Closed
Bug 1466406
Opened 6 years ago
Closed 6 years ago
Crash in _$LT$style..invalidation..element..invalidator..TreeStyleInvalidator$LT$$u27$a$C$$u20$$u27$b$C$$u20$E$C$$u20$P$GT$$GT$::invalidate_descendants::h8da25118e80fb8ee
Categories
(Core :: CSS Parsing and Computation, defect)
Tracking
()
RESOLVED
FIXED
mozilla62
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox-esr60 | --- | unaffected |
firefox60 | --- | unaffected |
firefox61 | --- | unaffected |
firefox62 | --- | fixed |
People
(Reporter: jseward, Assigned: emilio)
References
Details
(Keywords: crash, regression)
Crash Data
Attachments
(2 files)
5.00 KB,
patch
|
Details | Diff | Splinter Review | |
59 bytes,
text/x-review-board-request
|
xidorn
:
review+
|
Details |
This bug was filed from the Socorro interface and is report bp-ef4f08d6-d3c0-49eb-813a-c3bed0180602. ============================================================= This is topcrash #1 in the Android nightly 20180531101443, with 9 different installations reporting 23 crashes. Top 10 frames of crashing thread: 0 libxul.so _$LT$style..invalidation..element..invalidator..TreeStyleInvalidator$LT$$u27$a$C$$u20$$u27$b$C$$u20$E$C$$u20$P$GT$$GT$::invalidate_descendants::h8da25118e80fb8ee servo/components/style/gecko/wrapper.rs:283 1 libxul.so _$LT$style..invalidation..element..invalidator..TreeStyleInvalidator$LT$$u27$a$C$$u20$$u27$b$C$$u20$E$C$$u20$P$GT$$GT$::invalidate_child::haccbd6408b3c48db servo/components/style/invalidation/element/invalidator.rs:411 2 libxul.so _$LT$style..invalidation..element..invalidator..TreeStyleInvalidator$LT$$u27$a$C$$u20$$u27$b$C$$u20$E$C$$u20$P$GT$$GT$::invalidate_descendants::h8da25118e80fb8ee servo/components/style/invalidation/element/invalidator.rs:458 3 libxul.so _$LT$style..invalidation..element..invalidator..TreeStyleInvalidator$LT$$u27$a$C$$u20$$u27$b$C$$u20$E$C$$u20$P$GT$$GT$::invalidate_child::haccbd6408b3c48db servo/components/style/invalidation/element/invalidator.rs:411 4 libxul.so _$LT$style..invalidation..element..invalidator..TreeStyleInvalidator$LT$$u27$a$C$$u20$$u27$b$C$$u20$E$C$$u20$P$GT$$GT$::invalidate_descendants::h8da25118e80fb8ee servo/components/style/invalidation/element/invalidator.rs:458 5 libxul.so style::data::ElementData::invalidate_style_if_needed::h3a9251c0652576a0 servo/components/style/invalidation/element/invalidator.rs:303 6 libxul.so geckoservo::glue::traverse_subtree::h5c371f58e3f528f6 servo/components/style/traversal.rs:157 7 libxul.so geckoservo::glue::Servo_TraverseSubtree servo/ports/geckolib/glue.rs:340 8 libxul.so mozilla::ServoStyleSet::StyleDocument layout/style/ServoStyleSet.cpp:996 9 libxul.so mozilla::RestyleManager::DoProcessPendingRestyles layout/base/RestyleManager.cpp:2962 =============================================================
Reporter | ||
Updated•6 years ago
|
Flags: needinfo?(emilio)
Assignee | ||
Comment 1•6 years ago
|
||
So the stack is not suspicious at all, and there's no panic or error message. The fact that these are android-only and have spiked only recently (I'm not aware of any suspicious recent change in that code) makes me a bit suspicious. The rough pushlog is: https://hg.mozilla.org/mozilla-central/pushloghtml?startdate=2018-05-28&enddate=2018-06-03 That includes enabling Shadow DOM in Nightly, and a new Android x86 stack walker, which both look somewhat suspicious. Given some of the URLs have polymer docs in the URL, and that the crash happens accessing mBoolFlags on a (dead?) node, it's presumably a Shadow DOM bug somewhere...
Assignee | ||
Comment 2•6 years ago
|
||
https://tipofthehats.org/ also uses Shadow DOM...
Blocks: shadowdom-initial-release
Assignee | ||
Comment 3•6 years ago
|
||
Oh, this is reproducible on that page on fennec! \o/
Assignee | ||
Comment 4•6 years ago
|
||
Not that that page displays anything with Shadow DOM disabled...
Assignee | ||
Comment 5•6 years ago
|
||
I have a theory of what's going on here...
Assignee: nobody → emilio
Assignee | ||
Comment 6•6 years ago
|
||
I couldn't manage to gdb fennec, but this crash stat confirms my suspicion: https://crash-stats.mozilla.com/report/index/d35562cb-8e7a-4698-8992-111830180604 The patch adds the assert about the offset of mAssignedNodes, and it fails... We really need to run the bindgen tests on Android...
Flags: needinfo?(emilio)
Comment hidden (mozreview-request) |
Comment 8•6 years ago
|
||
mozreview-review |
Comment on attachment 8983119 [details] Bug 1466406: Work around a bindgen bug on Android. https://reviewboard.mozilla.org/r/248952/#review255294 ::: servo/components/style/gecko/wrapper.rs:1125 (Diff revision 1) > + &slot.mAssignedNodes as *const _, > + ); > + > + &*slot.mAssignedNodes > + } else { > + unsafe { &**bindings::Gecko_GetAssignedNodes(self.0) } Please add a comment here linking to this bug, probably with an explanation that we have a bindgen bug for Android.
Attachment #8983119 -
Flags: review?(xidorn+moz) → review+
Pushed by ecoal95@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/f572c55e68ac Work around a bindgen bug on Android. r=xidorn
Updated•6 years ago
|
Crash Signature: [@ _$LT$style..invalidation..element..invalidator..TreeStyleInvalidator$LT$$u27$a$C$$u20$$u27$b$C$$u20$E$C$$u20$P$GT$$GT$::invalidate_descendants::h8da25118e80fb8ee] → [@ _$LT$style..invalidation..element..invalidator..TreeStyleInvalidator$LT$$u27$a$C$$u20$$u27$b$C$$u20$E$C$$u20$P$GT$$GT$::invalidate_descendants::h8da25118e80fb8ee]
[@ selectors::matching::matches_simple_selector::h42d98f0cfa45f726]
[@ selectors::match…
Comment 10•6 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/f572c55e68ac
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox62:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Updated•6 years ago
|
status-firefox60:
--- → unaffected
status-firefox61:
--- → unaffected
status-firefox-esr52:
--- → unaffected
status-firefox-esr60:
--- → unaffected
Updated•6 years ago
|
Keywords: regression
You need to log in
before you can comment on or make changes to this bug.
Description
•