Testcase found while fuzzing mozilla-central rev 190b827aaa2b. rax = 0x0000000000000000 rdx = 0x0000000000000000 rcx = 0x0000000000000b40 rbx = 0x00007f57cfa1d240 rsi = 0x00007f57e831d8b0 rdi = 0x00007f57e831c680 rbp = 0x00007ffcf01ba2f0 rsp = 0x00007ffcf01ba2d0 r8 = 0x00007f57e831d8b0 r9 = 0x00007f57e9495740 r10 = 0x00000000ffffffc7 r11 = 0x0000000000000000 r12 = 0x00007f57ce164000 r13 = 0x0000000000000000 r14 = 0x0000000000000000 r15 = 0x00007ffcf01ba5c0 rip = 0x00007f57d8d31f74 OS|Linux|0.0.0 Linux 4.15.0-32-generic #35-Ubuntu SMP Fri Aug 10 17:58:07 UTC 2018 x86_64 CPU|amd64|family 6 model 78 stepping 3|1 GPU||| Crash|SIGSEGV /SEGV_MAPERR|0x0|0 0|0|libxul.so|mozilla::ServoStyleSet::PreTraverseSync()|hg:hg.mozilla.org/mozilla-central:layout/style/ServoStyleSet.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|435|0x18 0|1|libxul.so|mozilla::ServoStyleSet::PreTraverse(mozilla::ServoTraversalFlags, mozilla::dom::Element*)|hg:hg.mozilla.org/mozilla-central:layout/style/ServoStyleSet.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|442|0x5 0|2|libxul.so|mozilla::ServoStyleSet::StyleDocument(mozilla::ServoTraversalFlags)|hg:hg.mozilla.org/mozilla-central:layout/style/ServoStyleSet.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|968|0xa 0|3|libxul.so|mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags)|hg:hg.mozilla.org/mozilla-central:layout/base/RestyleManager.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|3025|0x12 0|4|libxul.so|mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|4297|0x19 0|5|libxul.so|mozilla::PresShell::DoFlushPendingNotifications(mozilla::FlushType)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|4138|0x7 0|6|libxul.so|mozilla::PresShell::DidDoReflow(bool)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|8851|0x8 0|7|libxul.so|mozilla::PresShell::ProcessReflowCommands(bool)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|9207|0xb 0|8|libxul.so|mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|4347|0x15 0|9|libxul.so|nsRefreshDriver::Tick(mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|1926|0x5 0|10|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|324|0x8 0|11|libxul.so|mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|317|0xc 0|12|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|755|0xc 0|13|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|571|0xc 0|14|libxul.so|mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&)|hg:hg.mozilla.org/mozilla-central:layout/ipc/VsyncChild.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|78|0x9 0|15|libxul.so|mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:0c7cf777c2ff93c34ff1546f677320cb1229427e6947e87c6fa76720f9b9c5b6a4a4d036521ed9a643f4fa5e10a57d8748e2532d47fce8282aa653340c0c00ff/ipc/ipdl/PVsyncChild.cpp:|167|0xc 0|16|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2239|0x6 0|17|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2166|0xb 0|18|libxul.so|mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2012|0xb 0|19|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run()|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|2045|0xc 0|20|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|1167|0x15 0|21|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|519|0x11 0|22|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|97|0xa 0|23|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|325|0x17 0|24|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|318|0x8 0|25|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|158|0xd 0|26|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|944|0x11 0|27|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|269|0x5 0|28|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|325|0x17 0|29|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|318|0x8 0|30|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|770|0x8 0|31|firefox|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|50|0x14 0|32|firefox|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|287|0x11 0|33|libc-2.27.so||||0x21b97 0|34|firefox|MOZ_ReportAssertionFailure|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:190b827aaa2b5e6fb9af7a0defb238ccc35f8b9e|164|0x5

We usually rely on this call happening soon enough that it doesn't matter, but from document.write it can matter actually. This is the call that makes this work the same way as other sheet addition / removals. This would fix cases where counter styles / @font-face rules in quirk.css wouldn't get properly updated in some cases. Hopefully we don't have any of those.

