Closed Bug 1487819 Opened 6 years ago Closed 6 years ago

Crash in Servo_StyleSet_FlushStyleSheets

Categories

(Core :: CSS Parsing and Computation, defect)

Product:
Core
Component:
CSS Parsing and Computation
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1490012
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox61 --- unaffected
firefox62 --- unaffected
firefox63 --- fixed
firefox64 --- fixed

People

(Reporter: calixte, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase-wanted)

Crash Data

This bug was filed from the Socorro interface and is report bp-10e7ac9f-f211-4df5-939d-fa8f30180831. ============================================================= Top 10 frames of crashing thread: 0 libxul.so Servo_StyleSet_FlushStyleSheets src/libcore/sync/atomic.rs:1766 1 libxul.so mozilla::ServoStyleSet::UpdateStylist layout/style/ServoStyleSet.cpp:1461 2 libxul.so mozilla::PresShell::DoFlushPendingNotifications layout/base/PresShell.cpp:4274 3 libxul.so nsRefreshDriver::Tick layout/base/nsRefreshDriver.cpp:1900 4 libxul.so mozilla::InactiveRefreshDriverTimer::TickOne layout/base/nsRefreshDriver.cpp:324 5 libxul.so mozilla::InactiveRefreshDriverTimer::TimerTickOne layout/base/nsRefreshDriver.cpp:949 6 libxul.so nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:701 7 libxul.so nsTimerEvent::Run xpcom/threads/TimerThread.cpp:297 8 libxul.so nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1167 9 libxul.so NS_ProcessNextEvent xpcom/threads/nsThreadUtils.cpp:519 ============================================================= There are 2 crashes (from 1 installation) in nightly 63 with buildid 20180830111743. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1486536. [1] https://hg.mozilla.org/mozilla-central/rev?node=15d80c644e1e
Flags: needinfo?(emilio)
I don't understand how could we get into an state where mIsDestroying is false, but mRawSet is nullptr... Please let me know if this becomes a bit more high-volume, but I'm wary of wallpapering it without understanding what's going on... Jason (& co), is there any chance you could add this signature to your fuzzing machinery so I notice should a test-case for this signature appears? Thanks a lot!
Flags: needinfo?(emilio) → needinfo?(jkratzer)
Keywords: testcase-wanted
(In reply to Emilio Cobos Álvarez (:emilio) from comment #1) > I don't understand how could we get into an state where mIsDestroying is > false, but mRawSet is nullptr... > > Please let me know if this becomes a bit more high-volume, but I'm wary of > wallpapering it without understanding what's going on... > > Jason (& co), is there any chance you could add this signature to your > fuzzing machinery so I notice should a test-case for this signature appears? > Thanks a lot! Done. I'll update here if a testcase becomes available.
Flags: needinfo?(jkratzer)
I see another similar signature that seems to be all Windows crashes: https://bit.ly/2wHX4P5 that seems to have started using 20180828220157. The signature currently in the bug is Mac, Linux and Android crashes. If it isn't the same issue as this bug, I can file a separate one.
yes, most likely it's the same regression.
Crash Signature: [@ Servo_StyleSet_FlushStyleSheets] → [@ Servo_StyleSet_FlushStyleSheets] [@ geckoservo::glue::Servo_StyleSet_FlushStyleSheets ]
status-firefox64: --- → affected
OS: Android → All
Hardware: Unspecified → All
Bug 1490012 has a test-case, duping there.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.