Closed Bug 1514086 Opened 6 years ago Closed 6 years ago

Hit MOZ_CRASH(Resolving style on unstyled element) at libcore/option.rs:1000

Categories

(Core :: CSS Parsing and Computation, defect, P3)

Tracking

RESOLVED FIXED
mozilla66
Tracking Status
firefox-esr60 --- unaffected
firefox64 --- unaffected
firefox65 --- fixed
firefox66 --- fixed

People

(Reporter: tsmith, Assigned: emilio)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, crash, testcase, Whiteboard: [fuzzblocker])

Attachments

(2 files, 1 obsolete file)

Attached file testcase.html (obsolete)
Hit MOZ_CRASH(Resolving style on unstyled element) at libcore/option.rs:1000

#0 MOZ_CrashOOL(char const*, int, char const*) src/obj-firefox/dist/include/mozilla/Assertions.h:314:3
#1 GeckoCrashOOL src/toolkit/xre/nsAppRunner.cpp:5124:3
#2 gkrust_shared::panic_hook::h80f9b4ed5c0796b3 src/toolkit/library/rust/shared/lib.rs:234:8
#3 core::ops::function::Fn::call::hac0477c01f4e8ad0 src/libcore/ops/function.rs:78:4
#4 std::panicking::rust_panic_with_hook::h0e12cb2fc86d00fa /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libstd/panicking.rs:481:16
#5 std::panicking::continue_panic_fmt::h141671b29fe0e27d /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libstd/panicking.rs:391:4
#6 rust_begin_unwind /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libstd/panicking.rs:326:4
#7 core::panicking::panic_fmt::h429a06507aba9228 /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libcore/panicking.rs:77:13
#8 core::option::expect_failed::h4c79c3aae6612643 /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libcore/option.rs:1000:4
#9 _$LT$core..option..Option$LT$T$GT$$GT$::expect::h2780ce7edfdba78b src/libcore/option.rs:312:20
#10 Servo_ResolveStyle src/servo/ports/geckolib/glue.rs:4847
#11 mozilla::ServoStyleSet::ResolveServoStyle(mozilla::dom::Element const&) src/obj-firefox/dist/include/mozilla/ServoStyleSetInlines.h:23:10
#12 nsCSSFrameConstructor::ResolveComputedStyle(nsIContent*) src/layout/base/nsCSSFrameConstructor.cpp:4583:22
#13 nsCSSFrameConstructor::BuildInlineChildItems(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, bool, bool) src/layout/base/nsCSSFrameConstructor.cpp:11107:42
#14 nsCSSFrameConstructor::AddFrameConstructionItemsInternal(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, bool, mozilla::ComputedStyle*, unsigned int, nsCSSFrameConstructor::FrameConstructionItemList&) src/layout/base/nsCSSFrameConstructor.cpp:5481:5
#15 nsCSSFrameConstructor::DoAddFrameConstructionItems(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, bool, nsContainerFrame*, nsCSSFrameConstructor::FrameConstructionItemList&) src/layout/base/nsCSSFrameConstructor.cpp:5091:3
#16 nsCSSFrameConstructor::AddFrameConstructionItems(nsFrameConstructorState&, nsIContent*, bool, nsCSSFrameConstructor::InsertionPoint const&, nsCSSFrameConstructor::FrameConstructionItemList&) src/layout/base/nsCSSFrameConstructor.cpp:5105:3
#17 nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsILayoutHistoryState*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:7156:5
#18 nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:8617:7
#19 mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) src/layout/base/RestyleManager.cpp:1502:25
#20 mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) src/layout/base/RestyleManager.cpp:2974:9
#21 mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4033:39
#22 nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:1757:18
#23 mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:304:7
#24 mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:321:5
#25 mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:646:16
#26 mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:546:9
#27 mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) src/layout/ipc/VsyncChild.cpp:65:16
#28 mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
#29 mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2788:28
#30 mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2159:21
#31 mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2086:9
#32 mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1935:3
#33 mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1966:13
#34 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1157:14
#35 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:468:10
#36 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
#37 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:314:10
#38 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:289:3
#39 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#40 XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:915:20
#41 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:238:9
#42 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:314:10
#43 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:289:3
#44 XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:753:34
#45 content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
#46 main src/browser/app/nsBrowserApp.cpp:265:18
#47 __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#48 _start (firefox+0x349f4)
Flags: in-testsuite?
Component: Graphics: WebRender → CSS Parsing and Computation
Priority: -- → P3
Flags: needinfo?(emilio)
This doesn't seem like the right test-case? This crashes with:

  Assertion failure: aTextRun->GetFlags2() & nsTextFrameUtils::Flags::TEXT_IS_TRANSFORMED, at /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:10028

And doesn't crash on opt, while the unstyled element thing should crash opt as well.
Flags: needinfo?(emilio) → needinfo?(twsmith)
Attached file testcase.html
Hey someone has gotta keep you on your toes :) (sorry about that)
Attachment #9031309 - Attachment is obsolete: true
Flags: needinfo?(twsmith)
bp-3effad7a-62d3-4fc2-9a64-828630181214
Crash Signature: [@ core::option::expect_failed | Servo_ResolveStyle ]
NP! That does sound like a more suspicious test-case.
Flags: needinfo?(emilio)
Regressed by bug 1504536.
Assignee: nobody → emilio
Blocks: 1504536
Since it allows animating display, which is not good.

This is a regression from:

  https://hg.mozilla.org/mozilla-central/rev/6884ba750aa3

Actually I wonder if the logic shouldn't be the other way around, i.e., a
shorthand is animatable if all the longhands are, not if just one.

In any case this rolls back to the previous behavior; should we do that, it
should be another bug.
Flags: needinfo?(emilio)
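
Added example (not part of the bug thread, and not Servo or Gecko code): a simplified Rust model of the shorthand animatability rule discussed in the commit message above, comparing the "any longhand" rule, the same rule with `all` excluded, and the "every longhand" alternative. The `Policy` enum, the function names and the `animatable` flags are assumptions constructed for illustration.

```rust
// Added illustration: a simplified model, not Servo or Gecko code.
// Property names are real CSS names; the `animatable` flags are constructed
// sample data (the thread only states that `display` must not be animated).
#[derive(Clone, Copy, Debug)]
enum Policy {
    AnyLonghand,          // one animatable longhand is enough (the regressed behaviour)
    AnyLonghandExceptAll, // same rule, but `all` is never animatable (the landed fix)
    EveryLonghand,        // the alternative the commit message wonders about
}

struct Longhand { name: &'static str, animatable: bool }
struct Shorthand { name: &'static str, subs: &'static [&'static str] }

const LONGHANDS: &[Longhand] = &[
    Longhand { name: "display", animatable: false },
    Longhand { name: "color", animatable: true },
    Longhand { name: "margin-top", animatable: true },
    Longhand { name: "margin-bottom", animatable: true },
];
const SHORTHANDS: &[Shorthand] = &[
    Shorthand { name: "all", subs: &["display", "color", "margin-top", "margin-bottom"] },
    Shorthand { name: "margin", subs: &["margin-top", "margin-bottom"] },
];

fn longhand_animatable(name: &str) -> bool {
    LONGHANDS.iter().any(|l| l.name == name && l.animatable)
}

fn shorthand_animatable(name: &str, policy: Policy) -> bool {
    let sh = match SHORTHANDS.iter().find(|s| s.name == name) {
        Some(s) => s,
        None => return false, // unknown shorthand: treat as not animatable
    };
    let any = sh.subs.iter().any(|s| longhand_animatable(s));
    match policy {
        Policy::AnyLonghand => any,
        Policy::AnyLonghandExceptAll => sh.name != "all" && any,
        Policy::EveryLonghand => sh.subs.iter().all(|s| longhand_animatable(s)),
    }
}

/// Non-animatable longhands that would be animated through `shorthand`.
fn leaked_longhands(shorthand: &str, policy: Policy) -> Vec<&'static str> {
    if !shorthand_animatable(shorthand, policy) { return Vec::new(); }
    let sh = SHORTHANDS.iter().find(|s| s.name == shorthand).unwrap();
    sh.subs.iter().copied().filter(|s| !longhand_animatable(s)).collect()
}

fn main() {
    for &p in &[Policy::AnyLonghand, Policy::AnyLonghandExceptAll, Policy::EveryLonghand] {
        println!("{:?}: all={} leaked={:?}", p, shorthand_animatable("all", p), leaked_longhands("all", p));
    }
}
```

In this model only the "any longhand" rule reports `display` as reachable through `all`; both other rules keep `margin` animatable while rejecting `all`.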
Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c6569a81a66c
The 'all' property is not animatable. r=hiro
Comment on attachment 9031600 [details]
Bug 1514086 - The 'all' property is not animatable.

[Beta/Release Uplift Approval Request]

Feature/Bug causing the regression: Bug 1504536

User impact if declined: Crash

Is this code covered by automated tests?: Yes

Has the fix been verified in Nightly?: No

Needs manual test from QE?: No

If yes, steps to reproduce: 

List of other uplifts needed: none

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): Trivial patch that restores behavior to the one before bug 1504536.

String changes made/needed: none
Attachment #9031600 - Flags: approval-mozilla-beta?
Flags: in-testsuite? → in-testsuite+
https://hg.mozilla.org/mozilla-central/rev/c6569a81a66c
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
Comment on attachment 9031600 [details]
Bug 1514086 - The 'all' property is not animatable.

[Triage Comment]
Fixes a crash, approved for 65.0b5. Thanks for including a crashtest.
Attachment #9031600 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Regressions: 1536688
No longer regressions: 1536688