Closed Bug 1876539 Opened 2 years ago Closed 2 years ago

Crash in [@ mozilla::ServoStyleSet::ClearNonInheritingComputedStyles]

Categories

(Core :: DOM: CSS Object Model, defect)

Product:
Core
Component:
DOM: CSS Object Model
Platform:
All
Android
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
124 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox122 --- fixed
firefox123 --- fixed
firefox124 --- fixed

People

(Reporter: dmeehan, Assigned: smaug)

References

Details

(Keywords: crash)

Crash Data

Attachments

(3 files)

Bug 1876539, drop styleset only if presshell has been disconnected, r=emilio
48 bytes, text/x-phabricator-request
Details | Review
Bug 1876539, drop styleset only if presshell has been disconnected, r=emilio
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-beta+
Details | Review
Bug 1876539, drop styleset only if presshell has been disconnected, r=emilio
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-release+
Details | Review

Crash report: https://crash-stats.mozilla.org/report/index/606566e1-0539-410a-9a7f-2b97a0240114

Reason: SIGSEGV / SEGV_MAPERR

Top 10 frames of crashing thread:

0  libxul.so  RefPtr<mozilla::ComputedStyle>::assign_assuming_AddRef  mfbt/RefPtr.h:70
0  libxul.so  RefPtr<mozilla::ComputedStyle>::operator=  mfbt/RefPtr.h:188
0  libxul.so  mozilla::ServoStyleSet::ClearNonInheritingComputedStyles  layout/style/ServoStyleSet.cpp:1188
0  libxul.so  mozilla::ServoStyleSet::ShellDetachedFromDocument  layout/style/ServoStyleSet.cpp:139
1  libxul.so  mozilla::dom::Document::DeletePresShell  dom/base/Document.cpp:7138
2  libxul.so  mozilla::PresShell::Destroy  layout/base/PresShell.cpp:1310
3  libxul.so  nsDocumentViewer::DestroyPresShell  layout/base/nsDocumentViewer.cpp:3519
4  libxul.so  nsDocumentViewer::Destroy  layout/base/nsDocumentViewer.cpp:1741
5  libxul.so  nsDocumentViewer::~nsDocumentViewer  layout/base/nsDocumentViewer.cpp:566
6  libxul.so  nsDocumentViewer::Release  layout/base/nsDocumentViewer.cpp:533

The first reports for this are in Fx122.0b7

Pinging triage owner, not sure what introduced this, nor why we didn't see it start in Nightly around the same time.
The following were the patches that were uplift to mozilla-central before Fx122.0b7:
https://hg.mozilla.org/releases/mozilla-beta/pushloghtml?fromchange=DEVEDITION_122_0b6_RELEASE&tochange=DEVEDITION_122_0b7_RELEASE

Flags: needinfo?(amejiamarmol)

I reached out the the DOM team to see if someone in the team is familiar with crash.

Flags: needinfo?(amejiamarmol)
Component: General → DOM: CSS Object Model
Product: Fenix → Core

Maybe Olli's lazy styleset creation? Looks like the styleset is null maybe prematurely?

Flags: needinfo?(smaug)

Hmm, something about printing

Assignee: nobody → smaug
Flags: needinfo?(smaug)

Ok, on Nightly we have https://crash-stats.mozilla.org/report/index/e93b5f66-57d4-4f91-b544-1c1c60240125
but late beta doesn't have DIAGNOSTIC_ASSERT

Attachment #9376553 - Flags: approval-mozilla-beta?

Uplift Approval Request

  • Risk associated with taking this patch: Very low. Just not clearing some data early, and we used to have that behavior
  • String changes made/needed: NA
  • Needs manual QE test: no
  • Explanation of risk level: ^
  • User impact if declined: crashes
  • Is Android affected?: yes
  • Fix verified in Nightly: no
  • Code covered by automated testing: no
  • Steps to reproduce for manual QE testing: We don't have steps to reproduce
Attachment #9376554 - Flags: approval-mozilla-release?

Uplift Approval Request

  • Risk associated with taking this patch: Very slow, we just don't clear certain data (always) early, similarly what we did before
  • String changes made/needed: NA
  • Needs manual QE test: no
  • Explanation of risk level: ^
  • User impact if declined: Crashes
  • Steps to reproduce for manual QE testing: We don't have STR
  • Is Android affected?: yes
  • Fix verified in Nightly: no
  • Code covered by automated testing: no
Pushed by opettay@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c7d31544e88e drop styleset only if presshell has been disconnected, r=emilio

https://hg.mozilla.org/mozilla-central/rev/c7d31544e88e

Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox124: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 124 Branch

Since nightly and release are affected, beta will likely be affected too.
For more information, please visit BugBot documentation.

status-firefox123: --- → affected
Attachment #9376553 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #9376554 - Flags: approval-mozilla-release? → approval-mozilla-release+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: