stylo: Crash in mozilla::ReflowInput::ReflowInput

RESOLVED FIXED in Firefox 56

Status

()

Core
CSS Parsing and Computation
P1
critical
RESOLVED FIXED
17 days ago
a day ago

People

(Reporter: jseward, Assigned: hiro)

Tracking

(Blocks: 1 bug, {crash})

unspecified
mozilla56
Unspecified
All
crash
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox54 unaffected, firefox55 unaffected, firefox56 fixed, firefox-esr52 unaffected)

Details

(crash signature)

(Reporter)

Description

17 days ago
This bug was filed from the Socorro interface and is 
report bp-c4db0eb3-28be-4cba-8eb0-3c3390170707.
=============================================================

This is topcrash #7 in the Windows nightly of 20170706030206.
(Reporter)

Updated

17 days ago
Flags: needinfo?(dbaron)
The two crashes that I looked at both had stylo enabled.  (It's a huge pain to check multiple crashes thanks to bug 1376359 comment 11 plus the fact that that field can't be displayed as a column.  So I didn't check more than two.)
Component: Layout → CSS Parsing and Computation
Flags: needinfo?(dbaron)
Summary: Crash in mozilla::ReflowInput::ReflowInput → stylo: Crash in mozilla::ReflowInput::ReflowInput
Blocks: 1375906
Priority: -- → P1
I managed to get this twice today (I have Servo CSS enabled for testing).

https://crash-stats.mozilla.com/report/index/7a2cd382-1eee-43a9-b998-31ef30170716
https://crash-stats.mozilla.com/report/index/45d9e06b-48cc-49f3-ab2b-331770170716

I have not been able to figure out a minimised testcase for this and it seems to occur randomly. However I did notice that both of these crashes occurred when I was interacting with controls associated with a video element - one on Facebook and one on Youtube.

I'm not sure how helpful that is but it's all I have on this one right now.

Comment 3

8 days ago
May be related:
bp-64183507-ce38-4fa4-8d38-aa72f0170716 [@ libxul.so@0x1e775c3 | libxul.so@0x1e8ce92 | nsAbsoluteContainingBlock::Reflow ]
tab crash with this signature on Twitter today for the first time.
Flags: needinfo?(xidorn+moz)

Updated

8 days ago
See Also: → bug 1381327
Hit this in google docs: I had text selected and I pressed the link button. When I pasted to link into the popup this crash occurred.
(In reply to Jim Mathies [:jimm] from comment #4)
> Hit this in google docs: I had text selected and I pressed the link button.
> When I pasted to link into the popup this crash occurred.

s/to/the

Unfortunately I can't repo reliably.
This seems to have spiked in the last nightly (15th of July 2017). I had barely seen this crash before that version but since then it has been pretty often. I have at least 8 of these from today, including the two I listed in my last post.

Again, as far as I have noticed they all seem to be relating to interaction with video elements. Still no luck getting a reproducible testcase for this one.
I can reproduce it quite reliably, just move mouse pointer on from the speaker icon to the volume slider and back, repeat until it crashes.

Comment 8

8 days ago
(In reply to Kacper Michajłow [:kasper93] from comment #7)
> I can reproduce it quite reliably, just move mouse pointer on from the
> speaker icon to the volume slider and back, repeat until it crashes.

This step work for me, tab crashes with this crash signature. on YouTube player.
Yes, sorry for that, forgot to mention that it is YouTube player I'm talking about.
Yep, that works for me as well. I hit a panic in debug build:

