1631232 - Crash in [@ style::rule_tree::core::{{impl}}::drop]

Status: VERIFIED FIXED

(Core :: CSS Parsing and Computation, defect)

Description

[Calixte Denizet (:calixte)]

This bug is for crash report bp-286c4943-fbf3-4fcd-937a-de0500200418.

Top 10 frames of crashing thread:

0 xul.dll style::rule_tree::core::{{impl}}::drop servo/components/style/rule_tree/core.rs:673
1 xul.dll servo_arc::Arc<style::gecko_properties::ComputedValues>::drop_slow<style::gecko_properties::ComputedValues> servo/components/servo_arc/lib.rs:357
2 xul.dll style::gecko::arc_types::Servo_ComputedStyle_Release servo/components/style/gecko/arc_types.rs:132
3 xul.dll nsDisplayBackgroundImage::~nsDisplayBackgroundImage layout/painting/nsDisplayList.cpp:3920
4 xul.dll nsDisplayBackgroundImage::~nsDisplayBackgroundImage layout/painting/nsDisplayList.cpp:3915
5 xul.dll nsDisplayList::DeleteAll layout/painting/nsDisplayList.cpp:3170
6 xul.dll nsDisplayWrapList::Destroy layout/painting/nsDisplayList.h:5403
7 xul.dll nsDisplayList::DeleteAll layout/painting/nsDisplayList.cpp:3170
8 xul.dll nsDisplayWrapList::Destroy layout/painting/nsDisplayList.h:5403
9 xul.dll nsDisplayList::DeleteAll layout/painting/nsDisplayList.cpp:3170

There are 369 crashes (from 201 installations) in nightly 77 with buildid 20200418094905. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1631154.

[1] https://hg.mozilla.org/mozilla-central/rev?node=2c69480819af

Comment 1

[Pulsebot]

Pushed by emilio@crisal.io:
https://hg.mozilla.org/integration/autoland/rev/617d8f220514
Always upgrade existing weak child references in the rule tree. r=emilio

Comment 2

[Emilio Cobos Álvarez [:emilio]]

The patch I pushed is a cherry-pick of https://github.com/servo/servo/pull/26220, which should've fixed this.

Comment 4

[Cristina Coroiu [:ccoroiu]]

https://hg.mozilla.org/mozilla-central/rev/617d8f220514

Comment 5

[Julien Cristau [:jcristau] (back on 2026-01-06)]

Still seeing crashes in the 20200419213349 build which includes this patch.

Comment 6

[Emilio Cobos Álvarez [:emilio]]

Attachment: Bug 1631232 - Ensure that we hold an actual reference to the root, not to a field of a node we can just GC below. r=nox

Comment 7

[Pulsebot]

Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ab5ec3be52a8
Ensure that we hold an actual reference to the root, not to a field of a node we can just GC below. r=nox

Comment 8

[mac198442]

IS there anyway to get this landed on mozilla-central and a new nightly built? it is practically impossible to use yahoo mail on Nightly.

Comment 9

[Emilio Cobos Álvarez [:emilio]]

301 Julien ^?

Comment 10

[mac198442]

Thanks crashes every time a new mail comes in if i am not on the yahoo tab when that happened as soon as i switched back to the yahoo mail tab.

Comment 11

[Julien Cristau [:jcristau] (back on 2026-01-06)]

https://hg.mozilla.org/mozilla-central/rev/ab5ec3be52a8629e975ebfcf8ebc38201b4104f1

Comment 13

[Calixte Denizet (:calixte)]

There still are few crashes on windows (see [1]) with signature style::rule_tree::core::{{impl}}::drop.

[1] https://crash-stats.mozilla.org/search/?build_id=%3E%3D20200420153711&release_channel=nightly&signature=%3Dstyle%3A%3Arule_tree%3A%3Acore%3A%3A%7B%7Bimpl%7D%7D%3A%3Adrop&product=Firefox&date=%3E%3D2020-04-14T00%3A00%3A00.000Z&date=%3C2020-04-21T08%3A35%3A00.000Z&_sort=-date&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports

Comment 14

[Julien Cristau [:jcristau] (back on 2026-01-06)]

(In reply to Calixte Denizet (:calixte) from comment #13)

There still are few crashes on windows (see [1]) with signature style::rule_tree::core::{{impl}}::drop.

