зеркало из https://github.com/mozilla/gecko-dev.git
fbbb775ffc
parser/htmlparser/tests/crashtests/515533-1.html most cleanly creates this crash if you repeat it many times.
It contains an iframe to a local file (so it's a same process iframe). The document in the iframe has an inline script that does
window.location.replace("data:text/plain,");
since crashtests have the pref browser.tabs.remote.dataUriInDefaultWebProcess set (to get more testing of fission) this makes the iframe now in a different process from it's parent.
When the bug happens we create the retained nsDisplaySubDocument before the process change, the document inside the iframe has a presshell, and importantly, it does not yet have a root frame. Then the remoteness change happens on the iframe, ResetFrameLoader is called on the nsSubDocumentFrame to remove the old frame loader. So now the nsSubDocumentFrame can't find a presshell (either via views or the frameloader).
The reason that the document in the iframe not having a root frame when the nsDisplaySubDocument is created is important is because if we had a root frame then the root frame would be the mFrame of the nsDisplaySubDocument and when the root frame got destroyed for the remoteness change that frame destruction would make sure that the nsDisplaySubDocument cannot be re-used. The nsSubDocumentFrame sticks around though, so the nsDisplaySubDocument doesn't think anything changed.
Differential Revision: https://phabricator.services.mozilla.com/D65888
--HG--
extra : moz-landing-system : lando
|
||
|---|---|---|
| .. | ||
| base | ||
| build | ||
| doc | ||
| forms | ||
| generic | ||
| inspector | ||
| ipc | ||
| mathml | ||
| media | ||
| painting | ||
| printing | ||
| reftests | ||
| style | ||
| svg | ||
| tables | ||
| tools | ||
| xul | ||
| moz.build | ||