2024044 - Assertion failure: mEvent == mNavigation->mOngoingNavigateEvent, at /builds/worker/checkouts/gecko/dom/navigation/Navigation.cpp:733

Status: VERIFIED FIXED

(Core :: DOM: Navigation, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20260313-f48076e3b372 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

Assertion failure: mEvent == mNavigation->mOngoingNavigateEvent, at /builds/worker/checkouts/gecko/dom/navigation/Navigation.cpp:733

#0 0x7ffb428a1779 in mozilla::dom::NavigationWaitForAllScope::CommitNavigateEventSuccessSteps /builds/worker/checkouts/gecko/dom/navigation/Navigation.cpp:733
#1 0x7ffb428a11e4 in std::_Func_impl_no_alloc<`lambda at /builds/worker/checkouts/gecko/dom/navigation/Navigation.cpp:822:7',void,const mozilla::Span<JS::Heap<JS::Value>,18446744073709551615> &>::_Do_call /builds/worker/fetches/vs/VC/Tools/MSVC/14.50.35717/include/functional:883
#2 0x7ffb41fbde84 in mozilla::dom::`anonymous namespace'::NativeThenHandler<`lambda at /builds/worker/checkouts/gecko/dom/promise/Promise.cpp:308:9',`lambda at /builds/worker/checkouts/gecko/dom/promise/Promise.cpp:268:7',std::tuple<RefPtr<mozilla::dom::WaitForAllResults>,nsCOMPtr<nsISupports> >,std::tuple<> >::CallResolveCallback /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Promise-inl.h:184
#3 0x7ffb41faffa1 in mozilla::dom::PromiseNativeThenHandlerBase::ResolvedCallback /builds/worker/checkouts/gecko/dom/promise/Promise.cpp:368
#4 0x7ffb41fbb8bb in mozilla::dom::`anonymous namespace'::PromiseNativeHandlerShim::ResolvedCallback /builds/worker/checkouts/gecko/dom/promise/Promise.cpp:545
#5 0x7ffb41fbc4a6 in mozilla::dom::NativeHandlerCallback /builds/worker/checkouts/gecko/dom/promise/Promise.cpp:486
#6 0x7ffb48448448 in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:586
#7 0x7ffb48449dc8 in js::Call /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:685
#8 0x7ffb45ea045e in JS::RunJSMicroTask /builds/worker/checkouts/gecko/js/src/builtin/Promise.cpp:8153
#9 0x7ffb370cb0df in mozilla::MustConsumeMicroTask::RunAndConsumeJSMicroTask /builds/worker/workspace/obj-build/dist/include/mozilla/CycleCollectedJSContext.h:257
#10 0x7ffb37096caa in mozilla::RunMicroTask /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:750
#11 0x7ffb37091289 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:1262
#12 0x7ffb3e90cb7e in mozilla::EventListenerManager::HandleEventSingleListener /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1284
#13 0x7ffb3e90efde in mozilla::EventListenerManager::HandleEventWithListenerArray /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1588
#14 0x7ffb3e90dbb2 in mozilla::EventListenerManager::HandleEventInternal /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1493
#15 0x7ffb3e8f419c in mozilla::EventTargetChainItem::HandleEvent /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:364
#16 0x7ffb3e8f2415 in mozilla::EventTargetChainItem::HandleEventTargetChain /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:605
#17 0x7ffb3e8f89f1 in mozilla::EventDispatcher::Dispatch /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1268
#18 0x7ffb3e900979 in mozilla::EventDispatcher::DispatchDOMEvent /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1410
#19 0x7ffb3ba8f435 in nsINode::DispatchEvent /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1551
#20 0x7ffb3b37d0db in nsContentUtils::DispatchEvent /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:5734
#21 0x7ffb3b37cdd9 in nsContentUtils::DispatchTrustedEvent /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:5699
#22 0x7ffb3b6d6dcf in mozilla::dom::Document::DispatchContentLoadedEvents /builds/worker/checkouts/gecko/dom/base/Document.cpp:8643
#23 0x7ffb371625ba in mozilla::detail::RunnableMethodImpl<nsMemoryReporterManager *,nsresult (nsMemoryReporterManager::*)(),1,0>::Run /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1132
#24 0x7ffb372e0f6e in mozilla::RunnableTask::Run /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:721
#25 0x7ffb372c6718 in mozilla::TaskController::RunTask /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:212
#26 0x7ffb372d1293 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1360
#27 0x7ffb372cdb48 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1183
#28 0x7ffb372f5eba in mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:349:7'>::Run /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:549
#29 0x7ffb3731c3d7 in nsThread::ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1181
#30 0x7ffb37328a31 in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467
#31 0x7ffb3896bd94 in mozilla::ipc::MessagePump::Run /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85
#32 0x7ffb38882923 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:366
#33 0x7ffb38882733 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:348
#34 0x7ffb429a8b0c in nsBaseAppShell::Run /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:152
#35 0x7ffb42be2a2a in nsAppShell::Run /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:673
#36 0x7ffb45028f38 in XRE_RunAppShell /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:652
#37 0x7ffb38882923 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:366
#38 0x7ffb38882733 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:348
#39 0x7ffb45027241 in XRE_InitChildProcess /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:590
#40 0x7ff7b4f53b55 in NS_internal_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:467
#41 0x7ff7b4f52404 in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:150

