Open Bug 1789779 Opened 2 years ago Updated 9 months ago

PROCESS-CRASH | pid: <bound method FirefoxBrowser.pid of <wptrunner.browsers.firefox.FirefoxBrowser object at 0x7f5d57397dd8>> | application crashed [@ mozilla::RestyleManager::RebuildAllStyleData(nsChangeHint, mozilla::StyleRestyleHint)]

Categories

(Firefox Build System :: Toolchains, task)

task

Tracking

(Not tracked)

REOPENED

People

(Reporter: glandium, Assigned: glandium)

References

Details

Attachments

(1 obsolete file)

This happens on all 32-bit desktop platforms when building with both PGO and LTO with clang 15:

[task 2022-09-07T00:47:29.865Z] 00:47:29     INFO - PROCESS-CRASH | pid: <bound method FirefoxBrowser.pid of <wptrunner.browsers.firefox.FirefoxBrowser object at 0x7f5d57397dd8>> | application crashed [@ mozilla::RestyleManager::RebuildAllStyleData(nsChangeHint, mozilla::StyleRestyleHint)]
[task 2022-09-07T00:47:29.866Z] 00:47:29     INFO - Crash dump filename: /tmp/tmp0_u_9ttm/minidumps/5b6016d1-f304-27ca-2c7f-764433b1751f.dmp
[task 2022-09-07T00:47:29.866Z] 00:47:29     INFO - Operating system: Linux
[task 2022-09-07T00:47:29.866Z] 00:47:29     INFO -                   4.4.0-1014-aws #14taskcluster1-Ubuntu SMP Tue Apr 3 10:27:00 UTC 2018
[task 2022-09-07T00:47:29.866Z] 00:47:29     INFO - CPU: x86
[task 2022-09-07T00:47:29.866Z] 00:47:29     INFO -      GenuineIntel family 6 model 85 stepping 7
[task 2022-09-07T00:47:29.866Z] 00:47:29     INFO -      4 CPUs
[task 2022-09-07T00:47:29.866Z] 00:47:29     INFO - Linux Ubuntu 18.04 - bionic (Ubuntu 18.04.6 LTS)
[task 2022-09-07T00:47:29.866Z] 00:47:29     INFO - 
[task 2022-09-07T00:47:29.866Z] 00:47:29     INFO - Crash reason:  SIGSEGV / SEGV_MAPERR
[task 2022-09-07T00:47:29.866Z] 00:47:29     INFO - Crash address: 0x0
[task 2022-09-07T00:47:29.866Z] 00:47:29     INFO - Process uptime: not available
[task 2022-09-07T00:47:29.866Z] 00:47:29     INFO - 
[task 2022-09-07T00:47:29.866Z] 00:47:29     INFO - Thread 0 firefox-bin (crashed)
[task 2022-09-07T00:47:29.866Z] 00:47:29     INFO -  0  libxul.so!mozilla::RestyleManager::RebuildAllStyleData(nsChangeHint, mozilla::StyleRestyleHint) [RestyleManager.cpp:2a281a2900f524925107f249b2ddcc7234f1fc2f : 2362 + 0x43]
[task 2022-09-07T00:47:29.866Z] 00:47:29     INFO -      eip = 0xed3ec85c    esp = 0xfffcbff0    ebp = 0xfffcc068    ebx = 0xf0d06000
[task 2022-09-07T00:47:29.866Z] 00:47:29     INFO -      esi = 0xcdd112e0    edi = 0x00000001    eax = 0x00000000    ecx = 0xce7021f0
[task 2022-09-07T00:47:29.866Z] 00:47:29     INFO -      edx = 0x00000000 eflags = 0x00010246
[task 2022-09-07T00:47:29.866Z] 00:47:29     INFO -     Found by: given as instruction pointer in context
[task 2022-09-07T00:47:29.866Z] 00:47:29     INFO -  1  libxul.so!nsPresContext::FlushPendingMediaFeatureValuesChanged() [nsPresContext.cpp:2a281a2900f524925107f249b2ddcc7234f1fc2f : 1909 + 0x88]
[task 2022-09-07T00:47:29.866Z] 00:47:29     INFO -      eip = 0xec369ca1    esp = 0xfffcc070    ebp = 0xfffcc0b8    ebx = 0xf0d06000
[task 2022-09-07T00:47:29.866Z] 00:47:29     INFO -      esi = 0xdc18cf90    edi = 0xfffcc001
[task 2022-09-07T00:47:29.866Z] 00:47:29     INFO -     Found by: call frame info
[task 2022-09-07T00:47:29.866Z] 00:47:29     INFO -  2  libxul.so!mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) [PresShell.cpp:2a281a2900f524925107f249b2ddcc7234f1fc2f : 4353 + 0x9]
[task 2022-09-07T00:47:29.866Z] 00:47:29     INFO -      eip = 0xec318372    esp = 0xfffcc0c0    ebp = 0xfffcc238    ebx = 0xf0d06000
[task 2022-09-07T00:47:29.867Z] 00:47:29     INFO -      esi = 0xf70ace30    edi = 0x00000000
[task 2022-09-07T00:47:29.867Z] 00:47:29     INFO -     Found by: call frame info
[task 2022-09-07T00:47:29.867Z] 00:47:29     INFO -  3  libxul.so!nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) [nsRefreshDriver.cpp:2a281a2900f524925107f249b2ddcc7234f1fc2f : 2565 + 0x31]
[task 2022-09-07T00:47:29.867Z] 00:47:29     INFO -      eip = 0xec309ce9    esp = 0xfffcc240    ebp = 0xfffcc5e8    ebx = 0xf0d06000
[task 2022-09-07T00:47:29.867Z] 00:47:29     INFO -      esi = 0x00000000    edi = 0xf70ace00
[task 2022-09-07T00:47:29.867Z] 00:47:29     INFO -     Found by: call frame info
[task 2022-09-07T00:47:29.867Z] 00:47:29     INFO -  4  libxul.so!mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) [nsRefreshDriver.cpp:2a281a2900f524925107f249b2ddcc7234f1fc2f : 353 + 0x3a]
[task 2022-09-07T00:47:29.867Z] 00:47:29     INFO -      eip = 0xed3cc42e    esp = 0xfffcc5f0    ebp = 0xfffcc638    ebx = 0xf0d06000
[task 2022-09-07T00:47:29.867Z] 00:47:29     INFO -      esi = 0x00000000    edi = 0x00000001
[task 2022-09-07T00:47:29.867Z] 00:47:29     INFO -     Found by: call frame info
[task 2022-09-07T00:47:29.867Z] 00:47:29     INFO -  5  libxul.so!mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) [nsRefreshDriver.cpp:2a281a2900f524925107f249b2ddcc7234f1fc2f : 369 + 0x15]
[task 2022-09-07T00:47:29.867Z] 00:47:29     INFO -      eip = 0xed3cc293    esp = 0xfffcc640    ebp = 0xfffcc678    ebx = 0xf0d06000
[task 2022-09-07T00:47:29.867Z] 00:47:29     INFO -      esi = 0x00000c0b    edi = 0x0d2328ef
[task 2022-09-07T00:47:29.867Z] 00:47:29     INFO -     Found by: call frame info
[task 2022-09-07T00:47:29.867Z] 00:47:29     INFO -  6  libxul.so!mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) [nsRefreshDriver.cpp:2a281a2900f524925107f249b2ddcc7234f1fc2f : 810 + 0x16]
[task 2022-09-07T00:47:29.867Z] 00:47:29     INFO -      eip = 0xed3cbc7a    esp = 0xfffcc680    ebp = 0xfffcc708    ebx = 0xf0d06000
[task 2022-09-07T00:47:29.867Z] 00:47:29     INFO -      esi = 0xd7e95940    edi = 0x0d2328ef
[task 2022-09-07T00:47:29.867Z] 00:47:29     INFO -     Found by: call frame info
[task 2022-09-07T00:47:29.867Z] 00:47:29     INFO -  7  libxul.so!mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) [nsRefreshDriver.cpp:2a281a2900f524925107f249b2ddcc7234f1fc2f : 731 + 0x1d]
[task 2022-09-07T00:47:29.867Z] 00:47:29     INFO -      eip = 0xed3cb7a2    esp = 0xfffcc710    ebp = 0xfffcc778    ebx = 0xf0d06000
[task 2022-09-07T00:47:29.867Z] 00:47:29     INFO -      esi = 0x00000c0b    edi = 0xffffffff
[task 2022-09-07T00:47:29.867Z] 00:47:29     INFO -     Found by: call frame info
[task 2022-09-07T00:47:29.867Z] 00:47:29     INFO -  8  libxul.so!mozilla::detail::RunnableFunction<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&)::{lambda()#1}>::Run() [nsThreadUtils.h:2a281a2900f524925107f249b2ddcc7234f1fc2f : 531 + 0x57]
[task 2022-09-07T00:47:29.867Z] 00:47:29     INFO -      eip = 0xed3cc54a    esp = 0xfffcc780    ebp = 0xfffcc7b8    ebx = 0xf0d06000

Thanks to bug 1779631, stacktrace with inlined frames:

[task 2022-09-08T08:13:45.452Z] 08:13:45     INFO - Thread 0 firefox-bin (crashed)
[task 2022-09-08T08:13:45.452Z] 08:13:45     INFO -  0  libxul.so!mozilla::RestyleManager::IncrementUndisplayedRestyleGeneration()
[task 2022-09-08T08:13:45.452Z] 08:13:45     INFO -     Found by: inlining
[task 2022-09-08T08:13:45.452Z] 08:13:45     INFO -  1  libxul.so!mozilla::RestyleManager::PostRestyleEvent(mozilla::dom::Element*, mozilla::StyleRestyleHint, nsChangeHint) [RestyleManager.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 2308]
[task 2022-09-08T08:13:45.453Z] 08:13:45     INFO -     Found by: inlining
[task 2022-09-08T08:13:45.453Z] 08:13:45     INFO -  2  libxul.so!mozilla::RestyleManager::RebuildAllStyleData(nsChangeHint, mozilla::StyleRestyleHint) [RestyleManager.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 2362 + 0x36]
[task 2022-09-08T08:13:45.453Z] 08:13:45     INFO -      eip = 0xec24513e    esp = 0xffdece40    ebp = 0xffdece98    ebx = 0xf0d06000
[task 2022-09-08T08:13:45.453Z] 08:13:45     INFO -      esi = 0xcec14830    edi = 0x00000001    eax = 0x00000000    ecx = 0xcf602a10
[task 2022-09-08T08:13:45.453Z] 08:13:45     INFO -      edx = 0x00000000 eflags = 0x00010246
[task 2022-09-08T08:13:45.453Z] 08:13:45     INFO -     Found by: given as instruction pointer in context
[task 2022-09-08T08:13:45.453Z] 08:13:45     INFO -  3  libxul.so!nsPresContext::PostRebuildAllStyleDataEvent(nsChangeHint, mozilla::StyleRestyleHint const&) [nsPresContext.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 1852]
[task 2022-09-08T08:13:45.453Z] 08:13:45     INFO -     Found by: inlining
[task 2022-09-08T08:13:45.454Z] 08:13:45     INFO -  4  libxul.so!nsPresContext::RebuildAllStyleData(nsChangeHint, mozilla::StyleRestyleHint const&) [nsPresContext.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 1840]
[task 2022-09-08T08:13:45.454Z] 08:13:45     INFO -     Found by: inlining
[task 2022-09-08T08:13:45.454Z] 08:13:45     INFO -  5  libxul.so!nsPresContext::FlushPendingMediaFeatureValuesChanged() [nsPresContext.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 1907 + 0x88]
[task 2022-09-08T08:13:45.454Z] 08:13:45     INFO -      eip = 0xeb36ea61    esp = 0xffdecea0    ebp = 0xffdecee8    ebx = 0xf0d06000
[task 2022-09-08T08:13:45.454Z] 08:13:45     INFO -      esi = 0xdc6972f0    edi = 0xffdece01
[task 2022-09-08T08:13:45.455Z] 08:13:45     INFO -     Found by: call frame info
[task 2022-09-08T08:13:45.455Z] 08:13:45     INFO -  6  libxul.so!mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) [PresShell.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 4353 + 0x7]
[task 2022-09-08T08:13:45.455Z] 08:13:45     INFO -      eip = 0xeb31cdd2    esp = 0xffdecef0    ebp = 0xffded068    ebx = 0xf0d06000
[task 2022-09-08T08:13:45.456Z] 08:13:45     INFO -      esi = 0xf70ab030    edi = 0x00000000
[task 2022-09-08T08:13:45.457Z] 08:13:45     INFO -     Found by: call frame info
[task 2022-09-08T08:13:45.457Z] 08:13:45     INFO -  7  libxul.so!mozilla::PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) [PresShell.h:688f2a22d5502c4e502e0a1db043f24771f1c24f : 1470]
[task 2022-09-08T08:13:45.458Z] 08:13:45     INFO -     Found by: inlining
[task 2022-09-08T08:13:45.459Z] 08:13:45     INFO -  8  libxul.so!nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) [nsRefreshDriver.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 2565 + 0x31]
[task 2022-09-08T08:13:45.460Z] 08:13:45     INFO -      eip = 0xeb30b029    esp = 0xffded070    ebp = 0xffded418    ebx = 0xf0d06000
[task 2022-09-08T08:13:45.461Z] 08:13:45     INFO -      esi = 0x00000000    edi = 0xf70ab000
[task 2022-09-08T08:13:45.461Z] 08:13:45     INFO -     Found by: call frame info
[task 2022-09-08T08:13:45.462Z] 08:13:45     INFO -  9  libxul.so!mozilla::RefreshDriverTimer::TickDriver(nsRefreshDriver*, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) [nsRefreshDriver.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 375]
[task 2022-09-08T08:13:45.463Z] 08:13:45     INFO -     Found by: inlining
[task 2022-09-08T08:13:45.464Z] 08:13:45     INFO - 10  libxul.so!mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) [nsRefreshDriver.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 353 + 0x3a]
[task 2022-09-08T08:13:45.464Z] 08:13:45     INFO -      eip = 0xec225a5e    esp = 0xffded420    ebp = 0xffded468    ebx = 0xf0d06000
[task 2022-09-08T08:13:45.465Z] 08:13:45     INFO -      esi = 0x00000000    edi = 0x00000001
[task 2022-09-08T08:13:45.466Z] 08:13:45     INFO -     Found by: call frame info
[task 2022-09-08T08:13:45.467Z] 08:13:45     INFO - 11  libxul.so!mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) [nsRefreshDriver.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 369 + 0x15]
[task 2022-09-08T08:13:45.468Z] 08:13:45     INFO -      eip = 0xec2258c3    esp = 0xffded470    ebp = 0xffded4a8    ebx = 0xf0d06000
[task 2022-09-08T08:13:45.468Z] 08:13:45     INFO -      esi = 0x00000296    edi = 0x626a3cc7
[task 2022-09-08T08:13:45.469Z] 08:13:45     INFO -     Found by: call frame info
[task 2022-09-08T08:13:45.470Z] 08:13:45     INFO - 12  libxul.so!mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) [nsRefreshDriver.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 896]
[task 2022-09-08T08:13:45.471Z] 08:13:45     INFO -     Found by: inlining
[task 2022-09-08T08:13:45.471Z] 08:13:45     INFO - 13  libxul.so!mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) [nsRefreshDriver.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 810 + 0x13]
[task 2022-09-08T08:13:45.472Z] 08:13:45     INFO -      eip = 0xec2252a5    esp = 0xffded4b0    ebp = 0xffded538    ebx = 0xf0d06000
[task 2022-09-08T08:13:45.473Z] 08:13:45     INFO -      esi = 0xd8317700    edi = 0x626a3cc7
[task 2022-09-08T08:13:45.474Z] 08:13:45     INFO -     Found by: call frame info
[task 2022-09-08T08:13:45.474Z] 08:13:45     INFO - 14  libxul.so!mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) [nsRefreshDriver.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 731 + 0x1d]
[task 2022-09-08T08:13:45.475Z] 08:13:45     INFO -      eip = 0xec224dc2    esp = 0xffded540    ebp = 0xffded5a8    ebx = 0xf0d06000
[task 2022-09-08T08:13:45.475Z] 08:13:45     INFO -      esi = 0x00000296    edi = 0xffffffff
[task 2022-09-08T08:13:45.475Z] 08:13:45     INFO -     Found by: call frame info
[task 2022-09-08T08:13:45.476Z] 08:13:45     INFO - 15  libxul.so!mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() [nsRefreshDriver.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 594]
[task 2022-09-08T08:13:45.476Z] 08:13:45     INFO -     Found by: inlining
[task 2022-09-08T08:13:45.476Z] 08:13:45     INFO - 16  libxul.so!mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&)::{lambda()#1}::operator()() const [nsRefreshDriver.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 566]
[task 2022-09-08T08:13:45.476Z] 08:13:45     INFO -     Found by: inlining
[task 2022-09-08T08:13:45.476Z] 08:13:45     INFO - 17  libxul.so!mozilla::detail::RunnableFunction<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&)::{lambda()#1}>::Run() [nsThreadUtils.h:688f2a22d5502c4e502e0a1db043f24771f1c24f : 531 + 0x57]
[task 2022-09-08T08:13:45.476Z] 08:13:45     INFO -      eip = 0xec225b7a    esp = 0xffded5b0    ebp = 0xffded5e8    ebx = 0xf0d06000
[task 2022-09-08T08:13:45.476Z] 08:13:45     INFO -      esi = 0xd8317700    edi = 0xd11d00cc
[task 2022-09-08T08:13:45.477Z] 08:13:45     INFO -     Found by: call frame info
[task 2022-09-08T08:13:45.477Z] 08:13:45     INFO - 18  libxul.so!mozilla::PrioritizableRunnable::Run() [nsThreadUtils.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 130 + 0x7]
[task 2022-09-08T08:13:45.477Z] 08:13:45     INFO -      eip = 0xeb845225    esp = 0xffded5f0    ebp = 0xffded5f8    ebx = 0xf0d06000
[task 2022-09-08T08:13:45.477Z] 08:13:45     INFO -      esi = 0x00000043    edi = 0xcec15260
[task 2022-09-08T08:13:45.477Z] 08:13:45     INFO -     Found by: call frame info
[task 2022-09-08T08:13:45.477Z] 08:13:45     INFO - 19  libxul.so!mozilla::RunnableTask::Run() [TaskController.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 538]
[task 2022-09-08T08:13:45.477Z] 08:13:45     INFO -     Found by: inlining
[task 2022-09-08T08:13:45.477Z] 08:13:45     INFO - 20  libxul.so!mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) [TaskController.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 851 + 0x342]
[task 2022-09-08T08:13:45.477Z] 08:13:45     INFO -      eip = 0xeb084b60    esp = 0xffded600    ebp = 0xffdedc78    ebx = 0xf0d06000
[task 2022-09-08T08:13:45.477Z] 08:13:45     INFO -      esi = 0x00000043    edi = 0xcec15260
[task 2022-09-08T08:13:45.477Z] 08:13:45     INFO -     Found by: call frame info
[task 2022-09-08T08:13:45.478Z] 08:13:45     INFO - 21  libxul.so!mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) [TaskController.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 683]
[task 2022-09-08T08:13:45.478Z] 08:13:45     INFO -     Found by: inlining
[task 2022-09-08T08:13:45.478Z] 08:13:45     INFO - 22  libxul.so!mozilla::TaskController::ProcessPendingMTTask(bool) [TaskController.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 461]
[task 2022-09-08T08:13:45.478Z] 08:13:45     INFO -     Found by: inlining
[task 2022-09-08T08:13:45.478Z] 08:13:45     INFO - 23  libxul.so!mozilla::TaskController::InitializeInternal()::$_0::operator()() const [TaskController.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 187]
[task 2022-09-08T08:13:45.478Z] 08:13:45     INFO -     Found by: inlining
[task 2022-09-08T08:13:45.478Z] 08:13:45     INFO - 24  libxul.so!mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() [nsThreadUtils.h:688f2a22d5502c4e502e0a1db043f24771f1c24f : 531]
[task 2022-09-08T08:13:45.478Z] 08:13:45     INFO -     Found by: inlining
[task 2022-09-08T08:13:45.478Z] 08:13:45     INFO - 25  libxul.so!nsThread::ProcessNextEvent(bool, bool*) [nsThread.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 1205 + 0x1e]
[task 2022-09-08T08:13:45.478Z] 08:13:45     INFO -      eip = 0xeb08d42d    esp = 0xffdedc80    ebp = 0xffdedee8    ebx = 0xf0d06000
[task 2022-09-08T08:13:45.478Z] 08:13:45     INFO -      esi = 0xffdedd68    edi = 0xf7049580
[task 2022-09-08T08:13:45.478Z] 08:13:45     INFO -     Found by: call frame info
[task 2022-09-08T08:13:45.478Z] 08:13:45     INFO - 26  libxul.so!NS_ProcessNextEvent(nsIThread*, bool) [nsThreadUtils.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 465]
[task 2022-09-08T08:13:45.478Z] 08:13:45     INFO -     Found by: inlining
[task 2022-09-08T08:13:45.478Z] 08:13:45     INFO - 27  libxul.so!mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) [MessagePump.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 85 + 0x2f]
[task 2022-09-08T08:13:45.479Z] 08:13:45     INFO -      eip = 0xeb0d39ae    esp = 0xffdedef0    ebp = 0xffdee028    ebx = 0xf0d06000
[task 2022-09-08T08:13:45.479Z] 08:13:45     INFO -      esi = 0xf4158340    edi = 0xffdedfc8
[task 2022-09-08T08:13:45.479Z] 08:13:45     INFO -     Found by: call frame info
[task 2022-09-08T08:13:45.479Z] 08:13:45     INFO - 28  libxul.so!MessageLoop::RunInternal() [message_loop.cc:688f2a22d5502c4e502e0a1db043f24771f1c24f : 381]
[task 2022-09-08T08:13:45.479Z] 08:13:45     INFO -     Found by: inlining
[task 2022-09-08T08:13:45.479Z] 08:13:45     INFO - 29  libxul.so!MessageLoop::RunHandler() [message_loop.cc:688f2a22d5502c4e502e0a1db043f24771f1c24f : 374]
[task 2022-09-08T08:13:45.479Z] 08:13:45     INFO -     Found by: inlining
[task 2022-09-08T08:13:45.479Z] 08:13:45     INFO - 30  libxul.so!MessageLoop::Run() [message_loop.cc:688f2a22d5502c4e502e0a1db043f24771f1c24f : 356 + 0xb]
[task 2022-09-08T08:13:45.479Z] 08:13:45     INFO -      eip = 0xeba3f72f    esp = 0xffdee030    ebp = 0xffdee068    ebx = 0xf0d06000
[task 2022-09-08T08:13:45.479Z] 08:13:45     INFO -      esi = 0xffdee048    edi = 0xf41289a0
[task 2022-09-08T08:13:45.479Z] 08:13:45     INFO -     Found by: call frame info
[task 2022-09-08T08:13:45.479Z] 08:13:45     INFO - 31  libxul.so!nsBaseAppShell::Run() [nsBaseAppShell.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 150 + 0xc]
[task 2022-09-08T08:13:45.479Z] 08:13:45     INFO -      eip = 0xec1b03e6    esp = 0xffdee070    ebp = 0xffdee088    ebx = 0xf0d06000
[task 2022-09-08T08:13:45.479Z] 08:13:45     INFO -      esi = 0xf701d700    edi = 0xf41289a0
[task 2022-09-08T08:13:45.479Z] 08:13:45     INFO -     Found by: call frame info
[task 2022-09-08T08:13:45.480Z] 08:13:45     INFO - 32  libxul.so!nsAppStartup::Run() [nsAppStartup.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 295 + 0x8]
[task 2022-09-08T08:13:45.480Z] 08:13:45     INFO -      eip = 0xeaabf24d    esp = 0xffdee090    ebp = 0xffdee0b8    ebx = 0xf0d06000
[task 2022-09-08T08:13:45.480Z] 08:13:45     INFO -      esi = 0xf70fe100    edi = 0x80004005
[task 2022-09-08T08:13:45.480Z] 08:13:45     INFO -     Found by: call frame info
[task 2022-09-08T08:13:45.480Z] 08:13:45     INFO - 33  libxul.so!XREMain::XRE_mainRun() [nsAppRunner.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 5720 + 0x7]
[task 2022-09-08T08:13:45.480Z] 08:13:45     INFO -      eip = 0xeab3afb4    esp = 0xffdee0c0    ebp = 0xffdee228    ebx = 0xf0d06000
[task 2022-09-08T08:13:45.480Z] 08:13:45     INFO -      esi = 0x00000000    edi = 0x80004005
[task 2022-09-08T08:13:45.480Z] 08:13:45     INFO -     Found by: call frame info
[task 2022-09-08T08:13:45.480Z] 08:13:45     INFO - 34  libxul.so!XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) [nsAppRunner.cpp:688f2a22d5502c4e502e0a1db043f24771f1c24f : 5913 + 0x6]
[task 2022-09-08T08:13:45.480Z] 08:13:45     INFO -      eip = 0xeab3b92f    esp = 0xffdee230    ebp = 0xffdee298    ebx = 0xf0d06000
[task 2022-09-08T08:13:45.480Z] 08:13:45     INFO -      esi = 0xffdee2b0    edi = 0xf7007558
[task 2022-09-08T08:13:45.480Z] 08:13:45     INFO -     Found by: call frame info

Starting from
https://github.com/llvm/llvm-project/commit/6c8adc505471542be38bd71d1000062daa46d7bc,
Servo_NoteExplicitHints can end up inlined in its callers via
cross-language LTO, which didn't happen before. This yields a
miscompilation in the caller, causing crashes. Until the miscompilation
is fixed, avoid the inlining.

Assignee: nobody → mh+mozilla
Status: NEW → ASSIGNED
Pushed by mh@glandium.org:
https://hg.mozilla.org/integration/autoland/rev/b5f9a98c4e2e
Work around miscompilation on cross-LTO. r=emilio
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 106 Branch

Backed out per request. Backout link

Status: RESOLVED → REOPENED
Flags: needinfo?(mh+mozilla)
Resolution: FIXED → ---
Target Milestone: 106 Branch → ---

Turns out there are more miscompilations. This will need to be addressed at the compiler level because we can't be sure to find them all.

Status: REOPENED → RESOLVED
Closed: 2 years ago
Flags: needinfo?(mh+mozilla)
Resolution: --- → WONTFIX
Attachment #9294818 - Attachment is obsolete: true
Status: RESOLVED → REOPENED
Closed: 2 years ago
Resolution: WONTFIX → ---
Status: REOPENED → RESOLVED
Closed: 2 years ago
Resolution: --- → WONTFIX

This turns out to be a rustc bug that will need to be addressed separately from clang. For posterity, below is what I was originally typing as a llvm-project bug:

------8<-------

STR:

I'll go with some observations first, then will dig into where this is happening.

  • I bisected this down to https://github.com/llvm/llvm-project/commit/6c8adc505471542be38bd71d1000062daa46d7bc, and it stops happening if I revert it on either trunk or clang 15.
  • It doesn't happen on clang 14.
  • When I say "doesn't happen", there's one subtlety: the function that is inlined in a miscompiled way is not inlined when the bug doesn't manifest itself. I wasn't able to force inlining of the function in those cases to determine if there's an underlying (older) problem that 6c8adc505471542be38bd71d1000062daa46d7bc brought to the surface by allowing the inlining to happen, but I wouldn't be surprised if that's the case.
  • I also didn't manage to get the function to inline with an affected build of llvm after extracting the two functions bytecodes and manually compiling them. I'm not too knowledgeable about the tools to compile bytecode so I probably missed something to enable passes that happen during LTO or something.
  • I'm not sure whether reverting 6c8adc505471542be38bd71d1000062daa46d7bc is free of other side effects. I'm happy to locally do that until this is fixed, if there's no problem doing so (which I suspect is the case).
  • It only affects 32-bit platforms (confirmed on Linux and Windows).
  • Depending on the platform, other similar-ish rust-originating functions are inlined in other C++ functions in a similarly wrong manner, but it's not completely consistent between platforms. The one I'll be analyzing below does happen on both Linux and Windows, but for the others that had visible crashy consequences, they only happened on Windows.

So, what goes wrong is the inlining of Servo_NoteExplicitHints into its callers. I've purposely added some attributes forcing the non-inlining of Servo_NoteExplicitHints's main callee as well as the non-inlining of its callers into their callers. The original code doesn't have those attributes, but the miscompilation happens both with and without them.

The relevant section of code from the miscompiled binary looks like this, in mozilla::RestyleManager::PostRestyleEvent:

 320f92e:       8b 75 14                mov    0x14(%ebp),%esi
 320f931:       89 78 0c                mov    %edi,0xc(%eax)
 320f934:       8b 06                   mov    (%esi),%eax
 320f936:       89 55 ec                mov    %edx,-0x14(%ebp)
 320f939:       83 ec 04                sub    $0x4,%esp
 320f93c:       0f b6 c9                movzbl %cl,%ecx
 320f93f:       8d 55 ec                lea    -0x14(%ebp),%edx
 320f942:       50                      push   %eax
 320f943:       51                      push   %ecx
 320f944:       52                      push   %edx
 320f945:       e8 e6 c5 4a 06          call   96bbf30 <style::gecko::wrapper::GeckoElement::note_explicit_hints@plt>

(it's using the PLT because I removed plenty of flags from the real command line, but it doesn't matter)

What goes wrong here is that this crashes on the mov (%esi),%eax instruction. In the call to note_explicit_hints, it's meant to feed the third argument. That value of %esi comes from the instruction mov 0x14(%ebp),%esi (there's actually another code path that leads here but jumps back to 0x320f934, and it's also setting %esi from the same origin).

Let's compare with the same code compiled with the noinline attribute on Servo_NoteExplicitHints:

 31e2d4e:       8b 75 14                mov    0x14(%ebp),%esi
 31e2d51:       89 78 0c                mov    %edi,0xc(%eax)
 31e2d54:       88 4d e0                mov    %cl,-0x20(%ebp)
 31e2d57:       83 ec 10                sub    $0x10,%esp
 31e2d5a:       0f b6 45 e0             movzbl -0x20(%ebp),%eax
 31e2d5e:       88 44 24 04             mov    %al,0x4(%esp)
 31e2d62:       89 74 24 08             mov    %esi,0x8(%esp)
 31e2d66:       89 14 24                mov    %edx,(%esp)
 31e2d69:       e8 72 00 00 00          call   31e2de0 <Servo_NoteExplicitHints>
031e2de0 <Servo_NoteExplicitHints>:
 31e2de0:       55                      push   %ebp
 31e2de1:       89 e5                   mov    %esp,%ebp
 31e2de3:       53                      push   %ebx
 31e2de4:       50                      push   %eax
 31e2de5:       8b 45 08                mov    0x8(%ebp),%eax
 31e2de8:       e8 00 00 00 00          call   31e2ded <Servo_NoteExplicitHints+0xd>
 31e2ded:       5b                      pop    %ebx
 31e2dee:       81 c3 5b 16 7e 06       add    $0x67e165b,%ebx
 31e2df4:       89 45 f8                mov    %eax,-0x8(%ebp)
 31e2df7:       83 ec 04                sub    $0x4,%esp
 31e2dfa:       8d 45 f8                lea    -0x8(%ebp),%eax
 31e2dfd:       ff 75 10                pushl  0x10(%ebp)
 31e2e00:       ff 75 0c                pushl  0xc(%ebp)
 31e2e03:       50                      push   %eax
 31e2e04:       e8 47 92 4d 06          call   96bc050 <style::gecko::wrapper::GeckoElement::note_explicit_hints@plt>
(...)

Focusing again on the provenance of the first argument to note_explicit_hints, here we have:

mov    0x14(%ebp),%esi
mov    %esi,0x8(%esp)
// call decreases %esp by 4
// push decreases %esp by 4
// %ebp is set to %esp meaning that by now 0x10(%ebp) is the same as 0x8(%esp) before the call.
pushl  0x10(%ebp)

Note there is no dereference like in the miscompiled case.

------8<-------

It turns out, I hadn't been attentive enough when I looked at the IR. Well, my first (weak) excuse is that with debug info enabled, the IR was hard to read, and I only looked at the IR without debug info today. So, what did I see in the IR?

In Unified_cpp_layout_base0.o:

declare hidden void @Servo_NoteExplicitHints(ptr noundef, ptr noundef byval(%"struct.mozilla::StyleRestyleHint") align 4, i32 noundef) local_unnamed_addr #2

In geckoservo-9bc96ac3331a0a5f.geckoservo.2746d36d-cgu.0.rcgu.o:

define void @Servo_NoteExplicitHints(ptr noundef nonnull align 4 %0, ptr noalias nocapture noundef readonly byval(%0) dereferenceable(1) %1, ptr noalias nocapture noundef readonly byval(%1) dereferenceable(4) %2) unnamed_addr #0 !prof !31 {

Note how the third argument is a ptr in the Rust-compiled version (note it was compiled with nightly, because I wanted to reduce any side effects from the difference in llvm version between stable rust and clang 15). It would seem to be the root cause for the LTO fuck up. When the function is not inlined, it still compiles fine. LLVM probably doesn't like that the functions are not declared the same way on both ends.

What's going on here is that the actual type for that argument in C++ is nsChangeHint, declared as enum nsChangeHint: uint32_t. Bindgen converts that to a #[repr(C)] struct nsChangeHint(u32). In turn, the ptr byval is what rustc transforms that into.

Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
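The IR comparison in the comment above (a C++ `declare` of Servo_NoteExplicitHints whose third parameter is `i32`, against a Rust `define` that passes it as `ptr byval`) is the kind of thing that can be checked mechanically across a whole link. The script below is an added example, not the reporter's tooling and not anything from mozilla-central: it parses `declare`/`define` lines from LLVM IR text (as produced by `clang -S -emit-llvm`, `rustc --emit=llvm-ir` or `llvm-dis`), reduces each parameter to its base type plus whether it is passed `byval`, and reports every symbol on which the C++ and Rust sides disagree. The two IR lines quoted above are embedded as the sample input. Two parsing rules are simplifying assumptions: the return type is taken to be the last token before `@name`, and a parameter's type is taken to be its first token, which covers scalar and pointer parameters but not literal struct types containing spaces.

```python
"""Compare C++ and Rust LLVM IR signatures of shared extern "C" symbols.

Added example (not Mozilla's tooling): flags the kind of mismatch seen in
this bug, where C++ declares a parameter as i32 but rustc emits it as a
pointer passed byval.  Inputs are plain IR text (clang -S -emit-llvm,
rustc --emit=llvm-ir, or llvm-dis output).
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the two IR lines quoted in the bug comment.
CXX_IR = r'''
declare hidden void @Servo_NoteExplicitHints(ptr noundef, ptr noundef byval(%"struct.mozilla::StyleRestyleHint") align 4, i32 noundef) local_unnamed_addr #2
'''
RUST_IR = r'''
define void @Servo_NoteExplicitHints(ptr noundef nonnull align 4 %0, ptr noalias nocapture noundef readonly byval(%0) dereferenceable(1) %1, ptr noalias nocapture noundef readonly byval(%1) dereferenceable(4) %2) unnamed_addr #0 !prof !31 {
'''

# What we compare per parameter: (base IR type, passed byval?).  Attributes
# like noundef/nonnull/align/dereferenceable describe the value, not how it
# is passed; the base type and byval decide the calling convention.
ParamShape = Tuple[str, bool]
Signature = Tuple[str, List[ParamShape]]  # (return type, parameters)

# `declare`/`define`, anything up to the symbol name, then the opening paren.
_HEAD = re.compile(r'^(?:declare|define)\s+(.*?)@("[^"]+"|[\w.$]+)\(')


def _split_params(text: str, start: int) -> List[str]:
    """Split the parameter list that begins at `start` (just after '(')
    on top-level commas, honouring nested parens such as byval(...) and
    quoted type names such as %"struct.mozilla::StyleRestyleHint"."""
    depth, in_str, cur, out = 0, False, [], []
    for ch in text[start:]:
        if ch == '"':
            in_str = not in_str
        if not in_str:
            if ch == '(':
                depth += 1
            elif ch == ')':
                if depth == 0:
                    break          # end of the parameter list
                depth -= 1
            elif ch == ',' and depth == 0:
                out.append(''.join(cur))
                cur = []
                continue
        cur.append(ch)
    if ''.join(cur).strip():
        out.append(''.join(cur))
    return [p.strip() for p in out]


def _shape(param: str) -> ParamShape:
    """Reduce 'ptr noalias ... byval(%1) dereferenceable(4) %2' to ('ptr', True).
    Assumption: the first token is the type (true for scalar and pointer
    parameters; literal struct types containing spaces are not handled)."""
    toks = param.split()
    return toks[0], any(t.startswith('byval') for t in toks[1:])


def parse_signature(line: str) -> Optional[Tuple[str, Signature]]:
    """Parse one declare/define line into (symbol, (return type, params)),
    or None for any other line."""
    s = line.strip()
    m = _HEAD.match(s)
    if not m:
        return None
    head = m.group(1).split()
    ret = head[-1] if head else '?'   # assumption: last token before @name is the return type
    name = m.group(2).strip('"')
    params = [_shape(p) for p in _split_params(s, m.end()) if p != '...']
    return name, (ret, params)


def collect(ir_text: str) -> Dict[str, Signature]:
    """Map every declared or defined symbol in an IR module to its signature."""
    sigs: Dict[str, Signature] = {}
    for line in ir_text.splitlines():
        parsed = parse_signature(line)
        if parsed:
            sigs[parsed[0]] = parsed[1]
    return sigs


def _fmt(shape: ParamShape) -> str:
    return shape[0] + (' byval' if shape[1] else '')


def find_mismatches(cxx_ir: str, rust_ir: str) -> List[str]:
    """Return one finding per symbol/parameter on which the C++ and Rust
    modules disagree; an empty list means the shared signatures match."""
    cxx, rust = collect(cxx_ir), collect(rust_ir)
    findings: List[str] = []
    for name in sorted(set(cxx) & set(rust)):
        (c_ret, c_params), (r_ret, r_params) = cxx[name], rust[name]
        if c_ret != r_ret:
            findings.append(f'{name}: returns {c_ret} (C++) vs {r_ret} (Rust)')
        if len(c_params) != len(r_params):
            findings.append(f'{name}: {len(c_params)} params (C++) vs {len(r_params)} (Rust)')
            continue
        for i, (c, r) in enumerate(zip(c_params, r_params)):
            if c != r:
                findings.append(f'{name}: param {i} is {_fmt(c)} (C++) vs {_fmt(r)} (Rust)')
    return findings


if __name__ == '__main__':
    for finding in find_mismatches(CXX_IR, RUST_IR):
        print(finding)
```

Run on the sample input it reports the one disagreement the comment describes (parameter 2 is `i32` on the C++ side and `ptr byval` on the Rust side); once the Rust side emits `i32` for that parameter, as a `#[repr(transparent)]` newtype would, the report is empty. The check only sees what is visible in the IR, so it catches type-shape disagreements of this kind, not every ABI difference; it is a cheap first pass over the symbols a cross-language LTO build shares, not a replacement for fixing the repr.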

Potentially dangerous differences in IR between C++ and Rust found so far:

  • Gecko_EnsureImageLayersLength
  • Gecko_MediaFeatures_PrefersColorScheme
  • Servo_EasingFunctionAt
  • Servo_NoteExplicitHints
  • wr_dp_define_scroll_layer
  • wr_dp_push_box_shadow
  • wr_dp_push_line
  • wr_dp_push_linear_gradient

More on 32-bit Windows:

  • Gecko_MediaFeatures_DynamicRange
  • Gecko_MediaFeatures_PrefersColorScheme
  • Servo_ComputedValues_GetForAnonymousBox
  • Servo_ComputedValues_Inherit
  • Servo_EasingFunctionAt
  • Servo_NoteExplicitHints
  • Servo_ResolvePseudoStyle
  • Servo_ResolveStyle
  • Servo_UseCounters_Create
  • apz_deregister_sampler
  • apz_post_scene_swap
  • apz_sample_transforms
  • omta_deregister_sampler
  • omta_register_sampler
  • wr_api_set_debug_flags
  • wr_compositor_add_surface
  • wr_compositor_attach_external_image
  • wr_compositor_create_backdrop_surface
  • wr_compositor_create_external_surface
  • wr_compositor_create_surface
  • wr_compositor_create_tile
  • wr_compositor_destroy_surface
  • wr_compositor_destroy_tile
  • wr_compositor_start_compositing
  • wr_dp_push_text
  • wr_notifier_external_event
  • wr_notifier_new_frame_ready
  • wr_notifier_nop_frame_done
  • wr_transaction_generate_frame
  • wr_transaction_invalidate_rendered_frame
  • wr_transaction_remove_pipeline
  • wr_transaction_set_root_pipeline
  • wr_transaction_update_epoch


That should ideally be using repr(transparent) nowadays fwiw.

For that specific one, repr(transparent) works, although the cbindgen we use doesn't produce that, but there are other cases that don't work like that.

So, after more thorough investigation, I've convinced myself that:

Let's switch this bug to a task because at this point the defect part has been evaluated to not be an immediate problem.

Severity: -- → N/A
Type: defect → task
