Closed
Bug 1545979
Opened 6 years ago
Closed 6 years ago
Some chrome tests hang with a deadlock after bug 1544546
Categories
(Core :: CSS Parsing and Computation, defect, P2)
Core
CSS Parsing and Computation
Tracking
()
RESOLVED
FIXED
People
(Reporter: emilio, Assigned: emilio)
References
(Regression)
Details
(Keywords: regression)
Attachments
(1 file)
Bug 1544546 introduces a FlushStyleSet() call from DestroyPresShell(). Problem is, that can end up reentering in DestroyPresShell() for another document, via the URLValue destructor.
The stack looks like:
06:11:35 INFO - 1 XUL!Servo_StyleSet_FlushStyleSheets [mutex.rs:91856ed52c58aa5ba66a015354d1cc69e9779bdf : 56 + 0x5]
06:11:35 INFO - rbp = 0x00007fff5022e130 rsp = 0x00007fff5022ba00
06:11:35 INFO - rip = 0x00000001105ab81b
06:11:35 INFO - Found by: previous frame's frame pointer
06:11:35 INFO - 2 XUL!mozilla::ServoStyleSet::UpdateStylist() [ServoStyleSet.cpp:2099599a5ad519efa9e85f900d6ea51136469001 : 1201 + 0x9]
06:11:35 INFO - rbx = 0x000000013871c660 rbp = 0x00007fff5022e190
06:11:35 INFO - rsp = 0x00007fff5022e140 r12 = 0x0000000000000001
06:11:35 INFO - r13 = 0x0000000000000000 r14 = 0xffffffffffffffff
06:11:35 INFO - r15 = 0x000000013871c660 rip = 0x0000000113e9ddf2
06:11:35 INFO - Found by: call frame info
06:11:35 INFO - 3 XUL!mozilla::ServoStyleSet::ShellDetachedFromDocument() [ServoStyleSet.cpp:2099599a5ad519efa9e85f900d6ea51136469001 : 134 + 0xf]
06:11:35 INFO - rbp = 0x00007fff5022e1e0 rsp = 0x00007fff5022e1a0
06:11:35 INFO - rip = 0x0000000113e9a928
06:11:35 INFO - Found by: previous frame's frame pointer
06:11:35 INFO - 4 XUL!mozilla::dom::Document::DeletePresShell() [Document.cpp:2099599a5ad519efa9e85f900d6ea51136469001 : 4008 + 0xc]
06:11:35 INFO - rbp = 0x00007fff5022e270 rsp = 0x00007fff5022e1f0
06:11:35 INFO - rip = 0x0000000111f635a2
06:11:35 INFO - Found by: previous frame's frame pointer
06:11:35 INFO - 5 XUL!mozilla::PresShell::Destroy() [PresShell.cpp:2099599a5ad519efa9e85f900d6ea51136469001 : 1323 + 0x9]
06:11:35 INFO - rbp = 0x00007fff5022e330 rsp = 0x00007fff5022e280
06:11:35 INFO - rip = 0x0000000113efee08
06:11:35 INFO - Found by: previous frame's frame pointer
06:11:35 INFO - 6 XUL!nsDocumentViewer::DestroyPresShell() [nsDocumentViewer.cpp:2099599a5ad519efa9e85f900d6ea51136469001 : 4162 + 0x9]
06:11:35 INFO - rbp = 0x00007fff5022e360 rsp = 0x00007fff5022e340
06:11:35 INFO - rip = 0x0000000113f67d2b
06:11:35 INFO - Found by: previous frame's frame pointer
06:11:35 INFO - 7 XUL!nsDocumentViewer::Destroy() [nsDocumentViewer.cpp:2099599a5ad519efa9e85f900d6ea51136469001 : 1805 + 0x8]
06:11:35 INFO - rbp = 0x00007fff5022e3c0 rsp = 0x00007fff5022e370
06:11:35 INFO - rip = 0x0000000113f62502
06:11:35 INFO - Found by: previous frame's frame pointer
06:11:35 INFO - 8 XUL!mozilla::image::SVGDocumentWrapper::~SVGDocumentWrapper() [SVGDocumentWrapper.cpp:2099599a5ad519efa9e85f900d6ea51136469001 : 46 + 0x39]
