Closed
Bug 1665823
Opened 4 years ago
Closed 4 years ago
Hit MOZ_CRASH(Resolving style on unstyled element) at servo/ports/geckolib/glue.rs:5349
Categories
(Core :: CSS Parsing and Computation, defect)
Core
CSS Parsing and Computation
Tracking
()
VERIFIED
FIXED
82 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox-esr78 | --- | unaffected |
| firefox80 | --- | unaffected |
| firefox81 | --- | wontfix |
| firefox82 | --- | verified |
People
(Reporter: jkratzer, Assigned: emilio)
References
(Blocks 1 open bug, Regression)
Details
(4 keywords, Whiteboard: [bugmon:bisected,confirmed])
Crash Data
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev 084477976b2d (built with --enable-debug).
Hit MOZ_CRASH(Resolving style on unstyled element) at servo/ports/geckolib/glue.rs:5349
#0 0x7feac104c8e5 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:254:3
#1 0x7feac104c8e5 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:17:3
#2 0x7feac104c894 in mozglue_static::panic_hook::h9c593699a8525ff8 /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:89:8
#3 0x7feac104c18b in core::ops::function::Fn::call::h1a501563fc6b3009 /rustc/4fb7144ed159f94491249e86d5bbd033b5d60550/src/libcore/ops/function.rs:72:4
#4 0x7feac252cf24 in std::panicking::rust_panic_with_hook::hb976084785e50594 /rustc/4fb7144ed159f94491249e86d5bbd033b5d60550/src/libstd/panicking.rs:474:16
#5 0x7feac252ca3a in rust_begin_unwind /rustc/4fb7144ed159f94491249e86d5bbd033b5d60550/src/libstd/panicking.rs:378:4
#6 0x7feac2554b20 in core::panicking::panic_fmt::h45f7d6868edb5678 /rustc/4fb7144ed159f94491249e86d5bbd033b5d60550/src/libcore/panicking.rs:85:13
#7 0x7feac2554702 in core::option::expect_failed::h9a8bff6ff005b30d /rustc/4fb7144ed159f94491249e86d5bbd033b5d60550/src/libcore/option.rs:1203:4
#8 0x7feac1e5b132 in core::option::Option$LT$T$GT$::expect::hdb6555b9ab30c4cb /rustc/4fb7144ed159f94491249e86d5bbd033b5d60550/src/libcore/option.rs:347:20
#9 0x7feac1e5b132 in Servo_ResolveStyle /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:5349:15
#10 0x7feabdbfc6a7 in ResolveServoStyle /builds/worker/workspace/obj-build/dist/include/mozilla/ServoStyleSetInlines.h:22:10
#11 0x7feabdbfc6a7 in nsCSSFrameConstructor::ResolveComputedStyle(nsIContent*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4647:12
#12 0x7feabdbf9315 in AddFrameConstructionItems /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5182:41
#13 0x7feabdbf9315 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9585:9
#14 0x7feabdc0299a in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3762:9
#15 0x7feabdc0700c in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5652:3
#16 0x7feabdbf88c5 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9438:5
#17 0x7feabdc0b1d0 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7193:3
#18 0x7feabdbd4a34 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:1484:25
#19 0x7feabdbdb57b in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3037:9
#20 0x7feabdbb5b60 in ProcessPendingRestyles /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3116:3
#21 0x7feabdbb5b60 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4196:39
#22 0x7feabdb81ad7 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2109:22
#23 0x7feabdb88f91 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:372:13
#24 0x7feabdb88f91 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:351:7
#25 0x7feabdb88e7c in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:366:5
#26 0x7feabdb8e688 in RunRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:818:5
#27 0x7feabdb8e688 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:736:16
#28 0x7feabdb8df81 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:638:7
#29 0x7feabdb871fd in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:537:20
#30 0x7feab93e340f in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:242:16
#31 0x7feab93e148a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:512:26
#32 0x7feab93e05e4 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:371:15
#33 0x7feab93e0797 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:168:36
#34 0x7feab93e8146 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:83:37
#35 0x7feab93e8146 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
#36 0x7feab93fb54f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:14
#37 0x7feab9400efa in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
#38 0x7feab9cfce86 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
#39 0x7feab9c6fb73 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#40 0x7feab9c6fa8d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#41 0x7feab9c6fa8d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#42 0x7feabd8e7a38 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#43 0x7feabf0c0763 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
#44 0x7feab9cfdc49 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
#45 0x7feab9c6fb73 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#46 0x7feab9c6fa8d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#47 0x7feab9c6fa8d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#48 0x7feabf0c0348 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
#49 0x55d5b79397c7 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#50 0x55d5b79397c7 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
#51 0x7feacdb3b0b2 in __libc_start_main /build/glibc-YYA7BZ/glibc-2.31/csu/../csu/libc-start.c:308:16
#52 0x55d5b7917579 in _start (/home/worker/builds/m-c-20200912092623-fuzzing-debug/firefox-bin+0x17579)
Flags: in-testsuite?
