Open Bug 1461974 Opened 3 years ago Updated 2 years ago

Crash [@ core::sync::atomic::atomic_add::h30529863e93f4cce]

Categories

(Core :: Layout, defect)

59 Branch
defect
Not set
critical

People

(Reporter: jkratzer, Assigned: emilio)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(2 files)

Attached file trigger.html
Testcase found while fuzzing mozilla-central rev 3c9d69736f4a421218e5eb01b6571d535d38318a.

==25081==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe48d197014 bp 0x7ffeafa31730 sp 0x7ffeafa31000 T0)
==25081==The signal is caused by a WRITE memory access.
==25081==Hint: address points to the zero page.
    #0 0x7fe48d197013 in core::sync::atomic::atomic_add::h30529863e93f4cce /checkout/src/libcore/sync/atomic.rs:1515
    #1 0x7fe48d197013 in core::sync::atomic::AtomicUsize::fetch_add::hc7a56cc6eb9e4e75 /checkout/src/libcore/sync/atomic.rs:1284
    #2 0x7fe48d197013 in atomic_refcell::AtomicBorrowRef::new::h9d574a4d93839cd7 /builds/worker/workspace/build/src/third_party/rust/atomic_refcell/src/lib.rs:125
    #3 0x7fe48d197013 in _$LT$atomic_refcell..AtomicRefCell$LT$T$GT$$GT$::borrow::h3b1d230fa4173aff /builds/worker/workspace/build/src/third_party/rust/atomic_refcell/src/lib.rs:88
    #4 0x7fe48d197013 in style::gecko::data::PerDocumentStyleData::borrow::h965ad54112d8b379 /builds/worker/workspace/build/src/servo/components/style/gecko/data.rs:153
    #5 0x7fe48d197013 in Servo_StyleSet_ResolveForDeclarations /builds/worker/workspace/build/src/servo/ports/geckolib/glue.rs:5004
    #6 0x7fe4873e8f92 in mozilla::ServoStyleSet::ResolveForDeclarations(mozilla::ComputedStyle const*, RawServoDeclarationBlock const*) /builds/worker/workspace/build/src/layout/style/ServoStyleSet.cpp:1443:10
    #7 0x7fe484d21bd3 in mozilla::dom::GetFontStyleForServo(mozilla::dom::Element*, nsTSubstring<char16_t> const&, nsIPresShell*, nsTSubstring<char16_t>&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContext2D.cpp:2716:7
    #8 0x7fe484d215dc in mozilla::dom::CanvasRenderingContext2D::ParseFilter(nsTSubstring<char16_t> const&, nsTArray<nsStyleFilter>&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContext2D.cpp:2791:5
    #9 0x7fe484d21e51 in mozilla::dom::CanvasRenderingContext2D::SetFilter(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContext2D.cpp:2819:7
    #10 0x7fe483a78689 in mozilla::dom::CanvasRenderingContext2DBinding::set_filter(JSContext*, JS::Handle<JSObject*>, mozilla::dom::CanvasRenderingContext2D*, JSJitSetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/CanvasRenderingContext2DBinding.cpp:3714:9
    #11 0x7fe484c20f93 in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3204:8
    #12 0x7fe48b4d5847 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:280:15
    #13 0x7fe48b4d5847 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
    #14 0x7fe48b4d8476 in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:516:12
    #15 0x7fe48b4d8476 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535
    #16 0x7fe48b4d8476 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:664
    #17 0x7fe48c49448c in SetExistingProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2722:10
    #18 0x7fe48c48c24b in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2750:20
    #19 0x7fe48b4b7ea5 in SetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1689:12
    #20 0x7fe48b4b7ea5 in SetPropertyOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:264
    #21 0x7fe48b4b7ea5 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2881
    #22 0x7fe48b4a6803 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
    #23 0x7fe48b4d55c5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
    #24 0x7fe48b4d6842 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10
    #25 0x7fe48c018afa in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2989:12
    #26 0x7fe4843d0c25 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:51:8
    #27 0x7fe48535268e in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #28 0x7fe48535268e in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1121
    #29 0x7fe485353e1b in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1291:20
    #30 0x7fe48533ddcf in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:482:12
    #31 0x7fe485341f23 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:961:9
    #32 0x7fe48534445b in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp
    #33 0x7fe482808ef8 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1077:5
    #34 0x7fe485362c83 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /builds/worker/workspace/build/src/dom/events/EventTarget.cpp:204:13
    #35 0x7fe4852ddcbc in mozilla::AsyncEventDispatcher::Run() /builds/worker/workspace/build/src/dom/events/AsyncEventDispatcher.cpp:68:12
    #36 0x7fe48236a9ff in nsContentUtils::RemoveScriptBlocker() /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5625:15
    #37 0x7fe4827390f2 in nsDocument::EndUpdate() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5042:3
    #38 0x7fe4857380ec in nsHTMLDocument::EndUpdate() /builds/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:2103:15
    #39 0x7fe48254f02a in ~mozAutoDocUpdate /builds/worker/workspace/build/src/dom/base/mozAutoDocUpdate.h:37:18
