stylo: Crash in mozilla::ReflowInput::InitConstraints

RESOLVED FIXED in Firefox 56

Status

Core
CSS Parsing and Computation
P1
critical
RESOLVED FIXED
13 days ago
a day ago

People

(Reporter: marcia, Unassigned)

Tracking

(Blocks: 1 bug, {crash})

Trunk
mozilla56
Unspecified
Windows 10
crash

Firefox Tracking Flags

(firefox54 unaffected, firefox55 unaffected, firefox56 fixed, firefox-esr52 unaffected)

Description

13 days ago
This bug was filed from the Socorro interface and is report bp-721f016e-45ee-4644-9b58-9b25f0170708.
=============================================================

Seen while looking at crash stats - several crashes on nightly: http://bit.ly/2tJGOej

One user says he crashes when loading https://clips.twitch.tv/TiredSneakyHamburgerOMGScoots in full screen.
(Reporter)

Updated

13 days ago
Blocks: 1375906
Some of the reports include an APZ thing, some of them include Element::ClientWidth(). Also I noticed there has been no crash since 20170710; I am not sure because there are a few samples.
When I was watching the site <https://clips.twitch.tv/TiredSneakyHamburgerOMGScoots> with mouse movements, I got an assertion:

thread '<unnamed>' panicked at '<div> (0x7fff9c8fe0d0) has still dirty bit true or animation-only dirty bit false', /home/ikezoe/central/servo/ports/geckolib/glue.rs:2998