|
||
Comment 1•4 years ago
|
||
Got a crash : https://crash-stats.mozilla.org/report/index/f0f44820-80e9-44f7-9537-c68140200918#tab-details
Crash Signature: [@ core::option::expect_failed | geckoservo::glue::Servo_ResolveStyle ]
Keywords: crash
|
Reporter | |
Comment 2•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200917142508-084477976b2d.
The bug appears to have been introduced in the following build range:
Start: 4462bac0fc59f25feab3764f9e2b9226dc2d22d2 (20200810181507)
End: fb03c1e39a43bef192497f65a695506bb05d72ee (20200810181618)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=4462bac0fc59f25feab3764f9e2b9226dc2d22d2&tochange=fb03c1e39a43bef192497f65a695506bb05d72ee
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
Assignee | |
Updated•4 years ago
|
Assignee: nobody → emilio
Flags: needinfo?(emilio)
|
||
Updated•4 years ago
|
Has Regression Range: --- → yes
|
||
Comment 3•4 years ago
|
||
Set release status flags based on info from the regressing bug 1655751
status-firefox80:
--- → unaffected
status-firefox81:
--- → affected
status-firefox-esr68:
--- → unaffected
status-firefox-esr78:
--- → unaffected
|
|
Assignee | |
Comment 4•4 years ago
|
||
Is there any chance there is an slightly more reduced test-case? The current one I can't land as a crashtest (because it relies on setInterval), and I failed at making it a bit more reliable.
Flags: needinfo?(emilio) → needinfo?(jkratzer)
|
|
Assignee | |
Comment 5•4 years ago
|
||
This is mostly a band-aid, though it also serves sorta as an
optimization.
The issue here is basically bug 1393323. By re-cascading, right now we
can't come up with the right before-change style if CSSOM has mutated
the rules. We really need a better way to come up with the before-change
style, as the animation-only traversal is not really sustainable (nor
fast, for that matter...).
But this avoids crashing and prevents the regression easily, so let's do
that for now.
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ab4f6932ea8a Consider display: none elements as having current style for animation-only traversal. r=hiro
|
||
Comment 7•4 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 82 Branch
|
|
Reporter | |
Comment 8•4 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200919212721-ab4f6932ea8a.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
|
|
||
Updated•4 years ago
|
Keywords: regression
|
||
Updated•4 years ago
|
|
|
Reporter | |
Comment 9•4 years ago
|
||
(In reply to Emilio Cobos Álvarez (:emilio) from comment #4)
Is there any chance there is an slightly more reduced test-case? The current one I can't land as a crashtest (because it relies on setInterval), and I failed at making it a bit more reliable.
Apologies for the delay - I was on PTO last week. As for the testcase, unfortunately not. Once a bug is marked as FIXED and VERIFIED, we delete previous crashes as part of an automatic cleanup process. I checked this morning and the bucket of crashes matching this signature has already been removed.
Flags: needinfo?(jkratzer)
You need to log in
before you can comment on or make changes to this bug.
Description
•