    #40 0x7fe48254f02a in mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) /builds/worker/workspace/build/src/dom/base/Element.cpp:2546
    #41 0x7fe4826c50b7 in SetAttr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:838:12
    #42 0x7fe4826c50b7 in nsDOMAttributeMap::SetNamedItemNS(mozilla::dom::Attr&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsDOMAttributeMap.cpp:282
    #43 0x7fe484506e40 in mozilla::dom::ElementBinding::setAttributeNode(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/ElementBinding.cpp:2317:56
    #44 0x7fe484c23891 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3260:13
    #45 0x7fe48b4d5847 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:280:15
    #46 0x7fe48b4d5847 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
    #47 0x7fe48b4c0040 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
    #48 0x7fe48b4c0040 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3086
    #49 0x7fe48b4a6803 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
    #50 0x7fe48b4d55c5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
    #51 0x7fe48b4d6842 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10
    #52 0x7fe48c018afa in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2989:12
    #53 0x7fe4843d0c25 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:51:8
    #54 0x7fe48535268e in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #55 0x7fe48535268e in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1121
    #56 0x7fe485353e1b in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1291:20
    #57 0x7fe48533ddcf in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:482:12
    #58 0x7fe485341f23 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:961:9
    #59 0x7fe48534445b in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp
    #60 0x7fe482808ef8 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1077:5
    #61 0x7fe485362c83 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /builds/worker/workspace/build/src/dom/events/EventTarget.cpp:204:13
    #62 0x7fe4852ddcbc in mozilla::AsyncEventDispatcher::Run() /builds/worker/workspace/build/src/dom/events/AsyncEventDispatcher.cpp:68:12
    #63 0x7fe48236a9ff in nsContentUtils::RemoveScriptBlocker() /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5625:15
    #64 0x7fe4827390f2 in nsDocument::EndUpdate() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5042:3
    #65 0x7fe4857380ec in nsHTMLDocument::EndUpdate() /builds/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:2103:15
    #66 0x7fe48745932d in ~mozAutoDocConditionalContentUpdateBatch /builds/worker/workspace/build/src/dom/base/mozAutoDocUpdate.h:78:18
    #67 0x7fe48745932d in ModifyDeclaration<(lambda at /builds/worker/workspace/build/src/layout/style/nsDOMCSSDeclaration.cpp:289:5)> /builds/worker/workspace/build/src/layout/style/nsDOMCSSDeclaration.cpp:279
    #68 0x7fe48745932d in nsDOMCSSDeclaration::ParsePropertyValue(nsCSSPropertyID, nsTSubstring<char16_t> const&, bool, nsIPrincipal*) /builds/worker/workspace/build/src/layout/style/nsDOMCSSDeclaration.cpp:287
    #69 0x7fe482cda69f in SetMargin /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ServoCSSPropList.h:418:1
    #70 0x7fe482cda69f in mozilla::dom::CSS2PropertiesBinding::set_margin(JSContext*, JS::Handle<JSObject*>, nsDOMCSSDeclaration*, JSJitSetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/CSS2PropertiesBinding.cpp:31017
    #71 0x7fe484c20f93 in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3204:8
    #72 0x7fe48b4d5847 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:280:15
    #73 0x7fe48b4d5847 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
    #74 0x7fe48b4d8476 in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:516:12
    #75 0x7fe48b4d8476 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535
    #76 0x7fe48b4d8476 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:664
    #77 0x7fe48c49448c in SetExistingProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2722:10
    #78 0x7fe48c48c24b in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2750:20
    #79 0x7fe48c0baf30 in SetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1689:12
    #80 0x7fe48c0baf30 in js::SetPropertyIgnoringNamedGetter(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyDescriptor>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/proxy/BaseProxyHandler.cpp:182
    #81 0x7fe484c484d5 in mozilla::dom::DOMProxyHandler::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) const /builds/worker/workspace/build/src/dom/bindings/DOMJSProxyHandler.cpp:220:10
    #82 0x7fe48c0d6385 in setInternal /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:403:21
    #83 0x7fe48c0d6385 in js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:413
    #84 0x7fe48b4b7e82 in SetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1688:16
    #85 0x7fe48b4b7e82 in SetPropertyOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:264
    #86 0x7fe48b4b7e82 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2881
    #87 0x7fe48b4a6803 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
    #88 0x7fe48b4d55c5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
    #89 0x7fe48b4d6842 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10
