Closed Bug 1376212 Opened 7 years ago Closed 7 years ago

stylo: Crash [@ nsAbsoluteContainingBlock::RemoveFrame ]

Categories

(Core :: Layout, defect, P1)

Product:
Core
Component:
Layout
Platform:
Unspecified
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla56
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox54 --- unaffected
firefox55 --- unaffected
firefox56 --- fixed

People

(Reporter: johnp, Assigned: xidorn)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is 
report bp-d8aba41d-f7b2-4b22-a631-c4c370170625.
=============================================================
0 	libxul.so 	nsAbsoluteContainingBlock::RemoveFrame(nsIFrame*, mozilla::layout::FrameChildListID, nsIFrame*) 	
1 	libxul.so 	nsFrameManager::RemoveFrame 	layout/base/nsFrameManager.cpp:426
2 	libxul.so 	nsPlaceholderFrame::DestroyFrom(nsIFrame*) 	
3 	libxul.so 	nsBlockFrame::DoRemoveFrame(nsIFrame*, unsigned int) 	
4 	libxul.so 	nsBlockFrame::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) 	
5 	libxul.so 	nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags, bool*, nsIContent**) 	
6 	libxul.so 	nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, bool, nsCSSFrameConstructor::RemoveFlags, nsIContent**) 	
7 	libxul.so 	mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) 	
8 	libxul.so 	mozilla::ServoRestyleManager::DoProcessPendingRestyles 	layout/base/ServoRestyleManager.cpp:629
9 	libxul.so 	libxul.so@0x1e08e93 	
10 	libxul.so 	nsRefreshDriver::Tick(long, mozilla::TimeStamp) 	
11 	libxul.so 	mozilla::RefreshDriverTimer::TickRefreshDrivers 	layout/base/nsRefreshDriver.cpp:327
12 	libxul.so 	mozilla::RefreshDriverTimer::Tick 	layout/base/nsRefreshDriver.cpp:319
13 	libxul.so 	mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver 	layout/base/nsRefreshDriver.cpp:750
14 	libxul.so 	mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync 	layout/base/nsRefreshDriver.cpp:564
15 	libxul.so 	mozilla::layout::VsyncChild::RecvNotify 	layout/ipc/VsyncChild.cpp:67
16 	libxul.so 	mozilla::layout::PVsyncChild::OnMessageReceived 	obj-firefox/ipc/ipdl/PVsyncChild.cpp:155
17 	libxul.so 	mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) 	
18 	libxul.so 	mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) 	
19 	libxul.so 	libxul.so@0xc71261 	
20 	libxul.so 	mozilla::ipc::MessageChannel::MessageTask::Run() 	
21 	libxul.so 	nsThread::ProcessNextEvent(bool, bool*) 	
22 	libxul.so 	NS_ProcessNextEvent(nsIThread*, bool) 	
23 	libxul.so 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) 	
24 	libxul.so 	MessageLoop::Run() 	
25 	libxul.so 	nsBaseAppShell::Run 	widget/nsBaseAppShell.cpp:156
26 	libxul.so 	XRE_RunAppShell 	toolkit/xre/nsEmbedFunctions.cpp:896
27 	libxul.so 	MessageLoop::Run() 	
28 	libxul.so 	XRE_InitChildProcess 	toolkit/xre/nsEmbedFunctions.cpp:712
29 	firefox 	content_process_main 	ipc/contentproc/plugin-container.cpp:64
30 	firefox 	_init 	
Ø 31 	libc-2.25.so 	libc-2.25.so@0x204d9 	
32 	firefox 	firefox@0x1196f 	
33 	firefox 	firefox@0x1afdf 	
34 	firefox 	firefox@0x1196f 	
35 	firefox 	mozilla::ReadAheadLib(char const*) 	
Ø 36 	ld-2.25.so 	ld-2.25.so@0x1132f 	
37 	firefox 	firefox@0x1afdf 	
38 	firefox 	_start

