Closed Bug 1415021 Opened 2 years ago Closed 2 years ago

Assertion failure: NS_IsMainThread(), at /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:4449

Categories

(Core :: DOM: Core & HTML, defect, P3)

54 Branch
defect

Tracking

RESOLVED FIXED
mozilla58
Tracking Status
firefox-esr52 --- unaffected
firefox56 --- disabled
firefox57 --- wontfix
firefox58 --- fixed

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

Attached file trigger.html
Testcase found while fuzzing mozilla-central rev dc45ee24c55d.

==1794==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f15aa1fb2fd bp 0x7f1547693330 sp 0x7f1547693310 T38)
==1794==The signal is caused by a WRITE memory access.
==1794==Hint: address points to the zero page.
    #0 0x7f15aa1fb2fc in nsDocument::GetRootElementInternal() const /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:4449:3
    #1 0x7f15ad585765 in Gecko_IsRootElement /builds/worker/workspace/build/src/layout/style/ServoBindings.cpp:331:32
    #2 0x7f15b1e14a5c in _$LT$style..style_resolver..StyleResolverForElement$LT$$u27$a$C$$u20$$u27$ctx$C$$u20$$u27$le$C$$u20$E$GT$$GT$::cascade_style::hfcd3d8b1eea3246c /builds/worker/workspace/build/src/servo/components/style/style_resolver.rs:575
    #3 0x7f15b1e161ec in _$LT$style..style_resolver..StyleResolverForElement$LT$$u27$a$C$$u20$$u27$ctx$C$$u20$$u27$le$C$$u20$E$GT$$GT$::cascade_style_and_visited::hbcc3d5428d73dbf2 /builds/worker/workspace/build/src/servo/components/style/style_resolver.rs:307
    #4 0x7f15b1e1608e in _$LT$style..style_resolver..StyleResolverForElement$LT$$u27$a$C$$u20$$u27$ctx$C$$u20$$u27$le$C$$u20$E$GT$$GT$::cascade_primary_style::hdb0450e0a06b3713 /builds/worker/workspace/build/src/servo/components/style/style_resolver.rs:212
    #5 0x7f15b1e15d2a in style::style_resolver::{{impl}}::resolve_primary_style<style::gecko::wrapper::GeckoElement> /builds/worker/workspace/build/src/servo/components/style/style_resolver.rs:171
    #6 0x7f15b1e15d2a in _$LT$style..style_resolver..StyleResolverForElement$LT$$u27$a$C$$u20$$u27$ctx$C$$u20$$u27$le$C$$u20$E$GT$$GT$::resolve_style::hca47dc6843881f80 /builds/worker/workspace/build/src/servo/components/style/style_resolver.rs:229
    #7 0x7f15b1e16340 in style::style_resolver::{{impl}}::resolve_style_with_default_parents::{{closure}}<style::gecko::wrapper::GeckoElement> /builds/worker/workspace/build/src/servo/components/style/style_resolver.rs:267
    #8 0x7f15b1e16340 in style::style_resolver::with_default_parent_styles<style::gecko::wrapper::GeckoElement,closure,style::style_resolver::ResolvedElementStyles> /builds/worker/workspace/build/src/servo/components/style/style_resolver.rs:104
    #9 0x7f15b1e16340 in _$LT$style..style_resolver..StyleResolverForElement$LT$$u27$a$C$$u20$$u27$ctx$C$$u20$$u27$le$C$$u20$E$GT$$GT$::resolve_style_with_default_parents::h8d287bd989859987 /builds/worker/workspace/build/src/servo/components/style/style_resolver.rs:266
    #10 0x7f15b2514163 in style::traversal::compute_style::hb1c18cb61e3b45ed /builds/worker/workspace/build/src/servo/components/style/traversal.rs:695
    #11 0x7f15b1e2a295 in style::traversal::recalc_style_at<style::gecko::wrapper::GeckoElement,style::gecko::traversal::RecalcStyleOnly,closure> /builds/worker/workspace/build/src/servo/components/style/traversal.rs:496
    #12 0x7f15b1e2a295 in _$LT$style..gecko..traversal..RecalcStyleOnly$LT$$u27$recalc$GT$$u20$as$u20$style..traversal..DomTraversal$LT$style..gecko..wrapper..GeckoElement$LT$$u27$le$GT$$GT$$GT$::process_preorder::h9f13b1bc9d919d00 /builds/worker/workspace/build/src/servo/components/style/gecko/traversal.rs:37
    #13 0x7f15b1da1d03 in style::parallel::top_down_dom<style::gecko::wrapper::GeckoElement,style::gecko::traversal::RecalcStyleOnly> /builds/worker/workspace/build/src/servo/components/style/parallel.rs:191
    #14 0x7f15b1da1d03 in style::parallel::traverse_nodes::hcc7428c5d7663977 /builds/worker/workspace/build/src/servo/components/style/parallel.rs:270
    #15 0x7f15b1d7827c in style::parallel::top_down_dom<style::gecko::wrapper::GeckoElement,style::gecko::traversal::RecalcStyleOnly> /builds/worker/workspace/build/src/servo/components/style/parallel.rs:207
    #16 0x7f15b1d7827c in style::parallel::traverse_nodes::{{closure}}<style::gecko::wrapper::GeckoElement,style::gecko::traversal::RecalcStyleOnly,alloc::vec_deque::Drain<style::dom::SendNode<style::gecko::wrapper::GeckoNode>>> /builds/worker/workspace/build/src/servo/components/style/parallel.rs:285
    #17 0x7f15b1d7827c in rayon_core::scope::{{impl}}::execute_job_closure::{{closure}}<closure,()> /builds/worker/workspace/build/src/third_party/rust/rayon-core/src/scope/mod.rs:354
    #18 0x7f15b1d7827c in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h14fa14fc07d1669a /checkout/src/libstd/panic.rs:296
    #19 0x7f15b1e31f5d in std::panicking::try::do_call::ha86e8aa17081757d /checkout/src/libstd/panicking.rs:480
    #20 0x7f15b24a721b in __rust_maybe_catch_panic /checkout/src/libpanic_abort/lib.rs:38

