Closed Bug 1807995 Opened 3 years ago Closed 2 years ago

Crash in [@ <style_traits::owned_slice::OwnedSlice<T> as core::ops::drop::Drop>::drop]

Categories

(Core :: CSS Parsing and Computation, defect)

Firefox 108
x86_64
Linux

RESOLVED INCOMPLETE

People

(Reporter: office, Unassigned)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/1325665d-95f5-4faa-8ea5-a6fa20221230

Reason: SIGSEGV / SEGV_ACCERR

Top 10 frames of crashing thread:

0  libxul.so  core::ptr::write  library/core/src/ptr/mod.rs:1310
0  libxul.so  core::mem::replace  library/core/src/mem/mod.rs:919
0  libxul.so  <style_traits::owned_slice::OwnedSlice<T> as core::ops::drop::Drop>::drop  servo/components/style_traits/owned_slice.rs:52
0  libxul.so  core::ptr::drop_in_place<style_traits::owned_slice::OwnedSlice<u8>>  library/core/src/ptr/mod.rs:487
0  libxul.so  core::ptr::drop_in_place<style_traits::owned_str::OwnedStr>  library/core/src/ptr/mod.rs:487
0  libxul.so  core::ptr::drop_in_place<style::values::specified::list::QuotePair>  library/core/src/ptr/mod.rs:487
0  libxul.so  core::ptr::drop_in_place<[style::values::specified::list::QuotePair]>  library/core/src/ptr/mod.rs:487
0  libxul.so  core::ptr::drop_in_place<servo_arc::HeaderSlice<servo_arc::HeaderWithLength<u64>, [style::values::specified::list::QuotePair]>>  library/core/src/ptr/mod.rs:487
0  libxul.so  core::ptr::drop_in_place<servo_arc::ArcInner<servo_arc::HeaderSlice<servo_arc::HeaderWithLength<u64>, [style::values::specified::list::QuotePair]>>>  library/core/src/ptr/mod.rs:487
0  libxul.so  core::ptr::drop_in_place<alloc::boxed::Box<servo_arc::ArcInner<servo_arc::HeaderSlice<servo_arc::HeaderWithLength<u64>, [style::values::specified::list::QuotePair]>>>>  library/core/src/ptr/mod.rs:487

The Bugbug bot thinks this bug should belong to the 'Core::CSS Parsing and Computation' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → CSS Parsing and Computation
Product: Firefox → Core

The bug has a crash signature, thus the bug will be considered confirmed.

Status: UNCONFIRMED → NEW
Ever confirmed: true

Hmm, that stack is not really possible. Everything up to selectors::matching::matches_complex_selector makes sense, but selector-matching can't end up in us dropping random computed values. There's one dropped frame (0x41f0000041efffff) and everything after that doesn't make sense...

Can you reproduce this crash? If so, how? It'd be great to know what might be going on...

Thanks a lot.

Flags: needinfo?(office)

Triaging to S3 as the crash signature occurred 2 times within the last 6 months.
The other one has a pretty different stack trace, though.

Severity: -- → S3

(In reply to Emilio Cobos Álvarez (:emilio) from comment #3)

> Can you reproduce this crash? If so, how? It'd be great to know what might be going on...

Reporter appears to be gone

Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(office)
Resolution: --- → INCOMPLETE