Fwiw, at the same time, two crash reports were generated. This is the second one: 

bp-fd072b5b-7f8f-4c95-b5cc-9e6920170625
=============================================================
0 	libxul.so 	nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::SwapArrayElements<nsTArrayInfallibleAllocator, nsTArrayInfallibleAllocator> 	xpcom/ds/nsTArray-inl.h:338
1 	libxul.so 	nsCOMArray_base::Clear() 	
2 	libxul.so 	nsMutationReceiver::RemoveClones 	dom/base/nsDOMMutationObserver.h:378
3 	libxul.so 	nsMutationReceiver::Disconnect 	dom/base/nsDOMMutationObserver.cpp:114
4 	libxul.so 	nsMutationReceiver::~nsMutationReceiver 	dom/base/nsDOMMutationObserver.h:346
5 	libxul.so 	nsMutationReceiver::~nsMutationReceiver 	dom/base/nsDOMMutationObserver.h:346
6 	libxul.so 	nsMutationReceiver::Release 	dom/base/nsDOMMutationObserver.cpp:87
7 	libxul.so 	nsCOMArray_base::~nsCOMArray_base() 	
8 	libxul.so 	nsTHashtable<nsBaseHashtableET<nsISupportsHashKey, nsAutoPtr<nsCOMArray<nsMutationReceiver> > > >::s_ClearEntry 	xpcom/ds/nsCOMArray.h:246
9 	libxul.so 	PLDHashTable::Clear() 	
10 	libxul.so 	nsDOMMutationObserver::HandleMutation 	xpcom/ds/nsTHashtable.h:272
11 	libxul.so 	nsDOMMutationObserver::HandleMutationsInternal 	dom/base/nsDOMMutationObserver.cpp:906
12 	libxul.so 	mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) 	
13 	libxul.so 	XPCJSContext::AfterProcessTask 	js/xpconnect/src/XPCJSContext.cpp:1007
14 	libxul.so 	nsThread::ProcessNextEvent(bool, bool*) 	
15 	libxul.so 	NS_ProcessNextEvent(nsIThread*, bool) 	
16 	libxul.so 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) 	
17 	libxul.so 	MessageLoop::Run() 	
18 	libxul.so 	nsBaseAppShell::Run 	widget/nsBaseAppShell.cpp:156
19 	libxul.so 	XRE_RunAppShell 	toolkit/xre/nsEmbedFunctions.cpp:896
20 	libxul.so 	MessageLoop::Run() 	
21 	libxul.so 	XRE_InitChildProcess 	toolkit/xre/nsEmbedFunctions.cpp:712
22 	firefox 	content_process_main 	ipc/contentproc/plugin-container.cpp:64
23 	firefox 	_init 	
Ø 24 	libc-2.25.so 	libc-2.25.so@0x204d9 	
25 	firefox 	firefox@0x1196f 	
26 	firefox 	firefox@0x1afdf 	
Ø 27 	locale-archive 	locale-archive@0x3cc0fff 	
28 	firefox 	firefox@0x1196f 	
29 	firefox 	mozilla::ReadAheadLib(char const*) 	
Ø 30 	ld-2.25.so 	ld-2.25.so@0x1132f 	
31 	firefox 	firefox@0x1afdf 	
32 	firefox 	_start
STR:
1. Visit flipboard tp read news feed.(signed in)
2. Doing random feeds reading back and forth.
3. Crashed tab observed.

The reproduced rate is low but generally it can happen in 3~5 mins.
Blocks: stylo-site-issues
Crash reports for reference:
d706dd03-615e-41d4-9db7-64a750170628
df0d6644-3eee-4568-921f-33c9d0170628
be84f5dc-2a63-4ce8-ba07-39ab70170628
62f626d6-cdc9-4343-ad3e-a6f6f0170628
Sounds like something is going bad with frame constructor.

It would be great if there could be some simplified testcase.
astley, could you try reproducing this issue with a debug build and see if there is any assertion around?
Flags: needinfo?(aschen)
Assignee: nobody → xidorn+moz
Priority: -- → P1
(In reply to Xidorn Quan [:xidorn] UTC+10 from comment #4)
> astley, could you try reproducing this issue with a debug build and see if
> there is any assertion around?

Yes, working on it.
I could easily reproduce this crash on Stylo macOS build as well.
Here comes the crash stack trace.