06:11:35 INFO - rbp = 0x00007fff5022e3f0 rsp = 0x00007fff5022e3d0
06:11:35 INFO - rip = 0x0000000111dcb7a0
06:11:35 INFO - Found by: previous frame's frame pointer
06:11:35 INFO - 9 XUL!mozilla::image::VectorImage::~VectorImage() [VectorImage.cpp:2099599a5ad519efa9e85f900d6ea51136469001 : 365 + 0xff]
06:11:35 INFO - rbp = 0x00007fff5022e460 rsp = 0x00007fff5022e400
06:11:35 INFO - rip = 0x0000000111dd1800
06:11:35 INFO - Found by: previous frame's frame pointer
06:11:35 INFO - 10 XUL!mozilla::image::VectorImage::~VectorImage() [VectorImage.cpp:2099599a5ad519efa9e85f900d6ea51136469001 : 362 + 0xe]
06:11:35 INFO - rbp = 0x00007fff5022e480 rsp = 0x00007fff5022e470
06:11:35 INFO - rip = 0x0000000111dd19ae
06:11:35 INFO - Found by: previous frame's frame pointer
06:11:35 INFO - 11 XUL!<name omitted> [VectorImage.cpp:2099599a5ad519efa9e85f900d6ea51136469001 : 346 + 0x2c]
06:11:35 INFO - rbp = 0x00007fff5022e490 rsp = 0x00007fff5022e490
06:11:35 INFO - rip = 0x0000000111dd138c
06:11:35 INFO - Found by: previous frame's frame pointer
06:11:35 INFO - 12 XUL!imgRequest::~imgRequest() [imgRequest.cpp:2099599a5ad519efa9e85f900d6ea51136469001 : 82 + 0x12]
06:11:35 INFO - rbp = 0x00007fff5022e4d0 rsp = 0x00007fff5022e4a0
06:11:35 INFO - rip = 0x0000000111df219c
6:11:35 INFO - 15 XUL!imgRequestProxy::~imgRequestProxy() [imgRequestProxy.cpp:2099599a5ad519efa9e85f900d6ea51136469001 : 162 + 0x67]
06:11:35 INFO - rbp = 0x00007fff5022e530 rsp = 0x00007fff5022e520
06:11:35 INFO - rip = 0x0000000111df6a07
06:11:35 INFO - Found by: previous frame's frame pointer
06:11:35 INFO - 16 XUL!<name omitted> [imgRequestProxy.cpp:2099599a5ad519efa9e85f900d6ea51136469001 : 123 + 0xe]
06:11:35 INFO - rbp = 0x00007fff5022e550 rsp = 0x00007fff5022e540
06:11:35 INFO - rip = 0x0000000111df6cbe
06:11:35 INFO - Found by: previous frame's frame pointer
06:11:35 INFO - 17 XUL!<name omitted> [imgRequestProxy.cpp:2099599a5ad519efa9e85f900d6ea51136469001 : 93 + 0x23]
06:11:35 INFO - rbp = 0x00007fff5022e560 rsp = 0x00007fff5022e560
06:11:35 INFO - rip = 0x0000000111df6493
06:11:35 INFO - Found by: previous frame's frame pointer
06:11:35 INFO - 18 XUL!nsTHashtable<nsBaseHashtableET<nsUint64HashKey, nsAutoPtr<mozilla::css::ImageLoader::ImageTableEntry> > >::s_ClearEntry(PLDHashTable*, PLDHashEntryHdr*) [RefPtr.h:2099599a5ad519efa9e85f900d6ea51136469001 : 46 + 0x6]
06:11:35 INFO - rbp = 0x00007fff5022e5a0 rsp = 0x00007fff5022e570
06:11:35 INFO - rip = 0x0000000113e9530a
06:11:35 INFO - Found by: previous frame's frame pointer
06:11:35 INFO - 19 XUL!PLDHashTable::RemoveEntry(PLDHashEntryHdr*) [PLDHashTable.cpp:2099599a5ad519efa9e85f900d6ea51136469001 : 625 + 0x41]
06:11:35 INFO - rbp = 0x00007fff5022e5d0 rsp = 0x00007fff5022e5b0
06:11:35 INFO - rip = 0x00000001109ca422
