[tbb-bugs] #29334 [Applications/Tor Browser]: Exception when running the garbage collection during new identity

[Tor Bug Tracker & Wiki]

#29334: Exception when running the garbage collection during new identity
-------------------------------------+-------------------------------------
     Reporter:  gk                   |      Owner:  tbb-team
         Type:  defect               |     Status:  new
     Priority:  Medium               |  Milestone:
    Component:  Applications/Tor     |    Version:
  Browser                            |   Keywords:  tbb-torbutton, tbb-
     Severity:  Normal               |  newnym
Actual Points:                       |  Parent ID:
       Points:                       |   Reviewer:
      Sponsor:                       |
-------------------------------------+-------------------------------------
 During `New Identity` we run some fancy code to make sure we are really
 have a clean state after closing and reopening the browser:
 {{{
   // Run garbage collection and cycle collection after window is gone.
   // This ensures that blob URIs are forgotten.
   window.addEventListener("unload", function (event) {
     torbutton_log(3, "Initiating New Identity GC pass");
     // Clear out potential pending sInterSliceGCTimer:
     m_tb_domWindowUtils.runNextCollectorTimer();

     // Clear out potential pending sICCTimer:
     m_tb_domWindowUtils.runNextCollectorTimer();

     // Schedule a garbage collection in 4000-1000ms...
     m_tb_domWindowUtils.garbageCollect();

     // To ensure the GC runs immediately instead of 4-10s from now, we
 need
     // to poke it at least 11 times.
     // We need 5 pokes for GC, 1 poke for the interSliceGC, and 5 pokes
 for CC.
     // See nsJSContext::RunNextCollectorTimer() in
     // https://mxr.mozilla.org/mozilla-
 central/source/dom/base/nsJSEnvironment.cpp#1970.
     // XXX: We might want to make our own method for immediate full GC...
     for (let poke = 0; poke < 11; poke++) {
        m_tb_domWindowUtils.runNextCollectorTimer();
     }

     // And now, since the GC probably actually ran *after* the CC last
 time,
     // run the whole thing again.
     m_tb_domWindowUtils.garbageCollect();
     for (let poke = 0; poke < 11; poke++) {
        m_tb_domWindowUtils.runNextCollectorTimer();
     }
 }}}
 That leads to an exception in `chrome://extensions/content/ext-tabs-
 base.js` in some cases at
 {{{
 get frameLoader() {
     return this.browser.frameLoader;
 }}}
 as it is not guaranteed that `browser` is still a thing during that
 operation. An example where this occurs is

 1) On `about:page` open the link to our newsletter in a new tab
 2) Open the browser console
 3) Hit `New Identity`

 This got reported on our blog
 https://blog.torproject.org/comment/279507#comment-279507 ff.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29334>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online