I crashed on this. https://crash-stats.mozilla.com/report/index/a041abc8-7b37-46ea-a749-52f0d0170719 Fix is straightforward, will work it up.

Actually, the simple failure mode that I thought we were hitting can't happen, so this is more complex. I have an (large) rr trace of it though, so it should be just a matter of time to work through it.

(This seems to only happen with ABP, but the cause might be a deeper issue, we'll see).

This was removed recently in the ComputedValues patch, and makes traversal logging rather unusable. MozReview-Commit-ID: 5Jisfj9QxBM

The issue here is that the DestroyFramesFor call does a ClearServoDataFromSubtree, and then we subsequently fail to load the bindings, leaving ourselves with an unstyled subtree that isn't marked with descendant bits and isn't rooted at a display:none element, which is forbidden. This can trigger crashes when we call the innerText getter on one of the unstyled elements, since that will first flush layout (which won't find the unstyled subtree), and then invoke IsOrHasAncestorWithDisplayNone, which passes LazyComputeBehavior::Assert. MozReview-Commit-ID: 7roBkH9fTGZ

MozReview-Commit-ID: IUqzytg3SqL

Comment on attachment 8888152 [details] [diff] [review] Part 2 - Wait to destroy frames until after we've successfully fetched the binding. v1 Review of attachment 8888152 [details] [diff] [review]: ----------------------------------------------------------------- Looks reasonable.

Pushed by bholley@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/5a43e98b2000 Wait to destroy frames until after we've successfully fetched the binding. r=heycam https://hg.mozilla.org/integration/autoland/rev/747035414236 Crashtest. r=heycam

https://hg.mozilla.org/mozilla-central/rev/5a43e98b2000 https://hg.mozilla.org/mozilla-central/rev/747035414236