crash in nsStyleTransformMatrix::MatrixForTransformFunction when animating a transform to or from 'none'

RESOLVED FIXED in Firefox 40

Status

Core
Graphics
critical

People

(Reporter: dietrich, Assigned: dbaron)

Tracking

({crash, regression})

unspecified
mozilla40
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox40 fixed)

Attachments

(2 attachments)

(Reporter)

Description

3 years ago
This bug was filed from the Socorro interface and is report bp-e04656d3-6682-472f-9fca-a29d42150410.
=============================================================

100% reproducible by loading https://cssanimation.rocks/principles/

Started in the last couple of days.
More reports: https://crash-stats.mozilla.com/report/list?product=Firefox&signature=nsStyleTransformMatrix%3A%3AMatrixForTransformFunction

|aData| is 0x5a5a5a5a in MatrixForTransformFunction, so whatever object was holding that pointer is now dead.

First seen 20150407030207. Mostly Windows and a few Mac, so I'm guessing bug 980770.
Flags: needinfo?(dbaron)
(Assignee)

Comment 2

3 years ago
Yes; the stack is something that would happen only with OMT animations on.
Blocks: 980770
(Assignee)

Comment 3

3 years ago
Also reproducible on Linux with OMTA on.
OS: Mac OS X → All
(Assignee)

Comment 4

3 years ago
The immediate cause is that it's being passed a single-item list whose unit is eCSSUnit_None, rather than a list of transform functions that it expects.  Need to figure out why it has that expectation and/or why we're not meeting it.
(Assignee)

Comment 5

3 years ago
Created attachment 8593113
testcase

We crash when animating transform to or from 'none'.
(Assignee)

Updated

3 years ago
Assignee: nobody → dbaron
Status: NEW → ASSIGNED
Flags: needinfo?(dbaron)
Summary: crash in nsStyleTransformMatrix::MatrixForTransformFunction → crash in nsStyleTransformMatrix::MatrixForTransformFunction when animating a transform to or from 'none'
(Assignee)

Comment 6

3 years ago
FWIW, I have a patch; most of the time is debugging why the existing tests in layout/style/test/test_transitions_per_property.html don't show this bug.
(Assignee)

Comment 7

3 years ago
... which is because it never samples at the start or end of the animations, only in the middle.
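
Added example (not part of the bug thread and not the actual patch): a simplified C++ model of the failure described in comments 4 and 7, showing a reader that assumes every list item is a transform function, a reader that treats a single 'none' item as the identity, and why sampling only mid-animation misses the difference. All type and function names here are hypothetical stand-ins, not Gecko's; the assumption that interior samples yield an interpolated function list is mine.

```cpp
#include <vector>

// Simplified stand-ins for this example; these are not Gecko's real types.
enum class Unit { None, Function };
struct Item { Unit unit; double tx; };  // tx: translateX in px, used only for Function
using TransformList = std::vector<Item>;
struct Matrix { double tx = 0.0; };     // tx == 0 is the identity

// Unchecked reader: assumes every item is a transform function.
// Returns false where real code would read function data that a
// 'none' item does not carry (this models the crash without crashing).
bool ReadUnchecked(const TransformList& list, Matrix* out) {
    Matrix m;
    for (const Item& it : list) {
        if (it.unit != Unit::Function) return false;
        m.tx += it.tx;
    }
    *out = m;
    return true;
}

// Checked reader: a single-item list whose unit is None means "no transform".
Matrix ReadChecked(const TransformList& list) {
    if (list.size() == 1 && list[0].unit == Unit::None) return Matrix{};
    Matrix m;
    for (const Item& it : list)
        if (it.unit == Unit::Function) m.tx += it.tx;
    return m;
}

// Value of an animation from 'none' to translateX(toTx) at progress t.
// Assumption: the start point yields the stored 'none' value as-is, while
// later samples yield an interpolated function list.
TransformList Sample(double toTx, double t) {
    if (t <= 0.0) return {{Unit::None, 0.0}};
    return {{Unit::Function, toTx * t}};
}

// Counts the sample points at which the unchecked reader fails.
int CountFailures(const std::vector<double>& points) {
    int failures = 0;
    Matrix unused;
    for (double t : points)
        if (!ReadUnchecked(Sample(100.0, t), &unused)) ++failures;
    return failures;
}
```

A test that samples only at 0.25, 0.5 and 0.75 reports no failures in this model; adding the endpoints exposes the one at the 'none' end.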
(Assignee)

Comment 8

3 years ago
Created attachment 8593182
Don't crash when doing an off-main-thread animation of a transform to or from the 'none' value

I confirmed locally (with ./mach mochitest-plain --e10s on Linux) that
the added test crashes without the patch and passes with the patch.
Attachment #8593182 - Flags: review?(bbirtles)
Attachment #8593182 - Flags: review?(bbirtles) → review+
https://hg.mozilla.org/mozilla-central/rev/62b47badf9f9
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
status-firefox40: --- → fixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla40