Closed
Bug 1415021
Opened 7 years ago
Closed 7 years ago
Assertion failure: NS_IsMainThread(), at /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:4449
Categories
(Core :: DOM: Core & HTML, defect, P3)
Tracking
()
RESOLVED
FIXED
mozilla58
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox56 | --- | disabled |
firefox57 | --- | wontfix |
firefox58 | --- | fixed |
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase)
Attachments
(1 file)
(deleted),
text/html
|
Details |
Testcase found while fuzzing mozilla-central rev dc45ee24c55d.
==1794==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f15aa1fb2fd bp 0x7f1547693330 sp 0x7f1547693310 T38)
==1794==The signal is caused by a WRITE memory access.
==1794==Hint: address points to the zero page.
#0 0x7f15aa1fb2fc in nsDocument::GetRootElementInternal() const /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:4449:3
#1 0x7f15ad585765 in Gecko_IsRootElement /builds/worker/workspace/build/src/layout/style/ServoBindings.cpp:331:32
#2 0x7f15b1e14a5c in _$LT$style..style_resolver..StyleResolverForElement$LT$$u27$a$C$$u20$$u27$ctx$C$$u20$$u27$le$C$$u20$E$GT$$GT$::cascade_style::hfcd3d8b1eea3246c /builds/worker/workspace/build/src/servo/components/style/style_resolver.rs:575
#3 0x7f15b1e161ec in _$LT$style..style_resolver..StyleResolverForElement$LT$$u27$a$C$$u20$$u27$ctx$C$$u20$$u27$le$C$$u20$E$GT$$GT$::cascade_style_and_visited::hbcc3d5428d73dbf2 /builds/worker/workspace/build/src/servo/components/style/style_resolver.rs:307
#4 0x7f15b1e1608e in _$LT$style..style_resolver..StyleResolverForElement$LT$$u27$a$C$$u20$$u27$ctx$C$$u20$$u27$le$C$$u20$E$GT$$GT$::cascade_primary_style::hdb0450e0a06b3713 /builds/worker/workspace/build/src/servo/components/style/style_resolver.rs:212
#5 0x7f15b1e15d2a in style::style_resolver::{{impl}}::resolve_primary_style<style::gecko::wrapper::GeckoElement> /builds/worker/workspace/build/src/servo/components/style/style_resolver.rs:171
#6 0x7f15b1e15d2a in _$LT$style..style_resolver..StyleResolverForElement$LT$$u27$a$C$$u20$$u27$ctx$C$$u20$$u27$le$C$$u20$E$GT$$GT$::resolve_style::hca47dc6843881f80 /builds/worker/workspace/build/src/servo/components/style/style_resolver.rs:229
#7 0x7f15b1e16340 in style::style_resolver::{{impl}}::resolve_style_with_default_parents::{{closure}}<style::gecko::wrapper::GeckoElement> /builds/worker/workspace/build/src/servo/components/style/style_resolver.rs:267
#8 0x7f15b1e16340 in style::style_resolver::with_default_parent_styles<style::gecko::wrapper::GeckoElement,closure,style::style_resolver::ResolvedElementStyles> /builds/worker/workspace/build/src/servo/components/style/style_resolver.rs:104
#9 0x7f15b1e16340 in _$LT$style..style_resolver..StyleResolverForElement$LT$$u27$a$C$$u20$$u27$ctx$C$$u20$$u27$le$C$$u20$E$GT$$GT$::resolve_style_with_default_parents::h8d287bd989859987 /builds/worker/workspace/build/src/servo/components/style/style_resolver.rs:266
#10 0x7f15b2514163 in style::traversal::compute_style::hb1c18cb61e3b45ed /builds/worker/workspace/build/src/servo/components/style/traversal.rs:695
#11 0x7f15b1e2a295 in style::traversal::recalc_style_at<style::gecko::wrapper::GeckoElement,style::gecko::traversal::RecalcStyleOnly,closure> /builds/worker/workspace/build/src/servo/components/style/traversal.rs:496
#12 0x7f15b1e2a295 in _$LT$style..gecko..traversal..RecalcStyleOnly$LT$$u27$recalc$GT$$u20$as$u20$style..traversal..DomTraversal$LT$style..gecko..wrapper..GeckoElement$LT$$u27$le$GT$$GT$$GT$::process_preorder::h9f13b1bc9d919d00 /builds/worker/workspace/build/src/servo/components/style/gecko/traversal.rs:37
#13 0x7f15b1da1d03 in style::parallel::top_down_dom<style::gecko::wrapper::GeckoElement,style::gecko::traversal::RecalcStyleOnly> /builds/worker/workspace/build/src/servo/components/style/parallel.rs:191
#14 0x7f15b1da1d03 in style::parallel::traverse_nodes::hcc7428c5d7663977 /builds/worker/workspace/build/src/servo/components/style/parallel.rs:270
#15 0x7f15b1d7827c in style::parallel::top_down_dom<style::gecko::wrapper::GeckoElement,style::gecko::traversal::RecalcStyleOnly> /builds/worker/workspace/build/src/servo/components/style/parallel.rs:207
