Closed
Bug 582564
Opened 14 years ago
Closed 14 years ago
Crash on Transitions before page load: nsCSSValue::GetStringValue(nsAString_internal&)
Categories
(Core :: CSS Parsing and Computation, defect)
Tracking
()
VERIFIED
DUPLICATE
of bug 582111
People
(Reporter: paul, Unassigned)
References
()
Details
(Keywords: crash, crashreportid, testcase)
Load this demo: http://demos.hacks.mozilla.org/openweb/LONDONPROJECT/ Click on the Firefox logo before the page is completely loaded: Crash. Crash: http://crash-stats.mozilla.com/report/index/bp-edc31fbe-7d66-4048-b69b-dc0192100728 With Signature nsCSSValue::GetStringValue(nsAString_internal&)
|
||
Comment 1•14 years ago
|
||
Regression window: Works: http://hg.mozilla.org/mozilla-central/rev/5425902639a5 Mozilla/5.0 (Windows; Windows NT 6.1; WOW64; en-US; rv:2.0b2pre) Gecko/20100702 Minefield/4.0b2pre ID:20100702211430 Fails: http://hg.mozilla.org/mozilla-central/rev/f2b02ba56bdd Mozilla/5.0 (Windows; Windows NT 6.1; WOW64; en-US; rv:2.0b2pre) Gecko/20100702 Minefield/4.0b2pre ID:20100702221424 Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=5425902639a5&tochange=f2b02ba56bdd
|
|
||
Updated•14 years ago
|
Severity: normal → critical
Component: Layout → Style System (CSS)
QA Contact: layout → style-system
|
|
||
Comment 2•14 years ago
|
||
(gdb) frame 2
#2 0x00007ffff5bb54f6 in nsStyleAnimation::ExtractComputedValue (aProperty=
eCSSProperty__moz_transform, aStyleContext=0x7fffe494b0c0, aComputedValue=...)
at ../../../mozilla/layout/style/nsStyleAnimation.cpp:2360
2360 SubstitutePixelValues(aStyleContext, l->mValue, clone->mValue);
(gdb) p l
$9 = (const nsCSSValueList *) 0x5a5a5a5a5a5a5a5a
That's jemalloc uninitialized memory, in theory...|
|
||
Comment 3•14 years ago
|
||
OK, and in fact we enter the loop with l->mNext set to such a value because:
(gdb) p/x *display->mSpecifiedTransform
$9 = {mValue = {mUnit = 0x5a5a5a5a, mValue = {mInt = 0x5a5a5a5a, mFloat = 0x80000000, mString = 0x5a5a5a5a5a5a5a5a, mColor =
0x5a5a5a5a, mArray = 0x5a5a5a5a5a5a5a5a, mURL = 0x5a5a5a5a5a5a5a5a, mImage = 0x5a5a5a5a5a5a5a5a, mGradient =
0x5a5a5a5a5a5a5a5a}}, mNext = 0x5a5a5a5a5a5a5a5a}
Is it possible that the rule died or something? Might be worth valgrinding this to see what the stacks it produces might have to say for themselves.|
|
||
Comment 4•14 years ago
|
||
I tried doing that, but I can't catch the right moment to click when running under V.... :(
blocking2.0: --- → ?
I think this is the same as the other bug I debugged a few days ago.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Could you confirm that this is fixed in today's nightly?
|
Reporter | |
Comment 8•14 years ago
|
||
Confirmed.
blocking2.0: ? → ---
You need to log in
before you can comment on or make changes to this bug.
Description
•