1462401 - Assertion failure: aElement->HasServoData() (Element without Servo data on a post-traversal? How?), at src/layout/base/RestyleManager.cpp:2597

Status: RESOLVED WORKSFORME

(Core :: CSS Parsing and Computation, defect, P3)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found with m-c:
BuildID=20180515095353
SourceStamp=cf3ee14023483cbbb57129479537c713e22c1980

Assertion failure: aElement->HasServoData() (Element without Servo data on a post-traversal? How?), at src/layout/base/RestyleManager.cpp:2597

#0 mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ComputedStyle*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) src/layout/base/RestyleManager.cpp:2596:3
#1 mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ComputedStyle*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) src/layout/base/RestyleManager.cpp:2777:32
#2 mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ComputedStyle*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) src/layout/base/RestyleManager.cpp:2777:32
#3 mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ComputedStyle*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) src/layout/base/RestyleManager.cpp:2777:32
#4 mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ComputedStyle*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) src/layout/base/RestyleManager.cpp:2777:32
#5 mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) src/layout/base/RestyleManager.cpp:2984:28
#6 FlushThrottledStyles(nsIDocument*, void*) src/layout/base/PresShell.cpp:6668:38
#7 mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) src/layout/base/PresShell.cpp:6932:9
#8 nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) src/view/nsViewManager.cpp:812:14
#9 nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) src/view/nsView.cpp:1141:9
#10 mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) src/widget/PuppetWidget.cpp:410:35
#11 mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) src/gfx/layers/apz/util/APZCCallbackHelper.cpp:500:21
#12 mozilla::dom::TabChild::HandleRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) src/dom/ipc/TabChild.cpp:1739:3
#13 mozilla::dom::TabChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) src/dom/ipc/TabChild.cpp:1706:3
#14 mozilla::dom::TabChild::RecvSynthMouseMoveEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) src/dom/ipc/TabChild.cpp:1667:8
#15 mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:3535:20
#16 mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PContentChild.cpp:5316:28
#17 mozilla::dom::ContentChild::OnMessageReceived(IPC::Message const&) src/dom/ipc/ContentChild.cpp:3787:25
#18 mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2136:25
#19 mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2066:17
#20 mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1912:5
#21 mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1945:15
#22 mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
#23 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1090:14
#24 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
#25 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
#26 MessageLoop::RunInternal() src/ipc/chromiumsrc/base/message_loop.cc:326:10
#27 MessageLoop::Run() src/ipc/chromiumsrc/base/message_loop.cc:299:3
#28 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
#29 XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:893:22
#30 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:269:9
#31 MessageLoop::RunInternal() src/ipc/chromiumsrc/base/message_loop.cc:326:10
#32 MessageLoop::Run() src/ipc/chromiumsrc/base/message_loop.cc:299:3
#33 XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:719:34
#34 content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#35 main src/browser/app/nsBrowserApp.cpp:282:18
#36 __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#37 _start (firefox+0x423444)

Comment 1

[Tyson Smith [:tsmith]]

Here is a log from a m-c ASan opt build:

