Closed Bug 1753366 Opened 3 years ago Closed 3 years ago

Assertion failure: docShell, at /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:956

Categories

(Core :: DOM: Content Processes, defect, P2)

Tracking

VERIFIED FIXED
99 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox97 --- wontfix
firefox98 --- wontfix
firefox99 --- verified

People

(Reporter: tsmith, Assigned: smaug)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20220124-9b23d1bb84b2 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html --xvfb

Assertion failure: docShell, at /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:956

#0 0x7f82c623006a in mozilla::dom::BrowserChild::RecvLoadURL(nsDocShellLoadState*, mozilla::dom::ParentShowInfo const&) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:956:3
#1 0x7f82c2d2a8df in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserChild.cpp:4606:56
#2 0x7f82c271c86b in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8250:32
#3 0x7f82c258f35f in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2039:25
#4 0x7f82c258bc31 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1964:9
#5 0x7f82c258d10c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1823:3
#6 0x7f82c258dd4d in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1851:14
#7 0x7f82c1afb91e in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:467:16
#8 0x7f82c1ad5776 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:770:26
#9 0x7f82c1ad4438 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:606:15
#10 0x7f82c1ad46b3 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:390:36
#11 0x7f82c1afe956 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:124:37
#12 0x7f82c1afe956 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#13 0x7f82c1aea073 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1195:16
#14 0x7f82c1af115a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467:10
#15 0x7f82c2595166 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#16 0x7f82c24b5077 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
#17 0x7f82c24b4f82 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
#18 0x7f82c24b4f82 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
#19 0x7f82c6779198 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#20 0x7f82c87d5133 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:870:20
#21 0x7f82c259605a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#22 0x7f82c24b5077 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
#23 0x7f82c24b4f82 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
#24 0x7f82c24b4f82 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
#25 0x7f82c87d476c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:707:34
#26 0x562415825029 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#27 0x562415825029 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327:18
#28 0x7f82d7ac90b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#29 0x5624158007bc in _start (/home/worker/builds/m-c-20220124214229-fuzzing-debug/firefox-bin+0x157bc)
Flags: in-testsuite?

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220203152805-61491ef8a39c.
The bug appears to have been introduced in the following build range:

Start: d1c894f81d2a11efc998f4294fe137cb371c1d2b (20211213201156)
End: 6c0d753b10f45d377d10f02992567641e9526fa9 (20211213215115)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=d1c894f81d2a11efc998f4294fe137cb371c1d2b&tochange=6c0d753b10f45d377d10f02992567641e9526fa9

Whiteboard: [bugmon:bisected,confirmed]

Hi Olli, can you please help with triage here?

Flags: needinfo?(bugs)

Other places in BrowserChild explicitly just handle null docshell.
(The only special case is when we have just created the WebBrowser object in Init())

Assignee: nobody → bugs
Status: NEW → ASSIGNED
Severity: -- → S3
Priority: -- → P2
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 99 Branch
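As an added illustration (not Gecko's code and not the patch that landed for this bug), a simplified model of the RecvLoadURL handler named in the stack trace: an assertion-only guard beside a handler that tolerates a null docshell the way the comment above says the other BrowserChild handlers do. Only the class and method names come from the trace; the DocShell stand-in, IPCResult and the bodies are assumptions.

```cpp
// Added illustration, not Gecko code: a simplified model of the content-process
// handler named in the stack trace. Class and method names are borrowed from
// the trace; the bodies, DocShell stand-in and IPCResult are assumptions.
#include <cassert>
#include <memory>
#include <string>
#include <vector>

enum class IPCResult { Ok, Fail };

// Stand-in for nsIDocShell: records each URL it is asked to load.
struct DocShell {
  std::vector<std::string> loaded;
  void LoadURI(const std::string& url) { loaded.push_back(url); }
};

struct BrowserChild {
  std::shared_ptr<DocShell> mDocShell;  // becomes null once the tab is torn down

  // Mirrors the failing path: an assertion is the only guard, so a LoadURL
  // arriving after teardown aborts a debug build and would dereference null
  // in a release build where the assertion compiles away.
  IPCResult RecvLoadURL_AssertOnly(const std::string& url) {
    assert(mDocShell && "docShell");  // the check that fires at BrowserChild.cpp:956
    mDocShell->LoadURI(url);
    return IPCResult::Ok;
  }

  // Tolerant form, matching how the comment describes the other handlers:
  // a null docshell means there is nothing to load into, so drop the message.
  IPCResult RecvLoadURL(const std::string& url) {
    if (!mDocShell) {
      return IPCResult::Ok;
    }
    mDocShell->LoadURI(url);
    return IPCResult::Ok;
  }
};

// True when a LoadURL that races with teardown is handled without touching
// the destroyed docshell (constructed scenario).
bool LoadAfterTeardownIsSafe() {
  BrowserChild child{std::make_shared<DocShell>()};
  child.RecvLoadURL("https://example.test/a");
  child.mDocShell.reset();  // simulate the docshell being destroyed
  return child.RecvLoadURL("https://example.test/b") == IPCResult::Ok;
}
```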

:smaug, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit the auto_nag documentation.

Flags: needinfo?(bugs)

Presumably another Fission-triggered assert.

Flags: needinfo?(bugs)
Regressed by: 1732358

Set release status flags based on info from the regressing bug 1732358

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220215092702-2bbcda1a3414.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Has Regression Range: --- → yes
Flags: in-testsuite? → in-testsuite-