#16 0x7f15b1d7827c in style::parallel::traverse_nodes::{{closure}}<style::gecko::wrapper::GeckoElement,style::gecko::traversal::RecalcStyleOnly,alloc::vec_deque::Drain<style::dom::SendNode<style::gecko::wrapper::GeckoNode>>> /builds/worker/workspace/build/src/servo/components/style/parallel.rs:285
#17 0x7f15b1d7827c in rayon_core::scope::{{impl}}::execute_job_closure::{{closure}}<closure,()> /builds/worker/workspace/build/src/third_party/rust/rayon-core/src/scope/mod.rs:354
#18 0x7f15b1d7827c in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h14fa14fc07d1669a /checkout/src/libstd/panic.rs:296
#19 0x7f15b1e31f5d in std::panicking::try::do_call::ha86e8aa17081757d /checkout/src/libstd/panicking.rs:480
#20 0x7f15b24a721b in __rust_maybe_catch_panic /checkout/src/libpanic_abort/lib.rs:38
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:4449:3 in nsDocument::GetRootElementInternal() const
Thread T38 (StyleThread#1) created by T0 here:
#0 0x4a5836 in __interceptor_pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:245:3
#1 0x7f15b24a10c5 in std::sys::imp::thread::Thread::new::h2c6998a77a036aca /checkout/src/libstd/sys/unix/thread.rs:72
#2 0x7f15b24421d3 in std::thread::Builder::spawn::hd6fb93dd89f2c79b /checkout/src/libstd/thread/mod.rs:404
#3 0x7f15b243fc44 in rayon_core::registry::Registry::new::h882acea1c31456c8 /builds/worker/workspace/build/src/third_party/rust/rayon-core/src/registry.rs:145
#4 0x7f15b2443de7 in rayon_core::thread_pool::ThreadPool::new::hdd08dfbae25f5c69 /builds/worker/workspace/build/src/third_party/rust/rayon-core/src/thread_pool/mod.rs:56
#5 0x7f15b21e11d1 in style::gecko::global_style_data::{{impl}}::deref::__static_ref_initialize /builds/worker/workspace/build/src/servo/components/style/gecko/global_style_data.rs:100
#6 0x7f15b21e11d1 in core::ops::function::FnOnce::call_once<fn() -> style::gecko::global_style_data::StyleThreadPool,()> /checkout/src/libcore/ops/function.rs:223
#7 0x7f15b21e11d1 in lazy_static::lazy::{{impl}}::get::{{closure}}<style::gecko::global_style_data::StyleThreadPool,fn() -> style::gecko::global_style_data::StyleThreadPool> /builds/worker/workspace/build/src/third_party/rust/lazy_static-0.2.8/src/lazy.rs:23
#8 0x7f15b21e11d1 in std::sync::once::Once::call_once::_$u7b$$u7b$closure$u7d$$u7d$::h92616637572425d4 /checkout/src/libstd/sync/once.rs:227
#9 0x7f15b248e54c in std::sync::once::Once::call_inner::h0387785e5237c55d /checkout/src/libstd/sync/once.rs:307
#10 0x7f15b21e08ff in std::sync::once::Once::call_once::h084a0318aef8ef32 /checkout/src/libstd/sync/once.rs:227
#11 0x7f15b23d17f2 in lazy_static::lazy::{{impl}}::get<style::gecko::global_style_data::StyleThreadPool,fn() -> style::gecko::global_style_data::StyleThreadPool> /builds/worker/workspace/build/src/third_party/rust/lazy_static-0.2.8/src/lazy.rs:22
#12 0x7f15b23d17f2 in style::gecko::global_style_data::{{impl}}::deref::__stability /builds/worker/workspace/build/src/obj-firefox/toolkit/library/gtest/rust/<__lazy_static_internal macros>:20
#13 0x7f15b23d17f2 in _$LT$style..gecko..global_style_data..STYLE_THREAD_POOL$u20$as$u20$core..ops..deref..Deref$GT$::deref::h1a21ac69bdce8579 /builds/worker/workspace/build/src/obj-firefox/toolkit/library/gtest/rust/<__lazy_static_internal macros>:21
#14 0x7f15b1ddb929 in geckoservo::glue::traverse_subtree::h185e3a4b911f53a6 /builds/worker/workspace/build/src/servo/ports/geckolib/glue.rs:263
#15 0x7f15b1ddbd3f in Servo_TraverseSubtree /builds/worker/workspace/build/src/servo/ports/geckolib/glue.rs:309
#16 0x7f15ad5c313a in mozilla::ServoStyleSet::StyleNewSubtree(mozilla::dom::Element*) /builds/worker/workspace/build/src/layout/style/ServoStyleSet.cpp:1059:5
#17 0x7f15ad899154 in nsCSSFrameConstructor::GetAnonymousContent(nsIContent*, nsIFrame*, nsTArray<nsIAnonymousContentCreator::ContentInfo>&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4415:19
#18 0x7f15ad8982c0 in nsCSSFrameConstructor::BeginBuildingScrollFrame(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, nsAtom*, bool, nsContainerFrame*&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4725:28
#19 0x7f15ad89601a in nsCSSFrameConstructor::SetUpDocElementContainingBlock(nsIContent*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:3038:25
#20 0x7f15ad893e32 in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*, nsILayoutHistoryState*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:2537:3
