This bug was filed from the Socorro interface and is report bp-d8aba41d-f7b2-4b22-a631-c4c370170625. ============================================================= 0 libxul.so nsAbsoluteContainingBlock::RemoveFrame(nsIFrame*, mozilla::layout::FrameChildListID, nsIFrame*) 1 libxul.so nsFrameManager::RemoveFrame layout/base/nsFrameManager.cpp:426 2 libxul.so nsPlaceholderFrame::DestroyFrom(nsIFrame*) 3 libxul.so nsBlockFrame::DoRemoveFrame(nsIFrame*, unsigned int) 4 libxul.so nsBlockFrame::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) 5 libxul.so nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags, bool*, nsIContent**) 6 libxul.so nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, bool, nsCSSFrameConstructor::RemoveFlags, nsIContent**) 7 libxul.so mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) 8 libxul.so mozilla::ServoRestyleManager::DoProcessPendingRestyles layout/base/ServoRestyleManager.cpp:629 9 libxul.so libxul.so@0x1e08e93 10 libxul.so nsRefreshDriver::Tick(long, mozilla::TimeStamp) 11 libxul.so mozilla::RefreshDriverTimer::TickRefreshDrivers layout/base/nsRefreshDriver.cpp:327 12 libxul.so mozilla::RefreshDriverTimer::Tick layout/base/nsRefreshDriver.cpp:319 13 libxul.so mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver layout/base/nsRefreshDriver.cpp:750 14 libxul.so mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync layout/base/nsRefreshDriver.cpp:564 15 libxul.so mozilla::layout::VsyncChild::RecvNotify layout/ipc/VsyncChild.cpp:67 16 libxul.so mozilla::layout::PVsyncChild::OnMessageReceived obj-firefox/ipc/ipdl/PVsyncChild.cpp:155 17 libxul.so mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) 18 libxul.so mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) 19 libxul.so libxul.so@0xc71261 20 libxul.so mozilla::ipc::MessageChannel::MessageTask::Run() 21 libxul.so nsThread::ProcessNextEvent(bool, bool*) 22 libxul.so NS_ProcessNextEvent(nsIThread*, bool) 23 libxul.so mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) 24 libxul.so MessageLoop::Run() 25 libxul.so nsBaseAppShell::Run widget/nsBaseAppShell.cpp:156 26 libxul.so XRE_RunAppShell toolkit/xre/nsEmbedFunctions.cpp:896 27 libxul.so MessageLoop::Run() 28 libxul.so XRE_InitChildProcess toolkit/xre/nsEmbedFunctions.cpp:712 29 firefox content_process_main ipc/contentproc/plugin-container.cpp:64 30 firefox _init Ø 31 libc-2.25.so libc-2.25.so@0x204d9 32 firefox firefox@0x1196f 33 firefox firefox@0x1afdf 34 firefox firefox@0x1196f 35 firefox mozilla::ReadAheadLib(char const*) Ø 36 ld-2.25.so ld-2.25.so@0x1132f 37 firefox firefox@0x1afdf 38 firefox _start Fwiw, at the same time, two crash reports were generated. This is the second one: bp-fd072b5b-7f8f-4c95-b5cc-9e6920170625 ============================================================= 0 libxul.so nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::SwapArrayElements<nsTArrayInfallibleAllocator, nsTArrayInfallibleAllocator> xpcom/ds/nsTArray-inl.h:338 1 libxul.so nsCOMArray_base::Clear() 2 libxul.so nsMutationReceiver::RemoveClones dom/base/nsDOMMutationObserver.h:378 3 libxul.so nsMutationReceiver::Disconnect dom/base/nsDOMMutationObserver.cpp:114 4 libxul.so nsMutationReceiver::~nsMutationReceiver dom/base/nsDOMMutationObserver.h:346 5 libxul.so nsMutationReceiver::~nsMutationReceiver dom/base/nsDOMMutationObserver.h:346 6 libxul.so nsMutationReceiver::Release dom/base/nsDOMMutationObserver.cpp:87 7 libxul.so nsCOMArray_base::~nsCOMArray_base() 8 libxul.so nsTHashtable<nsBaseHashtableET<nsISupportsHashKey, nsAutoPtr<nsCOMArray<nsMutationReceiver> > > >::s_ClearEntry xpcom/ds/nsCOMArray.h:246 9 libxul.so PLDHashTable::Clear() 10 libxul.so nsDOMMutationObserver::HandleMutation xpcom/ds/nsTHashtable.h:272 11 libxul.so nsDOMMutationObserver::HandleMutationsInternal dom/base/nsDOMMutationObserver.cpp:906 12 libxul.so mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) 13 libxul.so XPCJSContext::AfterProcessTask js/xpconnect/src/XPCJSContext.cpp:1007 14 libxul.so nsThread::ProcessNextEvent(bool, bool*) 15 libxul.so NS_ProcessNextEvent(nsIThread*, bool) 16 libxul.so mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) 17 libxul.so MessageLoop::Run() 18 libxul.so nsBaseAppShell::Run widget/nsBaseAppShell.cpp:156 19 libxul.so XRE_RunAppShell toolkit/xre/nsEmbedFunctions.cpp:896 20 libxul.so MessageLoop::Run() 21 libxul.so XRE_InitChildProcess toolkit/xre/nsEmbedFunctions.cpp:712 22 firefox content_process_main ipc/contentproc/plugin-container.cpp:64 23 firefox _init Ø 24 libc-2.25.so libc-2.25.so@0x204d9 25 firefox firefox@0x1196f 26 firefox firefox@0x1afdf Ø 27 locale-archive locale-archive@0x3cc0fff 28 firefox firefox@0x1196f 29 firefox mozilla::ReadAheadLib(char const*) Ø 30 ld-2.25.so ld-2.25.so@0x1132f 31 firefox firefox@0x1afdf 32 firefox _start