Comment 1

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20260317212032-ffa0522d513b.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 168ba991246a5312e3d77a2ffc2a19d0abbb663a (20250319204742)
End: f48076e3b372d7ca9e76d363eb23edea973cd91c (20260313213158)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False, searchfox=False, afl=False)

Comment 2

[Mayank Bansal]

Got a crash from the testcase on Nightly: https://crash-stats.mozilla.org/report/index/dbb5332a-7e68-4a2c-a390-e0ae40260318

Comment 3

[Mayank Bansal]

Bisection:
Bug 2020364 - Part 3: Check if ongoing navigation is NavigationID. r=dom-core,smaug

Differential Revision: https://phabricator.services.mozilla.com/D285988

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 2020364

Comment 5

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 2020364

Comment 6

[BugBot [:suhaib / :marco/ :calixte]]

The bug is linked to a topcrash signature, which matches the following criteria:

• Top 20 desktop browser crashes on beta
• Top 10 content process crashes on beta
• Top 5 desktop browser crashes on Windows on beta

For more information, please visit BugBot documentation.

Comment 7

[BugBot [:suhaib / :marco/ :calixte]]

The bug is marked as tracked for firefox150 (beta). However, the bug still isn't assigned.

:hsinyi, could you please find an assignee for this tracked bug? Given that it is a regression and we know the cause, we could also simply backout the regressor. If you disagree with the tracking decision, please talk with the release managers.

For more information, please visit BugBot documentation.

Comment 8

[Dianna Smith [:diannaS]]

These crashes are high in beta. b5 builds Friday. Thoughts on backing out the regressor?

Comment 9

[Andreas Farre [:farre]]

Attachment: Bug 2024044 - Don't run #navigate-event-intercept-commit-handler-steps from document.open r=#dom-core!

Comment 10

[Phabricator Automation]

firefox-beta Uplift Approval Request

• User impact if declined/Reason for urgency: Double navigate event commit handlers run
• Code covered by automated testing?: yes
• Fix verified in Nightly?: no
• Needs manual QE testing?: no
• Steps to reproduce for manual QE testing:
• Risk associated with taking this patch: low
• Explanation of risk level: Essentially just a check to not do work
• String changes made/needed?: None
• Is Android affected?: yes

Comment 11

[Andreas Farre [:farre]]

Attachment: Bug 2024044 - Don't run #navigate-event-intercept-commit-handler-steps from document.open

Original Revision: https://phabricator.services.mozilla.com/D291687

Comment 12

[Pulsebot]

Pushed by afarre@mozilla.com:
https://github.com/mozilla-firefox/firefox/commit/477bab48edb9
https://hg.mozilla.org/integration/autoland/rev/54ec24067cd0
Don't run #navigate-event-intercept-commit-handler-steps from document.open r=dom-core,jjaschke

Comment 13

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/58951 for changes under testing/web-platform/tests

Comment 14

[amarc]

https://hg.mozilla.org/mozilla-central/rev/54ec24067cd0

Comment 15

[Pulsebot]

https://github.com/mozilla-firefox/firefox/commit/7681e2f3791a
https://hg.mozilla.org/releases/mozilla-beta/rev/3f349fa34864

Comment 16

[Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)]

Upstream PR merged by moz-wptsync-bot

Comment 17

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20260403092323-a7aeacfbb1b3.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 18

[Dianna Smith [:diannaS]]

:farre this landed for b5 and there were still crashes. Can you take a look?

Comment 19

[Dianna Smith [:diannaS]]

Not sure why, but it stopped in b6 which is odd because it landed for b5

Comment 20

[Dianna Smith [:diannaS]]

:farre could you to take a look actually? I thought maybe this could be an early beta crash but I do not see anything that points to that being the case. if so, do you know what it could be driven by?
This patch is in fact in b5 and I do not seem to understand why it crashed there but not in b6/b7.

Comment 21

[Andreas Farre [:farre]]

This is a MOZ_DIAGNOSTIC_ASSERT which is only on for nightly and early beta. Would that explain it?

Comment 22

[Dianna Smith [:diannaS]]

Yes that could def explain it. Wouldn't that also mean though that the fix didn't work and would prob spike again when 151 goes to Beta? (It doesnt seems to happen that often in nightly.

Comment 23

[Andreas Farre [:farre]]

Could it be just bad timing for when it landed? It could also be that for this to fully go away we need https://phabricator.services.mozilla.com/D294179.