Closed
Bug 1066556
Opened 10 years ago
Closed 8 years ago
Hang & eventual heap memory exhaustion in FlattenBezierCurveSegment (from gfx/2d/Path.cpp), with SVG <path> & getTotalLength() (or textPath, other path-length-dependent functionality)
Categories
(Core :: Graphics, defect)
Core
Graphics
Tracking
()
RESOLVED
FIXED
People
(Reporter: denpashogai, Assigned: bas.schouten)
References
Details
(Keywords: hang)
Attachments
(2 files)
testcase 1 (WARNING: hangs firefox & slowly eats up memory as it hangs)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0
Build ID: 20140912004004
Steps to reproduce:
Using 34.0a2 Nightly on a Mac, with {Adblock Plus, HTTPS Everywhere, Flashblock} all installed but disabled, and Test Pilot enabled...
(Cannot reproduce with Windows Nightly in a Virtualbox VM)
Go to this link:
http://24ways.org/2013/animating-vectors-with-svg/
Actual results:
1. Page starts to render
2. Empty "Codepen" box appears
3. Firefox hangs (for at least 10 minutes before I manually killed it)
4. Virtual memory usage in htop goes up to 149G
Expected results:
1. Page renders
2. Animated SVG/Javascript stuff happens in the Codepen box
3. Virtual memory usage does not go bananas
|
Reporter | |
Updated•10 years ago
|
Hardware: x86 → x86_64
WFM with Nightly on Win 7, Codepen box is not empty ("24 gift") and no VM peak.
|
||
Comment 2•10 years ago
|
||
(In reply to Oisín Mac Fhearaí from comment #0) > User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) > Gecko/20100101 Firefox/34.0 > Build ID: 20140912004004 > > Steps to reproduce: > > Using 34.0a2 Nightly on a Mac You mean Aurora? I'm confused - your build ID is for today, but Nightly is version 35 now... In any case, this WFM with current nightly on OS X 10.9... Can you confirm what version you're testing?
Flags: needinfo?(denpashogai)
|
|
Reporter | |
Comment 3•10 years ago
|
||
(In reply to :Gijs Kruitbosch from comment #2) > (In reply to Oisín Mac Fhearaí from comment #0) > > User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) > > Gecko/20100101 Firefox/34.0 > > Build ID: 20140912004004 > > > > Steps to reproduce: > > > > Using 34.0a2 Nightly on a Mac > > > You mean Aurora? I'm confused - your build ID is for today, but Nightly is > version 35 now... In any case, this WFM with current nightly on OS X 10.9... > Can you confirm what version you're testing? Ack, you're right -- it's Aurora running on my Mac at work. I'm running Nightly on two other machines. My bad :-/ Perhaps I can edit the description...
Flags: needinfo?(denpashogai)
|
|
Reporter | |
Comment 4•10 years ago
|
||
BTW, it also appears to hang FF 32.0 on my Ubuntu box. Perhaps it's been solved between 32/34 and 35 then?
|
||
Updated•10 years ago
|
Component: Untriaged → SVG
Product: Firefox → Core
|
||
Comment 5•10 years ago
|
||
I can reproduce in today's Nightly on Linux, both with the URL from comment 0, and with this URL that just directly goes to the Codepen: http://codepen.io/drewm/full/yJflC It hangs when loaded, and memory usage steadily creeps upwards. After ~10-15 seconds it was still hanging and memory usage had crossed 10% (and still growing) which would be 3.2 GB on my system. I killed it manually at that point. 35.0a1 (2014-09-13)
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Mac OS X → All
Hardware: x86_64 → All
Version: 34 Branch → Trunk
|
|
||
Comment 6•10 years ago
|
||
Here's a backtrace in GDB, during the hang. From a bit more poking around in gdb: we never escape from FlattenBezierCurveSegment, defined here: http://mxr.mozilla.org/mozilla-central/source/gfx/2d/Path.cpp#234 We just loop forever, waiting for 't' to be at least 1.0. But in my samples while we were hanging in that function, 't' seems to always be 0.00010483856 -- it never changes. s3 (from which t is derived) never changes either, between a few of my samples -- it always seems to be -12131.3711.
|
|
||
Comment 7•10 years ago
|
||
(Presumably the never-ending memory increase is from the LineTo() that gets called at the end of every loop-iteration, adding more and more segments to a path that will never complete.) Adding dependency on bug 935049, which added this code, and bumping to Graphics since this seems to be a bug in gfx/2d/. Bas, looks like this algorithm from bug 935049 might not be guaranteed to terminate (or, there's a bug in our impl). Any chance you can take a look?
Component: SVG → Graphics
Depends on: 935049
Flags: needinfo?(bas)
Summary: Animated Javascript/SVG demo in Codepen hangs with over 140GB heap → Animated Javascript/SVG demo in Codepen hangs in FlattenBezierCurveSegment (from gfx/2d/Path.cpp) with over 140GB heap
|
|
||
Comment 9•10 years ago
|
||
Here's a reduced testcase, based on the smaller testcase in bug 1067695.
|
|
||
Updated•10 years ago
|
Keywords: hang
Summary: Animated Javascript/SVG demo in Codepen hangs in FlattenBezierCurveSegment (from gfx/2d/Path.cpp) with over 140GB heap → Hang & eventual heap memory exhaustion in FlattenBezierCurveSegment (from gfx/2d/Path.cpp), with SVG <path> & getTotalLength() (or textPath, other path-length-dependent functionality)
|
Assignee | |
Comment 10•10 years ago
|
||
This bug is duped in several places, I should fix it sometime soon :-).
Assignee: nobody → bas
Status: NEW → ASSIGNED
Flags: needinfo?(bas)
|
||
Comment 12•8 years ago
|
||
I can no longer reproduce in Ubuntu 15.10, with FF 45.0.1 I get a length of 67.77793884277344 and no hanging.
|
|
||
Updated•8 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•