Crash with debug assertions enabled
tor-browser-102.2.0esr-12.0-1 crashes on my machine when I build with the debug assertions enabled.
My mozconfig
. $topsrcdir/mozconfig-linux-x86_64-dev
ac_add_options --enable-debug
ac_add_options --enable-debug-js-modules
ac_add_options --disable-optimize
ac_add_options --disable-rust-simd
ac_add_options --without-wasm-sandboxed-libraries
Call trace
RefPtr<mozilla::dom::BrowserParent>::operator->() const (/home/piero/Tor/geckoview/obj-x86_64-pc-linux-gnu/dist/include/mozilla/RefPtr.h:314)
mozilla::dom::BrowserHost::GetOwnerElement() const (/home/piero/Tor/geckoview/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/BrowserHost.h:68)
mozilla::AppWindow::GetPrimaryRemoteTabSize(int*, int*) (/home/piero/Tor/geckoview/xpfe/appshell/AppWindow.cpp:2188)
mozilla::AppWindow::GetPrimaryContentSize(int*, int*) (/home/piero/Tor/geckoview/xpfe/appshell/AppWindow.cpp:2178)
mozilla::AppWindow::ForceRoundedDimensions() (/home/piero/Tor/geckoview/xpfe/appshell/AppWindow.cpp:1165)
mozilla::AppWindow::SizeShell() (/home/piero/Tor/geckoview/xpfe/appshell/AppWindow.cpp:2662)
mozilla::AppWindow::OnChromeLoaded() (/home/piero/Tor/geckoview/xpfe/appshell/AppWindow.cpp:1199)
mozilla::AppWindow::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) (/home/piero/Tor/geckoview/xpfe/appshell/AppWindow.cpp:3228)
nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) (/home/piero/Tor/geckoview/uriloader/base/nsDocLoader.cpp:1377)
nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) (/home/piero/Tor/geckoview/uriloader/base/nsDocLoader.cpp:986)
nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) (/home/piero/Tor/geckoview/uriloader/base/nsDocLoader.cpp:794)
nsDocLoader::OnStopRequest(nsIRequest*, nsresult) (/home/piero/Tor/geckoview/uriloader/base/nsDocLoader.cpp:677)
nsDocShell::OnStopRequest(nsIRequest*, nsresult) (/home/piero/Tor/geckoview/docshell/base/nsDocShell.cpp:13929)
mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) (/home/piero/Tor/geckoview/netwerk/base/nsLoadGroup.cpp:614)
mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) (/home/piero/Tor/geckoview/netwerk/base/nsLoadGroup.cpp:518)
mozilla::dom::Document::DoUnblockOnload() (/home/piero/Tor/geckoview/dom/base/Document.cpp:11697)
mozilla::dom::Document::UnblockOnload(bool) (/home/piero/Tor/geckoview/dom/base/Document.cpp:11635)
mozilla::css::Loader::UnblockOnload(bool) (/home/piero/Tor/geckoview/layout/style/Loader.cpp:2314)
mozilla::css::SheetLoadData::FireLoadEvent(nsIThreadInternal*) (/home/piero/Tor/geckoview/layout/style/Loader.cpp:456)
mozilla::css::SheetLoadData::AfterProcessNextEvent(nsIThreadInternal*, bool) (/home/piero/Tor/geckoview/layout/style/Loader.cpp:415)
nsThread::ProcessNextEvent(bool, bool*) (/home/piero/Tor/geckoview/xpcom/threads/nsThread.cpp:1204)
NS_ProcessNextEvent(nsIThread*, bool) (/home/piero/Tor/geckoview/xpcom/threads/nsThreadUtils.cpp:465)
mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (/home/piero/Tor/geckoview/ipc/glue/MessagePump.cpp:85)
MessageLoop::RunInternal() (/home/piero/Tor/geckoview/ipc/chromium/src/base/message_loop.cc:380)
MessageLoop::RunHandler() (/home/piero/Tor/geckoview/ipc/chromium/src/base/message_loop.cc:373)
MessageLoop::Run() (/home/piero/Tor/geckoview/ipc/chromium/src/base/message_loop.cc:355)
nsBaseAppShell::Run() (/home/piero/Tor/geckoview/widget/nsBaseAppShell.cpp:137)
nsAppStartup::Run() (/home/piero/Tor/geckoview/toolkit/components/startup/nsAppStartup.cpp:295)
XREMain::XRE_mainRun() (/home/piero/Tor/geckoview/toolkit/xre/nsAppRunner.cpp:5940)
XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) (/home/piero/Tor/geckoview/toolkit/xre/nsAppRunner.cpp:6134)
XRE_main(int, char**, mozilla::BootstrapConfig const&) (/home/piero/Tor/geckoview/toolkit/xre/nsAppRunner.cpp:6202)
mozilla::BootstrapImpl::XRE_main(int, char**, mozilla::BootstrapConfig const&) (/home/piero/Tor/geckoview/toolkit/xre/Bootstrap.cpp:45)
do_main(int, char**, char**) (/home/piero/Tor/geckoview/browser/app/nsBrowserApp.cpp:227)
main (/home/piero/Tor/geckoview/browser/app/nsBrowserApp.cpp:406)
__libc_start_call_main (@__libc_start_call_main:26)
__libc_start_main_impl (@__libc_start_main@@GLIBC_2.34:42)
_start (@_start:14)
So, as you can see, we have an assertion failing to avoid dereferencing a nullptr.
I think that actually it's some kind of race/timing issue, because the actor of the browser is nullptr (or something like this).
So, I think YMMV when trying to reproduce this bug.
On my machine it has been 100% reproducible, and with a git bisect I arrived at ef131605.
So, I have tried to git revert it on HEAD, and the crash disappeared.
In particular, the C++ part of that patch seems to be the culprit here, but I have tried to comment out the code and it kept crashing. So, I believe some build cache issue is also in the middle. (I haven't had the time to nuke everything and try again, but I sorta did it before bisecting).
I have also tried to leave assertions off to see if I could get some UB due to the nullptr referencing, or some other strange phenomenon.
However, Firefox contains a test to make sure no networking code slips on the Rust code that was triggered with optimization off and debug off at the same time (not sure why, not sure how to disable it).