Closed
Bug 1382357
Opened 7 years ago
Closed 7 years ago
stylo: Crash in GetInnerText/IsOrHasAncestorWithDisplayNone with AdBlock Plus enabled
Categories
(Core :: CSS Parsing and Computation, defect, P1)
Core
CSS Parsing and Computation
Tracking
()
RESOLVED
FIXED
mozilla56
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox54 | --- | unaffected |
| firefox55 | --- | unaffected |
| firefox56 | --- | fixed |
People
(Reporter: bholley, Assigned: bholley)
References
(Blocks 1 open bug)
Details
(Keywords: crash)
Attachments
(3 files)
|
4.41 KB,
patch
|
heycam
:
review+
|
Details | Diff | Splinter Review |
|
2.54 KB,
patch
|
heycam
:
review+
|
Details | Diff | Splinter Review |
|
1.55 KB,
patch
|
heycam
:
review+
|
Details | Diff | Splinter Review |
I crashed on this. https://crash-stats.mozilla.com/report/index/a041abc8-7b37-46ea-a749-52f0d0170719 Fix is straightforward, will work it up.
|
Assignee | |
Comment 1•7 years ago
|
||
Actually, the simple failure mode that I thought we were hitting can't happen, so this is more complex. I have an (large) rr trace of it though, so it should be just a matter of time to work through it.
|
|
Assignee | |
Comment 2•7 years ago
|
||
(This seems to only happen with ABP, but the cause might be a deeper issue, we'll see).
Summary: stylo: Crash in GetInnerText/IsOrHasAncestorWithDisplayNone → stylo: Crash in GetInnerText/IsOrHasAncestorWithDisplayNone with AdBlock Plus enabled
|
|
Assignee | |
Comment 3•7 years ago
|
||
This was removed recently in the ComputedValues patch, and makes traversal logging rather unusable. MozReview-Commit-ID: 5Jisfj9QxBM
Attachment #8888151 -
Flags: review?(cam)
|
|
Assignee | |
Comment 4•7 years ago
|
||
The issue here is that the DestroyFramesFor call does a ClearServoDataFromSubtree, and then we subsequently fail to load the bindings, leaving ourselves with an unstyled subtree that isn't marked with descendant bits and isn't rooted at a display:none element, which is forbidden. This can trigger crashes when we call the innerText getter on one of the unstyled elements, since that will first flush layout (which won't find the unstyled subtree), and then invoke IsOrHasAncestorWithDisplayNone, which passes LazyComputeBehavior::Assert. MozReview-Commit-ID: 7roBkH9fTGZ
Attachment #8888152 -
Flags: review?(cam)
|
|
Assignee | |
Comment 5•7 years ago
|
||
MozReview-Commit-ID: IUqzytg3SqL
Attachment #8888153 -
Flags: review?(cam)
|
||
Updated•7 years ago
|
Attachment #8888151 -
Flags: review?(cam) → review+
|
|
||
Comment 6•7 years ago
|
||
Comment on attachment 8888152 [details] [diff] [review] Part 2 - Wait to destroy frames until after we've successfully fetched the binding. v1 Review of attachment 8888152 [details] [diff] [review]: ----------------------------------------------------------------- Looks reasonable.
Attachment #8888152 -
Flags: review?(cam) → review+
|
|
||
Updated•7 years ago
|
Attachment #8888153 -
Flags: review?(cam) → review+
Pushed by bholley@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/5a43e98b2000 Wait to destroy frames until after we've successfully fetched the binding. r=heycam https://hg.mozilla.org/integration/autoland/rev/747035414236 Crashtest. r=heycam
|
||
Comment 8•7 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/5a43e98b2000 https://hg.mozilla.org/mozilla-central/rev/747035414236
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox56:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
|
||
Updated•7 years ago
|
status-firefox54:
--- → unaffected
status-firefox55:
--- → unaffected
status-firefox-esr52:
--- → unaffected
You need to log in
before you can comment on or make changes to this bug.
Description
•