Open
Bug 556610
Opened 14 years ago
Updated 2 years ago
Abort() in nsStyleAnimation::Interpolate()
Categories (Core :: CSS Parsing and Computation, defect)
Status: NEW
People (Reporter: jst, Unassigned)
I just hit this yesterday while not even using the browser. The URL of the document that caused this was twitter.com; I'm guessing it's their new front page code that gets us into this situation. Unfortunately this is an optimized build, so it's not trivial to see what the actual values were that caused this abort, but here's a stack:

#8  0x00007f0407311cef in Abort (aMsg=0x4fd0 <Address 0x4fd0 out of bounds>)
    at ../../../mozilla/xpcom/base/nsDebugImpl.cpp:385
#9  0x00007f0407311eee in NS_DebugBreak_P (aSeverity=3, aStr=
    0x7f04076a3ac5 "out of range", aExpr=
    0x7f04075aed30 "0.0 <= aPortion && aPortion <= 1.0", aFile=
    0x7f04075ab989 "../../../mozilla/layout/style/nsStyleAnimation.h", aLine=
    132) at ../../../mozilla/xpcom/base/nsDebugImpl.cpp:356
#10 0x00007f040698990c in nsStyleAnimation::Interpolate(nsCSSProperty, nsStyleAnimation::Value const&, nsStyleAnimation::Value const&, double, nsStyleAnimation::Value&) ()
    from /home/jst/bin/firefox/libxul.so
#11 0x00007f040698949b in ElementTransitionsStyleRule::MapRuleInfoInto (this=
    0x7f03c80360d0, aRuleData=0x7fff839fa270)
    at ../../../mozilla/layout/style/nsTransitionManager.cpp:255
#12 0x00007f04069626d4 in nsRuleNode::WalkRuleTree (this=0x7f03bdb3f4f8, aSID=
    eStyleStruct_Border, aContext=0x7f03d5f9d180, aRuleData=0x7fff839fa270,
    aSpecificData=0x7fff839f9dc0)
    at ../../../mozilla/layout/style/nsRuleNode.cpp:1948
#13 0x00007f0406965071 in nsRuleNode::GetBorderData (this=0x7f03bdb3f4f8,
    aContext=0x7f03d5f9d180)
    at ../../../mozilla/layout/style/nsRuleNode.cpp:1700
#14 0x00007f0406965160 in nsRuleNode::GetStyleBorder (this=0x7f03bdb3f4f8,
    aContext=0x4fd0, aComputeData=6)
    at ../../../mozilla/layout/style/nsStyleStructList.h:134

I have a core file, so if someone wants more info out of this that should certainly be doable within the next several days.
The only thing I can think of is that nsSMILKeySpline can map a value that's within 0-1 to a value very slightly outside it. (The caller clamps timePortion to 0-1, calls GetSplineValue, and then calls nsStyleAnimation::Interpolate.)
If that's the case, maybe the right thing to do is either (a) weaken the range or (b) change the NS_ABORT_IF_FALSE to NS_WARNING.
Comment 3 (Reporter) • 14 years ago
Here's more info from dbaron debugging a bit more on the core file I have:

(gdb) p $13.mMostRecentRefresh
$14 = {mValue = 3107967583408497}
(gdb) p pt.mStartTime
$15 = {mValue = 3107967583408497}
(gdb) p $14.mValue - $15.mValue
$16 = 0
(gdb) p pt
$17 = (ElementPropertyTransition &) @0x7f03b785e008: {mProperty = eCSSProperty_box_shadow,
  mStartValue = {mUnit = eUnit_Shadow, mValue = {
      mInt = -953878848, mCoord = -953878848, mFloat = -42230.75,
      mColor = 3341088448, mCSSValuePair = 0x7f03c724f6c0,
      mCSSRect = 0x7f03c724f6c0, mCSSValueList = 0x7f03c724f6c0,
      mCSSValuePairList = 0x7f03c724f6c0, mString = 0x7f03c724f6c0}},
  mEndValue = {mUnit = eUnit_Shadow, mValue = {
      mInt = 0, mCoord = 0, mFloat = 0, mColor = 0, mCSSValuePair = 0x0,
      mCSSRect = 0x0, mCSSValueList = 0x0, mCSSValuePairList = 0x0,
      mString = 0x0}},
  mCurrentValue = {mUnit = eUnit_Null, mValue = {mInt = -1307767840,
      mCoord = -1307767840, mFloat = -8.20998025e-09, mColor = 2987199456,
      mCSSValuePair = 0x7f03b20d0be0, mCSSRect = 0x7f03b20d0be0,
      mCSSValueList = 0x7f03b20d0be0, mCSSValuePairList = 0x7f03b20d0be0,
      mString = 0x7f03b20d0be0}},
  mStartTime = {mValue = 3107967583408497}, mDuration = {mValue = 0},
  mTimingFunction = {mX1 = 0, mY1 = 0, mX2 = 1, mY2 = 1,
    mSampleValues = {6.8998416478437392e-310, 0, 0, 6.8998651536176239e-310,
      6.8998369850007887e-310, 6.8998203551598407e-310,
      6.8998870238805664e-310, 6.8998416478437392e-310,
      6.8998857755742069e-310, 6.9532527116396852e-310,
      6.4228533959362051e-323},
    static kSampleStepSize = 0.10000000000000001}}

See, in this case, GetSplineValue should hit the code:

  if (mX1 == mY1 && mX2 == mY2)
    return aX;

which is the one case where I'm really confident it can't map a value in 0-1 to outside 0-1.
Updated • 2 years ago
Severity: normal → S3
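
An added example, not part of the bug thread and not Mozilla's code: it runs the sequence the comments describe (clamp to 0-1, GetSplineValue with the linear shortcut, then the asserted expression 0.0 <= aPortion && aPortion <= 1.0) on the values in the gdb dump, where elapsed time and mDuration are both 0. How the caller derives timePortion is not shown on the page; the elapsed/duration division and all function names below are assumptions.

```cpp
// Added illustration, not Mozilla source; every name here is a stand-in.
#include <cmath>
#include <cstdio>

struct KeySpline {  // control points as in the dump: mX1, mY1, mX2, mY2
  double x1, y1, x2, y2;
  static double Bezier(double t, double p1, double p2) {
    double u = 1.0 - t;
    return 3 * u * u * t * p1 + 3 * u * t * t * p2 + t * t * t;
  }
  double GetSplineValue(double aX) const {
    if (x1 == y1 && x2 == y2) return aX;  // linear shortcut quoted in the thread
    double lo = 0.0, hi = 1.0;            // otherwise bisect for t with x(t) == aX
    for (int i = 0; i < 60; ++i) {
      double mid = (lo + hi) / 2;
      if (Bezier(mid, x1, x2) < aX) lo = mid; else hi = mid;
    }
    return Bezier((lo + hi) / 2, y1, y2);
  }
};

// Two-comparison clamp: both tests are false for NaN, so NaN passes through.
double ClampNaive(double t) {
  if (t < 0.0) t = 0.0;
  if (t > 1.0) t = 1.0;
  return t;
}

// Clamp that only returns t when it is provably inside [0, 1].
// Sending NaN to 0.0 is a choice made for this example.
double ClampStrict(double t) {
  if (!(t > 0.0)) return 0.0;
  if (!(t < 1.0)) return 1.0;
  return t;
}

// The expression from the failed assertion in nsStyleAnimation.h.
bool InRange(double aPortion) { return 0.0 <= aPortion && aPortion <= 1.0; }

double PortionFor(double elapsed, double duration, bool strict) {
  double t = elapsed / duration;  // ASSUMPTION: not shown on the page; 0/0 is NaN
  t = strict ? ClampStrict(t) : ClampNaive(t);
  return KeySpline{0.0, 0.0, 1.0, 1.0}.GetSplineValue(t);  // dumped control points
}

int main() {
  std::printf("naive:  %d\n", InRange(PortionFor(0.0, 0.0, false)));  // dump values
  std::printf("strict: %d\n", InRange(PortionFor(0.0, 0.0, true)));
  return 0;
}
```

Under that assumption the linear shortcut hands a NaN straight to the range check, so the check fails even though the spline never maps a value in 0-1 to one outside it.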