Open Bug 1800306 Opened 3 years ago Updated 1 year ago

Crash in [@ atomic_refcell::AtomicRefCell<T>::borrow]

Categories

(Core :: CSS Parsing and Computation, defect)

Unspecified
Android
defect

Tracking Status
firefox107 --- wontfix
firefox108 --- wontfix
firefox109 --- wontfix
firefox110 --- fix-optional

People

(Reporter: gsvelto, Unassigned)

Details

(Keywords: crash, regression, regressionwindow-wanted)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/c24f0d2b-a503-4947-ae47-aecf70221109

MOZ_CRASH Reason: already mutably borrowed

Top 10 frames of crashing thread:

0  libxul.so  MOZ_Crash  mfbt/Assertions.h:261
0  libxul.so  RustMozCrash  mozglue/static/rust/wrappers.cpp:18
1  libxul.so  mozglue_static::panic_hook  mozglue/static/rust/lib.rs:91
2  libxul.so  core::ops::function::Fn::call  library/core/src/ops/function.rs:77
3  libxul.so  std::panicking::rust_panic_with_hook  library/std/src/panicking.rs:702
4  libxul.so  std::panicking::begin_panic_handler::{{closure}}  library/std/src/panicking.rs:588
5  libxul.so  std::sys_common::backtrace::__rust_end_short_backtrace  library/std/src/sys_common/backtrace.rs:138
6  libxul.so  rust_begin_unwind  library/std/src/panicking.rs:584
7  libxul.so  core::panicking::panic_fmt  library/core/src/panicking.rs:142
8  libxul.so  core::panicking::panic_display  library/core/src/panicking.rs:72

I'm unsure if this is the same bug as 1800304, just related to it or something different altogether. There are several different stacks under this signature but they all seem to be within CSS-related code.

Component: CSS Transitions and Animations → CSS Parsing and Computation

Would love to have a regression window, but without STR that's difficult... Looks like this arose as a new regression in 106 (although the possibly-related bug 1800304 does have some pre-106 reports, so it might be that it's been hiding under other signatures.)

Severity: -- → S2

Adding bug 1801006 to see-also. The "shape" of the crash history graph (so far) is remarkably similar between the two bugs, and they both seem to be Android-only.

See Also: → 1801006
Flags: qe-verify-

(In reply to Daniel Holbert [:dholbert] from comment #2)

> Adding bug 1801006 to see-also. The "shape" of the crash history graph (so far) is remarkably similar between the two bugs

(Update: this is no longer true -- the graph "shapes" have diverged between these two bugs over the past week. bug 1801006 got a huge spike starting Dec 1, for some reason.)

I'm moving [@ atomic_refcell::AtomicRefCell<T>::borrow_mut] from bug 1800304 over to this bug, since it seems more closely related with the other signature here (and bug 1800304 comment 0 suggests that gsvelto didn't have strong reasons for grouping it over there).

Crash Signature: [@ atomic_refcell::AtomicRefCell<T>::borrow] → [@ atomic_refcell::AtomicRefCell<T>::borrow] [@ atomic_refcell::AtomicRefCell<T>::borrow_mut]

For both of the crash signatures here (borrow and borrow_mut), version 106 seems to represent the vast majority of crash volume here (95% and 98%, respectively). There are some crashes in versions 107 and 108, but much less -- borrow has 52 crashes in 107+108, borrow_mut has 80 crashes in 107+108. (And neither has any crash volume in 109 yet.)

So, there does seem to have been a spike with version 106 (~3900 crashes for the two signatures combined for that version), but it doesn't seem to have persisted, even though we're nearly done with the next release cycle (version 108 gets released next week).

So S2 was appropriate during the spike, but given the reduction in volume, I think we can safely consider this S3 now.

Severity: S2 → S3
No longer blocks: 1903930
Depends on: 1903930
Depends on: 1904139