browser_bug2011921.js

"use strict";

// Bug 2011921 - Crash in BrowsingContextWebProgress::ContextReplaced

//

// When MaybeCheckUnloadingIsCanceled takes the async path for a BFCache

// navigation (because the current page has a beforeunload handler and the

// Navigation API is enabled), and another navigation replaces the browsing

// context before the callback fires, the callback calls FinishRestore →

// ReplacedBy on the already-replaced context whose mWebProgress is null.

//

// The race: two rapid back navigations both enter LoadURIs. The first takes

// the async MaybeCheckUnloadingIsCanceled path. The second may complete

// its BFCache restore (calling ReplacedBy and moving mWebProgress) before

// the first callback fires. When the first callback fires, it reaches

// FinishRestore at the unguarded direct call in MaybeLoadBFCache (which

// lacks the IsReplaced() check present in the PermitUnload callback), and

// dereferences the null mWebProgress.

const TEST_PATH = getRootDirectory(gTestPath).replace(

  "chrome://mochitests/content",

  "https://example.com"

);

add_task(async function test_rapid_back_with_beforeunload_bfcache() {

  await SpecialPowers.pushPrefEnv({

    set: [

      ["fission.bfcacheInParent", true],

      // Navigation API must be enabled for MaybeCheckUnloadingIsCanceled.

      ["dom.navigation.webidl.enabled", true],

      // Keep the default (true) for this pref so that beforeunload dialogs

      // are suppressed in automated tests (no user interaction), while the

      // beforeunload handler is still registered and NeedsBeforeUnload()

      // returns true.

      ["dom.require_user_interaction_for_beforeunload", true],

],

});

  // Run multiple iterations to increase the probability of hitting the race

  // window. The race depends on IPC message ordering between the beforeunload

  // check round-trip and the second navigation's HistoryGo arrival.

  const ITERATIONS = 10;

  for (let i = 0; i < ITERATIONS; i++) {

    info(`--- Iteration ${i + 1}/${ITERATIONS} ---`);

    let tab = await BrowserTestUtils.openNewForegroundTab(

      gBrowser,

      TEST_PATH + "dummy_page.html?page1"

);

    let browser = tab.linkedBrowser;

    // Navigate to page2 (page1 goes to BFCache).

    BrowserTestUtils.startLoadingURIString(

      browser,

      TEST_PATH + "dummy_page.html?page2"

);

    await BrowserTestUtils.browserLoaded(browser);

    // Navigate to page3 (page2 goes to BFCache).

    BrowserTestUtils.startLoadingURIString(

      browser,

      TEST_PATH + "dummy_page.html?page3"

);

    await BrowserTestUtils.browserLoaded(browser);

    // Register a beforeunload handler on the current page. This makes

    // NeedsBeforeUnload() return true on the WindowGlobalParent, which causes

    // MaybeCheckUnloadingIsCanceled to take the async path when navigating

    // away. With dom.require_user_interaction_for_beforeunload = true and no

    // user interaction, no dialog is shown but the async IPC round-trip still

    // occurs.

    await SpecialPowers.spawn(browser, [], () => {

      content.addEventListener("beforeunload", e => {

        e.preventDefault();

});

});

    // Strategy: trigger two back navigations from the content process,

    // separated by one event loop turn so they get different history epochs

    // (the ChildSHistory epoch increments via a dispatched runnable between

    // event turns). Both navigations proceed to the parent's HistoryGo →

    // LoadURIs. The first enters the async MaybeCheckUnloadingIsCanceled

    // path. The second arrives while the first is pending.

    SpecialPowers.spawn(browser, [], () => {

      content.history.back();

      content.setTimeout(() => {

        content.history.back();

      }, 0);

});

    // Wait for async callbacks and IPC round-trips to settle.

    // The crash, if triggered, happens during this window.

    // eslint-disable-next-line mozilla/no-arbitrary-setTimeout

    await new Promise(resolve => setTimeout(resolve, 1000));

    // Try a different strategy too: trigger goBack from the parent process

    // while a content-initiated back navigation may still be in flight.

    // First, set up fresh history again.

    BrowserTestUtils.startLoadingURIString(

      browser,

      TEST_PATH + "dummy_page.html?page4"

);

    await BrowserTestUtils.browserLoaded(browser);

    BrowserTestUtils.startLoadingURIString(

      browser,

      TEST_PATH + "dummy_page.html?page5"

);

    await BrowserTestUtils.browserLoaded(browser);

    await SpecialPowers.spawn(browser, [], () => {

      content.addEventListener("beforeunload", e => {

        e.preventDefault();

});

});

    // Trigger back from content and parent nearly simultaneously.

    // These use different IPC paths, potentially avoiding epoch dedup.

    SpecialPowers.spawn(browser, [], () => {

      content.history.back();

});

    browser.goBack();

    // eslint-disable-next-line mozilla/no-arbitrary-setTimeout

    await new Promise(resolve => setTimeout(resolve, 1000));

    BrowserTestUtils.removeTab(tab);

  ok(true, "Completed all iterations without crashing (bug 2011921)");

});