Closed
Bug 1794720
Opened 2 years ago
Closed 2 years ago
Hit MOZ_CRASH(Resolving style on <summary> (0x55f6c9239d30) without current styles: ElementData ...) at servo/ports/geckolib/glue.rs:5698
Categories
(Core :: CSS Parsing and Computation, defect)
Core
CSS Parsing and Computation
Tracking
()
VERIFIED
FIXED
108 Branch
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox105 | --- | unaffected |
| firefox106 | --- | wontfix |
| firefox107 | --- | wontfix |
| firefox108 | --- | verified |
People
(Reporter: tsmith, Assigned: emilio)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Attachments
(3 files)
Found while fuzzing m-c 20221009-c4bdea458a08 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Hit MOZ_CRASH(Resolving style on <summary> (0x55f6c9239d30) without current styles: ElementData { styles: ElementStyles { primary: Some(Some(0x55f6c9227f90)), pseudos: EagerPseudoStyles(None) }, damage: GeckoRestyleDamage(nsChangeHint(0)), hint: RESTYLE_SELF, flags: (empty) }) at servo/ports/geckolib/glue.rs:5698
#0 0x7f992786b985 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
#1 0x7f992786b985 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
#2 0x7f992786b908 in mozglue_static::panic_hook::h78973aca7351e0a7 /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:91:9
#3 0x7f992786b38b in core::ops::function::Fn::call::h39922ba40a8415bd /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/core/src/ops/function.rs:77:5
#4 0x7f9928801459 in std::panicking::rust_panic_with_hook::hf26e9d4f97b40096 /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/std/src/panicking.rs:702:17
#5 0x7f9928801296 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::hfab912107608087a /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/std/src/panicking.rs:588:13
#6 0x7f99287fe553 in std::sys_common::backtrace::__rust_end_short_backtrace::h434b685ce8d9965b /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/std/src/sys_common/backtrace.rs:138:18
#7 0x7f9928800fc8 in rust_begin_unwind /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/std/src/panicking.rs:584:5
#8 0x7f991dc239b2 in core::panicking::panic_fmt::ha6dc7f2ab2479463 /rustc/a55dd71d5fb0ec5a6a3a9e8c27b2127ba491ce52/library/core/src/panicking.rs:142:14
#9 0x7f992813fa9e in Servo_ResolveStyle /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:5698:5
#10 0x7f99233c7aaa in ResolveServoStyle /builds/worker/workspace/obj-build/dist/include/mozilla/ServoStyleSetInlines.h:22:10
#11 0x7f99233c7aaa in nsCSSFrameConstructor::ResolveComputedStyle(nsIContent*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4631:12
#12 0x7f99233c9935 in nsCSSFrameConstructor::AddFrameConstructionItems(nsFrameConstructorState&, nsIContent*, bool, mozilla::ComputedStyle const&, nsCSSFrameConstructor::InsertionPoint const&, nsCSSFrameConstructor::FrameConstructionItemList&, mozilla::EnumSet<nsCSSFrameConstructor::ItemFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5163:41
#13 0x7f99233b994a in nsCSSFrameConstructor::AddFrameConstructionItemsInternal(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, bool, mozilla::ComputedStyle*, mozilla::EnumSet<nsCSSFrameConstructor::ItemFlag, unsigned char>, nsCSSFrameConstructor::FrameConstructionItemList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5359:7
#14 0x7f99233c99ae in nsCSSFrameConstructor::AddFrameConstructionItems(nsFrameConstructorState&, nsIContent*, bool, mozilla::ComputedStyle const&, nsCSSFrameConstructor::InsertionPoint const&, nsCSSFrameConstructor::FrameConstructionItemList&, mozilla::EnumSet<nsCSSFrameConstructor::ItemFlag, unsigned char>) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5174:3
#15 0x7f99233bbd68 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9686:9
#16 0x7f99233bfe09 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:10554:3
#17 0x7f99233c45d9 in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:4600:3
#18 0x7f99233c58d7 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:3687:16
#19 0x7f99233ca3a3 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:5595:3
#20 0x7f99233bafc6 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:9439:5
#21 0x7f99233ce971 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7189:3
#22 0x7f992338fd00 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:1590:25
#23 0x7f9923396c24 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3160:9
#24 0x7f992336f520 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3245:3
#25 0x7f992336ec71 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4380:39
#26 0x7f9923333871 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2563:22
#27 0x7f992333c780 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:375:13
#28 0x7f992333c780 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:353:7
#29 0x7f992333c683 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:369:5
#30 0x7f992333c350 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:896:5
#31 0x7f992333b9ba in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:810:5
#32 0x7f992333b3a1 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:731:5