[Child 54191] WARNING: stylo: HasStateDependentStyle always returns zero!: file /Users/Astley/Mozilla/projects/mozilla-central/layout/style/ServoStyleSet.cpp, line 957
thread '<unnamed>' panicked at 'Resolving style on element without current styles with lazy computation forbidden.', /Users/Astley/Mozilla/projects/mozilla-central/servo/ports/geckolib/glue.rs:2603
stack backtrace:
   0: std::sys::imp::backtrace::tracing::imp::unwind_backtrace
   1: std::panicking::default_hook::{{closure}}
   2: std::panicking::default_hook
   3: std::panicking::rust_panic_with_hook
   4: std::panicking::begin_panic
   5: Servo_ResolveStyle
   6: _ZN7mozilla13ServoStyleSet17ResolveServoStyleEPNS_3dom7ElementE
   7: _ZN7mozilla19ServoRestyleManager20ProcessPostTraversalEPNS_3dom7ElementEP14nsStyleContextRNS_17ServoRestyleStateE
   8: _ZN7mozilla19ServoRestyleManager20ProcessPostTraversalEPNS_3dom7ElementEP14nsStyleContextRNS_17ServoRestyleStateE
   9: _ZN7mozilla19ServoRestyleManager20ProcessPostTraversalEPNS_3dom7ElementEP14nsStyleContextRNS_17ServoRestyleStateE
  10: _ZN7mozilla19ServoRestyleManager20ProcessPostTraversalEPNS_3dom7ElementEP14nsStyleContextRNS_17ServoRestyleStateE
  11: _ZN7mozilla19ServoRestyleManager20ProcessPostTraversalEPNS_3dom7ElementEP14nsStyleContextRNS_17ServoRestyleStateE
  12: _ZN7mozilla19ServoRestyleManager20ProcessPostTraversalEPNS_3dom7ElementEP14nsStyleContextRNS_17ServoRestyleStateE
  13: _ZN7mozilla19ServoRestyleManager20ProcessPostTraversalEPNS_3dom7ElementEP14nsStyleContextRNS_17ServoRestyleStateE
  14: _ZN7mozilla19ServoRestyleManager20ProcessPostTraversalEPNS_3dom7ElementEP14nsStyleContextRNS_17ServoRestyleStateE
  15: _ZN7mozilla19ServoRestyleManager20ProcessPostTraversalEPNS_3dom7ElementEP14nsStyleContextRNS_17ServoRestyleStateE
  16: _ZN7mozilla19ServoRestyleManager20ProcessPostTraversalEPNS_3dom7ElementEP14nsStyleContextRNS_17ServoRestyleStateE
  17: _ZN7mozilla19ServoRestyleManager20ProcessPostTraversalEPNS_3dom7ElementEP14nsStyleContextRNS_17ServoRestyleStateE
  18: _ZN7mozilla19ServoRestyleManager20ProcessPostTraversalEPNS_3dom7ElementEP14nsStyleContextRNS_17ServoRestyleStateE
  19: _ZN7mozilla19ServoRestyleManager20ProcessPostTraversalEPNS_3dom7ElementEP14nsStyleContextRNS_17ServoRestyleStateE
  20: _ZN7mozilla19ServoRestyleManager20ProcessPostTraversalEPNS_3dom7ElementEP14nsStyleContextRNS_17ServoRestyleStateE
  21: _ZN7mozilla19ServoRestyleManager24DoProcessPendingRestylesENS_24TraversalRestyleBehaviorE
  22: _ZN7mozilla9PresShell11HandleEventEP8nsIFramePNS_14WidgetGUIEventEbP13nsEventStatusPP10nsIContent
  23: _ZN7mozilla9PresShell11HandleEventEP8nsIFramePNS_14WidgetGUIEventEbP13nsEventStatusPP10nsIContent
  24: _ZN13nsViewManager13DispatchEventEPN7mozilla14WidgetGUIEventEP6nsViewP13nsEventStatus
  25: _ZN6nsView11HandleEventEPN7mozilla14WidgetGUIEventEb
  26: _ZN7mozilla6widget12PuppetWidget13DispatchEventEPNS_14WidgetGUIEventER13nsEventStatus
  27: _ZN7mozilla6layers18APZCCallbackHelper19DispatchWidgetEventERNS_14WidgetGUIEventE
  28: _ZN7mozilla3dom8TabChild24RecvRealMouseButtonEventERKNS_16WidgetMouseEventERKNS_6layers19ScrollableLayerGuidERKy
  29: _ZThn96_N7mozilla3dom8TabChild22RecvRealMouseMoveEventERKNS_16WidgetMouseEventERKNS_6layers19ScrollableLayerGuidERKy
  30: _ZN7mozilla3dom13PBrowserChild17OnMessageReceivedERKN3IPC7MessageE
  31: _ZN7mozilla3dom13PContentChild17OnMessageReceivedERKN3IPC7MessageE
  32: _ZN7mozilla3ipc14MessageChannel20DispatchAsyncMessageERKN3IPC7MessageE
  33: _ZN7mozilla3ipc14MessageChannel15DispatchMessageEON3IPC7MessageE
  34: _ZN7mozilla3ipc14MessageChannel10RunMessageERNS1_11MessageTaskE
  35: _ZN7mozilla3ipc14MessageChannel11MessageTask3RunEv
  36: _ZN7mozilla14SchedulerGroup8Runnable3RunEv
  37: _ZN8nsThread16ProcessNextEventEbPb
  38: _Z23NS_ProcessPendingEventsP9nsIThreadj
  39: _ZN14nsBaseAppShell19NativeEventCallbackEv
  40: _ZN10nsAppShell18ProcessGeckoEventsEPv
  41: __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
  42: __CFRunLoopDoSources0
  43: __CFRunLoopRun
  44: CFRunLoopRunSpecific
  45: RunCurrentEventLoopInMode
  46: ReceiveNextEventCommon
  47: _BlockUntilNextEventMatchingListInModeWithFilter
  48: _DPSNextEvent
  49: -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:]
  50: -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:]
  51: -[NSApplication run]
  52: _ZN10nsAppShell3RunEv
  53: _Z15XRE_RunAppShellv
  54: _ZN7mozilla3ipc26MessagePumpForChildProcess3RunEPN4base11MessagePump8DelegateE
  55: _ZN11MessageLoop3RunEv
  56: _Z20XRE_InitChildProcessiPPcPK12XREChildData
  57: main
Redirecting call to abort() to mozalloc_abort