06:11:35 INFO - Found by: previous frame's frame pointer
06:11:35 INFO - 20 XUL!mozilla::css::ImageLoader::DeregisterCSSImageFromAllLoaders(unsigned long long) [nsTHashtable.h:2099599a5ad519efa9e85f900d6ea51136469001 : 214 + 0xb]
06:11:35 INFO - rbp = 0x00007fff5022e640 rsp = 0x00007fff5022e5e0
06:11:35 INFO - rip = 0x0000000113e83713
06:11:35 INFO - Found by: previous frame's frame pointer
06:11:35 INFO - 21 XUL!Gecko_ReleaseCSSURLValueArbitraryThread [nsCSSValue.cpp:2099599a5ad519efa9e85f900d6ea51136469001 : 711 + 0x8]
06:11:35 INFO - rbp = 0x00007fff5022e660 rsp = 0x00007fff5022e650
06:11:35 INFO - rip = 0x0000000113e7be93
06:11:35 INFO - Found by: previous frame's frame pointer
06:11:35 INFO - 22 XUL!core::ptr::real_drop_in_place [ptr.rs:91856ed52c58aa5ba66a015354d1cc69e9779bdf : 193 + 0x1d]
06:11:35 INFO - rbp = 0x00007fff5022e690 rsp = 0x00007fff5022e670
06:11:35 INFO - rip = 0x00000001106a66ce
06:11:35 INFO - Found by: previous frame's frame pointer
06:11:35 INFO - 23 XUL!core::ptr::real_drop_in_place [ptr.rs:91856ed52c58aa5ba66a015354d1cc69e9779bdf : 193 + 0x98]
06:11:35 INFO - rbx = 0x000000013b4eac80 rbp = 0x00007fff5022e6f0
06:11:35 INFO - rsp = 0x00007fff5022e6a0 r14 = 0x0000000000000018
06:11:35 INFO - r15 = 0x0000000139f9a8a0 rip = 0x00000001106a55f8
06:11:35 INFO - Found by: call frame info
06:11:35 INFO - 24 XUL!<servo_arc::Arc<T>>::drop_slow [lib.rs:2099599a5ad519efa9e85f900d6ea51136469001 : 286 + 0x4f]
06:11:35 INFO - rbx = 0x0000000139f9a8c0 rbp = 0x00007fff5022e720
06:11:35 INFO - rsp = 0x00007fff5022e700 r12 = 0x0000000000000004
06:11:35 INFO - r13 = 0x0000000000000060 r14 = 0x0000000139f8cee0
06:11:35 INFO - r15 = 0x0000000000000100 rip = 0x00000001106a463c
06:11:35 INFO - Found by: call frame info
06:11:35 INFO - 25 XUL!<servo_arc::Arc<T>>::drop_slow [lib.rs:2099599a5ad519efa9e85f900d6ea51136469001 : 286 + 0x52]
06:11:35 INFO - rbx = 0x0000000139faf340 rbp = 0x00007fff5022e740
06:11:35 INFO - 24 XUL!<servo_arc::Arc<T>>::drop_slow [lib.rs:2099599a5ad519efa9e85f900d6ea51136469001 : 286 + 0x4f]
06:11:35 INFO - rbx = 0x0000000139f9a8c0 rbp = 0x00007fff5022e720
06:11:35 INFO - rsp = 0x00007fff5022e700 r12 = 0x0000000000000004
06:11:35 INFO - r13 = 0x0000000000000060 r14 = 0x0000000139f8cee0
06:11:35 INFO - r15 = 0x0000000000000100 rip = 0x00000001106a463c
06:11:35 INFO - Found by: call frame info
06:11:35 INFO - 25 XUL!<servo_arc::Arc<T>>::drop_slow [lib.rs:2099599a5ad519efa9e85f900d6ea51136469001 : 286 + 0x52]
06:11:35 INFO - rbx = 0x0000000139faf340 rbp = 0x00007fff5022e740
06:11:35 INFO - rsp = 0x00007fff5022e730 r12 = 0x0000000000000004
06:11:35 INFO - r13 = 0x0000000000000060 r14 = 0x0000000139fd2700
06:11:35 INFO - r15 = 0x00007fff5022e758 rip = 0x00000001106a45cb
06:11:35 INFO - Found by: call frame info
06:11:35 INFO - 26 XUL!core::ptr::real_drop_in_place [ptr.rs:91856ed52c58aa5ba66a015354d1cc69e9779bdf : 193 + 0x8e]
