563092 - Crash from stack exhaustion with SVG <use> & SMIL animation of 'display' and another property

Status: RESOLVED DUPLICATE of bug 572938

(Core :: SVG, defect)

Description

[Daniel Holbert [:dholbert]]

Attachment: testcase

STR:
 - Load testcase

ACTUAL RESULTS:
 - 1 second after loading (when the <set> on 'display' property kicks in), Firefox hangs & uses up 99% CPU and starts eating up memory, before crashing ~15 seconds later.
 - From breaking in with GDB, it looks like we've got a stack that's at least thousands of frames deep, with this repeating pattern:

> #35 0xb4a3bc8f in nsSMILAnimationController::DoSample (this=0xb38e14c0, aSkipUnchangedContainers=0) at ../../../mozilla/content/smil/nsSMILAnimationController.cpp:394
> #36 0xb40f7f2d in nsSMILAnimationController::Resample (this=0xb38e14c0) at ../../dist/include/nsSMILAnimationController.h:95
> #37 0xb40f7f4c in nsSMILAnimationController::FlushResampleRequests (this=0xb38e14c0) at ../../dist/include/nsSMILAnimationController.h:102
> #38 0xb40efc39 in PresShell::FlushPendingNotifications (this=0xb172e1d0, aType=Flush_Style) at ../../../mozilla/layout/base/nsPresShell.cpp:4607
> #39 0xb426baab in nsComputedDOMStyle::GetStyleContextForElement (aElement=0xafd36740, aPseudo=0x0, aPresShell=0xb172e1d0) at ../../../mozilla/layout/style/nsComputedDOMStyle.cpp:341
> #40 0xb42b4853 in LookupStyleContext (aElement=0xafd36740) at ../../../mozilla/layout/style/nsStyleAnimation.cpp:985
> #41 0xb42b1b96 in StyleWithDeclarationAdded (aProperty=eCSSProperty_display, aTargetElement=0xafd36740, aSpecifiedValue=..., aUseSVGMode=0) at ../../../mozilla/layout/style/nsStyleAnimation.cpp:1020
> #42 0xb42b39c7 in nsStyleAnimation::ComputeValue (aProperty=eCSSProperty_display, aTargetElement=0xafd36740, aSpecifiedValue=..., aUseSVGMode=0, aComputedValue=...) at ../../../mozilla/layout/style/nsStyleAnimation.cpp:1056
> #43 0xb4a431b7 in ValueFromStringHelper (aPropID=eCSSProperty_display, aTargetElement=0xafd36740, aPresContext=0xb262a800, aString=..., aUseSVGMode=0, aStyleAnimValue=...) at ../../../mozilla/content/smil/nsSMILCSSValueType.cpp:355
> #44 0xb4a437c4 in nsSMILCSSValueType::ValueFromString (aPropID=eCSSProperty_display, aTargetElement=0xafd36740, aString=..., aUseSVGMode=0, aValue=...) at ../../../mozilla/content/smil/nsSMILCSSValueType.cpp:391
> #45 0xb4a42608 in nsSMILCSSProperty::GetBaseValue (this=0xb19ed700) at ../../../mozilla/content/smil/nsSMILCSSProperty.cpp:147
> #46 0xb4a41561 in nsSMILCompositor::ComposeAttribute (this=0xb19e3cb8) at ../../../mozilla/content/smil/nsSMILCompositor.cpp:111
> #47 0xb4a3acf1 in DoComposeAttribute (aCompositor=0xb19e3cb8) at ../../../mozilla/content/smil/nsSMILAnimationController.cpp:308
> #48 0xb4a3c1d7 in nsTHashtable<nsSMILCompositor>::s_EnumStub (table=0xb19f05c0, entry=0xb19e3cb8, number=0, arg=0xbf79f28c) at ../../dist/include/nsTHashtable.h:420
> #49 0x001393f2 in ?? ()
> #50 0xb4a3cea8 in nsTHashtable<nsSMILCompositor>::EnumerateEntries (this=0xb19f05c0, enumFunc=0xb4a3ace0 <DoComposeAttribute(nsSMILCompositor*, void*)>, userArg=0x0) at ../../dist/include/nsTHashtable.h:241
> #51 0xb4a3bc8f in nsSMILAnimationController::DoSample (this=0xb38e14c0, aSkipUnchangedContainers=0) at ../../../mozilla/content/smil/nsSMILAnimationController.cpp:394

Comment 1

[Brian Birtles (:birtles, Feb 26~ parental leave)]

This works for me. Is it still a problem for you?

I suspect it was fixed by either bug 603917 or bug 602880.

Comment 2

[Daniel Holbert [:dholbert]]

WORKSFORME too.  Yay! :)
Mozilla/5.0 (X11; Linux i686; rv:2.0b8pre) Gecko/20101127 Firefox/4.0b8pre

Comment 3

[Daniel Holbert [:dholbert]]

(In reply to comment #1)
> I suspect it was fixed by either bug 603917 or bug 602880.

Looks like an exact dupe of bug 572938, actually (which bug 602880 is duped to).

Canceling my in-testsuite request, since that bug has tests checked in already, and they're pretty similar to this bug's test.