Closed
Bug 1375902
Opened 7 years ago
Closed 7 years ago
stylo: Crash in mozalloc_abort | abort | geckoservo::glue::Servo_TraverseSubtree
Categories
(Core :: CSS Parsing and Computation, defect, P1)
VERIFIED
FIXED
mozilla56
Release | Tracking | Status |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox54 | --- | unaffected |
firefox55 | --- | unaffected |
firefox56 | --- | fixed |
People
(Reporter: Usul, Assigned: hiro)
References
(Blocks 1 open bug)
Details
(Keywords: crash)
Crash Data
Attachments
(2 files)
This bug was filed from the Socorro interface and is report bp-35db4048-99ba-46d3-b9fb-a0f930170623.

```
=============================================================
Frame  Module  Signature  Source
0 firefox mozalloc_abort memory/mozalloc/mozalloc_abort.cpp:33
1 firefox abort memory/mozalloc/mozalloc_abort.cpp:80
2 libxul.so std::panicking::rust_panic /checkout/src/libpanic_abort/lib.rs:61
3 libxul.so std::panicking::rust_panic_with_hook /checkout/src/libstd/panicking.rs:565
4 libxul.so std::panicking::begin_panic<collections::string::String> /checkout/src/libstd/panicking.rs:511
5 libxul.so std::panicking::begin_panic_fmt /checkout/src/libstd/panicking.rs:495
6 libxul.so core::panicking::panic_fmt /checkout/src/libstd/panicking.rs:471
7 libxul.so core::panicking::panic /checkout/src/libcore/panicking.rs:49
8 libxul.so geckoservo::glue::Servo_TraverseSubtree /checkout/src/libcore/macros.rs:21
9 libxul.so mozilla::ServoStyleSet::PrepareAndTraverseSubtree layout/style/ServoStyleSet.cpp:446
10 libxul.so libxul.so@0x1e28b25
11 libxul.so nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*)
12 libxul.so nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&)
13 libxul.so nsCSSFrameConstructor::ConstructFramesFromItemList layout/base/nsCSSFrameConstructor.cpp:6313
14 libxul.so nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*)
15 libxul.so nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, nsStyleContext*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*)
16 libxul.so nsCSSFrameConstructor::ConstructNonScrollableBlockWithConstructor(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&, nsBlockFrame* (*)(nsIPresShell*, nsStyleContext*))
17 libxul.so nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&)
18 libxul.so nsCSSFrameConstructor::ConstructFramesFromItemList layout/base/nsCSSFrameConstructor.cpp:6313
19 libxul.so nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*)
20 libxul.so nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&)
21 libxul.so nsCSSFrameConstructor::ConstructFramesFromItemList layout/base/nsCSSFrameConstructor.cpp:6313
22 libxul.so nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*)
23 libxul.so nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&)
24 libxul.so nsCSSFrameConstructor::ConstructFramesFromItemList layout/base/nsCSSFrameConstructor.cpp:6313
25 libxul.so nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*)
26 libxul.so nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, nsStyleContext*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*)
27 libxul.so nsCSSFrameConstructor::ConstructNonScrollableBlockWithConstructor(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&, nsBlockFrame* (*)(nsIPresShell*, nsStyleContext*))
28 libxul.so nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&)
29 libxul.so nsCSSFrameConstructor::ConstructFramesFromItemList layout/base/nsCSSFrameConstructor.cpp:6313
30 libxul.so nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*)
31 libxul.so nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, nsStyleContext*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*)
32 libxul.so nsCSSFrameConstructor::ConstructNonScrollableBlockWithConstructor(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&, nsBlockFrame* (*)(nsIPresShell*, nsStyleContext*))
33 libxul.so nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&)
34 libxul.so nsCSSFrameConstructor::ConstructFramesFromItemList layout/base/nsCSSFrameConstructor.cpp:6313
35 libxul.so nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*)
36 libxul.so nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, nsStyleContext*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*)
37 libxul.so nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*, nsILayoutHistoryState*)
38 libxul.so nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsIContent*, nsILayoutHistoryState*, bool, bool, TreeMatchContext*)
39 libxul.so nsCSSFrameConstructor::ContentInserted layout/base/nsCSSFrameConstructor.h:276
40 libxul.so mozilla::PresShell::Initialize(int, int)
41 libxul.so nsContentSink::StartLayout(bool)
42 libxul.so nsContentSink::StyleSheetLoaded(mozilla::StyleSheet*, bool, nsresult)
43 libxul.so mozilla::css::Loader::SheetComplete(mozilla::css::SheetLoadData*, nsresult)
44 libxul.so mozilla::css::Loader::ParseSheet(nsAString const&, mozilla::css::SheetLoadData*, bool&)
45 libxul.so mozilla::css::SheetLoadData::OnStreamComplete(nsIUnicharStreamLoader*, nsISupports*, nsresult, nsAString const&)
46 libxul.so nsUnicharStreamLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult)
47 libxul.so mozilla::net::nsHTTPCompressConv::OnStopRequest netwerk/streamconv/converters/nsHTTPCompressConv.cpp:170
48 libxul.so mozilla::net::HttpChannelChild::DoOnStopRequest netwerk/protocol/http/HttpChannelChild.cpp:1114
49 libxul.so mozilla::net::HttpChannelChild::OnStopRequest netwerk/protocol/http/HttpChannelChild.cpp:1043
50 libxul.so mozilla::net::ChannelEventQueue::RunOrEnqueue netwerk/ipc/ChannelEventQueue.h:215
51 libxul.so mozilla::net::HttpBackgroundChannelChild::RecvOnStopRequest netwerk/protocol/http/HttpBackgroundChannelChild.cpp:251
52 libxul.so mozilla::net::PHttpBackgroundChannelChild::OnMessageReceived obj-firefox/ipc/ipdl/PHttpBackgroundChannelChild.cpp:172
53 libxul.so mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&)
54 libxul.so mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&)
55 libxul.so libxul.so@0xc71121
56 libxul.so mozilla::ipc::MessageChannel::MessageTask::Run()
57 libxul.so nsThread::ProcessNextEvent(bool, bool*)
58 libxul.so NS_ProcessNextEvent(nsIThread*, bool)
59 libxul.so mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)
60 libxul.so MessageLoop::Run()
61 libxul.so nsBaseAppShell::Run widget/nsBaseAppShell.cpp:156
62 libxul.so XRE_RunAppShell toolkit/xre/nsEmbedFunctions.cpp:896
63 libxul.so MessageLoop::Run()
64 libxul.so XRE_InitChildProcess toolkit/xre/nsEmbedFunctions.cpp:712
65 firefox content_process_main ipc/contentproc/plugin-container.cpp:64
66 firefox _init Ø
67 libc-2.25.so libc-2.25.so@0x204d9
68 firefox firefox@0x1182f
69 firefox firefox@0x1aeef
70 firefox firefox@0x1182f
71 firefox mozilla::ReadAheadLib(char const*) Ø
72 ld-2.25.so ld-2.25.so@0x1105f
73 firefox firefox@0x1aeef
74 firefox _start
```

This was on loading linkedin; it crashed 3 times, then let it load. I have layout.css.servo.enabled enabled.
Updated•7 years ago
Blocks: stylo
Component: Untriaged → CSS Parsing and Computation
Summary: Crash in mozalloc_abort | abort | geckoservo::glue::Servo_TraverseSubtree → stylo: Crash in mozalloc_abort | abort | geckoservo::glue::Servo_TraverseSubtree
Updated•7 years ago
Blocks: stylo-site-issues
Comment 1•7 years ago
I can't repro this consistently, but this seems to be panicking in the borrow_data().unwrap() in Servo_TraverseSubtree... Cameron, you poked at that last time, and I've definitely seen that before (though I never reported because I couldn't find STR). Do you think it's reasonable to just return false if the data is None? That'd get rid of some complexity re. the ForNewlyBoundElement thing.
Updated•7 years ago
Flags: needinfo?(cam)
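A small model of the failure discussed in comment 1, added here as an illustration and not taken from Servo or Gecko: an optional style-data slot is unwrapped, which panics when the slot is empty, next to the "return false if the data is None" alternative. The `Element` and `ElementData` types, the `needs_followup` field and all function names except `borrow_data` are hypothetical; `std::cell::RefCell` stands in for whatever cell type the real code uses.

```rust
use std::cell::{Ref, RefCell};
use std::panic::{catch_unwind, AssertUnwindSafe};

// Hypothetical stand-ins for the per-element style data in comment 1.
struct ElementData {
    needs_followup: bool,
}

struct Element {
    data: Option<RefCell<ElementData>>,
}

impl Element {
    // Returns None when no style data is attached to the element.
    fn borrow_data(&self) -> Option<Ref<'_, ElementData>> {
        self.data.as_ref().map(|cell| cell.borrow())
    }
}

// Shape of the crashing call: an empty slot becomes a panic. In a build
// where panics abort (the libpanic_abort frames in the stack above), that
// takes down the whole content process.
fn traverse_unwrap(root: &Element) -> bool {
    root.borrow_data().unwrap().needs_followup
}

// Shape of the alternative raised in comment 1: missing data is treated
// as "nothing to do" and reported to the caller as false.
fn traverse_checked(root: &Element) -> bool {
    match root.borrow_data() {
        Some(data) => data.needs_followup,
        None => false,
    }
}

// Runs the unwrap variant and reports whether it panicked. This only
// works in an unwinding build; with panic=abort the process would die.
fn unwrap_variant_panics(root: &Element) -> bool {
    catch_unwind(AssertUnwindSafe(|| traverse_unwrap(root))).is_err()
}

fn main() {
    let styled = Element { data: Some(RefCell::new(ElementData { needs_followup: true })) };
    let unstyled = Element { data: None };
    println!("styled: unwrap={} checked={}", traverse_unwrap(&styled), traverse_checked(&styled));
    println!("unstyled: checked={}", traverse_checked(&unstyled));
    println!("unstyled: unwrap panics={}", unwrap_variant_panics(&unstyled));
}
```
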
Assignee
Comment 2•7 years ago
I posted a test case to cause the panic at borrow_data().unwrap() in bug 1374175. I am not sure it's the same issue as this.
Comment 3•7 years ago
Hello! Managed to reproduce this crash on Ubuntu 16.04 x64, using Firefox 56.0a1 (2017-06-26) every time I followed the next steps:

1. Launch Firefox
2. Go to about:config and set layout.css.servo.enabled to true
3. Restart Firefox using the same profile
4. Go to https://www.linkedin.com/ and attempt to login
5. Go to https://www.linkedin.com/feed/; https://www.linkedin.com/mynetwork/; https://www.linkedin.com/jobs/; https://www.linkedin.com/messaging; https://www.linkedin.com/notifications/ and then reload each page

Result:

- The Linkedin tab crashes after step 4 and step 5.
- The same tab crashes every 2 reloads.

If following the same steps with layout.css.servo.enabled set to false, the crash is not reproducible.
Updated•7 years ago
Priority: -- → P1
Assignee
Comment 4•7 years ago
While loading linkedin with login state, I got the panic in bug 1371450.
Comment 6•7 years ago
Fwiw, I can reproduce this reliably by visiting http://prestodb.rocks/code/simd/.
Assignee
Comment 7•7 years ago
OK, the site in comment 6 is interesting. I thought bug 1374175 fixes the panic, but the current patches I have for bug 1374175 do not fix the case in comment 6. The stack is slightly different. It seems not related to animations?
Comment 8•7 years ago
Attached a greatly-reduced testcase derived from http://prestodb.rocks/code/simd/ .
Assignee
Comment 9•7 years ago
Thank you Brad for the simplified test case. The test case does not cause any crashes with patches for bug 1374175. So I think the site has two issues, one is bug 1374175 and the other is bug 1377197.
Comment 10•7 years ago
Currently I can't scroll down on https://twitter.com/janboehm and get tab crashes. A retweeted tweet with a livestream inside it isn't displayed (it's a white place) between the other tweets.

bp-c954bb1f-87a9-4155-bea6-4af7d0170706 06.07.17 20:53
bp-41c2f4a5-edfa-4e9b-b327-04e720170706 06.07.17 20:53
bp-c8dc23ea-77ef-4cf5-adac-7ea9e0170706 06.07.17 20:52
bp-3fafbe2e-5d9f-4045-bdc7-5fd340170706 06.07.17 20:52
bp-9e472bf1-a627-4904-b94c-c463c0170706 06.07.17 20:52
bp-9b33d651-b8ce-4688-bccc-af1df0170706 06.07.17 20:52
bp-edfad13f-4d61-4dbd-a67e-793f40170706 06.07.17 20:52
Assignee
Comment 13•7 years ago
Fixed by bug 1374175.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Comment 14•7 years ago
Verified in comment 13. (Marked as verified for better overview in stylo-site-issues because of bug 1375983 comment 5.)
Status: RESOLVED → VERIFIED
Version: 48 Branch → Trunk
Updated•7 years ago
status-firefox54:
--- → unaffected
status-firefox55:
--- → unaffected
status-firefox56:
--- → fixed
status-firefox-esr52:
--- → unaffected
Target Milestone: --- → mozilla56
Updated•6 years ago
Flags: needinfo?(cam)