Crash in [@ mozilla::dom::Navigation::UpdateEntriesForSameDocumentNavigation]
Categories
(Core :: DOM: Navigation, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr140 | --- | unaffected |
| firefox145 | --- | unaffected |
| firefox146 | --- | disabled |
| firefox147 | --- | fix-optional |
| firefox148 | --- | fix-optional |
People
(Reporter: release-mgmt-account-bot, Assigned: avandolder, NeedInfo)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: crash, regression)
Crash Data
Crash report: https://crash-stats.mozilla.org/report/index/8db817c8-6dc6-4a8c-9b29-46d680251110
MOZ_CRASH Reason: MOZ_DIAGNOSTIC_ASSERT(aDestinationSHE->NavigationKey() == oldCurrentEntry->SessionHistoryInfo()->NavigationKey())
Top 10 frames of crashing thread:
0 xul.dll mozilla::dom::Navigation::UpdateEntriesForSameDocumentNavigation dom/navigation/Navigation.cpp:384
1 xul.dll nsDocShell::UpdateURLAndHistory docshell/base/nsDocShell.cpp:12168
2 xul.dll nsDocShell::AddState docshell/base/nsDocShell.cpp:11918
3 xul.dll nsHistory::PushOrReplaceState dom/base/nsHistory.cpp:202
4 xul.dll nsHistory::ReplaceState dom/base/nsHistory.cpp:164
4 xul.dll mozilla::dom::History_Binding::replaceState dom/bindings/HistoryBinding.cpp:424
5 xul.dll mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions> dom/bindings/BindingUtils.cpp:3306
6 xul.dll CallJSNative js/src/vm/Interpreter.cpp:490
6 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:586
6 xul.dll InternalCall js/src/vm/Interpreter.cpp:653
By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:
- First crash report: 2025-11-10
- Process type: Content
- Is startup crash: No
- Has user comments: No
- Is null crash: No
By analyzing the backtrace, the regression may have been introduced by a patch [1] to fix Bug 1998680.
[1] https://hg.mozilla.org/mozilla-central/rev?node=42fe4a96c1da
:farre, since you are the author of the potential regressor, could you please take a look?
|
||
Updated•6 months ago
|
|
Reporter | |
Comment 1•6 months ago
|
||
The bug is marked as tracked for firefox146 (beta). However, the bug still isn't assigned.
:hsinyi, could you please find an assignee for this tracked bug? Given that it is a regression and we know the cause, we could also simply backout the regressor. If you disagree with the tracking decision, please talk with the release managers.
For more information, please visit BugBot documentation.
|
||
Comment 2•6 months ago
|
||
Adam (and the team) is investigating.
|
|
||
Comment 3•6 months ago
|
||
Setting S2 given the feature is riding the train currently.
|
||
Comment 4•6 months ago
|
||
What's the user-facing impact of this bug for builds with diagnostic asserts disabled?
|
Assignee | |
Comment 5•5 months ago
|
||
For websites which use the Navigation API, this bug has the potential to cause calls to navigation.traverseTo to fail if they pass the navigation API key for a history entry which has been replaced. Some sites may also use navigation API keys to construct their own history-tracking mechanisms, and so replace navigations not resulting in entries with the same keys could potentially break those.
It's unclear if those are actually behaviours currently present on the web, however.
|
|
Reporter | |
Comment 6•5 months ago
|
||
The bug is linked to a topcrash signature, which matches the following criterion:
- Top 10 AArch64 and ARM crashes on nightly
For more information, please visit BugBot documentation.
|
||
Comment 7•5 months ago
•
|
||
Disabled in Fx146, riding the train with Fx147 - see Bug 1997962
|
||
Comment 8•5 months ago
|
||
It looks like this spiked up a lot in the last few Nightlies. I don't know if something changed.
|
||
Comment 9•5 months ago
|
||
Could the recent crashes be from the changes in bug 2003017? The changelog also contains bug 2002946.
|
|
||
Comment 10•5 months ago
•
|
||
This is currently the #1 Nightly topcrash for both Desktop & Android.