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:4449:3 in nsDocument::GetRootElementInternal() const
Thread T38 (StyleThread#1) created by T0 here:
    #0 0x4a5836 in __interceptor_pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:245:3
    #1 0x7f15b24a10c5 in std::sys::imp::thread::Thread::new::h2c6998a77a036aca /checkout/src/libstd/sys/unix/thread.rs:72
    #2 0x7f15b24421d3 in std::thread::Builder::spawn::hd6fb93dd89f2c79b /checkout/src/libstd/thread/mod.rs:404
    #3 0x7f15b243fc44 in rayon_core::registry::Registry::new::h882acea1c31456c8 /builds/worker/workspace/build/src/third_party/rust/rayon-core/src/registry.rs:145
    #4 0x7f15b2443de7 in rayon_core::thread_pool::ThreadPool::new::hdd08dfbae25f5c69 /builds/worker/workspace/build/src/third_party/rust/rayon-core/src/thread_pool/mod.rs:56
    #5 0x7f15b21e11d1 in style::gecko::global_style_data::{{impl}}::deref::__static_ref_initialize /builds/worker/workspace/build/src/servo/components/style/gecko/global_style_data.rs:100
    #6 0x7f15b21e11d1 in core::ops::function::FnOnce::call_once<fn() -> style::gecko::global_style_data::StyleThreadPool,()> /checkout/src/libcore/ops/function.rs:223
    #7 0x7f15b21e11d1 in lazy_static::lazy::{{impl}}::get::{{closure}}<style::gecko::global_style_data::StyleThreadPool,fn() -> style::gecko::global_style_data::StyleThreadPool> /builds/worker/workspace/build/src/third_party/rust/lazy_static-0.2.8/src/lazy.rs:23
    #8 0x7f15b21e11d1 in std::sync::once::Once::call_once::_$u7b$$u7b$closure$u7d$$u7d$::h92616637572425d4 /checkout/src/libstd/sync/once.rs:227
    #9 0x7f15b248e54c in std::sync::once::Once::call_inner::h0387785e5237c55d /checkout/src/libstd/sync/once.rs:307
    #10 0x7f15b21e08ff in std::sync::once::Once::call_once::h084a0318aef8ef32 /checkout/src/libstd/sync/once.rs:227
    #11 0x7f15b23d17f2 in lazy_static::lazy::{{impl}}::get<style::gecko::global_style_data::StyleThreadPool,fn() -> style::gecko::global_style_data::StyleThreadPool> /builds/worker/workspace/build/src/third_party/rust/lazy_static-0.2.8/src/lazy.rs:22
    #12 0x7f15b23d17f2 in style::gecko::global_style_data::{{impl}}::deref::__stability /builds/worker/workspace/build/src/obj-firefox/toolkit/library/gtest/rust/<__lazy_static_internal macros>:20
    #13 0x7f15b23d17f2 in _$LT$style..gecko..global_style_data..STYLE_THREAD_POOL$u20$as$u20$core..ops..deref..Deref$GT$::deref::h1a21ac69bdce8579 /builds/worker/workspace/build/src/obj-firefox/toolkit/library/gtest/rust/<__lazy_static_internal macros>:21
    #14 0x7f15b1ddb929 in geckoservo::glue::traverse_subtree::h185e3a4b911f53a6 /builds/worker/workspace/build/src/servo/ports/geckolib/glue.rs:263
    #15 0x7f15b1ddbd3f in Servo_TraverseSubtree /builds/worker/workspace/build/src/servo/ports/geckolib/glue.rs:309
    #16 0x7f15ad5c313a in mozilla::ServoStyleSet::StyleNewSubtree(mozilla::dom::Element*) /builds/worker/workspace/build/src/layout/style/ServoStyleSet.cpp:1059:5
    #17 0x7f15ad899154 in nsCSSFrameConstructor::GetAnonymousContent(nsIContent*, nsIFrame*, nsTArray<nsIAnonymousContentCreator::ContentInfo>&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4415:19
    #18 0x7f15ad8982c0 in nsCSSFrameConstructor::BeginBuildingScrollFrame(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, nsAtom*, bool, nsContainerFrame*&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4725:28
    #19 0x7f15ad89601a in nsCSSFrameConstructor::SetUpDocElementContainingBlock(nsIContent*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:3038:25
    #20 0x7f15ad893e32 in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*, nsILayoutHistoryState*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:2537:3
    #21 0x7f15ad8a9c1c in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsIContent*, nsILayoutHistoryState*, nsCSSFrameConstructor::InsertionKind, TreeMatchContext*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:8107:9
    #22 0x7f15ad8a8b43 in nsCSSFrameConstructor::ContentInserted(nsIContent*, nsIContent*, nsILayoutHistoryState*, nsCSSFrameConstructor::InsertionKind) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7980:3
    #23 0x7f15ad813cbd in mozilla::PresShell::Initialize(int, int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1783:26
    #24 0x7f15aa1a55ef in nsContentSink::StartLayout(bool) /builds/worker/workspace/build/src/dom/base/nsContentSink.cpp:1288:26
    #25 0x7f15a9493e21 in nsHtml5TreeOpExecutor::StartLayout(bool*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:665:18
    #26 0x7f15a9491d99 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOperation.cpp:1210:17
    #27 0x7f15a948fb27 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:492:29
    #28 0x7f15a9499324 in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:130:20
    #29 0x7f15a7b08cff in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #30 0x7f15a7b29910 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
    #31 0x7f15a86c6025 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #32 0x7f15a8618177 in MessageLoop::RunInternal() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #33 0x7f15a8618009 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299:3
    #34 0x7f15ad2aae1a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #35 0x7f15b04cefe1 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:288:30
    #36 0x7f15b0643b68 in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4675:22
    #37 0x7f15b064578a in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4837:8
    #38 0x7f15b06466b9 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4932:21
    #39 0x4ed558 in do_main(int, char**, char**) /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22
    #40 0x4ece7b in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304:16
Flags: in-testsuite?
The assertion was added for stylo in bug 1333183.
Emilio, could you please take a look?
Flags: needinfo?(emilio)
Blocks: 1333183
Has Regression Range: --- → yes
Priority: -- → P3
Version: 52 Branch → 54 Branch
I haven't been able to repro. Jason, any particular pref or tip? Can you repro on current trunk? Thanks!
Flags: needinfo?(emilio) → needinfo?(jkratzer)
I spoke with Emilio offline and provided him with the prefs that I used to originally reproduce the issue. Please raise an NI again if you still can't reproduce it.
Flags: needinfo?(jkratzer)
ni? to check again
Flags: needinfo?(emilio)
Still couldn't repro :(
Flags: needinfo?(emilio) → needinfo?(jkratzer)
(In reply to Emilio Cobos Álvarez [:emilio] from comment #5)
> Still couldn't repro :(

Neither can I now. This may have been fixed since initially reported?
Flags: needinfo?(jkratzer)
Yeah, that sounds likely... Oh well.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME
Actually, let's land the crashtest.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Pushed by ecoal95@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/25bc5a2fff2f
Enable webcomponents in the crashtest since it calls createShadowRoot. r=me
Pushed by ecoal95@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/91a4c7a72f31
Re-disable web-components in the crashtest for leaks, see bug 1416296. r=me on a CLOSED TREE
https://hg.mozilla.org/mozilla-central/rev/aca928db9dd6
https://hg.mozilla.org/mozilla-central/rev/25bc5a2fff2f
https://hg.mozilla.org/mozilla-central/rev/91a4c7a72f31
Status: REOPENED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
Component: DOM → DOM: Core & HTML