Closed Bug 1383001 Opened 7 years ago Closed 7 years ago

stylo: Crash in mozalloc_abort | abort | style::context::ElementCascadeInputs::new_from_element_data

Categories

(Core :: CSS Parsing and Computation, defect, P1)

Unspecified
Linux
defect

Tracking

()

RESOLVED FIXED
mozilla56
Tracking Status
firefox-esr52 --- unaffected
firefox54 --- unaffected
firefox55 --- unaffected
firefox56 --- fixed

People

(Reporter: Usul, Assigned: emilio)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

Attachments

(3 files, 7 obsolete files)

525 bytes, text/html
Details
59 bytes, text/x-review-board-request
heycam
: review+
Details
59 bytes, text/x-review-board-request
heycam
: review+
Details
This bug was filed from the Socorro interface and is 
report bp-be5a99cf-23b7-4ad7-8e58-e46f20170721.
=============================================================
0 	firefox 	mozalloc_abort 	memory/mozalloc/mozalloc_abort.cpp:33
1 	firefox 	abort 	memory/mozalloc/mozalloc_abort.cpp:80
2 	libxul.so 	std::panicking::rust_panic 	libpanic_abort/lib.rs:61
3 	libxul.so 	std::panicking::rust_panic_with_hook 	libstd/panicking.rs:565
4 	libxul.so 	std::panicking::begin_panic<collections::string::String> 	libstd/panicking.rs:511
5 	libxul.so 	std::panicking::begin_panic_fmt 	libstd/panicking.rs:495
6 	libxul.so 	core::panicking::panic_fmt 	libstd/panicking.rs:471
7 	libxul.so 	core::panicking::panic 	libcore/panicking.rs:49
8 	libxul.so 	style::context::ElementCascadeInputs::new_from_element_data 	libcore/macros.rs:21
9 	libxul.so 	style::traversal::compute_style<style::gecko::wrapper::GeckoElement> 	servo/components/style/traversal.rs:749
10 	libxul.so 	geckoservo::glue::traverse_subtree 	servo/components/style/traversal.rs:544
11 	libxul.so 	geckoservo::glue::Servo_TraverseSubtree 	servo/ports/geckolib/glue.rs:281
12 	libxul.so 	mozilla::ServoStyleSet::PrepareAndTraverseSubtree 	layout/style/ServoStyleSet.cpp:319
13 	libxul.so 	nsCSSFrameConstructor::StyleNewChildRange 	layout/base/nsCSSFrameConstructor.cpp:7533
14 	libxul.so 	nsCSSFrameConstructor::ContentAppended(nsIContent*, nsIContent*, bool, bool, TreeMatchContext*) 	
15 	libxul.so 	mozilla::PresShell::ContentAppended(nsIDocument*, nsIContent*, nsIContent*, int) 	
16 	libxul.so 	nsNodeUtils::ContentAppended(nsIContent*, nsIContent*, int) 	
17 	libxul.so 	nsHtml5TreeOperation::Append(nsIContent*, nsIContent*, nsHtml5DocumentBuilder*) 	
18 	libxul.so 	nsHtml5TreeBuilder::appendToCurrentNodeAndPushElementMayFoster(nsHtml5ElementName*, nsHtml5HtmlAttributes*) 	
19 	libxul.so 	nsHtml5TreeBuilder::startTag(nsHtml5ElementName*, nsHtml5HtmlAttributes*, bool) 	
20 	libxul.so 	nsHtml5Tokenizer::emitCurrentTagToken(bool, int) 	
21 	libxul.so 	nsHtml5Tokenizer::stateLoop<nsHtml5SilentPolicy> 	parser/html/nsHtml5Tokenizer.cpp:959
22 	libxul.so 	nsHtml5Tokenizer::tokenizeBuffer(nsHtml5UTF16Buffer*) 	
23 	libxul.so 	nsHtml5StringParser::Tokenize(nsAString const&, nsIDocument*, bool) 	
24 	libxul.so 	nsContentUtils::ParseFragmentHTML 	dom/base/nsContentUtils.cpp:5066
25 	libxul.so 	mozilla::dom::FragmentOrElement::SetInnerHTMLInternal(nsAString const&, mozilla::ErrorResult&) 	
26 	libxul.so 	mozilla::dom::ElementBinding::set_innerHTML(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitSetterCallArgs) 	
27 	libxul.so 	mozilla::dom::GenericBindingSetter(JSContext*, unsigned int, JS::Value*) 	
28 	libxul.so 	js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) 	
29 	libxul.so 	js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) 	
30 	libxul.so 	js::BaseProxyHandler::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) const 	
31 	libxul.so 	js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) 	
32 	libxul.so 	JSObject::nonNativeSetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) 	
33 	libxul.so 	libxul.so@0x2af5931 	
34 	libxul.so 	js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) 	
35 	libxul.so 	JSObject::nonNativeSetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) 	
36 	libxul.so 	libxul.so@0x2af5931 	
37 	libxul.so 	js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) 	
38 	libxul.so 	JSObject::nonNativeSetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) 	
39 	libxul.so 	libxul.so@0x2af5931 	
40 	libxul.so 	js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) 	
41 	libxul.so 	JSObject::nonNativeSetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) 	
42 	libxul.so 	js::jit::DoSetPropFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICSetProp_Fallback*, JS::Value*, JS::Handle<JS::Value>, JS::Handle<JS::Value>) 	
43 		@0x19c23cd6c1c8 	
44 		@0x19c23cd608a9 	
45 	libxul.so 	EnterBaseline(JSContext*, js::jit::EnterJitData&) 	
46 	libxul.so 	js::jit::EnterBaselineMethod(JSContext*, js::RunState&) 	
47 	libxul.so 	Interpret(JSContext*, js::RunState&) 	
48 	libxul.so 	js::RunScript(JSContext*, js::RunState&) 	
49 	libxul.so 	js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) 	
50 	libxul.so 	js::fun_apply(JSContext*, unsigned int, JS::Value*) 	
51 	libxul.so 	js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) 	
52 	libxul.so 	Interpret(JSContext*, js::RunState&) 	
53 	libxul.so 	js::RunScript(JSContext*, js::RunState&) 	
54 	libxul.so 	js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) 	
55 	libxul.so 	JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) 	
56 	libxul.so 	mozilla::dom::IdleRequestCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::IdleDeadline&, mozilla::ErrorResult&) 	
57 	libxul.so 	mozilla::dom::IdleRequestCallback::Call 	obj-firefox/dist/include/mozilla/dom/WindowBinding.h:635
58 	libxul.so 	mozilla::dom::IdleRequest::IdleRun(nsPIDOMWindowInner*, double, bool) 	
59 	libxul.so 	nsGlobalWindow::RunIdleRequest(mozilla::dom::IdleRequest*, double, bool) 	
60 	libxul.so 	nsGlobalWindow::ExecuteIdleRequest(mozilla::TimeStamp) 	
61 	libxul.so 	nsThread::ProcessNextEvent(bool, bool*) 	
62 	libxul.so 	NS_ProcessNextEvent(nsIThread*, bool) 	
63 	libxul.so 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) 	
64 	libxul.so 	MessageLoop::Run() 	
65 	libxul.so 	nsBaseAppShell::Run 	widget/nsBaseAppShell.cpp:156
66 	libxul.so 	XRE_RunAppShell 	toolkit/xre/nsEmbedFunctions.cpp:893
67 	libxul.so 	MessageLoop::Run() 	
68 	libxul.so 	XRE_InitChildProcess 	toolkit/xre/nsEmbedFunctions.cpp:709
69 	firefox 	content_process_main 	ipc/contentproc/plugin-container.cpp:64
70 	firefox 	_init 	
Ø 71 	libc-2.25.so 	libc-2.25.so@0x204d9 	
72 	firefox 	firefox@0x1136f 	
73 	firefox 	firefox@0x1a2bf 	
74 	firefox 	firefox@0x1136f 	
75 	firefox 	mozilla::ReadAheadLib(char const*) 	
Ø 76 	ld-2.25.so 	ld-2.25.so@0x112cf 	
77 	firefox 	firefox@0x1a2bf 	
78 	firefox 	_start 	