I'm not sure I'd trust those, they look incomplete (null install time, uptime, ...).

Comment 15

[Calixte Denizet (:calixte)]

:jcristau, agreed, I was wondering if it could be because the crash happened very early.
:gsvelto, do you think those crashes are garbage ?

Comment 16

[Gabriele Svelto [:gsvelto]]

Those crashes don't have the install time field populated, so they're orphaned crashes, they're coming from an older version that most likely didn't have the fix.

Comment 17

[Julien Cristau [:jcristau] (back on 2026-01-06)]

I think we can mark this verified at this point.

Comment 18

[BugBot [:suhaib / :marco/ :calixte]]

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Comment 19

[mac198442]

Well thanks for asking and then say I don;t have permission! This is exactly
why I really no longer really contribute to Mozilla/Firefox!

Comment 20

[Emilio Cobos Álvarez [:emilio]]

(In reply to mac198442 from comment #19)

Well thanks for asking and then say I don;t have permission! This is exactly
why I really no longer really contribute to Mozilla/Firefox!

That form was intended for me, I believe, fwiw :)

Comment 21

[Emilio Cobos Álvarez [:emilio]]

Freddy, anyhow, can we make sure that non-moco people can have access to that form? I've fixed sec bugs in the past while not being an employee :)

Comment 22

[mac198442]

Well was not sent to you was posted in the bug!

Comment 23

[Emilio Cobos Álvarez [:emilio]]

(In reply to mac198442 from comment #22)

Well was not sent to you was posted in the bug!

While tagging me with the needinfo? flag ("Request information from" checkbox).

Comment 24

[mac198442]

I consider a request psoted inthe bug to be a request for all of those following the bug. Just Sayin!

Comment 25

[mac198442]

and your attitude is yet another reason i really don;t contribute anymore.

Comment 26

[Emilio Cobos Álvarez [:emilio]]

(In reply to mac198442 from comment #25)
(In reply to mac198442 from comment #24)

Sorry if I somehow offended you or something, I didn't try to be disrespectful. I was just trying to point out that the request was directed at someone (which in this case was me), because it used the "Request information from" flag, which is very explicit.

Not everything that's posted on a bug is directed at everyone, we post it on the bug so that there's a record of it, so that other people can follow along, and because Bugzilla is where we work. For example, I'm pretty sure you don't expect comment 21 to be directed at you. It's a question/request for Freddy, from our security team, so that he can potentially open up the form for external contributors.

Anyhow sorry again if I somehow offended you or I was overly aggressive, didn't mean to.

Comment 27

[mac198442]

Sorry should not have been directed at you. This is my frustration about not being able to participate fully anymore because of a personal issue with the Moziila contributors person identified that not of us contributors ever got a vote
on.

Comment 28

[mac198442]

Sorry should not have been directed at you. This is my frustration about not being able to participate fully anymore because of a personal issue with the Mozilla contributors person identified that not of us contributors ever got a vote
on.

Comment 29

[Frederik Braun [:freddy]]

(In reply to mac198442 from comment #19)

Well thanks for asking and then say I don;t have permission!

Sorry about this confusion. That's my mistake. The survey was indeed intended at the patch author. Let me tweak the message so that it addresses the patch author specifically, with a wording like "<Name>, as the patch auditor, we are asking you...". Good feedback!

I will also figure out how to make the survey open to contributors, but that will require more tweaking.

Comment 30

[Christian Holler (:decoder)]

Fwiw, there is a PHC crash available for this at 3a8006a6-2a85-4f91-a91e-84afd0200419 in case this turns out to be incomplete. I can symbolize the traces if required, just needinfo me.