06:11:35 INFO - rbx = 0x0000000139fd2708 rbp = 0x00007fff5022e790
06:11:35 INFO - rsp = 0x00007fff5022e750 r12 = 0x0000000000000004
06:11:35 INFO - r13 = 0x0000000000000060 r14 = 0x0000000139fd2700
06:11:35 INFO - r15 = 0x00007fff5022e758 rip = 0x000000011083e98e
06:11:35 INFO - Found by: call frame info
06:11:35 INFO - 27 XUL!core::ptr::real_drop_in_place [ptr.rs:91856ed52c58aa5ba66a015354d1cc69e9779bdf : 193 + 0x61]
06:11:35 INFO - rbx = 0x0000000139fd1940 rbp = 0x00007fff5022e7c0
06:11:35 INFO - rsp = 0x00007fff5022e7a0 r12 = 0x0000000139fd1108
06:11:35 INFO - r13 = 0x0000000000000000 r14 = 0x0000000139fff050
06:11:35 INFO - r15 = 0x0000000000000017 rip = 0x000000011083eaa1
06:11:35 INFO - Found by: call frame info
06:11:35 INFO - 28 XUL!<servo_arc::Arc<T>>::drop_slow [lib.rs:2099599a5ad519efa9e85f900d6ea51136469001 : 286 + 0x1b]
06:11:35 INFO - rbx = 0x0000000139fff000 rbp = 0x00007fff5022e820
06:11:35 INFO - rsp = 0x00007fff5022e7d0 r12 = 0x0000000000000001
06:11:35 INFO - r13 = 0x0000000000000000 r14 = 0x0000000000000000
06:11:35 INFO - r15 = 0x0000000000000004 rip = 0x000000011083e41f
06:11:35 INFO - Found by: call frame info
06:11:35 INFO - 29 XUL!Servo_StyleSet_FlushStyleSheets [lib.rs:2099599a5ad519efa9e85f900d6ea51136469001 : 446 + 0x10]
06:11:35 INFO - rbx = 0x0000000000000003 rbp = 0x00007fff50230f60
06:11:35 INFO - rsp = 0x00007fff5022e830 r12 = 0x0000000000000001
06:11:35 INFO - r13 = 0x0000000000000000 r14 = 0x0000000000000000
06:11:35 INFO - r15 = 0x0000000000000004 rip = 0x00000001105ad2fc
06:11:35 INFO - Found by: call frame info
06:11:35 INFO - 30 XUL!mozilla::ServoStyleSet::UpdateStylist() [ServoStyleSet.cpp:2099599a5ad519efa9e85f900d6ea51136469001 : 1201 + 0x9]
06:11:35 INFO - rbx = 0x0000000136986660 rbp = 0x00007fff50230fc0
06:11:35 INFO - rsp = 0x00007fff50230f70 r12 = 0x0000000000000001
06:11:35 INFO - r13 = 0x0000000000000000 r14 = 0xffffffffffffffff
06:11:35 INFO - r15 = 0x0000000136986660 rip = 0x0000000113e9ddf2
06:11:35 INFO - Found by: call frame info
06:11:35 INFO - 31 XUL!mozilla::ServoStyleSet::ShellDetachedFromDocument() [ServoStyleSet.cpp:2099599a5ad519efa9e85f900d6ea51136469001 : 134 + 0xf]
06:11:35 INFO - rbp = 0x00007fff50231010 rsp = 0x00007fff50230fd0
06:11:35 INFO - rip = 0x0000000113e9a928
06:11:35 INFO - Found by: previous frame's frame pointer
06:11:35 INFO - 32 XUL!mozilla::dom::Document::DeletePresShell() [Document.cpp:2099599a5ad519efa9e85f900d6ea51136469001 : 4008 + 0xc]
06:11:35 INFO - rbp = 0x00007fff502310a0 rsp = 0x00007fff50231020
06:11:35 INFO - rip = 0x0000000111f635a2
06:11:35 INFO - Found by: previous frame's frame pointer
06:11:35 INFO - 33 XUL!mozilla::PresShell::Destroy() [PresShell.cpp:2099599a5ad519efa9e85f900d6ea51136469001 : 1323 + 0x9]
06:11:35 INFO - rbp = 0x00007fff50231160 rsp = 0x00007fff502310b0