Show other threads
Mozilla Crash Reports - Powered by Socorro - All dates are UTC

    User Documentation API Crontabber State Source Privacy Policy Google Sign-In Help 



STR:
comment in bugzilla start the line with 1) adn at the end of the line press enter

1) blah

This will die. I have grammerly enabled juts in case , it's messing things around.
This seems to happen during animation-only restyle.
Crash Signature: [@ mozalloc_abort | abort | style::context::ElementCascadeInputs::new_from_element_data] → [@ mozalloc_abort | abort | style::context::ElementCascadeInputs::new_from_element_data] [@ alloc::oom::default_oom_handler | style::context::ElementCascadeInputs::new_from_element_data ]
There have been about 25 crash reports with this crash signature over the past few days.
Crash Signature: [@ mozalloc_abort | abort | style::context::ElementCascadeInputs::new_from_element_data] [@ alloc::oom::default_oom_handler | style::context::ElementCascadeInputs::new_from_element_data ] → [@ mozalloc_abort | abort | style::context::{{impl}}::new_from_element_data] [@ mozalloc_abort | abort | style::context::ElementCascadeInputs::new_from_element_data] [@ alloc::oom::default_oom_handler | style::context::ElementCascadeInputs::new_from_el…
Priority: -- → P1
I think I see the issue...
Assignee: nobody → emilio+bugs
See Also: → 1383319
So I've been trying to construct a test-case and failing... I think I need to manage to get an animation-only restyle hint somewhere inside a contenteditable node, like bug 1383001, then insert new elements on it to trigger this.

