This bug was filed from the Socorro interface and is report bp-29b52a7d-494d-4f78-bb97-e0af10170711. ============================================================= Crashing Thread (0) Frame Module Signature Source 0 xul.dll mozilla::css::GroupRule::cycleCollection::Unlink(void*) layout/style/GroupRule.cpp:271 1 xul.dll mozilla::ServoMediaRule::cycleCollection::Unlink(void*) layout/style/ServoMediaRule.cpp:36 2 xul.dll nsCycleCollector::CollectWhite() xpcom/base/nsCycleCollector.cpp:3343 3 xul.dll nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) xpcom/base/nsCycleCollector.cpp:3695 4 xul.dll nsCycleCollector_collectSlice(js::SliceBudget&, bool) xpcom/base/nsCycleCollector.cpp:4224 5 xul.dll nsJSContext::RunCycleCollectorSlice(mozilla::TimeStamp) dom/base/nsJSEnvironment.cpp:1733 6 xul.dll ICCRunnerFired dom/base/nsJSEnvironment.cpp:1792 7 xul.dll CollectorRunner::Run() dom/base/nsJSEnvironment.cpp:264 8 xul.dll CollectorRunner::TimedOut(nsITimer*, void*) dom/base/nsJSEnvironment.cpp:281 9 xul.dll nsTimerImpl::Fire(int) xpcom/threads/nsTimerImpl.cpp:510 10 xul.dll nsTimerEvent::Run() xpcom/threads/TimerThread.cpp:286 11 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1437 12 xul.dll NS_ProcessNextEvent(nsIThread*, bool) xpcom/threads/nsThreadUtils.cpp:489 13 xul.dll mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:125 14 xul.dll mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:302 15 xul.dll MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc:313 16 xul.dll MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:293 17 xul.dll nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:156 18 xul.dll nsAppShell::Run() widget/windows/nsAppShell.cpp:271 19 xul.dll XRE_RunAppShell() toolkit/xre/nsEmbedFunctions.cpp:895 20 xul.dll mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:270 21 xul.dll MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc:313 22 xul.dll MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:293 23 xul.dll XRE_InitChildProcess(int, char** const, XREChildData const*) toolkit/xre/nsEmbedFunctions.cpp:711 24 firefox.exe content_process_main(mozilla::Bootstrap*, int, char** const) ipc/contentproc/plugin-container.cpp:64 25 firefox.exe NS_internal_main(int, char**, char**) browser/app/nsBrowserApp.cpp:286 26 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp:115 27 firefox.exe __scrt_common_main_seh f:/dd/vctools/crt/vcstartup/src/startup/exe_common.inl:253 28 kernel32.dll BaseThreadInitThunk 29 ntdll.dll RtlUserThreadStart crashes with this signature are showing up since 56.0a1 build 20170706060058 when stylo was enabled on windows. so far all the reports are coming from windows 10 users with an nvidia gpu (not sure if this is a coincidence).

I guess the issue here is that ServoGroupRuleRules::mRuleList is nullptr when we call ServoGroupRuleRules::Clear(). I guess adding a null-check in Clear() would fix this crash. However, it seems to me that mRuleList can be nullptr only when Clear() is called, and Clear() is only called from Unlink(). That means Unlink can be invoked multiple times for an object? smaug, can Unlink be invoked multiple times on one object?

Yes if unlinking is incomplete elsewhere.

Ok, NI to xidorn to land the null-check. rs=me.

Pushed by xquan@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/3c3af3fff558 Null-check mRuleList in ServoGroupRuleRules::Clear. rs=bholley