#33 0x7f992333afda in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:594:14
#34 0x7f992333abec in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:551:9
#35 0x7f9922804cfb in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:68:15
#36 0x7f9922a95576 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#37 0x7f991ec2f8e4 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6267:32
#38 0x7f991ebc0ea1 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1756:25
#39 0x7f991ebbd9f5 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1681:9
#40 0x7f991ebbe596 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1481:3
#41 0x7f991ebbf921 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1579:14
#42 0x7f991dfeab1e in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16
#43 0x7f991dfc3039 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26
#44 0x7f991dfc1bc3 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15
#45 0x7f991dfc1e33 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36
#46 0x7f991dfee3c6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:37
#47 0x7f991dfee3c6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#48 0x7f991dfd7c8f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1205:16
#49 0x7f991dfde29d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#50 0x7f991ebc6926 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#51 0x7f991eaebcf7 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#52 0x7f991eaebc02 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#53 0x7f991eaebc02 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#54 0x7f9922fed5e8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
#55 0x7f99251f717b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:880:20
#56 0x7f991ebc781a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#57 0x7f991eaebcf7 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#58 0x7f991eaebc02 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#59 0x7f991eaebc02 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#60 0x7f99251f6693 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:739:34
#61 0x55f6c6f91b39 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#62 0x55f6c6f91b39 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
#63 0x7f9934c01082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#64 0x55f6c6f678dc in _start (/home/user/workspace/browsers/m-c-20221004094418-fuzzing-debug/firefox-bin+0x168dc) (BuildId: 9804140749317669ab375d3127cd4fc41aa5c178)
Flags: in-testsuite?
|
Reporter | |
Comment 1•2 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/XOx0N7Qbu9Cz1JCV6UQViQ/index.html
|
||
Comment 2•2 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20221011160345-75c1403f58f7.
The bug appears to have been introduced in the following build range:
Start: 77a0b4c5d19b8006fd2daeac01032ec2e3110f1a (20220916124237)
End: e9fe2912339b2f231b72aab8c0a741b80604994e (20220916182824)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=77a0b4c5d19b8006fd2daeac01032ec2e3110f1a&tochange=e9fe2912339b2f231b72aab8c0a741b80604994e
Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
|
Assignee | |
Updated•2 years ago
|
Flags: needinfo?(emilio)
|
||
Comment 3•2 years ago
|
||
Set release status flags based on info from the regressing bug 1308080
status-firefox105:
--- → unaffected
status-firefox106:
--- → affected
status-firefox-esr102:
--- → unaffected
|
|
Assignee | |
Comment 4•2 years ago
|
||
|
|
Assignee | |
Comment 5•2 years ago
|
||
|
||
Updated•2 years ago
|
Assignee: nobody → emilio
Attachment #9298179 -
Attachment description: WIP: Bug 1794720 - WIP - fix invalidation of sibling combinators in different slots. → Bug 1794720 - fix invalidation of sibling combinators in different slots. r=#style,#layout
Status: NEW → ASSIGNED
|
|
Assignee | |
Updated•2 years ago
|
Flags: needinfo?(emilio)
|
|
||
Comment 6•2 years ago
|
||
Set release status flags based on info from the regressing bug 1308080
status-firefox108:
--- → affected
Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7b671f8bf0fc
fix invalidation of sibling combinators in different slots. r=firefox-style-system-reviewers,layout-reviewers,boris
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/36569 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
|
||
Comment 9•2 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 108 Branch
Upstream PR merged by moz-wptsync-bot
|
|
||
Comment 11•2 years ago
|
||
The patch landed in nightly and beta is affected.
:emilio, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox107towontfix.
For more information, please visit auto_nag documentation.
Flags: needinfo?(emilio)
|
|
Assignee | |
Updated•2 years ago
|
Flags: needinfo?(emilio)
|
||
Updated•2 years ago
|
|
|
||
Comment 12•2 years ago
|
||
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20221020215126-59fa65e9da08.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
|
||
Comment 13•2 years ago
|
||
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20221020215126-59fa65e9da08.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
You need to log in
before you can comment on or make changes to this bug.
Description
•