|
||
Comment 11•5 months ago
|
||
The first affected buildid of the spike is 20251107212309, this aligns with the landing of bug 1998680 which introduced the assertion we're hitting, that's most likely the regressor. Andreas can you have a look please?
|
||
Comment 12•5 months ago
|
||
The regressor should be bug 2002946, at least for some of the crashes (the ones which originate from nsDocShell::OnLinkClickSync(). We're investigating.
|
|
||
Updated•5 months ago
|
|
||
Comment 13•5 months ago
|
||
My guess is we should see a (noticeable) drop-off in assertions failing now that has landed https://bugzilla.mozilla.org/show_bug.cgi?id=2004902.
|
|
||
Comment 14•5 months ago
|
||
Just ran into this alot in 147.0b1 on MacOS Sequoia 15.6
STR:
- go to a reddit thread (e.g. https://www.reddit.com/r/firefox/comments/fxu5ja/it_seems_there_is_a_whitehot_need_for_an/)
- Double triple quadruple click on the back button next to the firefox logo of the thread
- tab crash https://crash-stats.mozilla.org/report/index/3e141ce2-ca64-45e4-a5f4-e39e40251210#tab-annotations
|
|
||
Comment 15•5 months ago
|
||
This should be fixed in current nightly (bug 2004902), and should be uplifted to beta.
|
|
||
Comment 16•5 months ago
•
|
||
Unfortunately, I can still reproduce this in Nightly on 20251210095635 (which i think includes bug 2004902). It is a little bit more difficult to run into because the Back button doesn't immediately load, but it does happen.
New STR:
- go to a reddit search, search for anything, open a search result in a new tab (i used cmd+click)
- Once the back button loads/appears, Double triple quadruple click on the back button next to the firefox logo of the thread
- tab crash https://crash-stats.mozilla.org/report/index/77ad9790-7f6e-42c7-81a4-9fb170251210
| Comment hidden (obsolete) |
|
|
||
Comment 18•5 months ago
|
||
That’s a different stack trace. Thanks for the STR, we‘ll look into it!
|
|
||
Comment 19•5 months ago
|
||
I can't reproduce comment 16 on Linux. Is this a Mac only thing, perhaps?
|
|
||
Comment 20•5 months ago
|
||
Hi Dianna,
since you can reproduce this crash (I also failed to reproduce): Could you go to about:logging, set NavigationAPI:5, and then record a profiler session for the crash? Maybe the log messages tell us something interesting.
|
|
||
Comment 22•5 months ago
|
||
Bug 2005771 should fix a few more of the crashes, in particular the ones mentioned in comment 16.
|
|
||
Comment 23•5 months ago
|
||
S3: As comment 22 said, it's also clear that the crash volume is down significantly from the crash stat.
|
|
||
Comment 24•5 months ago
|
||
Do you want to use this bug to track the remaining work or take that to a follow-up bug? I'm clearing the tracking flags as the main causes for this crash have been resolved and uplifted.
|
|
Reporter | |
Comment 25•5 months ago
|
||
The bug is linked to a topcrash signature, which matches the following criteria:
- Top 20 desktop browser crashes on beta
- Top 10 desktop browser crashes on nightly
- Top 10 content process crashes on beta
- Top 5 desktop browser crashes on Mac on beta
- Top 5 desktop browser crashes on Windows on beta
- Top 10 AArch64 and ARM crashes on nightly
- Top 10 AArch64 and ARM crashes on beta
For more information, please visit BugBot documentation.
|
|
Assignee | |
Comment 26•4 months ago
|
||
Considering the remaining crash numbers are still significant (if much lower) I think it still makes sense to keep tracking this here.
|
|
Reporter | |
Comment 27•4 months ago
|
||
Based on the topcrash criteria, the crash signature linked to this bug is not a topcrash signature anymore.
For more information, please visit BugBot documentation.
|
|
||
Comment 28•1 month ago
|
||
Hey Adam, have you had a chance to look at this recently? It remains a topcrash for Nightly and early Beta builds.
|
||
Comment 29•1 month ago
|
||
It's very possible that we might fix this with the patch in bug 2031699. We should monitor that that's the case.
Description
•