#21 0x7f15ad8a9c1c in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsIContent*, nsILayoutHistoryState*, nsCSSFrameConstructor::InsertionKind, TreeMatchContext*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:8107:9
#22 0x7f15ad8a8b43 in nsCSSFrameConstructor::ContentInserted(nsIContent*, nsIContent*, nsILayoutHistoryState*, nsCSSFrameConstructor::InsertionKind) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7980:3
#23 0x7f15ad813cbd in mozilla::PresShell::Initialize(int, int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1783:26
#24 0x7f15aa1a55ef in nsContentSink::StartLayout(bool) /builds/worker/workspace/build/src/dom/base/nsContentSink.cpp:1288:26
#25 0x7f15a9493e21 in nsHtml5TreeOpExecutor::StartLayout(bool*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:665:18
#26 0x7f15a9491d99 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOperation.cpp:1210:17
#27 0x7f15a948fb27 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:492:29
#28 0x7f15a9499324 in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:130:20
#29 0x7f15a7b08cff in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
#30 0x7f15a7b29910 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
#31 0x7f15a86c6025 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#32 0x7f15a8618177 in MessageLoop::RunInternal() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#33 0x7f15a8618009 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299:3
#34 0x7f15ad2aae1a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
#35 0x7f15b04cefe1 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:288:30
#36 0x7f15b0643b68 in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4675:22
#37 0x7f15b064578a in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4837:8
#38 0x7f15b06466b9 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4932:21
#39 0x4ed558 in do_main(int, char**, char**) /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22
#40 0x4ece7b in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304:16
Flags: in-testsuite?
Comment 1•7 years ago
|
||
The assertion was added for stylo in bug 1333183.
Emilio, could you please take a look?
Flags: needinfo?(emilio)
Updated•7 years ago
|
Blocks: 1333183
Has Regression Range: --- → yes
status-firefox56:
--- → disabled
status-firefox57:
--- → wontfix
status-firefox58:
--- → fix-optional
status-firefox-esr52:
--- → unaffected
Priority: -- → P3
Version: 52 Branch → 54 Branch
Comment 2•7 years ago
|
||
I haven't been able to repro, Jason, any particular pref or tip? Can you repro on current trunk? Thanks!
Flags: needinfo?(emilio) → needinfo?(jkratzer)
Reporter | ||
Comment 3•7 years ago
|
||
I spoke with Emilio offline and provided him with the prefs that I used to originally reproduce the issue. Please raise an NI again if you still can't reproduce it.
Flags: needinfo?(jkratzer)
Reporter | ||
Comment 6•7 years ago
|
||
(In reply to Emilio Cobos Álvarez [:emilio] from comment #5)
> Still couldn't repro :(
Neither can I now. This may have been fixed since initially reported?
Flags: needinfo?(jkratzer)
Comment 7•7 years ago
|
||
Yeah, that sounds likely... Oh well.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME
Comment 8•7 years ago
|
||
Actually, let's land the crashtest.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Pushed by ecoal95@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/aca928db9dd6
Add crashtest. r=me
Comment 10•7 years ago
|
||
Pushed by ecoal95@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/25bc5a2fff2f
Enable webcomponents in the crashtest since it calls createShadowRoot. r=me
Comment 11•7 years ago
|
||
Pushed by ecoal95@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/91a4c7a72f31
Re-disable web-components in the crashtest for leaks, see bug 1416296. r=me on a CLOSED TREE
Comment 12•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/aca928db9dd6
https://hg.mozilla.org/mozilla-central/rev/25bc5a2fff2f
https://hg.mozilla.org/mozilla-central/rev/91a4c7a72f31
Status: REOPENED → RESOLVED
Closed: 7 years ago → 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
Assignee | ||
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•