Open Bug 1851430 Opened 9 months ago Updated 23 days ago

Crash in [@ mozilla::PresShell::DoFlushPendingNotifications]

Categories

(Core :: XUL, defect)

Product:
Core
Component:
XUL
Platform:
Unspecified
All
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox125 --- unaffected
firefox126 --- affected
firefox127 --- affected

People

(Reporter: gsvelto, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regressionwindow-wanted)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/c2587373-3965-4539-a81a-7bdd20230901

MOZ_CRASH Reason: MOZ_DIAGNOSTIC_ASSERT(!mForbiddenToFlush) (This is bad!)

Top 10 frames of crashing thread:

0  xul.dll  mozilla::PresShell::DoFlushPendingNotifications  layout/base/PresShell.cpp:4183
1  xul.dll  mozilla::PresShell::FlushPendingNotifications  layout/base/PresShell.h:1472
1  xul.dll  mozilla::dom::Document::FlushPendingNotifications  dom/base/Document.cpp:10929
2  xul.dll  mozilla::dom::Document::FlushPendingNotifications  dom/base/Document.cpp:10861
2  xul.dll  mozilla::dom::XULTreeElement::GetTreeBodyFrame  dom/xul/XULTreeElement.cpp:92
3  xul.dll  mozilla::dom::XULTreeElement::EndUpdateBatch  dom/xul/XULTreeElement.cpp:385
4  xul.dll  mozilla::dom::XULTreeElement_Binding::endUpdateBatch  dom/bindings/XULTreeElementBinding.cpp:1349
5  xul.dll  mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>  dom/bindings/BindingUtils.cpp:3327
6  xul.dll  CallJSNative  js/src/vm/Interpreter.cpp:486
6  xul.dll  js::InternalCallOrConstruct  js/src/vm/Interpreter.cpp:580

This crash appears unrelated to bug 1845904. Crashes seem to be happening only on Windows and the stack crosses both JavaScript calls and Layout code. While this seems to happen predominantly on Windows I found macOS and Linux crashes too.

To isolate the crashes with this stack from the ones in bug 1845904 one can use this query

The first flush (caused by getting focus) causes restyles. Then, XULTreeElement.endUpdateBatch() is called and the call of getting its body element causes another flush.

According to the stack, here causes calling endUpdateBatch synchronously, however, I don't find the actual runner of JS (hidden by SharedStub?).

Component: DOM: Events → XUL
Blocks: 1723836

The severity field is not set for this bug.
:enndeakin, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(enndeakin)
Severity: -- → S3
Flags: needinfo?(enndeakin)

This is the reentrancy that was causing the crash in release channel from bug 1809492. I think [:tnikkel] might have some plans for this, see bug 1809492 comment 42 "I pushed a patch that should fix this (at least at the immediate crash, the code is still not as good as I would like)". He fixed the release channel crash but the reentrancy still exists, thus explaining these early beta crashes.

Flags: needinfo?(tnikkel)

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 10 AArch64 and ARM crashes on nightly

:enndeakin, could you consider increasing the severity of this top-crash bug?

For more information, please visit BugBot documentation.

Flags: needinfo?(enndeakin)
Keywords: topcrash

These are diagnostic assert crashes, we do not crash here on release. So I don't think it makes sense to increase the priority because of that.

Flags: needinfo?(enndeakin)
See Also: → 1872155

Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.

For more information, please visit BugBot documentation.

Keywords: topcrash
Flags: needinfo?(tnikkel)

I'm able to reproduce this crash signature on the latest Nightly 127.0a1 and Beta 126.0b3, running on Windows 11 x64, when deleting a large amount of history from the Library menu.

Steps to reproduce:

Preconditions:

  • Ensure you have a profile with a significant amount of history data (for instance, my profile has approximately 1600 items accessed within the past 7 days).
  1. Open the Library window in Firefox and navigate to the "This month" section from the left-hand menu.
  2. Select all entries by pressing "Ctrl + A" and then press the "Delete" key on your keyboard.

I will investigate further to pinpoint the regression range, as this issue is not reproducible on Firefox Release 125.0.2. You can view a screencast with the issue here.

status-firefox125: --- → unaffected
status-firefox126: --- → affected
status-firefox127: --- → affected
Keywords: regressionwindow-wanted
QA Whiteboard: [qa-regression-triage]
You need to log in before you can comment on or make changes to this bug.