Closed Bug 1927714 Opened 1 year ago Closed 1 year ago

Crash after first render [@ core::option::expect_failed | geckoservo::glue::Servo_ResolveStyle ]

Categories

(Core :: CSS Parsing and Computation, defect)

Product:
Core
Component:
CSS Parsing and Computation
Version:
Firefox 131
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
134 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 --- fixed
firefox132 --- wontfix
firefox133 --- fixed
firefox134 --- fixed

People

(Reporter: faustino40, Assigned: emilio)

References

(Regression)

Details

(Keywords: regression)

Crash Data

Attachments

(8 files)

testcase.zip
62.54 KB, application/x-zip-compressed
Details
source-map.zip
262.39 KB, application/x-zip-compressed
Details
I cannot reproduce the crash.mp4
665.37 KB, video/mp4
Details
Repro_Crash_Nightly.mp4
633.69 KB, video/mp4
Details
testcase at root- cannot repro.png
78.91 KB, image/png
Details
Reduced test-case.
444 bytes, text/html
Details
Bug 1927714 - Missing style invalidation in ShadowRoot::AddSlot(). r=smaug
48 bytes, text/x-phabricator-request
dmeehan
: approval-mozilla-beta+
dmeehan
: approval-mozilla-esr128+
Details | Review
Test-case without declarative shadow dom.
452 bytes, text/html
Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0

Steps to reproduce:

I can reproduce the bug on internal Vue+Vite project. I can't make a specific PoC.
The bug happens without the Deepl extension (https://addons.mozilla.org/fr/firefox/addon/deepl-translate/) but it's hard to reproduce without it.
My profile is clean with only Deepl extension to reproduce easily the bug.

The crash doesn't happens in a Chromium browser.

  1. Refresh the page
  2. Select text to make Deepl tool appear.
  3. The Tab crash.

If I resize the window or make another interaction (ex. click on a button that change a css class), the crash doesn't happens.

Crash report: https://crash-stats.mozilla.org/report/index/28baef41-91b0-43ed-b335-ebbbe0241029 (Firefox 131) / https://crash-stats.mozilla.org/report/index/e0cb6461-283e-44c2-b52b-662020241029 (Firefox Nightly) / https://crash-stats.mozilla.org/report/index/1cfff220-da81-4a94-90e3-a9c270241029 (Firefox 131 without Vue Router change).

Firefox Nightly Build-ID : 20241028212656

Actual results:

Selecting the text should not make the tab crash. (In my opinion, the text selection is not the issue, it's more a DOM related issue, with the apparition of Deepl tool)

Expected results:

The tab should not be disrupt by the text selection.

The Bugbug bot thinks this bug should belong to the 'WebExtensions::Untriaged' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Product: Firefox → WebExtensions
Product: WebExtensions → Firefox

The WebExtension is a support to reproduce the bug, not in my opinion the origin of the bug (the bug happened without the extention, but i can't reproduce it without)

Trying to move to CSS Parsing and Computation, since most of the bugs associated to the crash are about stylo. Please move if there's a better component.

Component: Untriaged → CSS Parsing and Computation
Product: Firefox → Core
Crash Signature: [@ core::option::expect_failed | geckoservo::glue::Servo_ResolveStyle ]

Thanks for filing the bug!

  1. Can you use mozregression (https://mozilla.github.io/mozregression/) gui to bisect and find the exact Firefox change that causes the crash for you?
  2. Alternately, please consider sharing the app privately to a mozilla dev.

Without a testcase and/or a bisection, it would be very difficult to diagnose this crash.

Flags: needinfo?(faustino40)
Attached file testcase.zip
Flags: needinfo?(faustino40)

I work on a testcase without any internal data.
The testcase contain two javascript file that I wasn't able to minify. Consequently, you need to distribute it inside a simple HTTP server to prevent any protocol error.

I served the testcase via a server, installed DeepL (but did not signup/login) and selected a word to bring up the floating button. But I couldnt repro the crash.

Do you have any specific setting or set any specific preferences from about:config? Can you reproduce the crash on a fresh Nightly profile (run Firefox -- p from the command line prompt).

Flags: needinfo?(faustino40)
Attached file source-map.zip

The sources map associated with the testcase

Thanks for your try to repro. I can reproduce it with this exact testcase and Deepl (link to Crash Report).
Step I use:

  1. Creation of a new profile in about:profiles
  2. Install Deepl extension, and pass the whool setup but don't login. Give the autorisation to read/write website.
  3. Serve the files with python -m http.server (but it was the same with Nginx)
  4. Double click on "Demo" after the loading of the index. But if I select normally a word, it seem to crash too.
  5. The tab crash

I check my about:config. Nothing special in the fresh profile.

