Closed Bug 1438326 Opened 2 years ago Closed 2 years ago

Intermittent dom/tests/mochitest/webcomponents/test_xul_custom_element.xul | application crashed [@ mozilla::UniquePtr<AutoTArray<RefPtr<mozilla::dom::Element>

Categories

(Core :: DOM: Core & HTML, defect, critical)

defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla60
Tracking Status
firefox-esr52 --- unaffected
firefox58 --- unaffected
firefox59 --- unaffected
firefox60 --- fixed

People

(Reporter: intermittent-bug-filer, Assigned: bzbarsky)

Details

(Keywords: crash, intermittent-failure, Whiteboard: [stockwell fixed:product])

Crash Data

Attachments

(1 file, 1 obsolete file)

Filed by: ccoroiu [at] mozilla.com

https://treeherder.mozilla.org/logviewer.html#?job_id=162191214&repo=autoland

https://queue.taskcluster.net/v1/task/PSvQItTaQIOdMjDQGOLCJQ/runs/0/artifacts/public/test_info//mochitest-chrome_errorsummary.log

[task 2018-02-14T19:28:17.075Z] 19:28:17     INFO -  mozcrash Copy/paste: /usr/local/bin/linux64-minidump_stackwalk /tmp/tmpAy5aGL/5b009bed-1348-21a1-d131-56325f95db08.dmp /builds/worker/workspace/build/symbols
[task 2018-02-14T19:28:27.717Z] 19:28:27     INFO -  mozcrash Saved minidump as /builds/worker/workspace/build/blobber_upload_dir/5b009bed-1348-21a1-d131-56325f95db08.dmp
[task 2018-02-14T19:28:27.718Z] 19:28:27     INFO -  mozcrash Saved app info as /builds/worker/workspace/build/blobber_upload_dir/5b009bed-1348-21a1-d131-56325f95db08.extra
[task 2018-02-14T19:28:27.718Z] 19:28:27  WARNING -  PROCESS-CRASH | dom/tests/mochitest/webcomponents/test_xul_custom_element.xul | application crashed [@ mozilla::UniquePtr<AutoTArray<RefPtr<mozilla::dom::Element>, 1>, mozilla::DefaultDelete<AutoTArray<RefPtr<mozilla::dom::Element>, 1> > >::operator-> + 0x20]
[task 2018-02-14T19:28:27.719Z] 19:28:27     INFO -  Crash dump filename: /tmp/tmpAy5aGL/5b009bed-1348-21a1-d131-56325f95db08.dmp
[task 2018-02-14T19:28:27.719Z] 19:28:27     INFO -  Operating system: Android
[task 2018-02-14T19:28:27.719Z] 19:28:27     INFO -                    0.0.0 Linux 2.6.29-gea477bb #1 Wed Sep 26 11:04:45 PDT 2012 armv7l
[task 2018-02-14T19:28:27.719Z] 19:28:27     INFO -  CPU: arm
[task 2018-02-14T19:28:27.720Z] 19:28:27     INFO -       ARMv7 ARM Cortex-A8 features: swp,half,thumb,fastmult,vfpv2,edsp,neon,vfpv3
[task 2018-02-14T19:28:27.720Z] 19:28:27     INFO -       1 CPU
[task 2018-02-14T19:28:27.720Z] 19:28:27     INFO -  GPU: UNKNOWN
[task 2018-02-14T19:28:27.720Z] 19:28:27     INFO -  Crash reason:  SIGSEGV
[task 2018-02-14T19:28:27.720Z] 19:28:27     INFO -  Crash address: 0x0
[task 2018-02-14T19:28:27.720Z] 19:28:27     INFO -  Process uptime: not available
[task 2018-02-14T19:28:27.720Z] 19:28:27     INFO -  Thread 11 (crashed)
[task 2018-02-14T19:28:27.721Z] 19:28:27     INFO -   0  libxul.so!mozilla::UniquePtr<AutoTArray<RefPtr<mozilla::dom::Element>, 1>, mozilla::DefaultDelete<AutoTArray<RefPtr<mozilla::dom::Element>, 1> > >::operator-> + 0x20
[task 2018-02-14T19:28:27.721Z] 19:28:27     INFO -       r0 = 0x00000000    r1 = 0x5b40510d    r2 = 0x56b41cfd    r3 = 0x00000140
[task 2018-02-14T19:28:27.721Z] 19:28:27     INFO -       r4 = 0x00000140    r5 = 0x00000000    r6 = 0x6532e378    r7 = 0x52be87d8
[task 2018-02-14T19:28:27.721Z] 19:28:27     INFO -       r8 = 0x00000000    r9 = 0x64d91800   r10 = 0x65c6c4c0   r12 = 0x00000003
[task 2018-02-14T19:28:27.722Z] 19:28:27     INFO -       fp = 0x00000001    sp = 0x52be87d0    lr = 0x533ab745    pc = 0x53e7144c
