Closed Bug 1719963 Opened 4 years ago Closed 4 years ago

Crash in [@ style::stylesheets::import_rule::ImportSheet::rules]

Categories

(Core :: DOM: CSS Object Model, defect)

Product:
Core
Component:
DOM: CSS Object Model
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
93 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- unaffected
firefox-esr91 --- unaffected
firefox89 --- unaffected
firefox90 --- unaffected
firefox91 + fixed
firefox92 + fixed
firefox93 + fixed

People

(Reporter: aryx, Assigned: emilio)

References

(Regression)

Details

(Keywords: crash, regression, Whiteboard: [stockwell fixed:backout])

Crash Data

Attachments

(3 files)

Bug 1719963 - Better wallpaper for now.
48 bytes, text/x-phabricator-request
Details | Review
Bug 1719963 - Fix CSSImportRule CC setup. r=jfkthame
48 bytes, text/x-phabricator-request
Details | Review
Bug 1719963 - Restore EnsureUniqueInner() call for now. r=jfkthame
48 bytes, text/x-phabricator-request
Details | Review

5 crashes from 5 installations (both Windows and macOS), all with the latest Nightly version (91.0a1 20210709214006).

This should be from bug 1711437.

Crash report: https://crash-stats.mozilla.org/report/index/e585cc03-602b-4d44-a8f5-e92b90210710

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0 xul.dll style::stylesheets::import_rule::ImportSheet::rules servo/components/style/stylesheets/import_rule.rs:73
1 xul.dll style::stylesheets::rules_iterator::{{impl}}::next<style::stylesheets::rules_iterator::EffectiveRules> servo/components/style/stylesheets/rules_iterator.rs:132
2 xul.dll style::stylist::CascadeData::add_stylesheet<style::gecko::data::GeckoStyleSheet> servo/components/style/stylist.rs:2169
3 xul.dll style::stylist::CascadeData::rebuild<style::gecko::data::GeckoStyleSheet> servo/components/style/stylist.rs:2025
4 xul.dll geckoservo::glue::Servo_StyleSet_FlushStyleSheets servo/ports/geckolib/glue.rs:1938
5 xul.dll mozilla::ServoStyleSet::UpdateStylist layout/style/ServoStyleSet.cpp:1193
6 xul.dll mozilla::PresShell::DoFlushPendingNotifications layout/base/PresShell.cpp:4159
7 xul.dll nsRefreshDriver::Tick layout/base/nsRefreshDriver.cpp:2296
8 xul.dll mozilla::RefreshDriverTimer::TickRefreshDrivers layout/base/nsRefreshDriver.cpp:326
9 xul.dll mozilla::RefreshDriverTimer::Tick layout/base/nsRefreshDriver.cpp:342
Severity: -- → S2

Should be fixed by the backout of Bug 1711437:
https://hg.mozilla.org/mozilla-central/rev/7b8721ff033aa37d5036caa4d2bfa5127356dd62

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Whiteboard: [stockwell fixed:backout]
Regressed by: 1711437
Has Regression Range: --- → yes

Here we go again.

Status: RESOLVED → REOPENED
status-firefox92: --- → affected
Flags: needinfo?(emilio)
Resolution: FIXED → ---
Target Milestone: 91 Branch → ---
Crash Signature: [@ style::stylesheets::import_rule::ImportSheet::rules] → [@ style::stylesheets::import_rule::ImportSheet::rules] [@ style::stylist::Stylist::media_features_change_changed_style]
Crash Signature: [@ style::stylesheets::import_rule::ImportSheet::rules] [@ style::stylist::Stylist::media_features_change_changed_style] → [@ style::stylesheet_set::DocumentStylesheetSet<T>::collect_invalidations_for<T>] [@ style::stylesheets::import_rule::ImportSheet::rules] [@ style::stylist::Stylist::media_features_change_changed_style]
Crash Signature: [@ style::stylesheet_set::DocumentStylesheetSet<T>::collect_invalidations_for<T>] [@ style::stylesheets::import_rule::ImportSheet::rules] [@ style::stylist::Stylist::media_features_change_changed_style] → [@ style::stylesheet_set::DocumentStylesheetSet<T>::collect_invalidations_for<T>] [@ style::stylesheets::import_rule::ImportSheet::rules] [@ style::stylesheets::rules_iterator::{{impl}}::next<T> ] [@ <style::stylesheets::rules_iterator::RulesIterator<C…

Fixed by backout of bug 1711437.

