1682882 - Hit MOZ_CRASH(Invoking Servo_Element_IsDisplayContents on unstyled element) at servo/ports/geckolib/glue.rs:1468

Status: VERIFIED FIXED

(Core :: CSS Parsing and Computation, defect)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Testcase found while fuzzing mozilla-central rev 5e25722bcc7c (built with --enable-debug). Testcase must be served via HTTP.

Hit MOZ_CRASH(Invoking Servo_Element_IsDisplayContents on unstyled element) at servo/ports/geckolib/glue.rs:1468

    #0 0x7f6974a558b5 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:254:3
    #1 0x7f6974a558b5 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:17:3
    #2 0x7f6974a55864 in mozglue_static::panic_hook::ha757622518ce090b /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:89:9
    #3 0x7f6974a5518b in core::ops::function::Fn::call::h2f0433a5b64f4daf /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:70:5
    #4 0x7f6975a2d8b5 in std::panicking::rust_panic_with_hook::h2bdec87b60580584 /rustc/7eac88abb2e57e752f3302f02be5f3ce3d7adfb4/library/std/src/panicking.rs:581:17
    #5 0x7f6975a2d438 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h101ca09d9df5db47 /rustc/7eac88abb2e57e752f3302f02be5f3ce3d7adfb4/library/std/src/panicking.rs:484:9
    #6 0x7f6975a2872b in std::sys_common::backtrace::__rust_end_short_backtrace::h3bb85654c20113ca /rustc/7eac88abb2e57e752f3302f02be5f3ce3d7adfb4/library/std/src/sys_common/backtrace.rs:153:18
    #7 0x7f6975a2d3f8 in rust_begin_unwind /rustc/7eac88abb2e57e752f3302f02be5f3ce3d7adfb4/library/std/src/panicking.rs:483:5
    #8 0x7f6975a93100 in core::panicking::panic_fmt::h48c31e1e3d550146 /rustc/7eac88abb2e57e752f3302f02be5f3ce3d7adfb4/library/core/src/panicking.rs:85:14
    #9 0x7f6975a92ce2 in core::option::expect_failed::hf3f43f1792267e24 /rustc/7eac88abb2e57e752f3302f02be5f3ce3d7adfb4/library/core/src/option.rs:1226:5
    #10 0x7f697535b204 in core::option::Option$LT$T$GT$::expect::hc3e6ac4c8eae84d3 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/option.rs:346:21
    #11 0x7f697535b204 in Servo_Element_IsDisplayContents /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:1465:16
    #12 0x7f697120414a in nsPlaceholderFrame::GetParentComputedStyleForOutOfFlow(nsIFrame**) const /builds/worker/checkouts/gecko/layout/generic/nsPlaceholderFrame.cpp:205:24
    #13 0x7f69711ab5da in nsIFrame::DoGetParentComputedStyle(nsIFrame**) const /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:10014:23
    #14 0x7f6971005f60 in mozilla::RestyleManager::DoReparentComputedStyleForFirstLine(nsIFrame*, mozilla::ServoStyleSet&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3443:15
    #15 0x7f6971005f2d in mozilla::RestyleManager::DoReparentComputedStyleForFirstLine(nsIFrame*, mozilla::ServoStyleSet&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3435:7
    #16 0x7f69710064a9 in mozilla::RestyleManager::ReparentFrameDescendants(nsIFrame*, nsIFrame*, mozilla::ServoStyleSet&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3573:9
    #17 0x7f6971006168 in mozilla::RestyleManager::DoReparentComputedStyleForFirstLine(nsIFrame*, mozilla::ServoStyleSet&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3553:3
    #18 0x7f69710064a9 in mozilla::RestyleManager::ReparentFrameDescendants(nsIFrame*, nsIFrame*, mozilla::ServoStyleSet&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3573:9
    #19 0x7f6971006168 in mozilla::RestyleManager::DoReparentComputedStyleForFirstLine(nsIFrame*, mozilla::ServoStyleSet&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3553:3
    #20 0x7f6971005f2d in mozilla::RestyleManager::DoReparentComputedStyleForFirstLine(nsIFrame*, mozilla::ServoStyleSet&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3435:7
    #21 0x7f69710f39da in nsBlockFrame::UpdatePseudoElementStyles(mozilla::ServoRestyleState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7783:16
    #22 0x7f69710033a5 in UpdateFramePseudoElementStyles /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:2493:17
    #23 0x7f69710033a5 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:2824:7
    #24 0x7f6971004c8d in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3005:28
    #25 0x7f6970fdef27 in ProcessPendingRestyles /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3112:3
    #26 0x7f6970fdef27 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4205:39
    #27 0x7f696f98d74b in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1403:5
    #28 0x7f696f98d74b in mozilla::EventStateManager::FlushLayout(nsPresContext*) /builds/worker/checkouts/gecko/dom/events/EventStateManager.cpp:5729:16
    #29 0x7f696f98a056 in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*) /builds/worker/checkouts/gecko/dom/events/EventStateManager.cpp:707:7
    #30 0x7f6970ff2e79 in mozilla::PresShell::EventHandler::DispatchEvent(mozilla::EventStateManager*, mozilla::WidgetEvent*, bool, nsEventStatus*, nsIContent*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:8215:39
    #31 0x7f6970fed4bb in mozilla::PresShell::EventHandler::HandleEventWithCurrentEventInfo(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:8184:17
    #32 0x7f6970fecd55 in mozilla::PresShell::EventHandler::HandleEventUsingCoordinates(nsIFrame*, mozilla::WidgetGUIEvent*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:7091:30
    #33 0x7f6970feb952 in mozilla::PresShell::EventHandler::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6894:12
    #34 0x7f6970feb172 in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6819:23
    #35 0x7f6970cb7ee2 in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:750:18
    #36 0x7f6970cb7c08 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) /builds/worker/checkouts/gecko/view/nsView.cpp:1133:9
    #37 0x7f6970cf1911 in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) /builds/worker/checkouts/gecko/widget/PuppetWidget.cpp:379:37
    #38 0x7f696ddb7ded in mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) /builds/worker/checkouts/gecko/gfx/layers/apz/util/APZCCallbackHelper.cpp:479:21
    #39 0x7f69707d2558 in DispatchWidgetEventViaAPZ /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1740:10
    #40 0x7f69707d2558 in mozilla::dom::BrowserChild::HandleRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1679:3
    #41 0x7f69707d3841 in mozilla::dom::BrowserChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1646:3
    #42 0x7f69707d39a9 in mozilla::dom::BrowserChild::RecvSynthMouseMoveEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1611:8
    #43 0x7f696d7230da in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserChild.cpp:5473:56
    #44 0x7f696d1a1c3d in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8616:32
    #45 0x7f696d023bee in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2153:25
    #46 0x7f696d0201ed in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2077:9
    #47 0x7f696d021696 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1925:3
    #48 0x7f696d0223db in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1956:13
    #49 0x7f696c70815f in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:459:16
    #50 0x7f696c70675a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:739:26
    #51 0x7f696c705804 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:598:15
    #52 0x7f696c7059b7 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:382:36
    #53 0x7f696c70ba06 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:123:37
    #54 0x7f696c70ba06 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
    #55 0x7f696c71cff5 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1200:14
    #56 0x7f696c7230aa in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #57 0x7f696d0294c6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #58 0x7f696cf959b3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #59 0x7f696cf958cd in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #60 0x7f696cf958cd in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #61 0x7f6970d03968 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #62 0x7f6972509ac3 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:902:20
    #63 0x7f696d02a3a9 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:237:9
    #64 0x7f696cf959b3 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #65 0x7f696cf958cd in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #66 0x7f696cf958cd in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #67 0x7f69725096a8 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
    #68 0x55c79ed87e07 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #69 0x55c79ed87e07 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:305:18
    #70 0x7f69813300b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16

Comment 1

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201216105947-5e25722bcc7c.
Failed to bisect testcase (Testcase reproduces on start build!):

Start: 35af0b925215124a619bc054aeeb8d01e99b4e63 (20191218005103)
End: 837d98b6844bc83c781b4cd3ebcb249f3da0baa1 (20201216004309)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)

Comment 2

[Emilio Cobos Álvarez (:emilio)]

I don't seem to be able to repro this on a debug build nor on a release build?

Comment 3

[Jason Kratzer [:jkratzer]]

(In reply to Emilio Cobos Álvarez (:emilio) from comment #2)

I don't seem to be able to repro this on a debug build nor on a release build?

The testcase needs to be served over HTTP due to the use of XHR. I've updated comment 0 to include that information. If it still doesn't repro for you, please let me know.

Comment 4

[Emilio Cobos Álvarez (:emilio)]

Attachment: Bug 1682882 - Don't crash when trying to figure out the parent style of a node about to be reframed. r=#style

This is basically the situation described here:

https://searchfox.org/mozilla-central/rev/8d722de75886d6bffc116772a1db8854e34ee6a7/layout/generic/nsIFrame.cpp#9961-9964

Comment 5

[Pulsebot]

Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0e4443a87251
Don't crash when trying to figure out the parent style of a node about to be reframed. r=heycam

Comment 6

[Andreea Pavel [:apavel]]

https://hg.mozilla.org/mozilla-central/rev/0e4443a87251

Comment 7

[Bugmon [:jkratzer for issues]]

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20201223212750-d6081a1bef2d.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Comment 8

[BugBot [:suhaib / :marco/ :calixte]]

:emilio, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Comment 9

[Marco Castelluccio [:marco]]

Sorry, bug in the bot.