STR: 1. Visit flipboard tp read news feed.(signed in) 2. Doing random feeds reading back and forth. 3. Crashed tab observed. The reproduced rate is low but generally it can happen in 3~5 mins.

Crash reports for reference: d706dd03-615e-41d4-9db7-64a750170628 df0d6644-3eee-4568-921f-33c9d0170628 be84f5dc-2a63-4ce8-ba07-39ab70170628 62f626d6-cdc9-4343-ad3e-a6f6f0170628

Sounds like something is going bad with frame constructor. It would be great if there could be some simplified testcase.

astley, could you try reproducing this issue with a debug build and see if there is any assertion around?

(In reply to Xidorn Quan [:xidorn] UTC+10 from comment #4) > astley, could you try reproducing this issue with a debug build and see if > there is any assertion around? Yes, working on it.

I could easily reproduce this crash on Stylo macOS build as well. Here comes the crash stack trace. [Child 54191] WARNING: stylo: HasStateDependentStyle always returns zero!: file /Users/Astley/Mozilla/projects/mozilla-central/layout/style/ServoStyleSet.cpp, line 957 thread '<unnamed>' panicked at 'Resolving style on element without current styles with lazy computation forbidden.', /Users/Astley/Mozilla/projects/mozilla-central/servo/ports/geckolib/glue.rs:2603 stack backtrace: 0: std::sys::imp::backtrace::tracing::imp::unwind_backtrace 1: std::panicking::default_hook::{{closure}} 2: std::panicking::default_hook 3: std::panicking::rust_panic_with_hook 4: std::panicking::begin_panic 5: Servo_ResolveStyle 6: _ZN7mozilla13ServoStyleSet17ResolveServoStyleEPNS_3dom7ElementE 7: _ZN7mozilla19ServoRestyleManager20ProcessPostTraversalEPNS_3dom7ElementEP14nsStyleContextRNS_17ServoRestyleStateE 8: _ZN7mozilla19ServoRestyleManager20ProcessPostTraversalEPNS_3dom7ElementEP14nsStyleContextRNS_17ServoRestyleStateE 9: _ZN7mozilla19ServoRestyleManager20ProcessPostTraversalEPNS_3dom7ElementEP14nsStyleContextRNS_17ServoRestyleStateE 10: _ZN7mozilla19ServoRestyleManager20ProcessPostTraversalEPNS_3dom7ElementEP14nsStyleContextRNS_17ServoRestyleStateE 11: _ZN7mozilla19ServoRestyleManager20ProcessPostTraversalEPNS_3dom7ElementEP14nsStyleContextRNS_17ServoRestyleStateE 12: _ZN7mozilla19ServoRestyleManager20ProcessPostTraversalEPNS_3dom7ElementEP14nsStyleContextRNS_17ServoRestyleStateE 13: _ZN7mozilla19ServoRestyleManager20ProcessPostTraversalEPNS_3dom7ElementEP14nsStyleContextRNS_17ServoRestyleStateE 14: _ZN7mozilla19ServoRestyleManager20ProcessPostTraversalEPNS_3dom7ElementEP14nsStyleContextRNS_17ServoRestyleStateE 15: _ZN7mozilla19ServoRestyleManager20ProcessPostTraversalEPNS_3dom7ElementEP14nsStyleContextRNS_17ServoRestyleStateE 16: _ZN7mozilla19ServoRestyleManager20ProcessPostTraversalEPNS_3dom7ElementEP14nsStyleContextRNS_17ServoRestyleStateE 17: _ZN7mozilla19ServoRestyleManager20ProcessPostTraversalEPNS_3dom7ElementEP14nsStyleContextRNS_17ServoRestyleStateE 18: _ZN7mozilla19ServoRestyleManager20ProcessPostTraversalEPNS_3dom7ElementEP14nsStyleContextRNS_17ServoRestyleStateE 19: _ZN7mozilla19ServoRestyleManager20ProcessPostTraversalEPNS_3dom7ElementEP14nsStyleContextRNS_17ServoRestyleStateE 20: _ZN7mozilla19ServoRestyleManager20ProcessPostTraversalEPNS_3dom7ElementEP14nsStyleContextRNS_17ServoRestyleStateE 21: _ZN7mozilla19ServoRestyleManager24DoProcessPendingRestylesENS_24TraversalRestyleBehaviorE 22: _ZN7mozilla9PresShell11HandleEventEP8nsIFramePNS_14WidgetGUIEventEbP13nsEventStatusPP10nsIContent 23: _ZN7mozilla9PresShell11HandleEventEP8nsIFramePNS_14WidgetGUIEventEbP13nsEventStatusPP10nsIContent 24: _ZN13nsViewManager13DispatchEventEPN7mozilla14WidgetGUIEventEP6nsViewP13nsEventStatus 25: _ZN6nsView11HandleEventEPN7mozilla14WidgetGUIEventEb 26: _ZN7mozilla6widget12PuppetWidget13DispatchEventEPNS_14WidgetGUIEventER13nsEventStatus 27: _ZN7mozilla6layers18APZCCallbackHelper19DispatchWidgetEventERNS_14WidgetGUIEventE 28: _ZN7mozilla3dom8TabChild24RecvRealMouseButtonEventERKNS_16WidgetMouseEventERKNS_6layers19ScrollableLayerGuidERKy 29: _ZThn96_N7mozilla3dom8TabChild22RecvRealMouseMoveEventERKNS_16WidgetMouseEventERKNS_6layers19ScrollableLayerGuidERKy 30: _ZN7mozilla3dom13PBrowserChild17OnMessageReceivedERKN3IPC7MessageE 31: _ZN7mozilla3dom13PContentChild17OnMessageReceivedERKN3IPC7MessageE 32: _ZN7mozilla3ipc14MessageChannel20DispatchAsyncMessageERKN3IPC7MessageE 33: _ZN7mozilla3ipc14MessageChannel15DispatchMessageEON3IPC7MessageE 34: _ZN7mozilla3ipc14MessageChannel10RunMessageERNS1_11MessageTaskE 35: _ZN7mozilla3ipc14MessageChannel11MessageTask3RunEv 36: _ZN7mozilla14SchedulerGroup8Runnable3RunEv 37: _ZN8nsThread16ProcessNextEventEbPb 38: _Z23NS_ProcessPendingEventsP9nsIThreadj 39: _ZN14nsBaseAppShell19NativeEventCallbackEv 40: _ZN10nsAppShell18ProcessGeckoEventsEPv 41: __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ 42: __CFRunLoopDoSources0 43: __CFRunLoopRun 44: CFRunLoopRunSpecific 45: RunCurrentEventLoopInMode 46: ReceiveNextEventCommon 47: _BlockUntilNextEventMatchingListInModeWithFilter 48: _DPSNextEvent 49: -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] 50: -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] 51: -[NSApplication run] 52: _ZN10nsAppShell3RunEv 53: _Z15XRE_RunAppShellv 54: _ZN7mozilla3ipc26MessagePumpForChildProcess3RunEPN4base11MessagePump8DelegateE 55: _ZN11MessageLoop3RunEv 56: _Z20XRE_InitChildProcessiPPcPK12XREChildData 57: main Redirecting call to abort() to mozalloc_abort Hit MOZ_CRASH() at /Users/Astley/Mozilla/projects/mozilla-central/memory/mozalloc/mozalloc_abort.cpp:33