The stack is:
#8  0x00007fffe7bd71f5 in geckoservo::glue::Servo_AssertTreeIsClean::assert_subtree_is_clean (el=...) at /home/ikezoe/central/servo/ports/geckolib/glue.rs:2998
#9  0x00007fffe7bd72d0 in geckoservo::glue::Servo_AssertTreeIsClean::assert_subtree_is_clean (el=...) at /home/ikezoe/central/servo/ports/geckolib/glue.rs:3003
#10 0x00007fffe7bd72d0 in geckoservo::glue::Servo_AssertTreeIsClean::assert_subtree_is_clean (el=...) at /home/ikezoe/central/servo/ports/geckolib/glue.rs:3003
#11 0x00007fffe7bd72d0 in geckoservo::glue::Servo_AssertTreeIsClean::assert_subtree_is_clean (el=...) at /home/ikezoe/central/servo/ports/geckolib/glue.rs:3003
#12 0x00007fffe7bd72d0 in geckoservo::glue::Servo_AssertTreeIsClean::assert_subtree_is_clean (el=...) at /home/ikezoe/central/servo/ports/geckolib/glue.rs:3003
#13 0x00007fffe7bd72d0 in geckoservo::glue::Servo_AssertTreeIsClean::assert_subtree_is_clean (el=...) at /home/ikezoe/central/servo/ports/geckolib/glue.rs:3003
#14 0x00007fffe7bd72d0 in geckoservo::glue::Servo_AssertTreeIsClean::assert_subtree_is_clean (el=...) at /home/ikezoe/central/servo/ports/geckolib/glue.rs:3003
#15 0x00007fffe7bd72d0 in geckoservo::glue::Servo_AssertTreeIsClean::assert_subtree_is_clean (el=...) at /home/ikezoe/central/servo/ports/geckolib/glue.rs:3003
#16 0x00007fffe7bd72d0 in geckoservo::glue::Servo_AssertTreeIsClean::assert_subtree_is_clean (el=...) at /home/ikezoe/central/servo/ports/geckolib/glue.rs:3003
#17 0x00007fffe7bd6d75 in geckoservo::glue::Servo_AssertTreeIsClean (root=0x7fffc06eacc0) at /home/ikezoe/central/servo/ports/geckolib/glue.rs:3008
#18 0x00007fffe3bd1bc5 in mozilla::ServoStyleSet::AssertTreeIsClean (this=0x7fffc06ead70) at /home/ikezoe/central/layout/style/ServoStyleSet.cpp:1024
#19 0x00007fffe3dbba72 in mozilla::ServoRestyleManager::DoProcessPendingRestyles (this=0x7fffd12cca60, aRestyleBehavior=mozilla::TraversalRestyleBehavior::Normal)
    at /home/ikezoe/central/layout/base/ServoRestyleManager.cpp:856
#20 0x00007fffe3dbbb45 in mozilla::ServoRestyleManager::ProcessPendingRestyles (this=0x7fffd12cca60) at /home/ikezoe/central/layout/base/ServoRestyleManager.cpp:875
#21 0x00007fffe3dc62b6 in mozilla::RestyleManager::ProcessPendingRestyles (this=0x7fffd12cca60) at /home/ikezoe/central/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44
#22 0x00007fffe3d97fa8 in mozilla::PresShell::DoFlushPendingNotifications (this=0x7fffc12d9000, aFlush=...) at /home/ikezoe/central/layout/base/PresShell.cpp:4193
#23 0x00007fffe3d5a5a8 in nsIPresShell::FlushPendingNotifications (this=0x7fffc12d9000, aType=...) at /home/ikezoe/central/layout/base/nsIPresShell.h:587
#24 0x00007fffe3d9797c in mozilla::PresShell::DoFlushPendingNotifications (this=0x7fffc12d9000, aType=mozilla::FlushType::Layout) at /home/ikezoe/central/layout/base/PresShell.cpp:4069
#25 0x00007fffe15981cd in nsIPresShell::FlushPendingNotifications (this=0x7fffc12d9000, aType=mozilla::FlushType::Layout)
    at /home/ikezoe/central/obj-firefox/dist/include/nsIPresShell.h:578
#26 0x00007fffe18af2f1 in nsDocument::FlushPendingNotifications (this=0x7fffd20cc000, aType=mozilla::FlushType::Layout) at /home/ikezoe/central/dom/base/nsDocument.cpp:8089
#27 0x00007fffe1780620 in mozilla::dom::Element::GetPrimaryFrame (this=0x7fff9e47d000, aType=mozilla::FlushType::Layout) at /home/ikezoe/central/dom/base/Element.cpp:2262
#28 0x00007fffe177ac97 in mozilla::dom::Element::GetScrollFrame (this=0x7fff9e47d000, aStyledFrame=0x7fffffff7c90, aFlushType=mozilla::FlushType::Layout)
    at /home/ikezoe/central/dom/base/Element.cpp:681
#29 0x00007fffe177be1b in mozilla::dom::Element::GetClientAreaRect (this=0x7fff9e47d000) at /home/ikezoe/central/dom/base/Element.cpp:1012
#30 0x00007fffe24f9089 in mozilla::dom::Element::ClientWidth (this=0x7fff9e47d000) at /home/ikezoe/central/obj-firefox/dist/include/mozilla/dom/Element.h:1065
#31 0x00007fffe24d0ad3 in mozilla::dom::ElementBinding::get_clientWidth (cx=0x7fffd6a2e000, obj=..., self=0x7fff9e47d000, args=...)
    at /home/ikezoe/central/obj-firefox/dom/bindings/ElementBinding.cpp:2782

This is the ClientWidth() case, and as far as I can tell, it's not animation-only traversal, it's normal traversal.
I got another assertion with the same STR in comment 2.