[task 2018-02-14T19:28:27.722Z] 19:28:27     INFO -      Found by: given as instruction pointer in context
[task 2018-02-14T19:28:27.723Z] 19:28:27     INFO -   1  libxul.so!mozilla::dom::CustomElementRegistry::CreateCustomElementCallback [CustomElementRegistry.cpp:2c081ff593c6ef33a5874c72381b2e35abc82d6d : 375 + 0x5]
[task 2018-02-14T19:28:27.723Z] 19:28:27     INFO -       r4 = 0x52be881c    r5 = 0x00000000    r6 = 0x6532e378    r7 = 0x52be8800
[task 2018-02-14T19:28:27.723Z] 19:28:27     INFO -       r8 = 0x00000000    r9 = 0x64d91800   r10 = 0x65c6c4c0    fp = 0x00000001
[task 2018-02-14T19:28:27.723Z] 19:28:27     INFO -       sp = 0x52be87e0    lr = 0x53e71eb1    pc = 0x53e71eb1
[task 2018-02-14T19:28:27.723Z] 19:28:27     INFO -      Found by: call frame info
[task 2018-02-14T19:28:27.723Z] 19:28:27     INFO -   2  libxul.so!mozilla::dom::CustomElementRegistry::EnqueueLifecycleCallback [CustomElementRegistry.cpp:2c081ff593c6ef33a5874c72381b2e35abc82d6d : 429 + 0xd]
[task 2018-02-14T19:28:27.723Z] 19:28:27     INFO -       r4 = 0x00000000    r5 = 0x6532e360    r6 = 0x00000001    r7 = 0x52be8838
[task 2018-02-14T19:28:27.723Z] 19:28:27     INFO -       r8 = 0x00000000    r9 = 0x64d91800   r10 = 0x65c6c4c0    fp = 0x00000001
[task 2018-02-14T19:28:27.724Z] 19:28:27     INFO -       sp = 0x52be8808    lr = 0x53e72073    pc = 0x53e72073
[task 2018-02-14T19:28:27.724Z] 19:28:27     INFO -      Found by: call frame info
[task 2018-02-14T19:28:27.724Z] 19:28:27     INFO -   3  libxul.so!mozilla::dom::Element::UnbindFromTree [Element.cpp:2c081ff593c6ef33a5874c72381b2e35abc82d6d : 2055 + 0xf]
[task 2018-02-14T19:28:27.725Z] 19:28:27     INFO -       r2 = 0x00000000    r3 = 0x6532e360    r4 = 0x00000001    r5 = 0x00000000
[task 2018-02-14T19:28:27.725Z] 19:28:27     INFO -       r6 = 0x00000000    r7 = 0x52be8888    r8 = 0x65c6c4c0    r9 = 0x64d91800
[task 2018-02-14T19:28:27.725Z] 19:28:27     INFO -      r10 = 0x00000001    fp = 0x00000001    sp = 0x52be8840    lr = 0x53e86943
[task 2018-02-14T19:28:27.725Z] 19:28:27     INFO -       pc = 0x53e86943
[task 2018-02-14T19:28:27.726Z] 19:28:27     INFO -      Found by: call frame info
[task 2018-02-14T19:28:27.726Z] 19:28:27     INFO -   4  libxul.so!nsXULElement::UnbindFromTree [nsXULElement.cpp:2c081ff593c6ef33a5874c72381b2e35abc82d6d : 823 + 0x9]
[task 2018-02-14T19:28:27.726Z] 19:28:27     INFO -       r4 = 0x6532c380    r5 = 0x00000000    r6 = 0x65c6c4c0    r7 = 0x52be88b8
[task 2018-02-14T19:28:27.726Z] 19:28:27     INFO -       r8 = 0x52be8894    r9 = 0x00000001   r10 = 0x00000000    fp = 0x00000001
[task 2018-02-14T19:28:27.727Z] 19:28:27     INFO -       sp = 0x52be8890    lr = 0x54a2876b    pc = 0x54a2876b
[task 2018-02-14T19:28:27.727Z] 19:28:27     INFO -      Found by: call frame info
[task 2018-02-14T19:28:27.727Z] 19:28:27     INFO -   5  libxul.so!mozilla::dom::FragmentOrElement::cycleCollection::Unlink [FragmentOrElement.cpp:2c081ff593c6ef33a5874c72381b2e35abc82d6d : 1439 + 0xb]
[task 2018-02-14T19:28:27.727Z] 19:28:27     INFO -       r4 = 0x52be88c4    r5 = 0x52be88c0    r6 = 0x00000004    r7 = 0x52be88e8
[task 2018-02-14T19:28:27.728Z] 19:28:27     INFO -       r8 = 0x651b41d8    r9 = 0x651b41a0   r10 = 0x00000000    fp = 0x0000bde1
[task 2018-02-14T19:28:27.728Z] 19:28:27     INFO -       sp = 0x52be88c0    lr = 0x53e96197    pc = 0x53e96197
[task 2018-02-14T19:28:27.728Z] 19:28:27     INFO -      Found by: call frame info
So the basic failure here is:

