Closed Bug 1245735 Opened 8 years ago Closed 8 years ago

crash in mozilla::StyleAnimationValue::ComputeValues

Categories

(Core :: DOM: Animation, defect)

Product:
Core
Component:
DOM: Animation
Version:
47 Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1239889
Tracking Flags:
Tracking Status
firefox47 --- fixed

People

(Reporter: MatsPalmgren_bugz, Unassigned)

References

Details

(Keywords: crash, regression)

Crash Data

This bug was filed from the Socorro interface and is 
report bp-dacfcc59-1312-47e0-86e3-265ca2160203.
=============================================================

Looks like a recent regression; first reported crash in build 2016012903.

Stack:
mozilla::StyleAnimationValue::ComputeValues(nsCSSProperty, nsCSSProps::EnabledState, mozilla::dom::Element*, mozilla::css::StyleRule*, nsTArray<mozilla::PropertyStyleAnimationValuePair>&, bool*)
mozilla::StyleAnimationValue::ComputeValues(nsCSSProperty, nsCSSProps::EnabledState, mozilla::dom::Element*, nsAString_internal const&, bool, nsTArray<mozilla::PropertyStyleAnimationValuePair>&)
mozilla::dom::BuildAnimationPropertyListFromKeyframeSequence
mozilla::dom::KeyframeEffectReadOnly::BuildAnimationPropertyList(JSContext*, mozilla::dom::Element*, JS::Handle<JSObject*>, nsTArray<mozilla::AnimationProperty>&, mozilla::ErrorResult&)
mozilla::dom::KeyframeEffectReadOnly::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::Element*, JS::Handle<JSObject*>, mozilla::TimingParams const&, mozilla::ErrorResult&)
mozilla::dom::Element::Animate(JSContext*, JS::Handle<JSObject*>, mozilla::dom::UnrestrictedDoubleOrKeyframeAnimationOptions const&, mozilla::ErrorResult&)
mozilla::dom::ElementBinding::animate
mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*)
js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct)
Interpret
...

More Reports:
https://crash-stats.mozilla.com/report/list?product=Firefox&signature=mozilla%3A%3AStyleAnimationValue%3A%3AComputeValues
Given mozilla::dom::ElementBinding::animate on the stack I'm guessing this is
related to the Element.animate feature?
Flags: needinfo?(bbirtles)
Likely related to bug 1239889. Marking as blocking Element.animate. We'll fix bug 1239889 and see if we get any more crash reports after that.
Blocks: 1245000
Component: CSS Parsing and Computation → DOM: Animation
Flags: needinfo?(bbirtles)
I notice that all the variants of ComputeValues eventually end up calling LookupStyleContext which dereferences the result of aElement->GetCurrentDoc() without null-checking it. So one possibility for the crash here is that. And that would suggest bug 1239889.
This hasn't shown up since build 2016020403[1] so I'm going to assume that bug 1239889 fixed it.

[1] https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3AStyleAnimationValue%3A%3AComputeValues#tab-table
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.