Closed Bug 1383001 Opened 7 years ago Closed 7 years ago

stylo: Crash in mozalloc_abort | abort | style::context::ElementCascadeInputs::new_from_element_data

Categories

(Core :: CSS Parsing and Computation, defect, P1)

Unspecified
Linux
defect

Tracking

RESOLVED FIXED
mozilla56
Tracking Status
firefox-esr52 --- unaffected
firefox54 --- unaffected
firefox55 --- unaffected
firefox56 --- fixed

People

(Reporter: Usul, Assigned: emilio)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Attachments

(3 files, 7 obsolete files)

525 bytes, text/html
59 bytes, text/x-review-board-request (heycam: review+)
59 bytes, text/x-review-board-request (heycam: review+)
This bug was filed from the Socorro interface and is report bp-be5a99cf-23b7-4ad7-8e58-e46f20170721.
=============================================================
0 firefox mozalloc_abort memory/mozalloc/mozalloc_abort.cpp:33
1 firefox abort memory/mozalloc/mozalloc_abort.cpp:80
2 libxul.so std::panicking::rust_panic libpanic_abort/lib.rs:61
3 libxul.so std::panicking::rust_panic_with_hook libstd/panicking.rs:565
4 libxul.so std::panicking::begin_panic<collections::string::String> libstd/panicking.rs:511
5 libxul.so std::panicking::begin_panic_fmt libstd/panicking.rs:495
6 libxul.so core::panicking::panic_fmt libstd/panicking.rs:471
7 libxul.so core::panicking::panic libcore/panicking.rs:49
8 libxul.so style::context::ElementCascadeInputs::new_from_element_data libcore/macros.rs:21
9 libxul.so style::traversal::compute_style<style::gecko::wrapper::GeckoElement> servo/components/style/traversal.rs:749
10 libxul.so geckoservo::glue::traverse_subtree servo/components/style/traversal.rs:544
11 libxul.so geckoservo::glue::Servo_TraverseSubtree servo/ports/geckolib/glue.rs:281
12 libxul.so mozilla::ServoStyleSet::PrepareAndTraverseSubtree layout/style/ServoStyleSet.cpp:319
13 libxul.so nsCSSFrameConstructor::StyleNewChildRange layout/base/nsCSSFrameConstructor.cpp:7533
14 libxul.so nsCSSFrameConstructor::ContentAppended(nsIContent*, nsIContent*, bool, bool, TreeMatchContext*)
15 libxul.so mozilla::PresShell::ContentAppended(nsIDocument*, nsIContent*, nsIContent*, int)
16 libxul.so nsNodeUtils::ContentAppended(nsIContent*, nsIContent*, int)
17 libxul.so nsHtml5TreeOperation::Append(nsIContent*, nsIContent*, nsHtml5DocumentBuilder*)
18 libxul.so nsHtml5TreeBuilder::appendToCurrentNodeAndPushElementMayFoster(nsHtml5ElementName*, nsHtml5HtmlAttributes*)
19 libxul.so nsHtml5TreeBuilder::startTag(nsHtml5ElementName*, nsHtml5HtmlAttributes*, bool)
20 libxul.so nsHtml5Tokenizer::emitCurrentTagToken(bool, int)
21 libxul.so nsHtml5Tokenizer::stateLoop<nsHtml5SilentPolicy> parser/html/nsHtml5Tokenizer.cpp:959
22 libxul.so nsHtml5Tokenizer::tokenizeBuffer(nsHtml5UTF16Buffer*)
23 libxul.so nsHtml5StringParser::Tokenize(nsAString const&, nsIDocument*, bool)
24 libxul.so nsContentUtils::ParseFragmentHTML dom/base/nsContentUtils.cpp:5066
25 libxul.so mozilla::dom::FragmentOrElement::SetInnerHTMLInternal(nsAString const&, mozilla::ErrorResult&)
26 libxul.so mozilla::dom::ElementBinding::set_innerHTML(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitSetterCallArgs)
27 libxul.so mozilla::dom::GenericBindingSetter(JSContext*, unsigned int, JS::Value*)
28 libxul.so js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)
29 libxul.so js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>)
30 libxul.so js::BaseProxyHandler::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) const
31 libxul.so js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&)
32 libxul.so JSObject::nonNativeSetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&)
33 libxul.so libxul.so@0x2af5931
34 libxul.so js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&)
35 libxul.so JSObject::nonNativeSetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&)
36 libxul.so libxul.so@0x2af5931
37 libxul.so js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&)
38 libxul.so JSObject::nonNativeSetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&)
