Crash in [@ mozilla::PresShell::DoFlushPendingNotifications]
Categories
(Core :: XUL, defect)
Tracking
()
Tracking | Status | |
---|---|---|
firefox125 | --- | unaffected |
firefox126 | --- | affected |
firefox127 | --- | affected |
People
(Reporter: gsvelto, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, regressionwindow-wanted)
Crash Data
Crash report: https://crash-stats.mozilla.org/report/index/c2587373-3965-4539-a81a-7bdd20230901
MOZ_CRASH Reason: MOZ_DIAGNOSTIC_ASSERT(!mForbiddenToFlush) (This is bad!)
Top 10 frames of crashing thread:
0 xul.dll mozilla::PresShell::DoFlushPendingNotifications layout/base/PresShell.cpp:4183
1 xul.dll mozilla::PresShell::FlushPendingNotifications layout/base/PresShell.h:1472
1 xul.dll mozilla::dom::Document::FlushPendingNotifications dom/base/Document.cpp:10929
2 xul.dll mozilla::dom::Document::FlushPendingNotifications dom/base/Document.cpp:10861
2 xul.dll mozilla::dom::XULTreeElement::GetTreeBodyFrame dom/xul/XULTreeElement.cpp:92
3 xul.dll mozilla::dom::XULTreeElement::EndUpdateBatch dom/xul/XULTreeElement.cpp:385
4 xul.dll mozilla::dom::XULTreeElement_Binding::endUpdateBatch dom/bindings/XULTreeElementBinding.cpp:1349
5 xul.dll mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions> dom/bindings/BindingUtils.cpp:3327
6 xul.dll CallJSNative js/src/vm/Interpreter.cpp:486
6 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:580
This crash appears unrelated to bug 1845904. Crashes seem to be happening only on Windows and the stack crosses both JavaScript calls and Layout code. While this seems to happen predominantly on Windows I found macOS and Linux crashes too.
To isolate the crashes with this stack from the ones in bug 1845904 one can use this query
The first flush (caused by getting focus) causes restyles. Then, XULTreeElement.endUpdateBatch()
is called and the call of getting its body element causes another flush.
According to the stack, here causes calling endUpdateBatch
synchronously, however, I don't find the actual runner of JS (hidden by SharedStub
?).
Comment 2•8 months ago
|
||
The severity field is not set for this bug.
:enndeakin, could you have a look please?
For more information, please visit BugBot documentation.
Updated•8 months ago
|
Comment 3•6 months ago
|
||
This is the reentrancy that was causing the crash in release channel from bug 1809492. I think [:tnikkel] might have some plans for this, see bug 1809492 comment 42 "I pushed a patch that should fix this (at least at the immediate crash, the code is still not as good as I would like)". He fixed the release channel crash but the reentrancy still exists, thus explaining these early beta crashes.
Updated•6 months ago
|
Comment 4•5 months ago
|
||
The bug is linked to a topcrash signature, which matches the following criterion:
- Top 10 AArch64 and ARM crashes on nightly
:enndeakin, could you consider increasing the severity of this top-crash bug?
For more information, please visit BugBot documentation.
Comment 5•5 months ago
|
||
These are diagnostic assert crashes, we do not crash here on release. So I don't think it makes sense to increase the priority because of that.
Comment 6•4 months ago
|
||
Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.
For more information, please visit BugBot documentation.
Updated•3 months ago
|
Comment 7•24 days ago
|
||
I'm able to reproduce this crash signature on the latest Nightly 127.0a1 and Beta 126.0b3, running on Windows 11 x64, when deleting a large amount of history from the Library menu.
Steps to reproduce:
Preconditions:
- Ensure you have a profile with a significant amount of history data (for instance, my profile has approximately 1600 items accessed within the past 7 days).
- Open the Library window in Firefox and navigate to the "This month" section from the left-hand menu.
- Select all entries by pressing "Ctrl + A" and then press the "Delete" key on your keyboard.
I will investigate further to pinpoint the regression range, as this issue is not reproducible on Firefox Release 125.0.2. You can view a screencast with the issue here.
Updated•23 days ago
|
Description
•