Closed
Bug 1383001
Opened 7 years ago
Closed 7 years ago
stylo: Crash in mozalloc_abort | abort | style::context::ElementCascadeInputs::new_from_element_data
Categories
(Core :: CSS Parsing and Computation, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla56
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox54 | --- | unaffected |
firefox55 | --- | unaffected |
firefox56 | --- | fixed |
People
(Reporter: Usul, Assigned: emilio)
References
(Blocks 1 open bug)
Details
(Keywords: crash)
Crash Data
Attachments
(3 files, 7 obsolete files)
This bug was filed from the Socorro interface and is report bp-be5a99cf-23b7-4ad7-8e58-e46f20170721.
=============================================================
0 firefox mozalloc_abort memory/mozalloc/mozalloc_abort.cpp:33
1 firefox abort memory/mozalloc/mozalloc_abort.cpp:80
2 libxul.so std::panicking::rust_panic libpanic_abort/lib.rs:61
3 libxul.so std::panicking::rust_panic_with_hook libstd/panicking.rs:565
4 libxul.so std::panicking::begin_panic<collections::string::String> libstd/panicking.rs:511
5 libxul.so std::panicking::begin_panic_fmt libstd/panicking.rs:495
6 libxul.so core::panicking::panic_fmt libstd/panicking.rs:471
7 libxul.so core::panicking::panic libcore/panicking.rs:49
8 libxul.so style::context::ElementCascadeInputs::new_from_element_data libcore/macros.rs:21
9 libxul.so style::traversal::compute_style<style::gecko::wrapper::GeckoElement> servo/components/style/traversal.rs:749
10 libxul.so geckoservo::glue::traverse_subtree servo/components/style/traversal.rs:544
11 libxul.so geckoservo::glue::Servo_TraverseSubtree servo/ports/geckolib/glue.rs:281
12 libxul.so mozilla::ServoStyleSet::PrepareAndTraverseSubtree layout/style/ServoStyleSet.cpp:319
13 libxul.so nsCSSFrameConstructor::StyleNewChildRange layout/base/nsCSSFrameConstructor.cpp:7533
14 libxul.so nsCSSFrameConstructor::ContentAppended(nsIContent*, nsIContent*, bool, bool, TreeMatchContext*)
15 libxul.so mozilla::PresShell::ContentAppended(nsIDocument*, nsIContent*, nsIContent*, int)
16 libxul.so nsNodeUtils::ContentAppended(nsIContent*, nsIContent*, int)
17 libxul.so nsHtml5TreeOperation::Append(nsIContent*, nsIContent*, nsHtml5DocumentBuilder*)
18 libxul.so nsHtml5TreeBuilder::appendToCurrentNodeAndPushElementMayFoster(nsHtml5ElementName*, nsHtml5HtmlAttributes*)
19 libxul.so nsHtml5TreeBuilder::startTag(nsHtml5ElementName*, nsHtml5HtmlAttributes*, bool)
20 libxul.so nsHtml5Tokenizer::emitCurrentTagToken(bool, int)
21 libxul.so nsHtml5Tokenizer::stateLoop<nsHtml5SilentPolicy> parser/html/nsHtml5Tokenizer.cpp:959
22 libxul.so nsHtml5Tokenizer::tokenizeBuffer(nsHtml5UTF16Buffer*)
23 libxul.so nsHtml5StringParser::Tokenize(nsAString const&, nsIDocument*, bool)
24 libxul.so nsContentUtils::ParseFragmentHTML dom/base/nsContentUtils.cpp:5066
25 libxul.so mozilla::dom::FragmentOrElement::SetInnerHTMLInternal(nsAString const&, mozilla::ErrorResult&)
26 libxul.so mozilla::dom::ElementBinding::set_innerHTML(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitSetterCallArgs)
27 libxul.so mozilla::dom::GenericBindingSetter(JSContext*, unsigned int, JS::Value*)
28 libxul.so js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)
29 libxul.so js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>)
30 libxul.so js::BaseProxyHandler::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) const
31 libxul.so js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&)
32 libxul.so JSObject::nonNativeSetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&)
33 libxul.so libxul.so@0x2af5931
34 libxul.so js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&)
35 libxul.so JSObject::nonNativeSetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&)
36 libxul.so libxul.so@0x2af5931
37 libxul.so js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&)
38 libxul.so JSObject::nonNativeSetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&)
39 libxul.so libxul.so@0x2af5931
40 libxul.so js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&)
41 libxul.so JSObject::nonNativeSetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&)
42 libxul.so js::jit::DoSetPropFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICSetProp_Fallback*, JS::Value*, JS::Handle<JS::Value>, JS::Handle<JS::Value>)
43 @0x19c23cd6c1c8
44 @0x19c23cd608a9
45 libxul.so EnterBaseline(JSContext*, js::jit::EnterJitData&)
46 libxul.so js::jit::EnterBaselineMethod(JSContext*, js::RunState&)
47 libxul.so Interpret(JSContext*, js::RunState&)
48 libxul.so js::RunScript(JSContext*, js::RunState&)
49 libxul.so js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)
50 libxul.so js::fun_apply(JSContext*, unsigned int, JS::Value*)
51 libxul.so js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)
52 libxul.so Interpret(JSContext*, js::RunState&)
53 libxul.so js::RunScript(JSContext*, js::RunState&)
54 libxul.so js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)
55 libxul.so JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)
56 libxul.so mozilla::dom::IdleRequestCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::IdleDeadline&, mozilla::ErrorResult&)
57 libxul.so mozilla::dom::IdleRequestCallback::Call obj-firefox/dist/include/mozilla/dom/WindowBinding.h:635
58 libxul.so mozilla::dom::IdleRequest::IdleRun(nsPIDOMWindowInner*, double, bool)
59 libxul.so nsGlobalWindow::RunIdleRequest(mozilla::dom::IdleRequest*, double, bool)
60 libxul.so nsGlobalWindow::ExecuteIdleRequest(mozilla::TimeStamp)
61 libxul.so nsThread::ProcessNextEvent(bool, bool*)
62 libxul.so NS_ProcessNextEvent(nsIThread*, bool)
63 libxul.so mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)
64 libxul.so MessageLoop::Run()
65 libxul.so nsBaseAppShell::Run widget/nsBaseAppShell.cpp:156
66 libxul.so XRE_RunAppShell toolkit/xre/nsEmbedFunctions.cpp:893
67 libxul.so MessageLoop::Run()
68 libxul.so XRE_InitChildProcess toolkit/xre/nsEmbedFunctions.cpp:709
69 firefox content_process_main ipc/contentproc/plugin-container.cpp:64
70 firefox _init
71 libc-2.25.so libc-2.25.so@0x204d9
72 firefox firefox@0x1136f
73 firefox firefox@0x1a2bf
74 firefox firefox@0x1136f
75 firefox mozilla::ReadAheadLib(char const*)
76 ld-2.25.so ld-2.25.so@0x112cf
77 firefox firefox@0x1a2bf
78 firefox _start