39 libxul.so libxul.so@0x2af5931
40 libxul.so js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&)
41 libxul.so JSObject::nonNativeSetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&)
42 libxul.so js::jit::DoSetPropFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICSetProp_Fallback*, JS::Value*, JS::Handle<JS::Value>, JS::Handle<JS::Value>)
43 @0x19c23cd6c1c8
44 @0x19c23cd608a9
45 libxul.so EnterBaseline(JSContext*, js::jit::EnterJitData&)
46 libxul.so js::jit::EnterBaselineMethod(JSContext*, js::RunState&)
47 libxul.so Interpret(JSContext*, js::RunState&)
48 libxul.so js::RunScript(JSContext*, js::RunState&)
49 libxul.so js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)
50 libxul.so js::fun_apply(JSContext*, unsigned int, JS::Value*)
51 libxul.so js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)
52 libxul.so Interpret(JSContext*, js::RunState&)
53 libxul.so js::RunScript(JSContext*, js::RunState&)
54 libxul.so js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)
55 libxul.so JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)
56 libxul.so mozilla::dom::IdleRequestCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::IdleDeadline&, mozilla::ErrorResult&)
57 libxul.so mozilla::dom::IdleRequestCallback::Call obj-firefox/dist/include/mozilla/dom/WindowBinding.h:635
58 libxul.so mozilla::dom::IdleRequest::IdleRun(nsPIDOMWindowInner*, double, bool)
59 libxul.so nsGlobalWindow::RunIdleRequest(mozilla::dom::IdleRequest*, double, bool)
60 libxul.so nsGlobalWindow::ExecuteIdleRequest(mozilla::TimeStamp)
61 libxul.so nsThread::ProcessNextEvent(bool, bool*)
62 libxul.so NS_ProcessNextEvent(nsIThread*, bool)
63 libxul.so mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)
64 libxul.so MessageLoop::Run()
65 libxul.so nsBaseAppShell::Run widget/nsBaseAppShell.cpp:156
66 libxul.so XRE_RunAppShell toolkit/xre/nsEmbedFunctions.cpp:893
67 libxul.so MessageLoop::Run()
68 libxul.so XRE_InitChildProcess toolkit/xre/nsEmbedFunctions.cpp:709
69 firefox content_process_main ipc/contentproc/plugin-container.cpp:64
70 firefox _init Ø
71 libc-2.25.so libc-2.25.so@0x204d9
72 firefox firefox@0x1136f
73 firefox firefox@0x1a2bf
74 firefox firefox@0x1136f
75 firefox mozilla::ReadAheadLib(char const*) Ø
76 ld-2.25.so ld-2.25.so@0x112cf
77 firefox firefox@0x1a2bf
78 firefox _start
STR: comment in Bugzilla, start the line with 1) and at the end of the line press enter
1) blah
This will die. I have Grammarly enabled, just in case it's messing things around.
This seems to happen during animation-only restyle.
Crash Signature: [@ mozalloc_abort | abort | style::context::ElementCascadeInputs::new_from_element_data] → [@ mozalloc_abort | abort | style::context::ElementCascadeInputs::new_from_element_data] [@ alloc::oom::default_oom_handler | style::context::ElementCascadeInputs::new_from_element_data ]
There have been about 25 crash reports with this crash signature over the past few days.
Crash Signature: [@ mozalloc_abort | abort | style::context::ElementCascadeInputs::new_from_element_data] [@ alloc::oom::default_oom_handler | style::context::ElementCascadeInputs::new_from_element_data ] → [@ mozalloc_abort | abort | style::context::{{impl}}::new_from_element_data] [@ mozalloc_abort | abort | style::context::ElementCascadeInputs::new_from_element_data] [@ alloc::oom::default_oom_handler | style::context::ElementCascadeInputs::new_from_el…
Priority: -- → P1
I think I see the issue...
Assignee: nobody → emilio+bugs
See Also: → 1383319
So I've been trying to construct a test-case and failing... I think I need to manage to get an animation-only restyle hint somewhere inside a contenteditable node, like bug 1383001, then insert new elements on it to trigger this. Hiro, do you know any reliable way to get an animation-only restyle hint posted? Meanwhile, there are no tests, but here are the patches... I guess we could land them as is, but it's kinda sad not having a test for this :(
Flags: needinfo?(hikezoe)
Attached file A test case
