Closed
Bug 1667491
Opened 4 years ago
Closed 4 years ago
crash at null in [@ mozilla::dom::BrowsingContext::PreOrderWalk]
Categories
(Core :: DOM: Navigation, defect)
Core
DOM: Navigation
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox81 | --- | unaffected |
| firefox82 | --- | unaffected |
| firefox83 | --- | verified |
People
(Reporter: tsmith, Assigned: kmag)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: crash, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Crash Data
Attachments
(2 files)
Found with m-c 20200922-fa0bf905d4cb
==21714==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f5388312792 bp 0x7ffd5d53ee30 sp 0x7ffd5d53ed80 T0)
==21714==The signal is caused by a READ memory access.
==21714==Hint: address points to the zero page.
#0 0x7f5388312792 in operator() src/layout/base/nsDocumentViewer.cpp:1222:27
#1 0x7f5388312792 in std::_Function_handler<void (mozilla::dom::BrowsingContext*), nsDocumentViewer::PermitUnload(nsIContentViewer::PermitUnloadAction, bool*)::$_21>::_M_invoke(std::_Any_data const&, mozilla::dom::BrowsingContext*&&) /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/std_function.h:316:2
#2 0x7f538ae4d863 in operator() /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/std_function.h:706:14
#3 0x7f538ae4d863 in mozilla::dom::BrowsingContext::PreOrderWalk(std::function<void (mozilla::dom::BrowsingContext*)> const&) src/docshell/base/BrowsingContext.cpp:848:3
#4 0x7f538ae4da07 in mozilla::dom::BrowsingContext::PreOrderWalk(std::function<void (mozilla::dom::BrowsingContext*)> const&) src/docshell/base/BrowsingContext.cpp:854:12
#5 0x7f5388290e63 in nsDocumentViewer::PermitUnload(nsIContentViewer::PermitUnloadAction, bool*) src/layout/base/nsDocumentViewer.cpp:1219:7
#6 0x7f5383239cc2 in PermitUnload /builds/worker/workspace/obj-build/dist/include/nsIContentViewer.h:91:14
#7 0x7f5383239cc2 in nsGlobalWindowOuter::CanClose() src/dom/base/nsGlobalWindowOuter.cpp:6263:23
#8 0x7f538323a469 in nsGlobalWindowOuter::CloseOuter(bool) src/dom/base/nsGlobalWindowOuter.cpp:6321:35
#9 0x7f538497019e in mozilla::dom::Window_Binding::close(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:1924:24
#10 0x7f53851b2c33 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::CrossOriginThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3229:13
#11 0x7f538bbcf154 in CallJSNative src/js/src/vm/Interpreter.cpp:508:13
#12 0x7f538bbcf154 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:600:12
#13 0x7f538bbd152e in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:665:10
#14 0x7f538bbd18b0 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:682:8
#15 0x7f538bd624c2 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2821:10
#16 0x7f5384e664f4 in mozilla::dom::Function::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/FunctionBinding.cpp:45:8
#17 0x7f53835bbcaa in void mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject> >(nsCOMPtr<nsIGlobalObject> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FunctionBinding.h:73:12
#18 0x7f53835bb913 in mozilla::dom::CallbackTimeoutHandler::Call(char const*) src/dom/base/TimeoutHandler.cpp:167:29
#19 0x7f53831e8ab3 in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) src/dom/base/nsGlobalWindowInner.cpp:6091:38
#20 0x7f53835b6d9a in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool) src/dom/base/TimeoutManager.cpp:916:44
#21 0x7f53835b5925 in mozilla::dom::TimeoutExecutor::MaybeExecute() src/dom/base/TimeoutExecutor.cpp:179:11
#22 0x7f53835b94a6 in Notify src/dom/base/TimeoutExecutor.cpp:246:5
#23 0x7f53835b94a6 in non-virtual thunk to mozilla::dom::TimeoutExecutor::Notify(nsITimer*) src/dom/base/TimeoutExecutor.cpp
#24 0x7f537fd0e7d9 in nsTimerImpl::Fire(int) src/xpcom/threads/nsTimerImpl.cpp:565:39
#25 0x7f537fd0dfbd in nsTimerEvent::Run() src/xpcom/threads/TimerThread.cpp:251:11
#26 0x7f537fd4af53 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() src/xpcom/threads/ThrottledEventQueue.cpp:254:22
#27 0x7f537fd3df4f in mozilla::ThrottledEventQueue::Inner::Executor::Run() src/xpcom/threads/ThrottledEventQueue.cpp:81:15
