Open Bug 1831297 Opened 1 year ago Updated 1 day ago

Crash in [@ mozilla::dom::syncedcontext::Transaction<T>::Commit | mozilla::dom::BrowsingContext::SetHasSiblings ] (when loading browser.xhtml in a tab)

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox113 --- wontfix
firefox114 --- wontfix
firefox115 --- wontfix

People

(Reporter: pehrsons, Unassigned)

References

(Regression)

Details

(Keywords: crash, regression)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/57f56f42-f4c7-44c9-861e-8c7720230504

MOZ_CRASH Reason: CanSet failed for field(s): HasSiblings

Top 10 frames of crashing thread:

0  libxul.so  MOZ_Crash  mfbt/Assertions.h:261
0  libxul.so  mozilla::dom::syncedcontext::Transaction<mozilla::dom::BrowsingContext>::Commit  docshell/base/SyncedContextInlines.h:103
1  libxul.so  mozilla::dom::BrowsingContext::SetHasSiblings  docshell/base/BrowsingContext.h:285
2  libxul.so  mozilla::dom::BrowsingContext::SetHasSiblings  docshell/base/BrowsingContext.h:285
2  libxul.so  mozilla::dom::BrowsingContext_Binding::set_hasSiblings  dom/bindings/BrowsingContextBinding.cpp:1461
3  libxul.so  mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>  dom/bindings/BindingUtils.cpp:3283
4  libxul.so  CallJSNative  js/src/vm/Interpreter.cpp:486
4  libxul.so  js::InternalCallOrConstruct  js/src/vm/Interpreter.cpp:580
4  libxul.so  InternalCall  js/src/vm/Interpreter.cpp:647
4  libxul.so  js::Call  js/src/vm/Interpreter.cpp:679

Steps to reproduce:

  1. In a new tab open chrome://browser/content/browser.xhtml
  2. Click the icon for Firefox View on the top left

Expected:
Something not so dramatic

Actual:
Parent process crash

Severity: -- → S3

Regression range:
Bug 1718082 - track current tab using browserId instead of top browsing context id for network prioritization purposes, r=nika,mconley,necko-reviewers,kershaw,valentin

Keywords: regression
Regressed by: 1718082

Within the xhtml tabs, If for some reason you dont see the Firefox view button, right click on the tab-bar- > Click on "Customize Toolbar" to repro the crash.
Or Right Click->Duplicate tab

:Gijs, since you are the author of the regressor, bug 1718082, could you take a look?

For more information, please visit BugBot documentation.

Flags: needinfo?(gijskruitbosch+bugs)

Set release status flags based on info from the regressing bug 1718082

status-firefox113: --- → affected
status-firefox114: --- → affected
status-firefox115: --- → affected
status-firefox-esr102: --- → unaffected

One day, when I have nothing better to do, I'll prevent people from deliberately loading browser.xhtml in a tab altogether, because it is not a useful thing to do and it breaks lots and lots of assumptions that we have no intention of fixing.

But today is not that day.

status-firefox113: affectedwontfix
status-firefox114: affectedwontfix
status-firefox115: affectedwontfix
Flags: needinfo?(gijskruitbosch+bugs)

FWIW, the Fenix attributed crashes cannot be related to the STR in comment 0 so I think they may warrant a separate investigation. Looks like that's being done in bug 1823817. The desktop volume for this specific crash is non-existent, unlike the Fenix volume for the OpenerPolicy version.

Keywords: topcrash
Summary: Crash in [@ mozilla::dom::syncedcontext::Transaction<T>::Commit] with CanSet failed for field(s): HasSiblings → Crash in [@ mozilla::dom::syncedcontext::Transaction<T>::Commit] with CanSet failed for field(s): HasSiblings (when loading browser.xhtml in a tab)

(In reply to BugBot [:suhaib / :marco/ :calixte] from comment #8)

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 10 AArch64 and ARM crashes on release

For more information, please visit BugBot documentation.

How can we teach the crash matching to take the moz_crash reason into account, and/or get it to stop flagging bugs that we've already assessed?

Flags: needinfo?(smujahid)

(In reply to :Gijs (he/him) from comment #9)

How can we teach the crash matching to take the moz_crash reason into account, and/or get it to stop flagging bugs that we've already assessed?

We could update the criteria on https://wiki.mozilla.org/index.php?title=CrashKill%2FTopcrash to skip crashes with the moz_crash reasons that we want to ignore. Next, I will reflect that on the topcrash rule in BugBot.

Flags: needinfo?(smujahid)

Another tact to take would be to get Socorro signature generation changed to include the field name. That might take longer to get done, though.

Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.

For more information, please visit BugBot documentation.

Keywords: topcrash

Thanks for bug 1834536, the signature has changed.

Crash Signature: [@ mozilla::dom::syncedcontext::Transaction<T>::Commit] → [@ mozilla::dom::syncedcontext::Transaction<T>::Commit | mozilla::dom::BrowsingContext::SetHasSiblings ]
See Also: → 1834536
Summary: Crash in [@ mozilla::dom::syncedcontext::Transaction<T>::Commit] with CanSet failed for field(s): HasSiblings (when loading browser.xhtml in a tab) → Crash in [@ mozilla::dom::syncedcontext::Transaction<T>::Commit | mozilla::dom::BrowsingContext::SetHasSiblings ] (when loading browser.xhtml in a tab)
See Also: → 1892593
You need to log in before you can comment on or make changes to this bug.