06:11:35 INFO - rip = 0x0000000113efee08
06:11:35 INFO - Found by: previous frame's frame pointer
06:11:35 INFO - 34 XUL!nsDocumentViewer::DestroyPresShell() [nsDocumentViewer.cpp:2099599a5ad519efa9e85f900d6ea51136469001 : 4162 + 0x9]
06:11:35 INFO - rbp = 0x00007fff50231190 rsp = 0x00007fff50231170
06:11:35 INFO - rip = 0x0000000113f67d2b
06:11:35 INFO - Found by: previous frame's frame pointer
06:11:35 INFO - 35 XUL!nsDocumentViewer::Destroy() [nsDocumentViewer.cpp:2099599a5ad519efa9e85f900d6ea51136469001 : 1805 + 0x8]
06:11:35 INFO - rbp = 0x00007fff502311f0 rsp = 0x00007fff502311a0
06:11:35 INFO - rip = 0x0000000113f62502
Pushed by emilio@crisal.io:
https://hg.mozilla.org/integration/autoland/rev/133b9a6eafeb
Comment out a line that causes some deadlocks in some edge cases while I work on a proper fix. r=bustage
|
Assignee | |
Updated•6 years ago
|
|
|
Assignee | |
Updated•6 years ago
|
Flags: needinfo?(emilio)
|
||
Comment 2•6 years ago
|
||
I found that browser_heartbeat.js would trigger this on windows10-opt on try consistently- removing that test would allow green runs again.
|
||
Comment 3•6 years ago
|
||
| bugherder | ||
|
|
Assignee | |
Comment 4•6 years ago
|
||
We want to drop the cascade data memory as soon as possible, so bug 1544546
introduced an UpdateStylistIfNeeded call from ShellDetachedFromDocument.
Unfortunately, this call can reenter into the global user-agent cascade data if
some of the CSS values kept alive by the cascade data keep alive an SVG
document, see the stack on this bug for an example. Make sure to drop the
user-agent cascade datas when not holding the cache lock to avoid this
situation.
Before bug 1535788, we just destroyed the stylist, so we kept holding a
reference from the cache, and that reference will be dropped sometime later when
other document updated their user-agent stylesheets (if they happened not to
match the cache of course).
Seems to me this doesn't ended up happening in our automation, but it could
happen in the wild, in theory at least.
It's nice that Rust made this a safe deadlock caught by our tests rather than a
very subtle and infrequent memory corruption.
The relevant SVG documents are probably the <input type=number> rules:
|
|
Assignee | |
Updated•6 years ago
|
Flags: needinfo?(emilio)
| Comment hidden (Intermittent Failures Robot) |
Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/24161afba7af
Drop unused user-agent cascade datas when not holding the cache lock. r=bholley
|
||
Comment 7•6 years ago
|
||
| bugherder | ||
|
|
Assignee | |
Updated•6 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
|
||
Updated•6 years ago
|
Keywords: leave-open
|
|
||
Updated•3 years ago
|
Has Regression Range: --- → yes
|
||
Updated•3 years ago
|
Keywords: regression
You need to log in
before you can comment on or make changes to this bug.
Description
•