aEventStatus=0x7ffff6650578, aItemInShadowTree=false) at /home/twsmith/code/mozilla-central/dom/events/EventListenerManager.cpp:1279
#32 0x00007fc2ed11e4d0 in mozilla::EventListenerManager::HandleEvent (this=0x55ced12d8b00, aPresContext=0x0, aEvent=0x55ced15f0330, aDOMEvent=0x7ffff6650570, aCurrentTarget=0x55ced158b2a0, aEventStatus=0x7ffff6650578, aItemInShadowTree=false) at /home/twsmith/code/mozilla-central/objdir-ff-debug/dist/include/mozilla/EventListenerManager.h:354
#33 0x00007fc2ed110c5d in mozilla::EventTargetChainItem::HandleEvent (this=0x55ced142bdf8, aVisitor=..., aCd=...) at /home/twsmith/code/mozilla-central/dom/events/EventDispatcher.cpp:356
#34 0x00007fc2ed0dcdc6 in mozilla::EventTargetChainItem::HandleEventTargetChain (aChain=..., aVisitor=..., aCallback=0x0, aCd=...) at /home/twsmith/code/mozilla-central/dom/events/EventDispatcher.cpp:558
#35 0x00007fc2ed0df3db in mozilla::EventDispatcher::Dispatch (aTarget=0x55ced14255d0, aPresContext=0x0, aEvent=0x55ced15f0330, aDOMEvent=0x55ced186b940, aEventStatus=0x0, aCallback=0x0, aTargets=0x0) at /home/twsmith/code/mozilla-central/dom/events/EventDispatcher.cpp:1058
#36 0x00007fc2ed0e112d in mozilla::EventDispatcher::DispatchDOMEvent (aTarget=0x55ced14255d0, aEvent=0x0, aDOMEvent=0x55ced186b940, aPresContext=0x0, aEventStatus=0x0) at /home/twsmith/code/mozilla-central/dom/events/EventDispatcher.cpp:1160
#37 0x00007fc2eb20ccb9 in mozilla::dom::Document::DispatchPageTransition (this=0x55ced16fa580, aDispatchTarget=0x55ced14255d0, aType=..., aInFrameSwap=false, aPersisted=false, aOnlySystemGroup=false) at /home/twsmith/code/mozilla-central/dom/base/Document.cpp:10874
#38 0x00007fc2eb20d8ca in mozilla::dom::Document::OnPageHide (this=0x55ced16fa580, aPersisted=false, aDispatchStartTarget=0x0, aOnlySystemGroup=false) at /home/twsmith/code/mozilla-central/dom/base/Document.cpp:11012
#39 0x00007fc2ef3b202e in nsDocumentViewer::PageHide (this=0x55ced1875b60, aIsUnload=true) at /home/twsmith/code/mozilla-central/layout/base/nsDocumentViewer.cpp:1388
#40 0x00007fc2f16eff4d in nsDocShell::FirePageHideNotificationInternal (this=0x55ced1849d60, aIsUnload=true, aSkipCheckingDynEntries=false) at /home/twsmith/code/mozilla-central/docshell/base/nsDocShell.cpp:1038
#41 0x00007fc2f16efe37 in nsDocShell::FirePageHideNotification (this=0x55ced1849d60, aIsUnload=true) at /home/twsmith/code/mozilla-central/docshell/base/nsDocShell.cpp:1022
#42 0x00007fc2f16e63f6 in nsDocShell::CreateContentViewer (this=0x55ced1849d60, aContentType=..., aRequest=0x55ced124b468, aContentHandler=0x55ced17e5168) at /home/twsmith/code/mozilla-central/docshell/base/nsDocShell.cpp:7593
#43 0x00007fc2f16e5c58 in nsDSURIContentListener::DoContent (this=0x55ced158d480, aContentType=..., aIsContentPreferred=false, aRequest=0x55ced124b468, aContentHandler=0x55ced17e5168, aAbortProcess=0x7ffff6651457) at /home/twsmith/code/mozilla-central/docshell/base/nsDSURIContentListener.cpp:182
#44 0x00007fc2e9fff291 in nsDocumentOpenInfo::TryContentListener (this=0x55ced17e5140, aListener=0x55ced158d480, aChannel=0x55ced124b468) at /home/twsmith/code/mozilla-central/uriloader/base/nsURILoader.cpp:597
#45 0x00007fc2e9fffd59 in nsDocumentOpenInfo::TryDefaultContentListener (this=0x55ced17e5140, aChannel=0x55ced124b468) at /home/twsmith/code/mozilla-central/uriloader/base/nsURILoader.cpp:626
#46 0x00007fc2e9ffd844 in nsDocumentOpenInfo::DispatchContent (this=0x55ced17e5140, request=0x55ced124b468, aCtxt=0x0) at /home/twsmith/code/mozilla-central/uriloader/base/nsURILoader.cpp:276
#47 0x00007fc2e9ffcf95 in nsDocumentOpenInfo::OnStartRequest (this=0x55ced17e5140, request=0x55ced124b468) at /home/twsmith/code/mozilla-central/uriloader/base/nsURILoader.cpp:154
#48 0x00007fc2e7c96906 in nsBaseChannel::OnStartRequest (this=0x55ced124b420, request=0x55ced1879240) at /home/twsmith/code/mozilla-central/netwerk/base/nsBaseChannel.cpp:834
#49 0x00007fc2e7cb90cf in nsInputStreamPump::OnStateStart (this=0x55ced1879240) at /home/twsmith/code/mozilla-central/netwerk/base/nsInputStreamPump.cpp:481

That is, we're sending pagehide notifications and nulling out the navigation timing even if we're in the middle of a load which is about to use the timing. We should probably not null it out in this case, but we should also just be null-checking it during clones, since there are legit reasons for mTiming to be null.

There's no guarantee that mTiming is non-null. This can happen for a
variety of reasons.
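
The failure mode and fix discussed above (timing cleared by `EndPageLoad` mid-load, then dereferenced during the static clone), as an added C++ model that is not code from the bug or from the landed patch. `NavTiming`, `DocShell`, `Doc` and their methods are simplified stand-ins, and the 0x40 field offset is constructed to match the fault address in the ASan report; the real class layout is not shown on this page.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>

// Simplified stand-ins; names echo the stack traces, none of this is Gecko code.
struct NavTiming {  // plays nsDOMNavigationTiming
  std::uint8_t precedingFields[0x40] = {};  // constructed padding, real layout unknown
  std::uint64_t navigationStart = 0;

  std::shared_ptr<NavTiming> CloneNavigationTime() const {
    auto copy = std::make_shared<NavTiming>();
    copy->navigationStart = navigationStart;  // first read through `this`
    return copy;
  }
};

// A member read through a null NavTiming* touches address 0 + member offset,
// so the sanitizer reports a small non-zero "near null" address, not 0.
constexpr std::size_t NullThisReadAddress() {
  return offsetof(NavTiming, navigationStart);
}

struct DocShell {  // plays nsDocShell
  std::shared_ptr<NavTiming> timing;

  void StartLoad(std::uint64_t now) {
    timing = std::make_shared<NavTiming>();
    timing->navigationStart = now;
  }
  void EndPageLoad() { timing = nullptr; }  // the reset seen in the gdb stack
};

struct Doc {  // plays mozilla::dom::Document
  std::shared_ptr<NavTiming> mTiming;
  bool isStaticClone = false;

  // Assumption of this model: the document takes whatever timing the
  // docshell holds at this point in the load.
  void AdoptTimingFrom(const DocShell& shell) { mTiming = shell.timing; }

  // Pre-fix shape as the report shows it: an assertion that fires in debug
  // builds and an unconditional dereference that faults otherwise.
  // Never called below; with mTiming == nullptr it is the reported crash.
  std::unique_ptr<Doc> CloneUnchecked() const {
    assert(mTiming && "Timing should have been setup before making a static clone");
    auto clone = std::make_unique<Doc>();
    clone->isStaticClone = true;
    clone->mTiming = mTiming->CloneNavigationTime();
    return clone;
  }

  // Post-fix shape: a null timing is a valid state, the clone just has none.
  std::unique_ptr<Doc> CloneChecked() const {
    auto clone = std::make_unique<Doc>();
    clone->isStaticClone = true;
    if (mTiming) {
      clone->mTiming = mTiming->CloneNavigationTime();
    }
    return clone;
  }
};

// Replays the order of events from the analysis: a load starts, optionally a
// pagehide handler stops it (EndPageLoad), the document is set up, and print
// preview then makes a static clone.
std::unique_ptr<Doc> ReplayLoadThenClone(bool stopDuringLoad) {
  DocShell shell;
  shell.StartLoad(1000);
  if (stopDuringLoad) {
    shell.EndPageLoad();
  }
  Doc doc;
  doc.AdoptTimingFrom(shell);
  return doc.CloneChecked();
}

int main() {
  auto stopped = ReplayLoadThenClone(true);
  auto normal = ReplayLoadThenClone(false);
  std::printf("null-this read address: 0x%zx\n", NullThisReadAddress());
  std::printf("stopped load: clone has timing = %d\n", stopped->mTiming != nullptr);
  std::printf("normal load:  clone has timing = %d\n", normal->mTiming != nullptr);
  return 0;
}
```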

Crash Signature: [@ mozilla::dom::Document::CloneDocHelper]
Flags: needinfo?(emilio)
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 83 Branch

Is this worth getting on 82 for Thunderbird's benefit?

Flags: needinfo?(emilio)

Comment on attachment 9180370 [details]
Bug 1665792 - Null-check mTiming before clone. r=jwatt

Beta/Release Uplift Approval Request

  • User impact if declined: Crashes
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: none
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): null-check
  • String changes made/needed: none
Flags: needinfo?(emilio)
Attachment #9180370 - Flags: approval-mozilla-beta?

Comment on attachment 9180370 [details]
Bug 1665792 - Null-check mTiming before clone. r=jwatt

approved for 82 rc1.

Attachment #9180370 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Whiteboard: [print2020][old-ui?] → [print2020_v82][old-ui?]