    #90 0x7fe48c018afa in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2989:12
    #91 0x7fe4843d0c25 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:51:8
    #92 0x7fe48535268e in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #93 0x7fe48535268e in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1121
    #94 0x7fe485353e1b in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1291:20
    #95 0x7fe48533e127 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:528:16
    #96 0x7fe485341f23 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:961:9
    #97 0x7fe4876269f8 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1060:7
    #98 0x7fe48a783112 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7171:21
    #99 0x7fe48a77f539 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6964:7
    #100 0x7fe48a786d3f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #101 0x7fe48137edc7 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1313:3
    #102 0x7fe48137de4a in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:856:14
    #103 0x7fe48137aa28 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:745:9
    #104 0x7fe48137c9ec in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:631:5
    #105 0x7fe48137da0c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
    #106 0x7fe47f7389ca in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:629:28
    #107 0x7fe48275b3fa in DoUnblockOnload /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8340:18
    #108 0x7fe48275b3fa in nsDocument::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8262
    #109 0x7fe486a1b409 in nsBindingManager::DoProcessAttachedQueue() /builds/worker/workspace/build/src/dom/xbl/nsBindingManager.cpp:414:10
    #110 0x7fe486a7e484 in applyImpl<nsBindingManager, void (nsBindingManager::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1165:12
    #111 0x7fe486a7e484 in apply<nsBindingManager, void (nsBindingManager::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1171
    #112 0x7fe486a7e484 in mozilla::detail::RunnableMethodImpl<nsBindingManager*, void (nsBindingManager::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1216
    #113 0x7fe47f530771 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #114 0x7fe47f54f096 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1090:14
    #115 0x7fe47f56afd0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #116 0x7fe48044b21a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #117 0x7fe48039e8a9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #118 0x7fe48039e8a9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #119 0x7fe48039e8a9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #120 0x7fe486fa04da in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #121 0x7fe48b1ed68b in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #122 0x7fe48039e8a9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #123 0x7fe48039e8a9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #124 0x7fe48039e8a9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #125 0x7fe48b1ed050 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #126 0x4f50dc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #127 0x4f50dc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:282
    #128 0x7fe49f2be82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
Flags: in-testsuite?
I can't repro; is there anything in particular from your setup that's needed to reproduce this?
Flags: needinfo?(jkratzer)
Ah, yes.  I forgot to mention that you need to serve the testcase via a local webserver in order to reproduce.
Flags: needinfo?(jkratzer)
I needed to also window.open the url, but with that I managed to crash the tab. Thank you!
Flags: needinfo?(emilio)
Assignee: nobody → emilio
Flags: needinfo?(emilio)
Comment on attachment 8976160 [details]
Bug 1461974: Account for ongoing shell destruction on both code paths.

https://reviewboard.mozilla.org/r/244360/#review250548

This change makes sense to me. But I still don't understand where the pres shell started being destroyed.

If the pres shell has already started being destroyed before we call GetFontStyleForServo (e.g. in ParseFilter), should we check IsDestroying() there instead? (Or should we return nullptr in GetPresShell() in that case?)

Also we should land the test case along with the fix (we can write a crash test with the window.open hack?)
(In reply to Hiroyuki Ikezoe (:hiro) from comment #5)
> Comment on attachment 8976160 [details]
> Bug 1461974: Account for ongoing shell destruction on both code paths.
> 
> https://reviewboard.mozilla.org/r/244360/#review250548
> 
> This change makes sense to me. But I still don't understand where the pres
> shell started being destroyed.
> 
> If the pres shell has already started being destroyed before we call
> GetFontStyleForServo (e.g. in ParseFilter), should we check IsDestroying()
> there instead? (Or should we return nullptr in GetPresShell() in that case?)

Yes, it's already being destroyed there.

I'm not sure it's totally worth doing that, given that otherwise we'd also need to add the check to SetFont etc. If you prefer that, I can though.

> Also we should land the test case along with the fix (we can write a crash
> test with the window.open hack?)

I can try...
Component: Canvas: 2D → Layout