STR:
comment in bugzilla
start the line with 1) and at the end of the line press enter
1) blah

This will die.
I have Grammarly enabled, just in case it's messing things around.
Reporter
Comment 1•7 years ago
I also got this one https://crash-stats.mozilla.com/report/index/3cf76ce7-93b9-4ed0-a4fc-572660170721 with stylo disabled.
Comment 3•7 years ago
I got it on github, while submitting a review. => https://crash-stats.mozilla.com/report/index/c42ca3f6-9b59-4127-a60e-085e40170721
Updated•7 years ago
Crash Signature: [@ mozalloc_abort | abort | style::context::ElementCascadeInputs::new_from_element_data] → [@ mozalloc_abort | abort | style::context::ElementCascadeInputs::new_from_element_data]
[@ alloc::oom::default_oom_handler | style::context::ElementCascadeInputs::new_from_element_data ]
Comment 5•7 years ago
There have been about 25 crash reports with this crash signature over the past few days.
Blocks: stylo-site-issues
Crash Signature: [@ mozalloc_abort | abort | style::context::ElementCascadeInputs::new_from_element_data]
[@ alloc::oom::default_oom_handler | style::context::ElementCascadeInputs::new_from_element_data ] → [@ mozalloc_abort | abort | style::context::{{impl}}::new_from_element_data]
[@ mozalloc_abort | abort | style::context::ElementCascadeInputs::new_from_element_data]
[@ alloc::oom::default_oom_handler | style::context::ElementCascadeInputs::new_from_el…
Priority: -- → P1
Assignee
Comment 7•7 years ago
So I've been trying to construct a test-case and failing... I think I need to manage to get an animation-only restyle hint somewhere inside a contenteditable node, like bug 1383001, then insert new elements on it to trigger this.

Hiro, do you know any reliable way to get an animation-only restyle hint posted?

Meanwhile, there are no tests, but here are the patches... I guess we could land them as is, but it's kinda sad not having a test for this :(
Flags: needinfo?(hikezoe)
Comment hidden (mozreview-request)
Comment hidden (mozreview-request)
Comment hidden (mozreview-request)
Comment 11•7 years ago
(In reply to Emilio Cobos Álvarez [:emilio] from comment #7)
> So I've been trying to construct a test-case and failing... I think I need
> to manage to get an animation-only restyle hint somewhere inside a
> contenteditable node, like bug 1383001, then insert new elements on it to
> trigger this.
>
> Hiro, do you know any reliable way to get an animation-only restyle hint
> posted?
>
> Meanwhile, there are no tests, but here are the patches... I guess we could
> land them as is, but it's kinda sad not having a test for this :(

Element.animate() is suitable for the purpose I think. Here is a test case that causes this crash. The test case modified your test case in bug 1379553.
Flags: needinfo?(hikezoe)
Assignee
Comment 12•7 years ago
(In reply to Hiroyuki Ikezoe (:hiro) from comment #11)
> Element.animate() is suitable for the purpose I think. Here is a test case
> that causes this crash. The test case modified your test case in bug 1379553.

