Crash in [@ java.lang.NegativeArraySizeException: at org.mozilla.geckoview.GeckoSession$SessionState.spliceSessionHistory(GeckoSession.java)]
Categories
(GeckoView :: General, defect)
Tracking
(firefox134 unaffected, firefox135 unaffected, firefox136 disabled)
| | Tracking | Status |
|---|---|---|
| firefox134 | --- | unaffected |
| firefox135 | --- | unaffected |
| firefox136 | --- | disabled |
People
(Reporter: mccr8, Unassigned)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: crash, leave-open, regression, Whiteboard: [fxdroid][geckoview])
Crash Data
Attachments
(1 file, 1 obsolete file)
Crash report: https://crash-stats.mozilla.org/report/index/b66ce08e-1ff4-4901-989e-84c280250116
Top 10 frames:
0 org.mozilla.geckoview.GeckoSession$SessionState spliceSessionHistory GeckoSession.java:10
1 org.mozilla.geckoview.GeckoSession$SessionState getPartiallyUpdatedHistoryChange GeckoSession.java:47
2 org.mozilla.geckoview.GeckoSession$SessionState updateSessionState GeckoSession.java:51
3 org.mozilla.geckoview.GeckoSession$2 handleMessage GeckoSession.java:18
4 org.mozilla.geckoview.GeckoSession$2 handleMessage GeckoSession.java:1
5 org.mozilla.geckoview.GeckoSessionHandler handleMessage GeckoSessionHandler.java:2
6 org.mozilla.gecko.EventDispatcher$3 run EventDispatcher.java:13
7 android.os.Handler handleCallback Handler.java:739
8 android.os.Handler dispatchMessage Handler.java:95
9 android.os.Looper loop Looper.java:145
Looks like this first appeared in the 20250114093520 Nightly build.
Comment 1 (Reporter)•1 year ago
Looks like this session store splice stuff was recently enabled via bug 1933630.
Comment 2•1 year ago
Yes, looks like there's some issue with the fromIdx coming from the platform side possibly due to the old index used in OnHistoryNewEntry (some code refs from the codepath). The minimum integer value is forwarded to the GV layer and Java's min integer is set to be the size of the array (for the result of splice operation). I'll put up a patch to back out enabling partial updates, and try to fix it next week (will be out on Fri, Jan 17).
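The failure mode described in Comment 2, shown as an added example that is not part of the bug thread and is not GeckoView's code: a splice that sizes its result array from an unvalidated index, next to a version that checks the index first. The class and method names, the sample history entries and the "return null to fall back to a full update" policy are all assumptions made for illustration.

```java
import java.util.Arrays;

// Added illustration; names are hypothetical, not GeckoView's API.
public class SpliceDemo {
    // Naive splice: keep entries [0, fromIdx), then append `inserted`.
    // The result length is derived directly from the untrusted index.
    static String[] spliceNaive(String[] history, int fromIdx, String[] inserted) {
        String[] out = new String[fromIdx + inserted.length]; // negative length if fromIdx is bogus
        System.arraycopy(history, 0, out, 0, fromIdx);
        System.arraycopy(inserted, 0, out, fromIdx, inserted.length);
        return out;
    }

    // Checked splice: reject any index outside [0, history.length] before sizing.
    // Returning null signals the caller to request a full history update (assumed policy).
    static String[] spliceChecked(String[] history, int fromIdx, String[] inserted) {
        if (fromIdx < 0 || fromIdx > history.length) {
            return null;
        }
        // addExact throws ArithmeticException instead of silently wrapping negative.
        String[] out = new String[Math.addExact(fromIdx, inserted.length)];
        System.arraycopy(history, 0, out, 0, fromIdx);
        System.arraycopy(inserted, 0, out, fromIdx, inserted.length);
        return out;
    }

    public static void main(String[] args) {
        String[] history = {"a.example", "b.example", "c.example"}; // constructed sample entries
        String[] inserted = {"d.example"};
        int bogus = Integer.MIN_VALUE; // the value Comment 2 says reaches the Java layer

        try {
            spliceNaive(history, bogus, inserted);
        } catch (NegativeArraySizeException e) {
            System.out.println("naive: " + e);
        }
        System.out.println("checked, bogus index: "
                + Arrays.toString(spliceChecked(history, bogus, inserted)));
        System.out.println("checked, index 2: "
                + Arrays.toString(spliceChecked(history, 2, inserted)));
    }
}
```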
Comment 3•1 year ago
This reverts commit 3cbba36b19ba7955c5a221d7a809b3755a56923d.
Comment 4•1 year ago
The regressor Bug 1933630 was backed out
Comment 5•1 year ago
The bug is linked to a topcrash signature, which matches the following criterion:
- Top 10 AArch64 and ARM crashes on nightly
For more information, please visit BugBot documentation.
Comment 6•11 months ago
Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.
For more information, please visit BugBot documentation.
Comment 7•11 months ago
Comment 8•11 months ago
Since the crash volume is low (less than 15 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.
For more information, please visit BugBot documentation.
Comment 9•6 months ago
Closing because no crashes reported for 12 weeks.
Comment 11•1 month ago
We will not receive any crash reports for this for now, as we've backed out the regressor (which disables the buggy codepath and does not really fix it). I'm reopening this ticket (and leaving it open) as this bug still exists in the code that does not get executed at the moment. The attached WIP patch is a starter for fixing the potential issue causing the negative array exception. Once we decide to re-enable the partial history state updates on Android - that's not currently an urgency or a blocker - we need to apply this fix to the codepath and monitor the crashes closely. Resetting assignee and priority.