Open Bug 1942196 Opened 5 months ago Updated 4 months ago

Crash in [@ java.lang.NegativeArraySizeException: at org.mozilla.geckoview.GeckoSession$SessionState.spliceSessionHistory(GeckoSession.java)]

Categories

(GeckoView :: General, defect, P1)

Unspecified
Android
defect

Tracking

(firefox134 unaffected, firefox135 unaffected, firefox136 disabled)

ASSIGNED

People

(Reporter: mccr8, Assigned: kaya)

References

(Regression)

Details

(Keywords: crash, regression, Whiteboard: [fxdroid][group1])

Attachments

(1 file, 1 obsolete file)

Crash report: https://crash-stats.mozilla.org/report/index/b66ce08e-1ff4-4901-989e-84c280250116

Top 10 frames:

0  org.mozilla.geckoview.GeckoSession$SessionState  spliceSessionHistory  GeckoSession.java:10
1  org.mozilla.geckoview.GeckoSession$SessionState  getPartiallyUpdatedHistoryChange  GeckoSession.java:47
2  org.mozilla.geckoview.GeckoSession$SessionState  updateSessionState  GeckoSession.java:51
3  org.mozilla.geckoview.GeckoSession$2  handleMessage  GeckoSession.java:18
4  org.mozilla.geckoview.GeckoSession$2  handleMessage  GeckoSession.java:1
5  org.mozilla.geckoview.GeckoSessionHandler  handleMessage  GeckoSessionHandler.java:2
6  org.mozilla.gecko.EventDispatcher$3  run  EventDispatcher.java:13
7  android.os.Handler  handleCallback  Handler.java:739
8  android.os.Handler  dispatchMessage  Handler.java:95
9  android.os.Looper  loop  Looper.java:145

Looks like this first appeared in the 20250114093520 Nightly build.

Product: Fenix → GeckoView

Looks like this session store splice stuff was recently enabled via bug 1933630.

Flags: needinfo?(kkaya)
Regressed by: 1933630

Yes, looks like there's some issue with the fromIdx coming from the platform side, possibly due to the old index used in OnHistoryNewEntry (some code refs from the codepath). The minimum integer value is forwarded to the GV layer and Java's min integer is set to be the size of the array (for the result of splice operation). I'll put up a patch to back out enabling partial updates, and try to fix it next week (will be out on Fri, Jan 17).

Flags: needinfo?(kkaya)
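
The failure mode described in the comment above, as an added example that is not part of the bug thread and not GeckoView's code: an index received from another layer is used to size an array without a range check. The class, the method names, the splice semantics (keep entries before fromIdx, then append) and the sample data are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.Optional;

public class SpliceGuardExample {
    // Hypothetical splice: keep history[0, fromIdx) and append the new entries.
    // Unchecked form: the result size is computed straight from fromIdx.
    static String[] spliceUnchecked(String[] history, int fromIdx, String[] added) {
        String[] out = new String[fromIdx + added.length]; // throws if the sum is negative
        System.arraycopy(history, 0, out, 0, fromIdx);
        System.arraycopy(added, 0, out, fromIdx, added.length);
        return out;
    }

    // Checked form: validate the index received from the other layer first.
    // An empty result tells the caller to request a full history update instead.
    static Optional<String[]> spliceChecked(String[] history, int fromIdx, String[] added) {
        if (fromIdx < 0 || fromIdx > history.length) {
            return Optional.empty();
        }
        String[] out = Arrays.copyOf(history, Math.addExact(fromIdx, added.length));
        System.arraycopy(added, 0, out, fromIdx, added.length);
        return Optional.of(out);
    }

    public static void main(String[] args) {
        String[] history = {"a", "b", "c"}; // constructed sample data
        String[] added = {"d"};

        try {
            spliceUnchecked(history, Integer.MIN_VALUE, added);
        } catch (NegativeArraySizeException e) {
            System.out.println("unchecked: " + e);
        }

        System.out.println("checked, bad index: "
                + spliceChecked(history, Integer.MIN_VALUE, added).isPresent());
        System.out.println("checked, fromIdx=2: "
                + Arrays.toString(spliceChecked(history, 2, added).get()));
    }
}
```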

This reverts commit 3cbba36b19ba7955c5a221d7a809b3755a56923d.

Assignee: nobody → kkaya
Status: NEW → ASSIGNED
Attachment #9460103 - Attachment is obsolete: true

The regressor Bug 1933630 was backed out

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 10 AArch64 and ARM crashes on nightly

For more information, please visit BugBot documentation.

Keywords: topcrash
Severity: -- → S2
Priority: -- → P1
Whiteboard: [fxdroid][group1]

Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.

Keywords: topcrash

Since the crash volume is low (less than 15 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.

Severity: S2 → S3