==127344==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f9fdc7d2237 bp 0x7ffe043afad0 sp 0x7ffe043af740 T0)
==127344==The signal is caused by a WRITE memory access.
==127344==Hint: address points to the zero page.
    #0 0x7f9fdc7d2236 in WritePoisonAtOffset<4> src/obj-firefox/dist/include/mozilla/Maybe.h:44:5
    #1 0x7f9fdc7d2236 in poison src/obj-firefox/dist/include/mozilla/Maybe.h:54
    #2 0x7f9fdc7d2236 in poison src/obj-firefox/dist/include/mozilla/Maybe.h:55
    #3 0x7f9fdc7d2236 in poison src/obj-firefox/dist/include/mozilla/Maybe.h:55
    #4 0x7f9fdc7d2236 in poison src/obj-firefox/dist/include/mozilla/Maybe.h:55
    #5 0x7f9fdc7d2236 in poison src/obj-firefox/dist/include/mozilla/Maybe.h:55
    #6 0x7f9fdc7d2236 in PoisonObject<mozilla::ServoRestyleState> src/obj-firefox/dist/include/mozilla/Maybe.h:85
    #7 0x7f9fdc7d2236 in poison src/obj-firefox/dist/include/mozilla/Maybe.h:99
    #8 0x7f9fdc7d2236 in poisonData src/obj-firefox/dist/include/mozilla/Maybe.h:179
    #9 0x7f9fdc7d2236 in reset src/obj-firefox/dist/include/mozilla/Maybe.h:538
    #10 0x7f9fdc7d2236 in ~Maybe src/obj-firefox/dist/include/mozilla/Maybe.h:188
    #11 0x7f9fdc7d2236 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ComputedStyle*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) src/layout/base/RestyleManager.cpp:2831
    #12 0x7f9fdc7d0fd6 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ComputedStyle*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) src/layout/base/RestyleManager.cpp:2777:32
    #13 0x7f9fdc7d0fd6 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ComputedStyle*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) src/layout/base/RestyleManager.cpp:2777:32
    #14 0x7f9fdc7d0fd6 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ComputedStyle*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) src/layout/base/RestyleManager.cpp:2777:32
    #15 0x7f9fdc7d0fd6 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ComputedStyle*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) src/layout/base/RestyleManager.cpp:2777:32
    #16 0x7f9fdc7d3ea4 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) src/layout/base/RestyleManager.cpp:2984:28
    #17 0x7f9fdc78bfbd in ProcessPendingRestyles src/layout/base/RestyleManager.cpp:3078:3
    #18 0x7f9fdc78bfbd in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4315
    #19 0x7f9fd790b1e5 in FlushPendingNotifications src/obj-firefox/dist/include/nsIPresShell.h:582:5
    #20 0x7f9fd790b1e5 in mozilla::dom::Selection::ScrollIntoView(short, nsIPresShell::ScrollAxis, nsIPresShell::ScrollAxis, int) src/dom/base/Selection.cpp:3301
    #21 0x7f9fd7915d43 in mozilla::dom::Selection::ScrollSelectionIntoViewEvent::Run() src/dom/base/Selection.cpp:3226:15
    #22 0x7f9fdc71a896 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:1866:13
    #23 0x7f9fdc72b520 in TickDriver src/layout/base/nsRefreshDriver.cpp:337:13
    #24 0x7f9fdc72b520 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:307
    #25 0x7f9fdc72b0e6 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:329:5
    #26 0x7f9fdc72de5e in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:770:5
    #27 0x7f9fdc72de5e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:683
    #28 0x7f9fdc72da5e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:584:9
    #29 0x7f9fdcfd3d9f in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) src/layout/ipc/VsyncChild.cpp:68:16
    #30 0x7f9fd5e01854 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #31 0x7f9fd5cd9763 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1988:28
    #32 0x7f9fd584978e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2136:25
    #33 0x7f9fd5846756 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2066:17
    #34 0x7f9fd5847f0c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1912:5
    #35 0x7f9fd5848568 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1945:15
    #36 0x7f9fd4958113 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1090:14
    #37 0x7f9fd4973ce0 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #38 0x7f9fd5851416 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:125:5
    #39 0x7f9fd57a5ec9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #40 0x7f9fd57a5ec9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #41 0x7f9fd57a5ec9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #42 0x7f9fdc1ceefa in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
    #43 0x7f9fe0436e4b in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #44 0x7f9fd57a5ec9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #45 0x7f9fd57a5ec9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #46 0x7f9fd57a5ec9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #47 0x7f9fe0436810 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #48 0x4f1875 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #49 0x4f1875 in main src/browser/app/nsBrowserApp.cpp:282
    #50 0x7f9ff405e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #51 0x420f48 in _start (firefox+0x420f48)

Comment 2

[Emilio Cobos Álvarez (:emilio)]

Whohoo! Thanks for finding a test-case for this!