1) We're under FragmentOrElement::cycleCollection::Unlink
2) We call UnbindFromTree on our kids.
3) Our kids try to EnqueueLifecycleCallback 
4) This tries to touch aDefinition->mCallbacks->stuff in
   CustomElementRegistry::CreateCustomElementCallback which crashes because aDefinition has
   been unlinked, so aDefinition->mCallbacks is null.

OK, so why are we trying to EnqueueLifecycleCallback in UnbindFromTree?  This is the eDisconnected callback.  It's supposed to only happen when unbinding from the document, which should happen way before we manage to unlink.  The problem is that we condition on "document" and it's set to:

  nsIDocument* document =
    HasFlag(NODE_FORCE_XBL_BINDINGS) ? OwnerDoc() : GetComposedDoc();

which means it might be non-null even when we're unbound from the document already.
Assignee: nobody → bzbarsky
MozReview-Commit-ID: FLf6CJcpcVQ
Attachment #8954947 - Flags: review?(bugs)
(In reply to Boris Zbarsky [:bz] (no decent commit message means r-) from comment #3)

> OK, so why are we trying to EnqueueLifecycleCallback in UnbindFromTree? 
> This is the eDisconnected callback.  It's supposed to only happen when
> unbinding from the document, which should happen way before we manage to
> unlink.
How so. We do deconstruct document by unbinding it during unlink.
But we do have a flag to tell whether we're actually unlinking
Comment on attachment 8954947 [details] [diff] [review]
Don't try to enqueue custom element callbacks when unlinking elements

I'm having hard time to see why this would fix the issue in all the cases. If we're unlinking document, GetComposedDoc() does still return non-null, but we may have unlinked other stuff in CC graph already (since the ordering isn't guaranteed)
Attachment #8954947 - Flags: review?(bugs) → review-
OK, that's fair.  I guess we should just add a null-check here for now.
Attachment #8954947 - Attachment is obsolete: true
Attachment #8955185 - Flags: review?(bugs) → review+
Pushed by bzbarsky@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/f9d520b575f1
Don't try to enqueue custom element callbacks when the custom element definition has been unlinked.  r=smaug
https://hg.mozilla.org/mozilla-central/rev/f9d520b575f1
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
Whiteboard: [stockwell needswork:owner] → [stockwell fixed:product]
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.