Last Comment Bug 735943 - Crash @ nsCSSFrameConstructor::ProcessPendingRestyles
: Crash @ nsCSSFrameConstructor::ProcessPendingRestyles
Status: VERIFIED FIXED
[sg:critical][qa!]
: crash, testcase
Product: Core
Classification: Components
Component: Layout (show other bugs)
: Trunk
: All All
: -- critical (vote)
: mozilla14
Assigned To: Mats Palmgren (:mats)
:
Mentors:
Depends on:
Blocks: randomstyles 594645
  Show dependency treegraph
 
Reported: 2012-03-14 17:25 PDT by Jesse Ruderman
Modified: 2012-05-18 13:26 PDT (History)
12 users (show)
mats: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
+
verified
+
verified
verified
12+
verified
unaffected


Attachments
testcase (crashes Firefox when loaded) (1.15 KB, text/html)
2012-03-14 17:25 PDT, Jesse Ruderman
no flags Details
stack trace with popups allowed (9.40 KB, text/plain)
2012-03-14 17:26 PDT, Jesse Ruderman
no flags Details
stack trace with popups blocked (3.28 KB, text/plain)
2012-03-14 17:27 PDT, Jesse Ruderman
no flags Details
stack (6.56 KB, text/html)
2012-03-14 18:37 PDT, Mats Palmgren (:mats)
no flags Details
fix+test (4.19 KB, patch)
2012-03-14 19:30 PDT, Mats Palmgren (:mats)
bzbarsky: review+
akeybl: approval‑mozilla‑aurora+
akeybl: approval‑mozilla‑beta+
Details | Diff | Splinter Review
for esr10 (3.33 KB, patch)
2012-04-02 16:28 PDT, Mats Palmgren (:mats)
lukasblakk+bugs: approval‑mozilla‑esr10+
Details | Diff | Splinter Review

Description Jesse Ruderman 2012-03-14 17:25:40 PDT
Created attachment 606033 [details]
testcase (crashes Firefox when loaded)

About 50% of the time, this testcase causes a crash in nsCSSFrameConstructor::ProcessPendingRestyles.
Comment 1 Jesse Ruderman 2012-03-14 17:26:34 PDT
Created attachment 606034 [details]
stack trace with popups allowed
Comment 2 Jesse Ruderman 2012-03-14 17:27:01 PDT
Created attachment 606035 [details]
stack trace with popups blocked
Comment 3 Mats Palmgren (:mats) 2012-03-14 18:37:23 PDT
Created attachment 606052 [details]
stack
Comment 4 Mats Palmgren (:mats) 2012-03-14 19:30:05 PDT
Created attachment 606076 [details] [diff] [review]
fix+test

FYI, the document has a strong pointer to the nsSMILAnimationController
object, which keeps a raw pointer to it (mDocument).

Try results pending:
https://tbpl.mozilla.org/?usebuildbot=1&tree=Try&rev=0281d2f4f580

Filed bug 735966 on the assertion when running the crash test.
Comment 5 Mats Palmgren (:mats) 2012-03-14 21:51:17 PDT
Again, with just this change this time (there's a jsreftest crash in the one above):
https://tbpl.mozilla.org/?usebuildbot=1&tree=Try&rev=8316f137ca46
Comment 6 Jesse Ruderman 2012-03-14 23:59:07 PDT
My testcase (reduced from what the fuzzer created) is an insane tangle of setTimeouts. It might be possible to create a more robust regression test ;)
Comment 7 Scoobidiver (away) 2012-03-15 01:20:52 PDT
I hit bp-d0df45dc-63db-44d8-a6d8-f76722120315 (popups blocked) and bp-3d521fe3-cc02-44fc-8058-d85972120315 (popups allowed).
Comment 8 Mats Palmgren (:mats) 2012-03-15 06:23:51 PDT
Hmm, there's a couple of "ASSERTION: This is unsafe! Fix the caller!: 'Error', content/events/src/nsEventDispatcher.cpp, line 558" on the new crash test.
https://tbpl.mozilla.org/php/getParsedLog.php?id=10090225&tree=Try&full=1#error0
Comment 9 Boris Zbarsky [:bz] (TPAC) 2012-03-15 10:07:21 PDT
Comment on attachment 606076 [details] [diff] [review]
fix+test

Document (probably in the header and at the presshell check for mIsDestroying) that FlushResampleRequests can trigger style flushes, and r=me
Comment 11 Mats Palmgren (:mats) 2012-03-20 13:00:23 PDT
This crash fix seems worth taking on branches after baking it for a while...
Comment 12 Mounir Lamouri (:mounir) 2012-03-21 03:48:47 PDT
https://hg.mozilla.org/mozilla-central/rev/75f461e05221
Comment 13 Alex Keybl [:akeybl] 2012-03-21 14:33:54 PDT
(In reply to Mats Palmgren [:mats] from comment #11)
> This crash fix seems worth taking on branches after baking it for a while...

Do we know what the regressing bug is or whether this is a pain point for users? If not, this can ride the trains.
Comment 14 Mats Palmgren (:mats) 2012-03-21 15:29:54 PDT
I would guess the addition of the FlushResampleRequests() call in
http://hg.mozilla.org/mozilla-central/rev/d6dbb4231c11
is what caused the regression (bug 547333).

The reason I recommend merging this fix to branches is that without it we
run script from inside a destroyed pres shell, which I think is unsafe.
The fix is very low-risk.
Comment 15 Mats Palmgren (:mats) 2012-03-28 23:28:00 PDT
Comment on attachment 606076 [details] [diff] [review]
fix+test

See comment 14.
Comment 17 Alex Keybl [:akeybl] 2012-04-02 12:44:31 PDT
Comment on attachment 606076 [details] [diff] [review]
fix+test

[Triage Comment]
Low risk fix, and both Mats and the security team agree that this is something we should fix all the way up to FF12. Please land asap, as we'll go to build with Beta 4 tomorrow (4/3) at 5PM PT.

Please make sure to prepare a patch for the ESR branch as well.
Comment 18 Mats Palmgren (:mats) 2012-04-02 16:28:40 PDT
Created attachment 611648 [details] [diff] [review]
for esr10

The fix applies also to esr10, but without the test since the pref()
reftest feature doesn't exist there, afaict.
Comment 19 Al Billings [:abillings] 2012-04-02 16:39:12 PDT
Verified fixed in nightly Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:14.0) Gecko/20120402 Firefox/14.0a1. The testcase pretty reliably crashes my Aurora build.
Comment 21 Lukas Blakk [:lsblakk] use ?needinfo 2012-04-03 12:21:15 PDT
Comment on attachment 611648 [details] [diff] [review]
for esr10

Thanks, please go ahead and land as per https://wiki.mozilla.org/Release_Management/ESR_Landing_Process

Note You need to log in before you can comment on or make changes to this bug.