Hit MOZ_CRASH() at /Users/Astley/Mozilla/projects/mozilla-central/memory/mozalloc/mozalloc_abort.cpp:33
Status: NEW → ASSIGNED
Flags: needinfo?(aschen)
It seems the stack trace in comment 6 is different from the one I encountered on Linux64 build.
I'm testing on a debug build on macOS, not sure if it's the case.
If not related, I'll fine another bug for follow-up.
That is an assertion added in bug 1345695. It is possible that you are hitting a different bug, or violation of that assertion is the root cause of the crash of this frame constructor issue.

astley, what did you see with you Linux64 build? Is that a debug build?

heycam, it seems you added the assertion mentioned in comment 6, what would you expect to happen if that assertion is violated? Is this bug (the crash with stack in comment 0) looks like something which can be related to that?
Flags: needinfo?(cam)
Flags: needinfo?(aschen)
The panic place in comment 6 is exactly same as bug 1371450 also the stack includes APZ thing, so I am suspecting this was caused by the same root cause, at least for Astley case.
(In reply to Xidorn Quan [:xidorn] UTC+10 from comment #8)
> That is an assertion added in bug 1345695. It is possible that you are
> hitting a different bug, or violation of that assertion is the root cause of
> the crash of this frame constructor issue.
> 
> astley, what did you see with you Linux64 build? Is that a debug build?

I'm encountering the same crash on my local Stylo Linux64 debug build. Presumably, you are guessing right...
I'm trying to have a non-debug build and see what happens.
Given comment 6 and comment 9, make bug 1371450 block this. We can see if this still happens after that gets fixed.
Depends on: 1371450
Tab crash on facebook. No STR yet.
bp-fd6ad759-09d7-4f69-90f2-e077a0170703 03.07.17 18:55 [@ nsAbsoluteContainingBlock::RemoveFrame ]
bp-19920cbc-277c-40d2-8d8e-e6f5f0170703 03.07.17 18:55 [@ nsAbsoluteContainingBlock::RemoveFrame ]
Closing bug 1371450 seems to fix this crash.
Flags: needinfo?(cam)
Flags: needinfo?(aschen)
Oops.
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
status-firefox54: --- → unaffected
status-firefox55: --- → unaffected
status-firefox56: --- → fixed
status-firefox-esr52: --- → unaffected
Target Milestone: --- → mozilla56
You need to log in before you can comment on or make changes to this bug.