Comment 3

[Emilio Cobos Álvarez (:emilio)]

Alright, so this is because of the XBL optimization where we don't style the children:

  https://searchfox.org/mozilla-central/rev/da499aac682d0bbda5829327b60a865cbc491611/servo/components/style/traversal.rs#283

Which I never liked, but which I re-introduced in bug 1420496 to fix a stylo-chrome perf issue.

The annoying bit is that we insert the <marquee> in a leaf frame, and thus we never construct frames for it, nor load the XBL bindings, nor style its children.

That violates invariants, and we just need to get into a post-traversal in that subtree somehow without Servo styling it (which is actually non-trivial, I'm trying to reduce it) for the assertion to fire.

Comment 4

[Emilio Cobos Álvarez (:emilio)]

Any ideas here cam? I can't think of anything that isn't a wallpaper, removing the optimization, or a hack... I'd go with removing the optimization but...

Comment 7

[Cameron McCormack (:heycam)]

(In reply to Emilio Cobos Álvarez [:emilio] from comment #3)
> The annoying bit is that we insert the <marquee> in a leaf frame, and thus
> we never construct frames for it, nor load the XBL bindings, nor style its
> children.
> 
> That violates invariants, and we just need to get into a post-traversal in
> that subtree somehow without Servo styling it (which is actually
> non-trivial, I'm trying to reduce it) for the assertion to fire.

Is there a way we can easily know that we won't go ahead and construct frames for the element-with-the-binding, and skip the optimization in that case?  Probably not.  Or can we have the element whose descendants we skip styling be noted somewhere (inserted into some table off a post-traversal task? or can we set the dirty descendants bits at this point?) so that we can ensure it gets styled?

Would rather that than a hack that e.g. skips the assertion / post-traversal work for elements with bindings and no frame, or which styles them then and there, if we come across them during the post-traversal.

Comment 8

[Emilio Cobos Álvarez (:emilio)]

(In reply to Cameron McCormack (:heycam) from comment #7)
> (In reply to Emilio Cobos Álvarez [:emilio] from comment #3)
> > The annoying bit is that we insert the <marquee> in a leaf frame, and thus
> > we never construct frames for it, nor load the XBL bindings, nor style its
> > children.
> > 
> > That violates invariants, and we just need to get into a post-traversal in
> > that subtree somehow without Servo styling it (which is actually
> > non-trivial, I'm trying to reduce it) for the assertion to fire.
> 
> Is there a way we can easily know that we won't go ahead and construct
> frames for the element-with-the-binding, and skip the optimization in that
> case?  Probably not.

Not really.

> Or can we have the element whose descendants we skip
> styling be noted somewhere (inserted into some table off a post-traversal
> task? or can we set the dirty descendants bits at this point?) so that we
> can ensure it gets styled?

Post-traversal tasks don't run after frame construction, and I'd rather don't do the hack of passing around those up... Feels really hacky.

> Would rather that than a hack that e.g. skips the assertion / post-traversal
> work for elements with bindings and no frame, or which styles them then and
> there, if we come across them during the post-traversal.

A wallpaper in the post-traversal seems better than the hacks above to me, but still not great.

Comment 9

[Intermittent Failures Robot]

1 failures in 632 pushes (0.002 failures/push) were associated with this bug in the last 7 days.    

Repository breakdown:
* mozilla-inbound: 1

Platform breakdown:
* osx-10-10: 1

For more details, see:
https://treeherder.mozilla.org/intermittent-failures.html#/bugdetails?bug=1462401&startday=2018-05-21&endday=2018-05-27&tree=trunk

Comment 10

[Liz Henry (:lizzard) (relman/hg->git project)]

Cam, Emilio, are either of you working on this or waiting for feedback? Looks like bug 1458556 depends on what you decide for this bug.

