1381386 - stylo: Crash in mozalloc_abort | abort | style::properties::{{impl}}::to_css<T>

Status: RESOLVED FIXED

(Core :: CSS Parsing and Computation, defect, P2)

Description

[Chris Peterson [:cpeterson]]

This bug was filed from the Socorro interface and is 
report bp-1f17713b-905a-4695-bc6e-12c9f0170715.
=============================================================

Comment 1

[Xidorn Quan [:xidorn] UTC+11]

This isn't quite actionable... It is unknown which to_css aborts from the information in the report... It would be much helpful if it is from a post-20170715 build, so that we can at least have some panic message.

Comment 2

[Hiroyuki Ikezoe (:hiro)]

This is definitely a report I sent!
The crash happened when I try to check bug 1381196. With opening devtools' animation inspector and moving mouse over photos.

I guess this will easily fixed.

Comment 3

[Xidorn Quan [:xidorn] UTC+11]

So there is another report bp-7105f07a-9a6d-482b-b529-57a010170717 with the panic message showing "internal error: entered unreachable code", so we are probably hitting an unreachable!() here. It is possible that animation can generate something that isn't supposed to be serializable in CSS. It would be helpful if we know at least what {{impl}} it is...

Comment 4

[Hiroyuki Ikezoe (:hiro)]

(In reply to Xidorn Quan [:xidorn] UTC+10 from comment #3)
> So there is another report bp-7105f07a-9a6d-482b-b529-57a010170717 with the
> panic message showing "internal error: entered unreachable code", so we are
> probably hitting an unreachable!() here.

That one is also mine. :)

Comment 5

[Hiroyuki Ikezoe (:hiro)]

Jeremy, if you are looking for find bugs related to crashes or real site issues, I think this bug is a good one for you.

STR

1) Open https://www.yelp.com/biz/golden-gate-bridge-san-francisco
2) Open animation inspector in devtools
3) Move mouse over images in the page

Comment 6

[Jeremy Chen (chenpighead@gmail.com)]

Hi Hiro, I'd be happy to investigate this one. However, I just built stylo with the latest autoland, but I can't reproduce this on my Mac. Is this a Linux specific issue? Are you able to reproduce this still?

Comment 7

[Hiroyuki Ikezoe (:hiro)]

OK, I can reproduce this on linux, so I will look into this next week.

Comment 8

[Hiroyuki Ikezoe (:hiro)]

Checked this on gdb.  We are trying to serialize InterpolateMatrix. Boris, would you mind taking this?

Comment 9

[Boris Chiou [:boris]]

(In reply to Hiroyuki Ikezoe (:hiro) from comment #8)
> Checked this on gdb.  We are trying to serialize InterpolateMatrix. Boris,
> would you mind taking this?

Sure. I can take this.

Comment 10

[Boris Chiou [:boris]]

(In reply to Boris Chiou [:boris] from comment #9)
> (In reply to Hiroyuki Ikezoe (:hiro) from comment #8)
> > Checked this on gdb.  We are trying to serialize InterpolateMatrix. Boris,
> > would you mind taking this?
> 
> Sure. I can take this.

Oh. It seems this only happens on Linux. I will try to reproduce this on my desktop (linux).

Comment 11

[Boris Chiou [:boris]]

My call stack on MacOS:

thread '<unnamed>' panicked at 'internal error: entered unreachable code', /Users/boris/projects/firefox/gecko/objdirs/obj-browser-stylo-debug/toolkit/library/x86_64-apple-darwin/debug/build/style-4d1510e2bb79ef6a/out/properties.rs:14291
stack backtrace:
   0: std::sys::imp::backtrace::tracing::imp::unwind_backtrace
   1: std::panicking::default_hook::{{closure}}
   2: std::panicking::default_hook
   3: std::panicking::rust_panic_with_hook
   4: std::panicking::begin_panic
   5: <style::properties::longhands::transform::SpecifiedOperation as style_traits::values::ToCss>::to_css
   6: <style::properties::longhands::transform::SpecifiedValue as style_traits::values::ToCss>::to_css
   7: <style::properties::PropertyDeclaration as style_traits::values::ToCss>::to_css
   8: style::properties::declaration_block::PropertyDeclarationBlock::single_value_to_css
   9: Servo_AnimationValue_Serialize
  10: _ZN7mozilla3domL19CreatePropertyValueE15nsCSSPropertyIDfRKNS_5MaybeINS_22ComputedTimingFunctionEEERKNS_14AnimationValueENS0_18CompositeOperationERNS0_29AnimationPropertyValueDetailsE
  11: _ZNK7mozilla3dom22KeyframeEffectReadOnly13GetPropertiesER8nsTArrayINS0_24AnimationPropertyDetailsEERNS_11ErrorResultE
  12: _ZN7mozilla3dom29KeyframeEffectReadOnlyBindingL13getPropertiesEP9JSContextN2JS6HandleIP8JSObjectEEPNS0_22KeyframeEffectReadOnlyERK19JSJitMethodCallArgs
  13: _ZN7mozilla3dom20GenericBindingMethodEP9JSContextjPN2JS5ValueE

Comment 12

[Boris Chiou [:boris]]

At least this happens on Linux and MacOS

Comment 13

[Boris Chiou [:boris]]

Looks like we have to implement the serialization of interpolatmatrix and accumulatematrix. I checked how Gecko did, and it seems Gecko serialize interpolatematrix as something like:

"interpolatematrix(scale(0.88) translateZ(0px), translateZ(1px), 94.7901%)"

So I will following the same idea from Gecko because KeyframeEffectReadOnly::GetProperties() is a ChromeOnly API.

Comment 14

[Boris Chiou [:boris]]

Attachment: Bug 1381386 - Implement ToCss for SpecifiedOperation::{InterpolateMatrix|AccumulateMatrix}.

DevTools may serialize an InterpolateMatrix or AccumulateMatrix by
KeyframeEffectReadOnly::GetProperties(), so we have to implement both.

Review commit: https://reviewboard.mozilla.org/r/162372/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/162372/

Comment 15

[Brian Birtles (:birtles, Feb 26~ parental leave)]

Comment on attachment 8891177 [details]
Bug 1381386 - Implement ToCss for SpecifiedOperation::{InterpolateMatrix|AccumulateMatrix}.

https://reviewboard.mozilla.org/r/162372/#review167654

Comment 16

[Boris Chiou [:boris]]

Attachment: Servo PR, #17903

Comment 17

[Boris Chiou [:boris]]

landed in m-c:
https://hg.mozilla.org/mozilla-central/rev/57339111e7b9