thread '<unnamed>' panicked at 'Resolving style on element without current styles', .\servo\ports\geckolib\glue.rs:2783
stack backtrace:
   0: std::sys_common::backtrace::_print
             at C:\projects\rust\src\libstd\sys_common\backtrace.rs:94
   1: std::panicking::default_hook::{{closure}}
             at C:\projects\rust\src\libstd\panicking.rs:354
   2: std::panicking::default_hook
             at C:\projects\rust\src\libstd\panicking.rs:371
   3: std::panicking::rust_panic_with_hook
             at C:\projects\rust\src\libstd\panicking.rs:549
   4: std::panicking::begin_panic<&str>
             at C:\projects\rust\src\libstd\panicking.rs:511
   5: geckoservo::glue::Servo_ResolveStyle
             at .\servo\ports\geckolib\glue.rs:2783
   6: mozilla::ServoStyleSet::ResolveServoStyle
             at .\layout\style\servostyleset.cpp:1177
   7: mozilla::ServoRestyleManager::ProcessPostTraversal
             at .\layout\base\servorestylemanager.cpp:553
Hey, but that's an "assert", which should happen in a release build as well... So maybe it is not what you see, although when I tried the steps mentioned in comment 7, I only get this.
Oh, okay, this is a new assertion just added a day ago by emilio.
Flags: needinfo?(xidorn+moz)
Depends on: 1381357
FWIW, I can reproduce the assertion locally after a few seconds of flicking the mouse back and forth between the speaker and volume slider.  I applied Hiro's WIP patch from bug 1378064 locally and couldn't reproduce trying that for about 20 seconds, so it's possible that bug will fix this one.
Depends on: 1378064
I'm hitting this on OSX too. Same STR (mouse over the speaker icon/volume slider on the new youtube about 20 times). I've also hit this just from general youtube use, if you watch a bunch of videos for an hour or so with 'normal' interactions (i.e. it's not the weird STR that causes it, it will happening naturally too).

Updated

7 days ago
OS: Windows 10 → All
(In reply to Xidorn Quan [:xidorn] UTC+10 from comment #10)
> Yep, that works for me as well. I hit a panic in debug build:
> 
> thread '<unnamed>' panicked at 'Resolving style on element without current
> styles', .\servo\ports\geckolib\glue.rs:2783
> stack backtrace:

This is bug 1381475. Let's track such issues there, and file dependent bugs for issues we discover.
Hiro, do you think your fix for bug 1378064 will also fix this crash? heycam said in comment 13 that he was no longer able to reproduce this crash when testing with your fix for bug 1378064.
Assignee: nobody → hikezoe
Flags: needinfo?(hikezoe)
(Assignee)

Comment 17

7 days ago
I don't think the patch for bug 1378064 fixes this crash, the fix just changes the condition of an assertion.
I suppose some of crashes related to frame might need bug 1381431.
Flags: needinfo?(hikezoe)

Comment 18

6 days ago
(In reply to Kacper Michajłow [:kasper93] from comment #7)
> I can reproduce it quite reliably, just move mouse pointer on from the speaker icon to the volume slider and back, repeat until it crashes.

Tab crash in Nightly 56 x64 20170717100212 @ Debian Testing (Linux 4.11.0-1-amd64, Radeon RX480).

Seems to be fixed in Stylo opt/debug try builds from bug 1381431 comment 4. Don't see assertions or tab crashes.

Comment 19

6 days ago
(In reply to Darkspirit from comment #18)
I should have said that the STR from comment 7 at least does not lead to this crash anymore in those try builds. Can't say anything about this crash signature.
(Assignee)

Comment 20

5 days ago
Thank you Darkspirit for the check.  Yes, it's hard to tell bug 1381431 fixed this crash (but I hope).  Now bug 1381431 has been landed into mozilla-central but not yet included in the latest nightly.

Comment 21

4 days ago
Last crash seen with build 20170717063821 (build 2017-07-17) on https://crash-stats.mozilla.com/signature/?signature=mozilla%3A%3AReflowInput%3A%3AReflowInput so far.

(In reply to Darkspirit from comment #18)
> Tab crash in Nightly 56 x64 20170717100212 @ Debian Testing (Linux 4.11.0-1-amd64, Radeon RX480).
Maybe I got another crash signature in that build with the STR from comment 7, hm? Strange. Sorry, I should have been more attentive.
(Assignee)

Comment 22

2 days ago
Closing since, as Darkspirit commented in comment 21, we have no more crash reports since 20170717063821 (precisely it's 20170716100325, 20170717063821 is a buildid for firefox-55.0b). I guess bug 1371450 fixed this?
Status: NEW → RESOLVED
Last Resolved: 2 days ago
Resolution: --- → FIXED
status-firefox54: --- → unaffected
status-firefox55: --- → unaffected
status-firefox56: --- → fixed
status-firefox-esr52: --- → unaffected
Target Milestone: --- → mozilla56
You need to log in before you can comment on or make changes to this bug.