52	    MOZ_ASSERT((otherBits | ourBits) == otherBits, "otherBits should be a superset");
(gdb) bt
#0  0x00007fffe3dbfd56 in mozilla::ServoStyleContext::ResolveSameStructsAs (this=0x7fff900fef80, aPresContext=0x7fffad7ba800, aOther=0x7fff9b750980)
    at /home/ikezoe/central/obj-firefox/dist/include/mozilla/ServoStyleContext.h:52
#1  0x00007fffe3dbabd4 in mozilla::ServoRestyleManager::ProcessPostTraversal (this=0x7fffadbcf060, aElement=0x7fff9daff1f0, aParentContext=0x7fff8e008ac0, aRestyleState=..., 
    aRestyleBehavior=mozilla::TraversalRestyleBehavior::Normal) at /home/ikezoe/central/layout/base/ServoRestyleManager.cpp:545
#2  0x00007fffe3dbaf2d in mozilla::ServoRestyleManager::ProcessPostTraversal (this=0x7fffadbcf060, aElement=0x7fff9cc19780, aParentContext=0x7fffb65b8c00, aRestyleState=..., 
    aRestyleBehavior=mozilla::TraversalRestyleBehavior::Normal) at /home/ikezoe/central/layout/base/ServoRestyleManager.cpp:616
#3  0x00007fffe3dbaf2d in mozilla::ServoRestyleManager::ProcessPostTraversal (this=0x7fffadbcf060, aElement=0x7fff9cd92f70, aParentContext=0x7fffb65b8bc0, aRestyleState=..., 
    aRestyleBehavior=mozilla::TraversalRestyleBehavior::Normal) at /home/ikezoe/central/layout/base/ServoRestyleManager.cpp:616
#4  0x00007fffe3dbaf2d in mozilla::ServoRestyleManager::ProcessPostTraversal (this=0x7fffadbcf060, aElement=0x7fff9cd92ca0, aParentContext=0x7fff9eef8f40, aRestyleState=..., 
    aRestyleBehavior=mozilla::TraversalRestyleBehavior::Normal) at /home/ikezoe/central/layout/base/ServoRestyleManager.cpp:616
#5  0x00007fffe3dbaf2d in mozilla::ServoRestyleManager::ProcessPostTraversal (this=0x7fffadbcf060, aElement=0x7fffa7df1c50, aParentContext=0x7fffb65b8200, aRestyleState=..., 
    aRestyleBehavior=mozilla::TraversalRestyleBehavior::Normal) at /home/ikezoe/central/layout/base/ServoRestyleManager.cpp:616
#6  0x00007fffe3dbaf2d in mozilla::ServoRestyleManager::ProcessPostTraversal (this=0x7fffadbcf060, aElement=0x7fffa7df1b30, aParentContext=0x7fffb65b81c0, aRestyleState=..., 
    aRestyleBehavior=mozilla::TraversalRestyleBehavior::Normal) at /home/ikezoe/central/layout/base/ServoRestyleManager.cpp:616
#7  0x00007fffe3dbaf2d in mozilla::ServoRestyleManager::ProcessPostTraversal (this=0x7fffadbcf060, aElement=0x7fffa7df1aa0, aParentContext=0x7fff9eef8b80, aRestyleState=..., 
    aRestyleBehavior=mozilla::TraversalRestyleBehavior::Normal) at /home/ikezoe/central/layout/base/ServoRestyleManager.cpp:616
#8  0x00007fffe3dbaf2d in mozilla::ServoRestyleManager::ProcessPostTraversal (this=0x7fffadbcf060, aElement=0x7fffa7df1a10, aParentContext=0x7fffb65b8140, aRestyleState=..., 
    aRestyleBehavior=mozilla::TraversalRestyleBehavior::Normal) at /home/ikezoe/central/layout/base/ServoRestyleManager.cpp:616
#9  0x00007fffe3dbaf2d in mozilla::ServoRestyleManager::ProcessPostTraversal (this=0x7fffadbcf060, aElement=0x7fffa7df18f0, aParentContext=0x7fff9eef8180, aRestyleState=..., 
    aRestyleBehavior=mozilla::TraversalRestyleBehavior::Normal) at /home/ikezoe/central/layout/base/ServoRestyleManager.cpp:616
#10 0x00007fffe3dbaf2d in mozilla::ServoRestyleManager::ProcessPostTraversal (this=0x7fffadbcf060, aElement=0x7fffa7d50dc0, aParentContext=0x7fff9eef8080, aRestyleState=..., 
    aRestyleBehavior=mozilla::TraversalRestyleBehavior::Normal) at /home/ikezoe/central/layout/base/ServoRestyleManager.cpp:616
#11 0x00007fffe3dbaf2d in mozilla::ServoRestyleManager::ProcessPostTraversal (this=0x7fffadbcf060, aElement=0x7fffad235190, aParentContext=0x0, aRestyleState=..., 
    aRestyleBehavior=mozilla::TraversalRestyleBehavior::Normal) at /home/ikezoe/central/layout/base/ServoRestyleManager.cpp:616