I was able te reproduce it with this exact testcase and Deepl extension on ESR 115.13.0, on a HyperV Debian 12 VM.
Information that I obtain by making the testcase:

  • Their is something strange with the tree "Aucun élément", the DOM element appear only after selection. This behaviour doesn't happen in Chromium
  • If I remove the document.querySelector("#demo").getBoundingClientRect();. The tree "Aucun élément" appear on load and no crash happen.
Flags: needinfo?(faustino40)
Attached video Repro_Crash_Nightly.mp4

(In reply to Faustin from comment #10)

Thanks for your try to repro. I can reproduce it with this exact testcase and Deepl (link to Crash Report).
Step I use:

  1. Creation of a new profile in about:profiles
  2. Install Deepl extension, and pass the whool setup but don't login. Give the autorisation to read/write website.
  3. Serve the files with python -m http.server (but it was the same with Nginx)
  4. Double click on "Demo" after the loading of the index. But if I select normally a word, it seem to crash too.
  5. The tab crash

In a new Nightly profile, I serve the attached testcase via a simple http server. I do not see ** "Demo" or any other thing. It is just an empty page for me. Maybe thats why i dont get the crash.
Even on Chrome, I do not see "demo", the tab is just empty.
I dont know why the testcase does not show "demo" and other things for me.
Do I need anything else (any js or library or something) apart from the testcase?

Flags: needinfo?(faustino40)

(In reply to Mayank Bansal from comment #12)

(In reply to Faustin from comment #10)

Thanks for your try to repro. I can reproduce it with this exact testcase and Deepl (link to Crash Report).
Step I use:

  1. Creation of a new profile in about:profiles
  2. Install Deepl extension, and pass the whool setup but don't login. Give the autorisation to read/write website.
  3. Serve the files with python -m http.server (but it was the same with Nginx)
  4. Double click on "Demo" after the loading of the index. But if I select normally a word, it seem to crash too.
  5. The tab crash

In a new Nightly profile, I serve the attached testcase via a simple http server. I do not see ** "Demo" or any other thing. It is just an empty page for me. Maybe thats why i dont get the crash.
Even on Chrome, I do not see "demo", the tab is just empty.
I dont know why the testcase does not show "demo" and other things for me.
Do I need anything else (any js or library or something) apart from the testcase?

I just check from a fresh downloaded zip, and I serve the attached testcase from testcase directory, so index.html is at the root. I doesn't work when you access index.html from /testcase/index.html

Flags: needinfo?(faustino40)

This is with the testcase at root. Unfortunately, "demo" still does not appear for me. Unless you have some other thought, this is the most I can do here.
I will needinfo the relavent mozilla devs, and maybe they will have better luck

Emilio, you may have some opinion on this crash report with an active reporter and a testcase.

Flags: needinfo?(emilio)

I can repro if I start with a french locale / configure language settings to french, then double-click "Historique", which selects the text and triggers the extension.

The bug has a crash signature, thus the bug will be considered confirmed.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Attached file Reduced test-case.

I could catch in on rr and I understand the issue now.

The issue is that setting the slot name doesn't invalidate style if it ends up mutating the flat tree, which is wrong. If you set crash = false, the second child doesn't show up even though it should.

Flags: needinfo?(emilio)

Bisection:
Bug 1712140 - Part 6: Unblock Declarative ShadowDOM tests. r=dom-core,hsivonen
Differential Revision: https://phabricator.services.mozilla.com/D193677

Keywords: regression
Regressed by: 1712140
Flags: needinfo?(avandolder)

Usually RemoveSlot takes care of this, but if it's not the first slot it
doesn't.

Assignee: nobody → emilio
Status: NEW → ASSIGNED

(In reply to Mayank Bansal from comment #19)

Bisection:
Bug 1712140 - Part 6: Unblock Declarative ShadowDOM tests. r=dom-core,hsivonen
Differential Revision: https://phabricator.services.mozilla.com/D193677

Not really a regression from that bug, I can build a test-case without declarative shadow dom too :)

No longer regressed by: 1712140
Flags: needinfo?(avandolder)

Almost surely bug 1460069 :)

Regressed by: 1460069

Set release status flags based on info from the regressing bug 1460069

status-firefox132: --- → affected
status-firefox133: --- → affected
status-firefox134: --- → affected
status-firefox-esr128: --- → affected
Pushed by ealvarez@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/15c40e7e68df Missing style invalidation in ShadowRoot::AddSlot(). r=smaug
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/48901 for changes under testing/web-platform/tests

https://hg.mozilla.org/mozilla-central/rev/15c40e7e68df

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox134: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 134 Branch

The patch landed in nightly and beta is affected.
:emilio, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox133 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(emilio)

Comment on attachment 9434206 [details]
Bug 1927714 - Missing style invalidation in ShadowRoot::AddSlot(). r=smaug

Beta/Release Uplift Approval Request

  • User impact if declined/Reason for urgency: Very old bug but affecting some sites in the wild as per comment 0
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce:
  • List of other uplifts needed: none
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): One-liner
  • String changes made/needed: none
  • Is Android affected?: Yes
Flags: needinfo?(emilio)
Attachment #9434206 - Flags: approval-mozilla-beta?

Sincere thanks Emilio for the quick bugfix!
I can confirm that the fix works on my internal app with the last Nightly build.
Hope that I have done everything right to help you, the Mozilla contribution process is not easy for a first time.

Comment on attachment 9434206 [details]
Bug 1927714 - Missing style invalidation in ShadowRoot::AddSlot(). r=smaug

Approved for 133.0b3

Attachment #9434206 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Upstream PR merged by moz-wptsync-bot

Yes, you did great, thanks!

Attachment #9434206 - Flags: approval-mozilla-esr128?

Comment on attachment 9434206 [details]
Bug 1927714 - Missing style invalidation in ShadowRoot::AddSlot(). r=smaug

Approved for 128.5esr.

Attachment #9434206 - Flags: approval-mozilla-esr128? → approval-mozilla-esr128+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: