Closed Bug 1708997 Opened 3 years ago Closed 3 years ago

Crash in [@ atomic_refcell::AtomicBorrowRef::do_panic]

Categories

(Core :: CSS Parsing and Computation, defect)

Tracking

RESOLVED DUPLICATE of bug 1677555
Tracking Status
firefox-esr78 --- fixed
firefox88 --- wontfix
firefox89 --- wontfix
firefox90 --- fixed

People

(Reporter: aryx, Unassigned)

Details

(Keywords: crash)

Crash Data

Not a new signature; 500-700 crash reports per release cycle on the release channel. 6/6 of the crash reports checked went through mozilla::image::SVGDocumentWrapper::~SVGDocumentWrapper().

Crash report: https://crash-stats.mozilla.org/report/index/3c56fa92-b3d0-47c3-b862-8fab70210502

MOZ_CRASH Reason: already mutably borrowed

Top 10 frames of crashing thread:

0 xul.dll RustMozCrash mozglue/static/rust/wrappers.cpp:16
1 xul.dll mozglue_static::panic_hook mozglue/static/rust/lib.rs:89
2 xul.dll core::ops::function::Fn::call<fn ../2fd73fabe469357a12c2c974c140f67e7cdd76d0/library/core/src/ops/function.rs:227
3 xul.dll std::panicking::rust_panic_with_hook ../2fd73fabe469357a12c2c974c140f67e7cdd76d0//library/std/src/panicking.rs:595
4 xul.dll std::panicking::begin_panic::{{closure}}<str> ../2fd73fabe469357a12c2c974c140f67e7cdd76d0/library/std/src/panicking.rs:520
5 xul.dll std::sys_common::backtrace::__rust_end_short_backtrace<closure-0, !> ../2fd73fabe469357a12c2c974c140f67e7cdd76d0/library/std/src/sys_common/backtrace.rs:141
6 xul.dll std::panicking::begin_panic<str> ../2fd73fabe469357a12c2c974c140f67e7cdd76d0/library/std/src/panicking.rs:519
7 xul.dll atomic_refcell::AtomicBorrowRef::do_panic third_party/rust/atomic_refcell/src/lib.rs:161
8 xul.dll style::shared_lock::SharedRwLock::read servo/components/style/shared_lock.rs:116
9 xul.dll geckoservo::glue::Servo_StyleSet_RemoveStyleSheet servo/ports/geckolib/glue.rs:1891
 0 	xul.dll	RustMozCrash(char const*, int, char const*)	mozglue/static/rust/wrappers.cpp:16 	context
1 	xul.dll	mozglue_static::panic_hook(core::panic::PanicInfo*)	mozglue/static/rust/lib.rs:89 	cfi
2 	xul.dll	core::ops::function::Fn::call<fn(core::panic::PanicInfo*), tuple<core::panic::PanicInfo*>>(void (**)(core::panic::PanicInfo*), core::panic::PanicInfo*)	../2fd73fabe469357a12c2c974c140f67e7cdd76d0/library/core/src/ops/function.rs:227 	cfi
3 	xul.dll	std::panicking::rust_panic_with_hook()	../2fd73fabe469357a12c2c974c140f67e7cdd76d0//library/std/src/panicking.rs:595 	cfi
4 	xul.dll	std::panicking::begin_panic::{{closure}}<str>(std::panicking::begin_panic::closure-0)	../2fd73fabe469357a12c2c974c140f67e7cdd76d0/library/std/src/panicking.rs:520 	cfi
5 	xul.dll	std::sys_common::backtrace::__rust_end_short_backtrace<closure-0, !>(std::panicking::begin_panic::closure-0)	../2fd73fabe469357a12c2c974c140f67e7cdd76d0/library/std/src/sys_common/backtrace.rs:141 	cfi
6 	xul.dll	std::panicking::begin_panic<str>(str, core::panic::Location*)	../2fd73fabe469357a12c2c974c140f67e7cdd76d0/library/std/src/panicking.rs:519 	cfi
7 	xul.dll	atomic_refcell::AtomicBorrowRef::do_panic(core::sync::atomic::AtomicUsize*, unsigned long long)	third_party/rust/atomic_refcell/src/lib.rs:161 	cfi
8 	xul.dll	style::shared_lock::SharedRwLock::read()	servo/components/style/shared_lock.rs:116 	cfi
9 	xul.dll	geckoservo::glue::Servo_StyleSet_RemoveStyleSheet(style::gecko_bindings::structs::root::RawServoStyleSet*, style::gecko_bindings::structs::root::mozilla::StyleSheet*)	servo/ports/geckolib/glue.rs:1891 	cfi
10 	xul.dll	mozilla::ServoStyleSet::ShellDetachedFromDocument()	layout/style/ServoStyleSet.cpp:148 	cfi
11 	xul.dll	mozilla::dom::Document::DeletePresShell()	dom/base/Document.cpp:6764 	cfi
12 	xul.dll	mozilla::PresShell::Destroy()	layout/base/PresShell.cpp:1423 	cfi
13 	xul.dll	nsDocumentViewer::DestroyPresShell()	layout/base/nsDocumentViewer.cpp:3571 	cfi
14 	xul.dll	nsDocumentViewer::Destroy()	layout/base/nsDocumentViewer.cpp:1741 	cfi
15 	xul.dll	mozilla::image::SVGDocumentWrapper::~SVGDocumentWrapper()	image/SVGDocumentWrapper.cpp:50 	cfi
16 	xul.dll	mozilla::image::VectorImage::~VectorImage()	image/VectorImage.cpp:319 	cfi
17 	xul.dll	mozilla::image::VectorImage::Release()	image/VectorImage.cpp:300 	cfi
18 	xul.dll	imgRequest::~imgRequest()	image/imgRequest.cpp:84 	cfi
19 	xul.dll	imgRequest::Release()	image/imgRequest.cpp:50 	cfi
20 	xul.dll	RefPtr<imgCacheEntry>::~RefPtr()	mfbt/RefPtr.h:83 	cfi
21 	xul.dll	imgLoader::SetHasNoProxies(imgRequest*, imgCacheEntry*)	image/imgLoader.cpp:1569 	cfi
22 	xul.dll	imgRequest::RemoveProxy(imgRequestProxy*, nsresult)	image/imgRequest.cpp:248 	cfi
23 	xul.dll	imgRequestProxy::CancelAndForgetObserver(nsresult)	image/imgRequestProxy.cpp:465 	cfi
24 	xul.dll	static mozilla::css::ImageLoader::UnloadImage(imgRequestProxy*)	layout/style/ImageLoader.cpp:463 	cfi
25 	xul.dll	Gecko_LoadData_Drop(mozilla::StyleLoadData*)	layout/style/nsStyleStruct.cpp:193 	cfi
26 	xul.dll	servo_arc::Arc<style::gecko::url::CssUrlData>::drop_slow<style::gecko::url::CssUrlData>()	servo/components/servo_arc/lib.rs:357 	cfi
27 	xul.dll	core::ptr::drop_in_place<style::properties::PropertyDeclaration>(style::properties::PropertyDeclaration*)	../2fd73fabe469357a12c2c974c140f67e7cdd76d0/library/core/src/ptr/mod.rs:179 	cfi
28 	xul.dll	style::properties::declaration_block::PropertyDeclarationBlock::update(style::properties::SourcePropertyDeclarationDrain, style::properties::declaration_block::Importance, style::properties::declaration_block::SourcePropertyDeclarationUpdate*)	servo/components/style/properties/declaration_block.rs:720 	cfi
29 	xul.dll	geckoservo::glue::set_property(style::gecko_bindings::structs::root::RawServoDeclarationBlock*, style::properties::PropertyId, nsstring::nsACString*, bool, style::stylesheets::UrlExtraData*, unsigned char, selectors::context::QuirksMode, style::gecko_bindings::structs::root::mozilla::css::Loader*, style::stylesheets::CssRuleType, style::gecko_bindings::structs::root::mozilla::DeclarationBlockMutationClosure)	servo/ports/geckolib/glue.rs:4549 	cfi
30 	xul.dll	geckoservo::glue::Servo_DeclarationBlock_SetPropertyById(style::gecko_bindings::structs::root::RawServoDeclarationBlock*, style::gecko_bindings::structs::root::nsCSSPropertyID, nsstring::nsACString*, bool, style::gecko_bindings::structs::root::mozilla::URLExtraData*, unsigned char, style::gecko_bindings::structs::root::nsCompatibility, style::gecko_bindings::structs::root::mozilla::css::Loader*, unsigned short, style::gecko_bindings::structs::root::mozilla::DeclarationBlockMutationClosure)	servo/ports/geckolib/glue.rs:4620 	cfi
31 	xul.dll	nsDOMCSSAttributeDeclaration::SetPropertyValue(const nsCSSPropertyID, nsTSubstring<char> const&, nsIPrincipal*, mozilla::ErrorResult&)	layout/style/nsDOMCSSAttrDeclaration.cpp:207 	cfi
32 	xul.dll	mozilla::dom::CSS2Properties_Binding::set_background(JSContext*, JS::Handle<JSObject*>, void*, JSJitSetterCallArgs)	dom/bindings/CSS2PropertiesBinding.cpp:36052 	cfi
33 	xul.dll	mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*)	dom/bindings/BindingUtils.cpp:3180 	cfi
34 	xul.dll	js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)	js/src/vm/Interpreter.cpp:522 	cfi
35 	xul.dll	SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, js::PropertyResult const&, JS::ObjectOpResult&)	js/src/vm/NativeObject.cpp:2661 	cfi
36 	xul.dll	js::NativeSetProperty<js::Qualified>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&)	js/src/vm/NativeObject.cpp:2695 	cfi
37 	xul.dll	js::SetPropertyIgnoringNamedGetter(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<mozilla::Maybe<JS::PropertyDescriptor> >, JS::ObjectOpResult&)	js/src/proxy/BaseProxyHandler.cpp:173 	cfi
38 	xul.dll	mozilla::dom::DOMProxyHandler::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) const	dom/bindings/DOMJSProxyHandler.cpp:247 	cfi
39 	xul.dll	static js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&)	js/src/proxy/Proxy.cpp:552 	cfi
40 	xul.dll	Interpret(JSContext*, js::RunState&)	js/src/vm/Interpreter.cpp:3013 	cfi
41 	xul.dll	js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason)	js/src/vm/Interpreter.cpp:554 	cfi
42 	xul.dll	js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>)	js/src/jit/BaselineIC.cpp:1834 	cfi

Looks like it may be to do with stylesheet management in relation to SVG docs (some kind of race, or confusion about ownership, maybe?). I see Servo_StyleSet_RemoveStyleSheet in all the stacks I looked at, when we're apparently in the process of tearing down an SVGDocumentWrapper.

Marking S2 as the crash rate is uncomfortably high, particularly on Android, although we should at least be crashing safely due to the Rust panic, rather than running off into undefined-behavior territory.

Severity: -- → S2
Flags: needinfo?(emilio)

Have you seen this crash by any chance? Thanks.

Flags: needinfo?(emilio) → needinfo?(twsmith)

Jason logged Bug 1677555, is that it?

Flags: needinfo?(twsmith)

Yeah, I somehow forgot to ni? myself there. Thanks!

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
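
The single-thread pattern visible in the trace above, reduced to a small model (an added example, not Gecko or Servo code): a value's destructor asks for a read borrow while a write borrow is still live. std's `RefCell` stands in for `atomic_refcell`, every type and function name is hypothetical, and it is an assumption that the write borrow is held by the `set_property` frame; the second update function is one generic way to avoid the pattern, not the change made in bug 1677555.

```rust
use std::cell::{Cell, RefCell};
use std::rc::Rc;

// Hypothetical stand-in for the shared style lock. std's RefCell enforces the
// same run-time rule as atomic_refcell: no reader while a writer is active.
struct Shared {
    lock: RefCell<()>,  // borrow flag only
    refused: Cell<u32>, // destructor-time reads that found a live write borrow
}

// Models a declaration value whose destructor needs a read borrow (frames 27 to 8).
struct Image(Rc<Shared>);

impl Drop for Image {
    fn drop(&mut self) {
        // A panicking read would abort here; try_borrow lets the model count instead.
        if self.0.lock.try_borrow().is_err() {
            self.0.refused.set(self.0.refused.get() + 1);
        }
    }
}

// Shape seen in the trace: the old value is dropped while the write guard lives.
fn update_drop_under_guard(shared: &Rc<Shared>, slot: &mut Option<Image>) {
    let _write = shared.lock.borrow_mut();
    *slot = Some(Image(Rc::clone(shared))); // old Image is dropped on this line
}

// Generic alternative: move the old value out, release the guard, then drop it.
fn update_drop_after_guard(shared: &Rc<Shared>, slot: &mut Option<Image>) {
    let old = {
        let _write = shared.lock.borrow_mut();
        slot.replace(Image(Rc::clone(shared)))
    };
    drop(old); // destructor runs with no borrow outstanding
}

// Runs one update and returns how many destructor-time reads were refused.
fn refused_reads(update: fn(&Rc<Shared>, &mut Option<Image>)) -> u32 {
    let shared = Rc::new(Shared { lock: RefCell::new(()), refused: Cell::new(0) });
    let mut slot = Some(Image(Rc::clone(&shared)));
    update(&shared, &mut slot);
    shared.refused.get()
}

fn main() {
    println!("under guard: {}", refused_reads(update_drop_under_guard));
    println!("after guard: {}", refused_reads(update_drop_after_guard));
}
```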