Status: REOPENED → RESOLVED
Closed: 4 years ago4 years ago
status-firefox92: affectedfixed
Resolution: --- → FIXED

Do you know if we had any ASAN reports that could look like this, or if the fuzzers hit this these last couple days?

Flags: needinfo?(jkratzer)
Flags: needinfo?(emilio)
Flags: needinfo?(choller)

Nothing I could see in ASan Nightly.

Flags: needinfo?(choller)

Nothing reported by the fuzzers either.

Flags: needinfo?(jkratzer)

20-50 crash reports per Nightly.

Status: RESOLVED → REOPENED
status-firefox92: fixedaffected
Flags: needinfo?(emilio)
Resolution: FIXED → ---

Hmm, so the null pointer is not the one I thought. Will fix.

Assignee: nobody → emilio
Attachment #9232779 - Attachment description: WIP: Bug 1719963 - Better wallpaper for now. → Bug 1719963 - Better wallpaper for now.
Flags: needinfo?(emilio)

https://hg.mozilla.org/mozilla-central/rev/4b53d6459297

Status: REOPENED → RESOLVED
Closed: 4 years ago4 years ago
status-firefox92: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 92 Branch

Backed out for causing topcrash bug 1722150.
https://hg.mozilla.org/mozilla-central/rev/03637911a02a3d366a3f66869bbb76c7626a55ee

Status: RESOLVED → REOPENED
status-firefox92: fixedaffected
Flags: needinfo?(emilio)
Resolution: FIXED → ---
Target Milestone: 92 Branch → ---

We'll need to keep an eye on the crash rate for Beta92 and may need to backout bug 1711437 from there as well depending on the frequency.

status-firefox93: --- → affected
tracking-firefox93: --- → +
Crash Signature: [@ style::stylesheet_set::DocumentStylesheetSet<T>::collect_invalidations_for<T>] [@ style::stylesheets::import_rule::ImportSheet::rules] [@ style::stylesheets::rules_iterator::{{impl}}::next<T> ] [@ → [@ enum$<T>::rules ] [@ style::stylesheet_set::DocumentStylesheetSet<T>::collect_invalidations_for<T>] [@ style::stylesheets::import_rule::ImportSheet::rules] [@ style::stylesheets::rules_iterator::{{impl}}::next<T> ] [@

I went ahead and did the backout for 92.0b2. Nightly still has bug 1711437 on it, however.
https://hg.mozilla.org/releases/mozilla-beta/rev/0b48d14c2361

status-firefox92: affectedfixed
status-firefox-esr91: --- → unaffected
tracking-firefox91: --- → +

I think we should go ahead and back out 1711437 from nightly 93 at this point.

Flags: needinfo?(aryx.bugmail)

I think I just found a repro thanks to Bomsy (https://phabricator.services.mozilla.com/D122327 causes this bug to show up on automation), can we wait one more day please?

Flags: needinfo?(aryx.bugmail)

Right now, CSSImportRule was reporting two references to its child
sheet, one from mChildSheet, one from mRawRule. mRawRule however
is kept alive by the StyleSheetContents, so it's more correct to
report it from TraverseInner instead, and ensure that
DropSheetReference takes care of also dropping
CSSImportRule::mRawRule.

Flags: needinfo?(emilio)

This effectively reverts the behavior to the one before bug 1711437
(making the CC setup sound again), but without a big backout.

Fixing the CC setup of @import rules properly is a bit more involved
than what I anticipated and I don't want to have DevTools folks blocked
for too long, nor have this crash in-tree for too long either.

Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/0dffe73ea4df Restore EnsureUniqueInner() call for now. r=jfkthame
Pushed by emilio@crisal.io: https://hg.mozilla.org/integration/autoland/rev/2fc1d893c851 Followup so that getMatchedCSSRules keeps working.

https://hg.mozilla.org/mozilla-central/rev/0dffe73ea4df
https://hg.mozilla.org/mozilla-central/rev/2fc1d893c851

Status: REOPENED → RESOLVED
Closed: 4 years ago4 years ago
status-firefox93: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 93 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: