Closed Bug 1466406 Opened 6 years ago Closed 6 years ago

Crash in _$LT$style..invalidation..element..invalidator..TreeStyleInvalidator$LT$$u27$a$C$$u20$$u27$b$C$$u20$E$C$$u20$P$GT$$GT$::invalidate_descendants::h8da25118e80fb8ee

Categories

(Core :: CSS Parsing and Computation, defect)

Product:
Core
Component:
CSS Parsing and Computation
Platform:
Unspecified
Android
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla62
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox60 --- unaffected
firefox61 --- unaffected
firefox62 --- fixed

People

(Reporter: jseward, Assigned: emilio)

References

Details

(Keywords: crash, regression)

Crash Data

Attachments

(2 files)

Diagnostic patch
5.00 KB, patch
Details | Diff | Splinter Review
Bug 1466406: Work around a bindgen bug on Android.
59 bytes, text/x-review-board-request
xidorn
: review+
Details 
This bug was filed from the Socorro interface and is
report bp-ef4f08d6-d3c0-49eb-813a-c3bed0180602.
=============================================================

This is topcrash #1 in the Android nightly 20180531101443, with 9 different
installations reporting 23 crashes.

Top 10 frames of crashing thread:

0 libxul.so _$LT$style..invalidation..element..invalidator..TreeStyleInvalidator$LT$$u27$a$C$$u20$$u27$b$C$$u20$E$C$$u20$P$GT$$GT$::invalidate_descendants::h8da25118e80fb8ee servo/components/style/gecko/wrapper.rs:283
1 libxul.so _$LT$style..invalidation..element..invalidator..TreeStyleInvalidator$LT$$u27$a$C$$u20$$u27$b$C$$u20$E$C$$u20$P$GT$$GT$::invalidate_child::haccbd6408b3c48db servo/components/style/invalidation/element/invalidator.rs:411
2 libxul.so _$LT$style..invalidation..element..invalidator..TreeStyleInvalidator$LT$$u27$a$C$$u20$$u27$b$C$$u20$E$C$$u20$P$GT$$GT$::invalidate_descendants::h8da25118e80fb8ee servo/components/style/invalidation/element/invalidator.rs:458
3 libxul.so _$LT$style..invalidation..element..invalidator..TreeStyleInvalidator$LT$$u27$a$C$$u20$$u27$b$C$$u20$E$C$$u20$P$GT$$GT$::invalidate_child::haccbd6408b3c48db servo/components/style/invalidation/element/invalidator.rs:411
4 libxul.so _$LT$style..invalidation..element..invalidator..TreeStyleInvalidator$LT$$u27$a$C$$u20$$u27$b$C$$u20$E$C$$u20$P$GT$$GT$::invalidate_descendants::h8da25118e80fb8ee servo/components/style/invalidation/element/invalidator.rs:458
5 libxul.so style::data::ElementData::invalidate_style_if_needed::h3a9251c0652576a0 servo/components/style/invalidation/element/invalidator.rs:303
6 libxul.so geckoservo::glue::traverse_subtree::h5c371f58e3f528f6 servo/components/style/traversal.rs:157
7 libxul.so geckoservo::glue::Servo_TraverseSubtree servo/ports/geckolib/glue.rs:340
8 libxul.so mozilla::ServoStyleSet::StyleDocument layout/style/ServoStyleSet.cpp:996
9 libxul.so mozilla::RestyleManager::DoProcessPendingRestyles layout/base/RestyleManager.cpp:2962

=============================================================
Flags: needinfo?(emilio)
So the stack is not suspicious at all, and there's no panic or error message. The fact that these are android-only and have spiked only recently (I'm not aware of any suspicious recent change in that code) makes me a bit suspicious.

The rough pushlog is:

  https://hg.mozilla.org/mozilla-central/pushloghtml?startdate=2018-05-28&enddate=2018-06-03

That includes enabling Shadow DOM in Nightly, and a new Android x86 stack walker, which both look somewhat suspicious.

Given some of the URLs have polymer docs in the URL, and that the crash happens accessing mBoolFlags on a (dead?) node, it's presumably a Shadow DOM bug somewhere...
Oh, this is reproducible on that page on fennec! \o/
Not that that page displays anything with Shadow DOM disabled...
See Also: → 1466414
I have a theory of what's going on here...
Assignee: nobody → emilio
Attached patch Diagnostic patchSplinter Review 
I couldn't manage to gdb fennec, but this crash stat confirms my suspicion:

  https://crash-stats.mozilla.com/report/index/d35562cb-8e7a-4698-8992-111830180604

The patch adds the assert about the offset of mAssignedNodes, and it fails... We really need to run the bindgen tests on Android...
Flags: needinfo?(emilio)
See Also: → 1466580
Comment on attachment 8983119 [details]
Bug 1466406: Work around a bindgen bug on Android.

https://reviewboard.mozilla.org/r/248952/#review255294

::: servo/components/style/gecko/wrapper.rs:1125
(Diff revision 1)
> +                    &slot.mAssignedNodes as *const _,
> +                );
> +
> +                &*slot.mAssignedNodes
> +            } else {
> +                unsafe { &**bindings::Gecko_GetAssignedNodes(self.0) }

Please add a comment here linking to this bug, probably with an explanation that we have a bindgen bug for Android.
Attachment #8983119 - Flags: review?(xidorn+moz) → review+
Pushed by ecoal95@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/f572c55e68ac
Work around a bindgen bug on Android. r=xidorn
Crash Signature: [@ _$LT$style..invalidation..element..invalidator..TreeStyleInvalidator$LT$$u27$a$C$$u20$$u27$b$C$$u20$E$C$$u20$P$GT$$GT$::invalidate_descendants::h8da25118e80fb8ee] → [@ _$LT$style..invalidation..element..invalidator..TreeStyleInvalidator$LT$$u27$a$C$$u20$$u27$b$C$$u20$E$C$$u20$P$GT$$GT$::invalidate_descendants::h8da25118e80fb8ee] [@ selectors::matching::matches_simple_selector::h42d98f0cfa45f726] [@ selectors::match…
https://hg.mozilla.org/mozilla-central/rev/f572c55e68ac
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox62: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: