Closed Bug 1517319 Opened 1 year ago Closed 1 year ago

Hit MOZ_CRASH(Invoking Servo_Element_IsDisplayNone on unstyled element) at libcore/option.rs:1008

Categories

(Core :: CSS Parsing and Computation, defect)


RESOLVED FIXED
mozilla67
Tracking Status
firefox-esr60 --- wontfix
firefox65 --- wontfix
firefox66 + wontfix
firefox67 --- fixed

People

(Reporter: tsmith, Assigned: emilio)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, crash, testcase)

Attachments

(1 file)

Attached file testcase.html
Hit MOZ_CRASH(Invoking Servo_Element_IsDisplayNone on unstyled element) at libcore/option.rs:1008

#0 MOZ_CrashOOL(char const*, int, char const*) src/obj-firefox/dist/include/mozilla/Assertions.h:314:3
#1 GeckoCrashOOL src/toolkit/xre/nsAppRunner.cpp:5118:3
#2 gkrust_shared::panic_hook::h5a4d849108b3ffe5 src/toolkit/library/rust/shared/lib.rs:232:8
#3 core::ops::function::Fn::call::he11c018bc740e580 src/libcore/ops/function.rs:78:4
#4 std::panicking::rust_panic_with_hook::h71214e7ce0f7ac01 /rustc/abe02cefd6cd1916df62ad7dc80161bea50b72e8/src/libstd/panicking.rs:480:16
#5 std::panicking::continue_panic_fmt::ha8b8442f4ea9bcac /rustc/abe02cefd6cd1916df62ad7dc80161bea50b72e8/src/libstd/panicking.rs:390:4
#6 rust_begin_unwind /rustc/abe02cefd6cd1916df62ad7dc80161bea50b72e8/src/libstd/panicking.rs:325:4
#7 core::panicking::panic_fmt::h0c93626b89c38af6 /rustc/abe02cefd6cd1916df62ad7dc80161bea50b72e8/src/libcore/panicking.rs:77:13
#8 core::option::expect_failed::h143b3841283cabae /rustc/abe02cefd6cd1916df62ad7dc80161bea50b72e8/src/libcore/option.rs:1008:4
#9 _$LT$core..option..Option$LT$T$GT$$GT$::expect::h934ecc972448d2ee src/libcore/option.rs:322:20
#10 Servo_Element_IsDisplayNone src/servo/ports/geckolib/glue.rs:1282
#11 nsCSSFrameConstructor::MaybeConstructLazily(nsCSSFrameConstructor::Operation, nsIContent*) src/layout/base/nsCSSFrameConstructor.cpp:6409:7
#12 nsCSSFrameConstructor::ContentAppended(nsIContent*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:6659:9
#13 mozilla::PresShell::ContentAppended(nsIContent*) src/layout/base/PresShell.cpp:4276:22
#14 nsNodeUtils::ContentAppended(nsIContent*, nsIContent*) src/dom/base/nsNodeUtils.cpp:177:3
#15 nsINode::InsertChildBefore(nsIContent*, nsIContent*, bool) src/dom/base/nsINode.cpp:1300:7
#16 nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:2397:14
#17 mozilla::dom::Node_Binding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/NodeBinding.cpp:1018:45
#18 bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3062:13
#19 CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/vm/Interpreter.cpp:443:13
#20 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:535:12
#21 InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:590:10
#22 Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3320:16
#23 js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:423:10
#24 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:563:13
#25 InternalCall(JSContext*, js::AnyInvokeArgs const&) src/js/src/vm/Interpreter.cpp:590:10
#26 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:606:8
#27 JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2649:10
#28 mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:265:37
#29 void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
#30 mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:205:12
#31 mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1043:51
#32 mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1238:17
#33 mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:350:17
#34 mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:552:16
#35 mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1042:11
#36 nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1104:7
#37 nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:6709:21
#38 nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:6513:7
#39 non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
#40 nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1235:3
#41 nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:794:14
#42 nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:693:9
#43 nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:696:19
#44 nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp:589:5
#45 non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp
#46 mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:575:22
#47 nsIDocument::DoUnblockOnload() src/dom/base/nsDocument.cpp:7745:18
#48 nsIDocument::UnblockOnload(bool) src/dom/base/nsDocument.cpp:7677:9
#49 nsIDocument::DispatchContentLoadedEvents() src/dom/base/nsDocument.cpp:4835:3
#50 mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1158:13
#51 mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:299:32
#52 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1157:14
#53 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:468:10
#54 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
#55 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:314:10
#56 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:289:3
#57 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#58 XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:915:20
#59 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:238:9
#60 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:314:10
#61 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:289:3
#62 XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:753:34
#63 content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
#64 main src/browser/app/nsBrowserApp.cpp:265:18
#65 __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#66 _start (firefox+0x349f4)
Flags: in-testsuite?
Oh boy, so fun. Nice test-case :)
Flags: needinfo?(emilio)

For reference, best fix is just disallowing -moz-binding in content: https://hg.mozilla.org/try/rev/6cdfef68b3eac1d0f9b628611fdd931a9e76e921.

But I need to green up all the stuff in https://treeherder.mozilla.org/#/jobs?repo=try&revision=8467bc1f578c2427df6d5b8548a0ca93725e6550, which I haven't had the time to go through yet.

Depends on: 1523712

Should be fixed with bug 1523712, will land a crashtest.

Flags: needinfo?(emilio)

Adding a crash signature for this one since it shows up in nightly crash stats.

Crash Signature: [@ core::option::expect_failed | Servo_Element_IsDisplayNone]
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67

No crashes on beta yet, is this something that would show up in nightly only?

Flags: needinfo?(emilio)

Crashes are probably just me testing on Nightly, if they don't show up in other channels. This crash should be around since 57-ish IIRC.

Flags: needinfo?(emilio)

OK, let me know if you think it might be good to uplift to beta. Thanks!

Flags: in-testsuite? → in-testsuite+