Closed Bug 1528613 Opened 6 years ago Closed 6 years ago

Crash in [@ mozilla::PresShell::ContentStateChanged] from failing MOZ_RELEASE_ASSERT(!mInStyleRefresh)

Categories

(Core :: Layout, defect)

Unspecified
All
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla67
Tracking Status
firefox-esr60 --- unaffected
firefox65 --- unaffected
firefox66 --- verified
firefox67 --- verified

People

(Reporter: calixte, Assigned: emilio)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression)

Attachments

(2 files)

This bug is for crash report bp-c63d4ec7-0c72-4afd-a4ad-06e3c0190217.

Top 10 frames of crashing thread:

0 libxul.so mozilla::PresShell::ContentStateChanged layout/base/RestyleManager.cpp:3202
1 libxul.so mozilla::dom::Document::ContentStateChanged dom/base/Document.cpp:4948
2 libxul.so mozilla::dom::Element::UpdateState dom/base/Element.cpp:289
3 libxul.so mozilla::dom::HTMLFormElement::UpdateValidity dom/html/HTMLFormElement.cpp:1915
4 libxul.so nsIConstraintValidation::SetValidityState dom/html/nsIConstraintValidation.cpp:206
5 libxul.so mozilla::dom::HTMLInputElement::UpdateAllValidityStatesButNotElementState dom/html/HTMLInputElement.cpp:6665
6 libxul.so mozilla::dom::HTMLInputElement::UpdateAllValidityStates dom/html/HTMLInputElement.cpp:6656
7 libxul.so mozilla::dom::HTMLInputElement::OnValueChanged dom/html/HTMLInputElement.cpp:6759
8 libxul.so nsTextEditorState::SetValue dom/html/nsTextEditorState.cpp:2459
9 libxul.so nsTextEditorState::UnbindFromFrame dom/html/nsTextEditorState.cpp:2036

There is 1 crash in nightly 67 with buildid 20190216093716. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1525509.

[1] https://hg.mozilla.org/mozilla-central/rev?node=95b6997c334a

Flags: needinfo?

There are 13 crashes in nightly 67 for Windows starting with buildid 20190216093716.
The MOZ_CRASH_REASON is always: MOZ_RELEASE_ASSERT(!mInStyleRefresh).

Flags: needinfo?
OS: Android → All
Flags: needinfo?(emilio)
Attached file Reduced test-case.

(Just type to crash)

There's something very fishy here.

We can re-downgrade this particular assertion if I don't get to this early enough to avoid crashing release builds worst-case, but...

Summary: Crash in [@ mozilla::PresShell::ContentStateChanged] → Crash in [@ mozilla::PresShell::ContentStateChanged] from failing MOZ_RELEASE_ASSERT(!mInStyleRefresh)
Blocks: 1528644

These assertions can happen in certain circumstances (see the referenced bug).

These assertions are not security sensitive, but they affect correctness.

They're old (from before my change), so I prefer dealing with them in a public
bug and stop crashing release for now.

Filed bug 1528644 to fix the longstanding correctness issue here.

Assignee: nobody → emilio
Flags: needinfo?(emilio)
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67

Comment on attachment 9044530 [details]
Bug 1528613 - Downgrade two assertions from release assert for now.

Beta/Release Uplift Approval Request

Feature/Bug causing the regression

Bug 1525509

User impact if declined

Unnecessary crashes

Is this code covered by automated tests?

No

Has the fix been verified in Nightly?

Yes

Needs manual test from QE?

Yes

If yes, steps to reproduce

Open test-case and type.

List of other uplifts needed

None

Risk to taking this patch

Low

Why is the change risky/not risky? (and alternatives if risky)

Just reverting the change to assertions that were changed to release asserts in bug 1525509, since they exposed a pre-existing correctness issue (but non-security issue).

String changes made/needed

Attachment #9044530 - Flags: approval-mozilla-beta?

Comment on attachment 9044530 [details]
Bug 1528613 - Downgrade two assertions from release assert for now.

OK for uplift for beta 10. Can we unhide this, if it isn't a security issue?

Attachment #9044530 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

IMO, yes, though I don't have the privileges to do so.

Group: core-security-release

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:67.0) Gecko/20100101 Firefox/67.0
Build ID: 20190221215439

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:66.0) Gecko/20100101 Firefox/66.0
Build ID: 20190221160854

Verified as fixed on the latest Nightly build and on the latest Beta build (66b10).

Status: RESOLVED → VERIFIED
Flags: qe-verify+

The signature here with MOZ_RELEASE_ASSERT(!mInStyleRefresh) is continuing to rise during 67.0b. Should this go into a different bug or can we reopen this one?

Flags: needinfo?(emilio)

Please reopen a new one and ni? me.

Flags: needinfo?(emilio)

s/reopen/open :)

See Also: → 1544818