Bug 1394560 (Closed)
stylo: crash in geckoservo::glue::Servo_ResolveStyle caused by nsCSSFrameConstructor::ResolveStyleContext on ebay.com
Opened 7 years ago; closed 7 years ago.
Categories: Core :: CSS Parsing and Computation, defect, P2
Status: RESOLVED FIXED
Release | Tracking | Status
---|---|---
firefox-esr52 | --- | unaffected
firefox55 | --- | unaffected
firefox56 | --- | wontfix
firefox57 | --- | fixed
People: Reporter: hiro, Assignee: hiro
References: Blocks 1 open bug
Description
67 crashes on 14 installs in 3 days.
Unlike other crashes we'd been seeing, this crash is triggered by a reframe?
According to bug 1391444 comment 39, it happens on ebay.
https://www.ebay.com/myb/PurchaseHistory
https://www.ebay.com/myb/BidsOffers
https://www.ebay.com/myb/WatchList
Updated 7 years ago
Priority: -- → P2
Assignee: nobody → hikezoe
Comment 2 • 7 years ago (Assignee)
I can't reproduce the crash, but I have gotten various crashes on a debug build while opening https://www.ebay.com/myb/WatchList . (I created a new account and put 8 items on the watch list.)
#0 0x00007fffa8d2c898 in ?? ()
#1 0x00007fffd44e6d78 in ?? ()
#2 0x00007fffd44e6d78 in ?? ()
#3 0x00007fffa8d2c800 in ?? ()
#4 0x00007fffa8d2c900 in ?? ()
#5 0x0000000000000013 in ?? ()
#6 0x00007fffafe994e0 in ?? ()
#7 0x00007fffa8d2c800 in ?? ()
#8 0x00007fffa8d2c900 in ?? ()
#9 0x0000000000000013 in ?? ()
#10 0x00007fffafe994e0 in ?? ()
#11 0x00007fffa8d2c800 in ?? ()
#12 0x00007fffa8d2c900 in ?? ()
#13 0x0000000000000013 in ?? ()
#14 0x00007fffafe994e0 in ?? ()
#15 0x00007fffa8d2c800 in ?? ()
#16 0x00007fffa8d2c900 in ?? ()
#17 0x0000000000000013 in ?? ()
#18 0x00007fffa8d2c900 in ?? ()
#19 0x0000000000000012 in ?? ()
#20 0x00007fffafe994e0 in ?? ()
#21 0x00007fffa8d2c800 in ?? ()
#22 0x00007fffa8d2c900 in ?? ()
#23 0x0000000000000013 in ?? ()
#24 0x00007fffafe994e0 in ?? ()
#25 0x00007fffd44e6ef0 in ?? ()
#26 0x00007fffd44e6d08 in ?? ()
#27 0x00007fffd44e6f90 in ?? ()
#28 0x00007fffe8a2bfd9 in std::collections::hash::map::search_hashed<style::gecko_string_cache::Atom,smallvec::SmallVec<[style::stylist::Rule; 1]>,&std::collections::hash::table::RawTable<style::gecko_string_cache::Atom, smallvec::SmallVec<[style::stylist::Rule; 1]>>,closure> (table=0x700, hash=SafeHash = {...}, is_match=closure = {...})
at /checkout/src/libstd/collections/hash/map.rs:418
#0 0x00007fffe7e2fcf4 in style::properties::animated_properties::{{impl}}::animate (self=0x7fffb83a7678, other=0x7fffb83a7788, procedure=Interpolate = {...})
at /home/ikezoe/stylo/obj-firefox/toolkit/library/x86_64-unknown-linux-gnu/debug/build/style-594b3b76409ba63f/out/properties.rs:86675
#1 0x00007fffe7357d85 in geckoservo::glue::Servo_AnimationCompose (raw_value_map=0x7fffd4489630, base_values=0x7fffb830ecc8, css_property=eCSSProperty_opacity,-
segment=0x7fffae934be8, last_segment=0x7fffae934be8, computed_timing=0x7fffd4489310, iteration_composite=Replace) at /home/ikezoe/stylo/servo/ports/geckolib/glue.rs:547
#2 0x00007fffe107be39 in mozilla::dom::KeyframeEffectReadOnly::ComposeStyleRule (this=0x7fffb830ec00, aAnimationValues=..., aProperty=..., aSegment=..., aComputedTiming=...)
at /home/ikezoe/stylo/dom/animation/KeyframeEffectReadOnly.cpp:672
#3 0x00007fffe108ca4a in mozilla::dom::KeyframeEffectReadOnly::ComposeStyle<RawServoAnimationValueMap&> (this=0x7fffb830ec00, aComposeResult=..., aPropertiesToSkip=...)
at /home/ikezoe/stylo/dom/animation/KeyframeEffectReadOnly.cpp:731
#4 0x00007fffe108a3ad in mozilla::dom::Animation::ComposeStyle<RawServoAnimationValueMap&> (this=0x7fffaa9dd9e0, aComposeResult=..., aPropertiesToSkip=...)
at /home/ikezoe/stylo/dom/animation/Animation.cpp:1018
#0 0x00007fffe8435f7a in core::sync::atomic::atomic_load<u8> (dst=0x8 <error: Cannot access memory at address 0x8>, order=Relaxed) at /checkout/src/libcore/sync/atomic.rs:1441
#1 0x00007fffe8435620 in core::sync::atomic::{{impl}}::load (self=0x8, order=Relaxed) at /checkout/src/libcore/sync/atomic.rs:313
#2 0x00007fffe842f645 in std::sys_common::poison::{{impl}}::get (self=0x8) at /checkout/src/libstd/sys_common/poison.rs:53
#3 0x00007fffe842fd6c in std::sync::condvar::{{impl}}::wait<()> (self=0x7fffc62d9c68, guard=...) at /checkout/src/libstd/sync/condvar.rs:213
#4 0x00007fffd44cffe0 in ?? ()
#5 0x0000000000000000 in ?? ()
#0 0x00007fffe8971386 in core::ptr::read<style::dom::SendNode<style::gecko::wrapper::GeckoNode>> (src=0x3e52d12600000000) at /checkout/src/libcore/ptr.rs:164
#1 smallvec::{{impl}}::drop<[style::dom::SendNode<style::gecko::wrapper::GeckoNode>; 128]> (self=0x7fffd44ce298) at /home/ikezoe/central/third_party/rust/smallvec/lib.rs:880
#2 0x00007fffe8a43ae5 in core::ptr::drop_in_place<smallvec::SmallVec<[style::dom::SendNode<style::gecko::wrapper::GeckoNode>; 128]>> () at /checkout/src/libcore/ptr.rs:60
#3 0x00007fffe8a97b1e in style::parallel::top_down_dom<style::gecko::wrapper::GeckoElement,style::gecko::traversal::RecalcStyleOnly> (nodes=..., root=..., traversal_data=...,-
scope=0x3e52d12600000000, pool=0x7fffa9d999dc, traversal=0x7fffa9d99aec, tls=0x0) at /home/ikezoe/central/servo/components/style/parallel.rs:214
#4 style::parallel::traverse_nodes::{{closure}}<style::gecko::wrapper::GeckoElement,style::gecko::traversal::RecalcStyleOnly,smallvec::Drain<style::dom::SendNode<style::gecko::wrapper::GeckoNode>>> (scope=0x7fffd448b220) at /home/ikezoe/central/servo/components/style/parallel.rs:272
#5 0x00007fffe89dea0e in rayon_core::scope::{{impl}}::execute_job_closure::{{closure}}<closure,()> () at /home/ikezoe/central/third_party/rust/rayon-core/src/scope/mod.rs:354
#6 0x00007fffe8b3076b in std::panic::{{impl}}::call_once<(),closure> (self=..., _args=0) at /checkout/src/libstd/panic.rs:296
#7 0x00007fffe8a20fba in std::panicking::try::do_call<std::panic::AssertUnwindSafe<closure>,()> (data=0x7fffd44cf218 "") at /checkout/src/libstd/panicking.rs:454
#8 0x00007fffd44cf130 in ?? ()
#9 0x0000000000000000 in ?? ()
None of the stacks makes sense to me.
Also, I sometimes get the panic '<div id=domain-nav> (0x7fffb32a13a0) has still dirty bit true or animation-only dirty bit false' (on today's mozilla-central ab2d700fda2b). So I applied Emilio's latest patch set in bug 1394935. Then I got an assertion:
Assertion failure: aNode1 != aNode2, in GetCommonAncestorInternal(). With Emilio's patch set, I can no longer get other crashes.
I also checked when this bug's crash started to be reported. It's the 20170824100243 build. That build is the first one that included bug 1383332. So I think this bug is also caused by bug 1383332.
Flags: needinfo?(hikezoe)
Comment 3 • 7 years ago
Let's mark it as dependent then. This makes sense, thanks for investigating it!
Depends on: 1394935
Comment 5 • 7 years ago
I see crash reports as recently as build id 20170831220208 like bp-afab0b6f-0911-44f1-a836-861d40170901.
Comment 6 • 7 years ago (Assignee)
Actually, 20170831220208 does not include bug 1394935, but I found a crash report for build id 20170901100309, which includes bug 1394935: bp-685ef73e-f178-4fc8-adc7-c934d0170901. So this crash is not yet fixed, unfortunately.
One thing I should note is that the watch list on ebay now causes an assertion (bug 1396153) frequently even if I disable stylo. So I started suspecting this crash is caused by an issue unrelated to stylo. Anyway, as I wrote in comment 2, something weird definitely happens on the watch list.
Flags: needinfo?(hikezoe)
Comment 7 • 7 years ago (Assignee)
Bug 1396153 is not related to this crash at all. Disabling "network.http.tailing.enabled" makes the ebay site work fine. I haven't seen any crashes so far on the ebay site.
Comment 8 • 7 years ago
In case this is not easy to fix, feel free to permanently disable the feature (I have a patch to turn network.http.tailing.enabled to false). I won't have time to look at this sooner than in two weeks.
Blocks: tailing
Comment 9 • 7 years ago (Assignee)
No worries. After bug 1395884, I can't see any crashes on ebay.com with the feature enabled. Thank you!
Comment 10 • 7 years ago (Assignee)
After 20170901100309, we still have one crash report (bp-685ef73e-f178-4fc8-adc7-c934d0170901). I think the crashes on ebay.com have been fixed by bug 1394935; the new crash must have a different cause. I will close this bug if new crash reports do not increase much after this weekend.
Comment 11 • 7 years ago (Assignee)
No more new crash reports so far.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Summary: stylo: crash in geckoservo::glue::Servo_ResolveStyle caused by nsCSSFrameConstructor::ResolveStyleContext → stylo: crash in geckoservo::glue::Servo_ResolveStyle caused by nsCSSFrameConstructor::ResolveStyleContext on ebay.com
Comment 12 • 7 years ago
Hiro, I still see crash reports for geckoservo::glue::Servo_ResolveStyle in build 20170903220032, such as bp-4ddcd33e-9698-43a2-9622-6fe020170904 and bp-885c44ec-48ac-4814-bd86-721330170904. Are those different bugs?
Flags: needinfo?(hikezoe)
Comment 13 • 7 years ago (Assignee)
The latter is related to bug 1395719, since the stack includes CharacterDataChanged. The former has AccessibleCaretManager::UpdateCarets; I had never seen that symbol, so it seems to be a different issue.
Flags: needinfo?(hikezoe)
Comment 14 • 7 years ago
(In reply to Hiroyuki Ikezoe (:hiro) from comment #13)
> The latter is related to bug 1395719, since the stack includes
> CharacterDataChanged. The former has AccessibleCaretManager::UpdateCarets,
> I had never seen the symbol, seems different issue.
The first one looks a lot like this one, given it's a normal layout flush... URLs or STR would be appreciated though.
Comment 15 • 7 years ago (Assignee)
I checked all crash reports which have Servo_ResolveStyle since build id 20170901100309.
There are 57 reports:
42 have CharacterDataChanged.
8 have nsBlockFrame::GetOutsideBulletList.
5 have ScrollFrameHelper::AsyncScrollPortEvent::Run.
I see no particular symbols in the remaining two (bp-ff448625-d358-4d0b-a084-7b78e0170905 and bp-4ddcd33e-9698-43a2-9622-6fe020170904).
I think the 42 reports are related to bug 1395719, but I am not 100% sure that bug fixes the crash. But given that fixing the dirty bit thing (bug 1394935) stopped the crash on ebay.com (I believe it stopped), I think it will fix the crash.
Anyway, Bobby has now found the URL that causes the 'CharacterDataChanged' crash.
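The triage in comment 15 (bucketing every Servo_ResolveStyle report by which known frame symbol appears in its stack, so each bucket can be attributed to a separate bug) is easy to do mechanically once the stacks are in hand. The script below is an added example and not code from the bug or from Mozilla: it parses gdb-style frame lines like the ones pasted in comment 2, assigns each report to the first matching symbol bucket, and counts the rest as unclassified. The bucket labels, the report ids (bp-example-*) and the sample stacks are constructed here for illustration, not taken from crash-stats.

```python
"""Bucket crash reports by which known frame symbol appears in their stack."""
import re
from collections import Counter

# Symbols used in comment 15 to attribute reports to known bugs.
# Order matters: the first bucket whose symbol appears in a stack wins.
# The labels are constructed for this example.
BUCKETS = [
    ("CharacterDataChanged", "bug 1395719 (CharacterDataChanged)"),
    ("nsBlockFrame::GetOutsideBulletList", "GetOutsideBulletList"),
    ("ScrollFrameHelper::AsyncScrollPortEvent::Run", "AsyncScrollPortEvent"),
]
UNCLASSIFIED = "unclassified"

# gdb frame line: "#N 0xADDR in symbol (args) at file:line" or "#N symbol (args) at ..."
_FRAME_RE = re.compile(r"\s*#\d+\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(.+?)\s*\(")


def frames(stack_text):
    """Return the symbol part of every gdb-style frame line in a stack dump."""
    names = []
    for line in stack_text.splitlines():
        m = _FRAME_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def classify(stack_text, buckets=BUCKETS):
    """Return the label of the first bucket whose symbol occurs in any frame."""
    names = frames(stack_text)
    for needle, label in buckets:
        if any(needle in name for name in names):
            return label
    return UNCLASSIFIED


def triage(reports, buckets=BUCKETS):
    """Map report id -> bucket label and return (assignments, per-bucket counts)."""
    assignments = {rid: classify(text, buckets) for rid, text in reports.items()}
    return assignments, Counter(assignments.values())


# Constructed sample stacks (ids and addresses are placeholders, not real crash-stats data).
SAMPLE_REPORTS = {
    "bp-example-0001": """#0 0x00007f00 in geckoservo::glue::Servo_ResolveStyle (element=0x1) at glue.rs:1
#1 0x00007f01 in nsCSSFrameConstructor::ResolveStyleContext (this=0x2) at nsCSSFrameConstructor.cpp:2
#2 0x00007f02 in PresShell::CharacterDataChanged (this=0x3, aContent=0x4) at PresShell.cpp:3""",
    "bp-example-0002": """#0 0x00007f00 in geckoservo::glue::Servo_ResolveStyle (element=0x1) at glue.rs:1
#1 0x00007f03 in nsBlockFrame::GetOutsideBulletList (this=0x5) at nsBlockFrame.cpp:4""",
    "bp-example-0003": """#0 0x00007f00 in geckoservo::glue::Servo_ResolveStyle (element=0x1) at glue.rs:1
#1 0x00007f04 in ScrollFrameHelper::AsyncScrollPortEvent::Run (this=0x6) at nsGfxScrollFrame.cpp:5""",
    # Both a CharacterDataChanged and a bullet-list frame: the earlier bucket wins.
    "bp-example-0004": """#0 0x00007f00 in geckoservo::glue::Servo_ResolveStyle (element=0x1) at glue.rs:1
#1 0x00007f03 in nsBlockFrame::GetOutsideBulletList (this=0x5) at nsBlockFrame.cpp:4
#2 0x00007f02 in PresShell::CharacterDataChanged (this=0x3, aContent=0x4) at PresShell.cpp:3""",
    # Frames carry none of the known symbols (plus an unsymbolicated frame).
    "bp-example-0005": """#0 0x00007f00 in geckoservo::glue::Servo_ResolveStyle (element=0x1) at glue.rs:1
#1 0x00007f05 in AccessibleCaretManager::UpdateCarets (this=0x7) at AccessibleCaretManager.cpp:6
#2 0x0000000000000000 in ?? ()""",
}


if __name__ == "__main__":
    assignments, counts = triage(SAMPLE_REPORTS)
    for rid, label in assignments.items():
        print(f"{rid}: {label}")
    print("totals:", dict(counts))
```

Matching is substring-based on the symbol text, so a bucket symbol like CharacterDataChanged also catches the class-qualified form of that method; tighten the needles (for example to the full `Class::Method`) if that is too permissive for a given signature.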
Comment 16 • 7 years ago
Too late for 56. Mass won't fix for 56.