#12 0x00007fffe3dbb797 in mozilla::ServoRestyleManager::DoProcessPendingRestyles (this=0x7fffadbcf060, aRestyleBehavior=mozilla::TraversalRestyleBehavior::Normal)
    at /home/ikezoe/central/layout/base/ServoRestyleManager.cpp:805
#13 0x00007fffe3dbbb45 in mozilla::ServoRestyleManager::ProcessPendingRestyles (this=0x7fffadbcf060) at /home/ikezoe/central/layout/base/ServoRestyleManager.cpp:875
#14 0x00007fffe3dc62a0 in mozilla::RestyleManager::ProcessPendingRestyles (this=0x7fffadbcf060) at /home/ikezoe/central/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44
#15 0x00007fffe3d97fa8 in mozilla::PresShell::DoFlushPendingNotifications (this=0x7fffad229000, aFlush=...) at /home/ikezoe/central/layout/base/PresShell.cpp:4193
#16 0x00007fffe3d5a5a8 in nsIPresShell::FlushPendingNotifications (this=0x7fffad229000, aType=...) at /home/ikezoe/central/layout/base/nsIPresShell.h:587
#17 0x00007fffe3d9797c in mozilla::PresShell::DoFlushPendingNotifications (this=0x7fffad229000, aType=mozilla::FlushType::InterruptibleLayout)
    at /home/ikezoe/central/layout/base/PresShell.cpp:4069
#18 0x00007fffe15981cd in nsIPresShell::FlushPendingNotifications (this=0x7fffad229000, aType=mozilla::FlushType::InterruptibleLayout)
    at /home/ikezoe/central/obj-firefox/dist/include/nsIPresShell.h:578
#19 0x00007fffe29a3ebb in mozilla::EventStateManager::FlushPendingEvents (this=0x7fffad815fa0, aPresContext=0x7fffad7ba800)
    at /home/ikezoe/central/dom/events/EventStateManager.cpp:5106
#20 0x00007fffe2995b27 in mozilla::EventStateManager::PreHandleEvent (this=0x7fffad815fa0, aPresContext=0x7fffad7ba800, aEvent=0x7fffffffc160, aTargetFrame=0x7fff9cd42310, 
    aTargetContent=0x7fff9daff510, aStatus=0x7fffffffbf7c) at /home/ikezoe/central/dom/events/EventStateManager.cpp:750
#21 0x00007fffe3da67e5 in mozilla::PresShell::HandleEventInternal (this=0x7fffad229000, aEvent=0x7fffffffc160, aStatus=0x7fffffffbf7c, aIsHandlingNativeEvent=true)
    at /home/ikezoe/central/layout/base/PresShell.cpp:8143
#22 0x00007fffe3da5d9d in mozilla::PresShell::HandlePositionedEvent (this=0x7fffad229000, aTargetFrame=0x7fff9cd42310, aEvent=0x7fffffffc160, aEventStatus=0x7fffffffbf7c)
    at /home/ikezoe/central/layout/base/PresShell.cpp:7940
#23 0x00007fffe3da4ff8 in mozilla::PresShell::HandleEvent (this=0x7fffc77f4000, aFrame=0x7fffc77f7118, aEvent=0x7fffffffc160, aDontRetargetEvents=false, aEventStatus=0x7fffffffbf7c, 
    aTargetContent=0x0) at /home/ikezoe/central/layout/base/PresShell.cpp:7726
#24 0x00007fffe3934ac1 in nsViewManager::DispatchEvent (this=0x7fffc77ccb00, aEvent=0x7fffffffc160, aView=0x7fffc77e7000, aStatus=0x7fffffffbf7c)
    at /home/ikezoe/central/view/nsViewManager.cpp:804

This crash definitely is not related to animation-only restyle triggered by event handling since I did comment out DoProcessPendingRestyles in ServoRestyleManager::UpdateOnlyAnimationStyles().

So, I am convinced now that there are two kinds of crashes triggered by event handling: one is bug 1371450, which is caused by animation-only restyle by event handling; the other is related to this assertion.
These assertions might be fixed by Emilio's refactor in bug 1379505. I can't reproduce the assertions with the debug build on a try in bug 1379505 comment 93.
See Also: → bug 1379505
Priority: -- → P1
No longer happening since 20170716100325. I guess the two causes of this crash, bug 1371450 and bug 1379505, fixed this?
Status: NEW → RESOLVED
Last Resolved: 2 days ago
Resolution: --- → FIXED
status-firefox54: --- → unaffected
status-firefox55: --- → unaffected
status-firefox56: affected → fixed
status-firefox-esr52: --- → unaffected
Target Milestone: --- → mozilla56