It seems the stack trace in comment 6 is different from the one I encountered on Linux64 build. I'm testing on a debug build on macOS, not sure if it's the case. If not related, I'll fine another bug for follow-up.

That is an assertion added in bug 1345695. It is possible that you are hitting a different bug, or violation of that assertion is the root cause of the crash of this frame constructor issue. astley, what did you see with you Linux64 build? Is that a debug build? heycam, it seems you added the assertion mentioned in comment 6, what would you expect to happen if that assertion is violated? Is this bug (the crash with stack in comment 0) looks like something which can be related to that?

The panic place in comment 6 is exactly same as bug 1371450 also the stack includes APZ thing, so I am suspecting this was caused by the same root cause, at least for Astley case.

(In reply to Xidorn Quan [:xidorn] UTC+10 from comment #8) > That is an assertion added in bug 1345695. It is possible that you are > hitting a different bug, or violation of that assertion is the root cause of > the crash of this frame constructor issue. > > astley, what did you see with you Linux64 build? Is that a debug build? I'm encountering the same crash on my local Stylo Linux64 debug build. Presumably, you are guessing right... I'm trying to have a non-debug build and see what happens.

Given comment 6 and comment 9, make bug 1371450 block this. We can see if this still happens after that gets fixed.

Tab crash on facebook. No STR yet. bp-fd6ad759-09d7-4f69-90f2-e077a0170703 03.07.17 18:55 [@ nsAbsoluteContainingBlock::RemoveFrame ] bp-19920cbc-277c-40d2-8d8e-e6f5f0170703 03.07.17 18:55 [@ nsAbsoluteContainingBlock::RemoveFrame ]

Closing bug 1371450 seems to fix this crash.

Oops.