(In reply to Emilio Cobos Álvarez [:emilio] from comment #7)
> So I've been trying to construct a test-case and failing... I think I need
> to manage to get an animation-only restyle hint somewhere inside a
> contenteditable node, like bug 1383001, then insert new elements on it to
> trigger this.
>
> Hiro, do you know any reliable way to get an animation-only restyle hint
> posted?
>
> Meanwhile, there are no tests, but here are the patches... I guess we could
> land them as is, but it's kinda sad not having a test for this :(
Element.animate() is suitable for the purpose I think. Here is a test case that causes this crash. The test case modified your test case in bug 1379553.
Flags: needinfo?(hikezoe)
(In reply to Hiroyuki Ikezoe (:hiro) from comment #11)
> Element.animate() is suitable for the purpose I think. Here is a test case
> that causes this crash. The test case modified your test case in bug 1379553.
I guess you mean bug 1383319. Awesome Hiro, thanks for the test-case! I can confirm these patches fix the crash, though I'm not sure I can land the test-case just yet, because it also hits the debug assertion mentioned in bug 1383319, so we need to fix that assertion first. I guess I can land the test-case in that same bug if this lands before.
Let's just do that here...
Attachment #8889054 - Attachment is obsolete: true
Attachment #8889054 - Flags: review?(cam)
Add another crash signature for this bug: [@ style::context::ElementCascadeInputs::new_from_element_data ]
Crash Signature: style::context::ElementCascadeInputs::new_from_element_data ] → style::context::ElementCascadeInputs::new_from_element_data ] [@ style::context::ElementCascadeInputs::new_from_element_data ]
Comment on attachment 8888987 [details] Bug 1383001: Stop claiming to support unstyled children traversals for throttled animations. https://reviewboard.mozilla.org/r/160012/#review165566
Attachment #8888987 - Flags: review?(cam) → review+
Comment on attachment 8888988 [details] Bug 1383001: Improve the information the "styles not up-to-date" assertion gives back. https://reviewboard.mozilla.org/r/160014/#review165568
Attachment #8888988 - Flags: review?(cam) → review+
Comment on attachment 8888989 [details] Bug 1383001: Don't try to do an animation-only restyle if we're styling newly-inserted content. https://reviewboard.mozilla.org/r/160016/#review165570
Attachment #8888989 - Flags: review?(cam) → review+
Attachment #8889051 - Flags: review?(cam) → review+
Comment on attachment 8889052 [details] Bug 1383001: Remove (mostly) unused has_current_styles. https://reviewboard.mozilla.org/r/160094/#review165574 ::: servo/components/style/traversal.rs:377 (Diff revision 2) > &self, > context: &mut StyleContext<E>, > parent: E, > parent_data: &ElementData, > ) -> bool { > // See the comment on `cascade_node` for why we allow this on Gecko. I'm not sure where this comment is meant to be pointing now. Can you update it?
Attachment #8889052 - Flags: review?(cam) → review+
Comment on attachment 8889053 [details] Bug 1383001: Update has_current_styles_for_this_traversal to not look at animation hints in non-animation traversals. https://reviewboard.mozilla.org/r/160096/#review165576
Attachment #8889053 - Flags: review?(cam) → review+
Attachment #8889055 - Flags: review?(cam) → review+
Comment on attachment 8889122 [details] Bug 1383001: Yet another crashtest. https://reviewboard.mozilla.org/r/160152/#review165580 r=me on this (and the previous patch) assuming you verified they fail without the fix. (I didn't read them closely.)
Attachment #8889122 - Flags: review?(cam) → review+
And thank you for the nicely split up patches, I appreciate it!
Attachment #8888987 - Attachment is obsolete: true
Attachment #8888988 - Attachment is obsolete: true
Attachment #8888989 - Attachment is obsolete: true
Attachment #8889051 - Attachment is obsolete: true
Attachment #8889052 - Attachment is obsolete: true
Attachment #8889053 - Attachment is obsolete: true
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56