#28 0x7f537fd3f6b9 in mozilla::RunnableTask::Run() src/xpcom/threads/TaskController.cpp:244:16
#29 0x7f537fcfe553 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:514:26
#30 0x7f537fcfbf37 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) src/xpcom/threads/TaskController.cpp:373:15
#31 0x7f537fcfc38d in mozilla::TaskController::ProcessPendingMTTask(bool) src/xpcom/threads/TaskController.cpp:170:36
#32 0x7f537fd4d284 in operator() src/xpcom/threads/TaskController.cpp:87:37
#33 0x7f537fd4d284 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
#34 0x7f537fd21963 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1234:14
#35 0x7f537fd2ba5c in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:513:10
#36 0x7f5380ff5024 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:109:5
#37 0x7f5380ef95a1 in RunInternal src/ipc/chromium/src/base/message_loop.cc:334:10
#38 0x7f5380ef95a1 in RunHandler src/ipc/chromium/src/base/message_loop.cc:327:3
#39 0x7f5380ef95a1 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3
#40 0x7f5387c5fe07 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#41 0x7f538b968f1f in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:913:20
#42 0x7f5380ef95a1 in RunInternal src/ipc/chromium/src/base/message_loop.cc:334:10
#43 0x7f5380ef95a1 in RunHandler src/ipc/chromium/src/base/message_loop.cc:327:3
#44 0x7f5380ef95a1 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3
#45 0x7f538b9684bc in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:744:34
#46 0x5615d55bf01d in content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#47 0x5615d55bf457 in main src/browser/app/nsBrowserApp.cpp:304:18
Flags: in-testsuite?
|
||
Comment 1•4 years ago
|
||
This looks like a similar stack to bug 1667334, which is a crash we're seeing on Nightly.
|
|
||
Comment 2•4 years ago
|
||
From the stack, I'm guessing that this might be a regression from bug 1655866.
Flags: needinfo?(kmaglione+bmo)
|
Reporter | |
Comment 3•4 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/t7WcYxvKr8szb_5PQFhkig/index.html
|
||
Comment 4•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200925214743-b7717ee20ba9.
The bug appears to have been introduced in the following build range:
Start: e90b3bde17b8f3464d8761673b86c38fc22ef34f (20200922002028)
End: 091a4043d78af274fd5639829f17e4195d262e4a (20200922010000)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e90b3bde17b8f3464d8761673b86c38fc22ef34f&tochange=091a4043d78af274fd5639829f17e4195d262e4a
Whiteboard: [bugmon:bisected,confirmed]
|
||
Updated•4 years ago
|
Has Regression Range: --- → yes
|
||
Comment 6•4 years ago
|
||
Set release status flags based on info from the regressing bug 1655866
status-firefox81:
--- → unaffected
status-firefox82:
--- → unaffected
status-firefox-esr78:
--- → unaffected
|
||
Comment 7•4 years ago
|
||
Tracking for Fission M6c since we're tracking related bug 1667334 for M6c.
Fission Milestone: --- → M6c
|
Assignee | |
Comment 8•4 years ago
|
||
|
||
Updated•4 years ago
|
Assignee: nobody → kmaglione+bmo
Status: NEW → ASSIGNED
|
|
Reporter | |
Updated•4 years ago
|
Crash Signature: [@ std::_Func_impl_no_alloc<T>::_Do_call ]
|
||
Comment 10•4 years ago
|
||
Pushed by maglione.k@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/736e01530c6d
Fix null pointer deref. r=nika
|
||
Comment 11•4 years ago
|
||
|
|
Assignee | |
Updated•4 years ago
|
Flags: needinfo?(kmaglione+bmo)
|
|
||
Comment 12•4 years ago
|
||
Pushed by maglione.k@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/4054397df437
Fix null pointer deref. r=nika
|
||
Updated•4 years ago
|
Crash Signature: [@ std::_Func_impl_no_alloc<T>::_Do_call ] → [@ std::_Func_impl_no_alloc<T>::_Do_call ]
[@ std::_Func_impl_no_alloc<T>::_Do_call | mozilla::dom::BrowsingContext::PreOrderWalk ]
|
||
Comment 13•4 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 83 Branch
|
|
||
Comment 14•4 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20201001094020-ba35799faec2.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
|
||
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•