Hiro, do you know any reliable way to get an animation-only restyle hint posted?

Meanwhile, there are no tests, but here are the patches... I guess we could land them as is, but it's kinda sad not having a test for this :(
Flags: needinfo?(hikezoe)
Attached file A test case
(In reply to Emilio Cobos Álvarez [:emilio] from comment #7)
> So I've been trying to construct a test-case and failing... I think I need
> to manage to get an animation-only restyle hint somewhere inside a
> contenteditable node, like bug 1383001, then insert new elements on it to
> trigger this.
> 
> Hiro, do you know any reliable way to get an animation-only restyle hint
> posted?
> 
> Meanwhile, there are no tests, but here are the patches... I guess we could
> land them as is, but it's kinda sad not having a test for this :(

Element.animate() is suitable for the purpose I think.  Here is a test case that causes this crash. The test case modified your test case in bug 1379553.
Flags: needinfo?(hikezoe)
(In reply to Hiroyuki Ikezoe (:hiro) from comment #11)
> Element.animate() is suitable for the purpose I think.  Here is a test case
> that causes this crash. The test case modified your test case in bug 1379553.

I guess you mean bug 1383319. Awesome Hiro, thanks for the test-case!

I can confirm these patches fix the crash, though I'm not sure I can land the test-case just yet, because it also hits the debug assertion mentioned in bug 1383319, so we need to fix that assertion first.

I guess I can land the test-case in that same bug if this lands before.
Let's just do that here...
Attachment #8889054 - Attachment is obsolete: true
Attachment #8889054 - Flags: review?(cam)
Add another crash signature for this bug:

[@ style::context::ElementCascadeInputs::new_from_element_data ]
Crash Signature: style::context::ElementCascadeInputs::new_from_element_data ] → style::context::ElementCascadeInputs::new_from_element_data ] [@ style::context::ElementCascadeInputs::new_from_element_data ]
Comment on attachment 8888987 [details]
Bug 1383001: Stop claiming to support unstyled children traversals for throttled animations.

https://reviewboard.mozilla.org/r/160012/#review165566
Attachment #8888987 - Flags: review?(cam) → review+
Comment on attachment 8888988 [details]
Bug 1383001: Improve the information the "styles not up-to-date" assertion gives back.

https://reviewboard.mozilla.org/r/160014/#review165568
Attachment #8888988 - Flags: review?(cam) → review+
Comment on attachment 8888989 [details]
Bug 1383001: Don't try to do an animation-only restyle if we're styling newly-inserted content.

https://reviewboard.mozilla.org/r/160016/#review165570
Attachment #8888989 - Flags: review?(cam) → review+
Comment on attachment 8889051 [details]
Bug 1383001: Minor reformatting.

https://reviewboard.mozilla.org/r/160092/#review165572
Attachment #8889051 - Flags: review?(cam) → review+
Comment on attachment 8889052 [details]
Bug 1383001: Remove (mostly) unused has_current_styles.

https://reviewboard.mozilla.org/r/160094/#review165574

::: servo/components/style/traversal.rs:377
(Diff revision 2)
>          &self,
>          context: &mut StyleContext<E>,
>          parent: E,
>          parent_data: &ElementData,
>      ) -> bool {
>          // See the comment on `cascade_node` for why we allow this on Gecko.

I'm not sure where this comment is meant to be pointing now.  Can you update it?
Attachment #8889052 - Flags: review?(cam) → review+
Comment on attachment 8889053 [details]
Bug 1383001: Update has_current_styles_for_this_traversal to not look at animation hints in non-animation traversals.

https://reviewboard.mozilla.org/r/160096/#review165576
Attachment #8889053 - Flags: review?(cam) → review+
Comment on attachment 8889055 [details]
Bug 1383001: Crashtests for this and bug 1383319.

https://reviewboard.mozilla.org/r/160100/#review165578
Attachment #8889055 - Flags: review?(cam) → review+
Comment on attachment 8889122 [details]
Bug 1383001: Yet another crashtest.

https://reviewboard.mozilla.org/r/160152/#review165580

r=me on this (and the previous patch) assuming you verified they fail without the fix.  (I didn't read them closely.)
Attachment #8889122 - Flags: review?(cam) → review+
And thank you for the nicely split up patches, I appreciate it!
Attachment #8888987 - Attachment is obsolete: true
Attachment #8888988 - Attachment is obsolete: true
Attachment #8888989 - Attachment is obsolete: true
Attachment #8889051 - Attachment is obsolete: true
Attachment #8889052 - Attachment is obsolete: true
Attachment #8889053 - Attachment is obsolete: true
https://hg.mozilla.org/mozilla-central/rev/4698135a21b7
https://hg.mozilla.org/mozilla-central/rev/cab53621bfee
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
You need to log in before you can comment on or make changes to this bug.