When CSS rules change, we usually do this implicitly from FlushUserFontSet & co. However there's a code path that dirties the stylist but not the CSS rules, and that's when the compat mode changes and we're an SVG document. I don't think that can get hit (easily, at least?), but it's pretty easy to do so and I think this is cleaner too. This fixes that case so the stylist can't assert in that case either, and so that we still rebuild the cascade data so that the hash maps use the right keys for a given quirks-mode.

Comment on attachment 9004310 [details] Make nsPresContext::CompatibilityModeChanged() properly call PresShell::ApplicableStylesChanged. Cameron McCormack (:heycam) has approved the revision.

Comment on attachment 9004313 [details] Explicitly flush the StyleSet from FlushPendingNotifications. Cameron McCormack (:heycam) has approved the revision.

Comment on attachment 9004314 [details] Crashtest. Cameron McCormack (:heycam) has approved the revision.

Thanks for the informative commit messages. :-)

Pushed by emilio@crisal.io: https://hg.mozilla.org/integration/mozilla-inbound/rev/15e5faa7e1d9 Make nsPresContext::CompatibilityModeChanged() properly call PresShell::ApplicableStylesChanged. r=heycam https://hg.mozilla.org/integration/mozilla-inbound/rev/15d80c644e1e Explicitly flush the StyleSet from FlushPendingNotifications. r=heycam https://hg.mozilla.org/integration/mozilla-inbound/rev/a47f6d2d38a4 Crashtest. r=heycam

Backed out changeset a47f6d2d38a4 (bug 1486536) for failing at tests/layout/style/crashtests/1486536.html Backout link: https://hg.mozilla.org/integration/mozilla-inbound/rev/0e03f055808cb2ed38381c1c1f7f1b2756a7c8a4 Push with failures: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=a47f6d2d38a4d7e46770f43a137d456fa02525ba Log link: https://treeherder.mozilla.org/logviewer.html#?job_id=196222497&repo=mozilla-inbound&lineNumber=23872 Log snippet: [task 2018-08-28T15:48:28.266Z] 15:48:28 INFO - REFTEST TEST-START | file:///builds/worker/workspace/build/tests/reftest/tests/layout/style/crashtests/1486536.html [task 2018-08-28T15:48:28.270Z] 15:48:28 INFO - REFTEST TEST-LOAD | file:///builds/worker/workspace/build/tests/reftest/tests/layout/style/crashtests/1486536.html | 3010 / 3594 (83%) [task 2018-08-28T15:53:28.272Z] 15:53:28 INFO - REFTEST TEST-UNEXPECTED-FAIL | file:///builds/worker/workspace/build/tests/reftest/tests/layout/style/crashtests/1486536.html | load failed: timed out after 300000 ms waiting for 'load' event for file:///builds/worker/workspace/build/tests/reftest/tests/layout/style/crashtests/1486536.html [task 2018-08-28T15:53:28.275Z] 15:53:28 INFO - REFTEST INFO | Saved log: START file:///builds/worker/workspace/build/tests/reftest/tests/layout/style/crashtests/1486536.html [task 2018-08-28T15:53:28.278Z] 15:53:28 INFO - REFTEST INFO | Saved log: [CONTENT] AfterPaintListener in file:///builds/worker/workspace/build/tests/reftest/tests/layout/style/crashtests/1486536.html [task 2018-08-28T15:53:28.280Z] 15:53:28 INFO - REFTEST INFO | Saved log: [CONTENT] AfterPaintListener in file:///builds/worker/workspace/build/tests/reftest/tests/layout/style/crashtests/1486536.html

https://hg.mozilla.org/mozilla-central/rev/15e5faa7e1d9 https://hg.mozilla.org/mozilla-central/rev/15d80c644e1e