I guess you mean bug 1383319.

Awesome Hiro, thanks for the test-case! I can confirm these patches fix the crash, though I'm not sure I can land the test-case just yet, because it also hits the debug assertion mentioned in bug 1383319, so we need to fix that assertion first. I guess I can land the test-case in that same bug if this lands before.
Comment hidden (mozreview-request)
Comment hidden (mozreview-request)
Comment hidden (mozreview-request)
Comment hidden (mozreview-request)
Comment hidden (mozreview-request)
Comment hidden (mozreview-request)
Comment hidden (mozreview-request)
Comment hidden (mozreview-request)
Assignee
Updated•7 years ago
Attachment #8889054 - Attachment is obsolete: true
Attachment #8889054 - Flags: review?(cam)
Comment hidden (mozreview-request)
Comment 24•7 years ago
Add another crash signature for this bug: [@ style::context::ElementCascadeInputs::new_from_element_data ]
Crash Signature: style::context::ElementCascadeInputs::new_from_element_data ] → style::context::ElementCascadeInputs::new_from_element_data ]
[@ style::context::ElementCascadeInputs::new_from_element_data ]
Comment 25•7 years ago
mozreview-review
Comment on attachment 8888987 [details] Bug 1383001: Stop claiming to support unstyled children traversals for throttled animations.
https://reviewboard.mozilla.org/r/160012/#review165566
Attachment #8888987 - Flags: review?(cam) → review+
Comment 26•7 years ago
mozreview-review
Comment on attachment 8888988 [details] Bug 1383001: Improve the information the "styles not up-to-date" assertion gives back.
https://reviewboard.mozilla.org/r/160014/#review165568
Attachment #8888988 - Flags: review?(cam) → review+
Comment 27•7 years ago
mozreview-review
Comment on attachment 8888989 [details] Bug 1383001: Don't try to do an animation-only restyle if we're styling newly-inserted content.
https://reviewboard.mozilla.org/r/160016/#review165570
Attachment #8888989 - Flags: review?(cam) → review+
Comment 28•7 years ago
mozreview-review
Comment on attachment 8889051 [details] Bug 1383001: Minor reformatting.
https://reviewboard.mozilla.org/r/160092/#review165572
Attachment #8889051 - Flags: review?(cam) → review+
Comment 29•7 years ago
mozreview-review
Comment on attachment 8889052 [details] Bug 1383001: Remove (mostly) unused has_current_styles.
https://reviewboard.mozilla.org/r/160094/#review165574

::: servo/components/style/traversal.rs:377 (Diff revision 2)
>         &self,
>         context: &mut StyleContext<E>,
>         parent: E,
>         parent_data: &ElementData,
>     ) -> bool {
>         // See the comment on `cascade_node` for why we allow this on Gecko.

I'm not sure where this comment is meant to be pointing now. Can you update it?
Attachment #8889052 - Flags: review?(cam) → review+
Comment 30•7 years ago
mozreview-review
Comment on attachment 8889053 [details] Bug 1383001: Update has_current_styles_for_this_traversal to not look at animation hints in non-animation traversals.
https://reviewboard.mozilla.org/r/160096/#review165576
Attachment #8889053 - Flags: review?(cam) → review+
Comment 31•7 years ago
mozreview-review
Comment on attachment 8889055 [details] Bug 1383001: Crashtests for this and bug 1383319.
https://reviewboard.mozilla.org/r/160100/#review165578
Attachment #8889055 - Flags: review?(cam) → review+
Comment 32•7 years ago
mozreview-review
Comment on attachment 8889122 [details] Bug 1383001: Yet another crashtest.
https://reviewboard.mozilla.org/r/160152/#review165580

r=me on this (and the previous patch) assuming you verified they fail without the fix. (I didn't read them closely.)
Attachment #8889122 - Flags: review?(cam) → review+
Comment hidden (mozreview-request)
Comment hidden (mozreview-request)
Assignee
Updated•7 years ago
Attachment #8888987 - Attachment is obsolete: true
Assignee
Updated•7 years ago
Attachment #8888988 - Attachment is obsolete: true
Assignee
Updated•7 years ago
Attachment #8888989 - Attachment is obsolete: true
Assignee
Updated•7 years ago
Attachment #8889051 - Attachment is obsolete: true
Assignee
Updated•7 years ago
Attachment #8889052 - Attachment is obsolete: true
Assignee
Updated•7 years ago
Attachment #8889053 - Attachment is obsolete: true
Comment 37•7 years ago
Pushed by ecoal95@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/4698135a21b7
Crashtests for this and bug 1383319. r=heycam
https://hg.mozilla.org/integration/autoland/rev/cab53621bfee
Yet another crashtest. r=heycam
Comment 38•7 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/4698135a21b7
https://hg.mozilla.org/mozilla-central/rev/cab53621bfee
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox56: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
Updated•7 years ago
status-firefox54: --- → unaffected
status-firefox55: --- → unaffected
status-firefox-esr52: --- → unaffected