Comment 11

[Emilio Cobos Álvarez (:emilio)]

This crash is the result of the diagnostic assertion added in bug 1458556, so they're both the same bug.

I'm still thinking about what the best way to fix this is, but I can wallpaper it you think it's worth it.

Comment 12

[Intermittent Failures Robot]

3 failures in 655 pushes (0.005 failures/push) were associated with this bug in the last 7 days.    

Repository breakdown:
* autoland: 3

Platform breakdown:
* osx-10-10: 2
* windows10-64: 1

For more details, see:
https://treeherder.mozilla.org/intermittent-failures.html#/bugdetails?bug=1462401&startday=2018-05-28&endday=2018-06-03&tree=trunk

Comment 13

[Intermittent Failures Robot]

2 failures in 669 pushes (0.003 failures/push) were associated with this bug in the last 7 days.    

Repository breakdown:
* try: 1
* autoland: 1

Platform breakdown:
* linux64-qr: 2

For more details, see:
https://treeherder.mozilla.org/intermittent-failures.html#/bugdetails?bug=1462401&startday=2018-06-04&endday=2018-06-10&tree=trunk

Comment 14

[Intermittent Failures Robot]

1 failures in 408 pushes (0.002 failures/push) were associated with this bug in the last 7 days.    

Repository breakdown:
* mozilla-inbound: 1

Platform breakdown:
* linux64-qr: 1

For more details, see:
https://treeherder.mozilla.org/intermittent-failures.html#/bugdetails?bug=1462401&startday=2018-06-11&endday=2018-06-17&tree=trunk

Comment 15

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Comment 16

[Intermittent Failures Robot]

1 failures in 3007 pushes (0.0 failures/push) were associated with this bug in the last 7 days.

Repository breakdown:
* mozilla-inbound: 1

Platform breakdown:
* android-em-4-3-armv7-api16: 1

For more details, see:
https://treeherder.mozilla.org/intermittent-failures.html#/bugdetails?bug=1462401&startday=2018-11-05&endday=2018-11-11&tree=all

Comment 17

[Intermittent Failures Robot]

1 failures in 2627 pushes (0.0 failures/push) were associated with this bug in the last 7 days.

Repository breakdown:

• autoland: 1

Platform breakdown:

• linux64: 1

For more details, see:
https://treeherder.mozilla.org/intermittent-failures.html#/bugdetails?bug=1462401&startday=2019-01-07&endday=2019-01-13&tree=all

Comment 18

[Intermittent Failures Robot]

1 failures in 2658 pushes (0.0 failures/push) were associated with this bug in the last 7 days.

Repository breakdown:

• mozilla-central: 1

Platform breakdown:

• linux64: 1

For more details, see:
https://treeherder.mozilla.org/intermittent-failures.html#/bugdetails?bug=1462401&startday=2019-02-04&endday=2019-02-10&tree=all

Comment 19

[Intermittent Failures Robot]

1 failures in 2818 pushes (0.0 failures/push) were associated with this bug in the last 7 days.

Repository breakdown:

• autoland: 1

Platform breakdown:

• linux64: 1

For more details, see:
https://treeherder.mozilla.org/intermittent-failures.html#/bugdetails?bug=1462401&startday=2019-03-04&endday=2019-03-10&tree=all

Comment 20

[Intermittent Failures Robot]

1 failures in 5265 pushes (0.0 failures/push) were associated with this bug in the last 7 days.

Repository breakdown:

• mozilla-central: 1

Platform breakdown:

• linux1804-64-asan: 1

For more details, see:
https://treeherder.mozilla.org/intermittent-failures.html#/bugdetails?bug=1462401&startday=2020-07-06&endday=2020-07-12&tree=all

Comment 21

[Jason Kratzer [:jkratzer]]

The testcase for this issue no longer reproduces and the last crash found matching this signature is from 2019-01-20. I think we can safely close this issue for now.