Closed Bug 1450121 Opened 7 years ago Closed 6 years ago

Crash in static bool style::gecko_bindings::structs::root::mozilla::ServoElementSnapshot::attr_matches

Categories

(Core :: CSS Parsing and Computation, defect, P5)

Product:
Core
Component:
CSS Parsing and Computation
Platform:
Unspecified
Windows 10
Type:
defect

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: mccr8, Unassigned)

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is report bp-39e8a749-50a8-44ea-aa3c-5ab590180329. ============================================================= Top 10 frames of crashing thread: 0 xul.dll static bool style::gecko_bindings::structs::root::mozilla::ServoElementSnapshot::attr_matches servo/components/style/gecko/snapshot.rs:134 1 xul.dll static bool selectors::matching::matches_simple_selector<style::invalidation::element::element_wrapper::ElementWrapper<style::gecko::wrapper::GeckoElement>, closure> servo/components/selectors/matching.rs:760 2 xul.dll static selectors::matching::SelectorMatchingResult selectors::matching::matches_complex_selector_internal<style::invalidation::element::element_wrapper::ElementWrapper<style::gecko::wrapper::GeckoElement>, closure> servo/components/selectors/matching.rs:493 3 xul.dll static bool style::invalidation::element::state_and_attributes::Collector<style::gecko::wrapper::GeckoElement>::check_dependency<style::gecko::wrapper::GeckoElement> servo/components/style/invalidation/element/state_and_attributes.rs:466 4 xul.dll static void style::invalidation::element::state_and_attributes::Collector<style::gecko::wrapper::GeckoElement>::scan_dependency<style::gecko::wrapper::GeckoElement> servo/components/style/invalidation/element/state_and_attributes.rs:494 5 xul.dll static void style::invalidation::element::state_and_attributes::Collector<style::gecko::wrapper::GeckoElement>::collect_dependencies_in_invalidation_map<style::gecko::wrapper::GeckoElement> servo/components/style/invalidation/element/state_and_attributes.rs:370 6 xul.dll static struct style::invalidation::element::invalidator::InvalidationResult style::data::ElementData::invalidate_style_if_needed<style::gecko::wrapper::GeckoElement> servo/components/style/data.rs:284 7 xul.dll static void geckoservo::glue::traverse_subtree servo/ports/geckolib/glue.rs:286 8 xul.dll bool geckoservo::glue::Servo_TraverseSubtree servo/ports/geckolib/glue.rs:345 9 xul.dll mozilla::ServoStyleSet::StyleDocument layout/style/ServoStyleSet.cpp:1046 ============================================================= There are about 10 crashes, all from the same installation. One of them has a comment that says "Firefox crashing when I clicking on th Show Sidebar button, I also use Firefox Pilot + Note extensions."
Any ideas, Emilio? The URL https://renewcanceltv.com/category/renewed/ shows up a few times, but I wasn't able to reproduce a crash by going there in Nightly.
Flags: needinfo?(emilio)
I have no idea what EXCEPTION_PRIV_INSTRUCTION is... Maybe Rust not playing well with amd64? But it'd be unlikely that it's just this particular user...
Flags: needinfo?(emilio)
Given some code in our codebase[1][2], this is probably that we are hitting some privilege instruction (while we are in non-privileged mode for sure). It's worth investigating what the instruction is, and if that is really a privilege instruction, that's likely a rust compiler codegen bug... [1] https://searchfox.org/mozilla-central/rev/57bbc1ac58816dc054df242948f3ecf75e12df5f/toolkit/crashreporter/google-breakpad/src/processor/minidump_processor.cc#1174-1176 [2] https://searchfox.org/mozilla-central/rev/57bbc1ac58816dc054df242948f3ecf75e12df5f/third_party/rust/winapi/src/um/minwinbase.rs#308
dmajor, could you help checking what the instruction is here?
Flags: needinfo?(dmajor)
If you have crash access you can just open the minidump in a debugger and it will show you the crashing instruction, much easier than waiting for me. Or you can follow these steps which is what I do without crash access: - Go to the Raw Dump tab in the crash report - Find "module_offset": "0x3b5d82" - Find the BuildID and get the .zip from archive.mo - Open xul.dll in a debugger - Dump the instruction at this module_offset: `u xul+0x3b5d82` 0:000> u xul+0x3b5d82 xul!style::gecko_bindings::structs::root::mozilla::ServoElementSnapshot::attr_matches+0x122 [z:\build\build\src\servo\components\style\gecko\snapshot.rs @ 134]: 00000001`803b5d82 ee out dx,al This `out` instruction wouldn't be generated by our compilers. It's probably garbage from not being on an intended instruction boundary. Scanning around rip a bit, this was probably the intended code: 0:000> u xul+0x3b5d82-1 xul!style::gecko_bindings::structs::root::mozilla::ServoElementSnapshot::attr_matches+0x121 [z:\build\build\src\servo\components\style\gecko\snapshot.rs @ 134]: 00000001`803b5d81 e8ee013c02 call xul!Gecko_SnapshotAttrHasSuffix (00000001`82775f74) 00000001`803b5d86 90 nop 00000001`803b5d87 4883c430 add rsp,30h 00000001`803b5d8b 5d pop rbp 00000001`803b5d8c c3 ret
Flags: needinfo?(dmajor)
Thanks for the analysis. So we are jumping to some weird position... Looking at the crash reports, it seems all 17 reports yet are all from a single install, so it's possible that just the binary is somehow broken...
Not much to do here for now then.
Priority: -- → P5
Closing because no crashes reported for 12 weeks.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.