Closed Bug 582564 Opened 14 years ago Closed 14 years ago

Crash on Transitions before page load: nsCSSValue::GetStringValue(nsAString_internal&)

Categories

(Core :: CSS Parsing and Computation, defect)

Product:
Core
Component:
CSS Parsing and Computation
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED DUPLICATE of bug 582111

People

(Reporter: paul, Unassigned)

References

(
URL
)

Details

(Keywords: crash, crashreportid, testcase)

Load this demo: http://demos.hacks.mozilla.org/openweb/LONDONPROJECT/ Click on the Firefox logo before the page is completely loaded: Crash. Crash: http://crash-stats.mozilla.com/report/index/bp-edc31fbe-7d66-4048-b69b-dc0192100728 With Signature nsCSSValue::GetStringValue(nsAString_internal&)
Regression window: Works: http://hg.mozilla.org/mozilla-central/rev/5425902639a5 Mozilla/5.0 (Windows; Windows NT 6.1; WOW64; en-US; rv:2.0b2pre) Gecko/20100702 Minefield/4.0b2pre ID:20100702211430 Fails: http://hg.mozilla.org/mozilla-central/rev/f2b02ba56bdd Mozilla/5.0 (Windows; Windows NT 6.1; WOW64; en-US; rv:2.0b2pre) Gecko/20100702 Minefield/4.0b2pre ID:20100702221424 Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=5425902639a5&tochange=f2b02ba56bdd
Severity: normal → critical
Component: Layout → Style System (CSS)
QA Contact: layout → style-system
Blocks: 531344
(gdb) frame 2 #2 0x00007ffff5bb54f6 in nsStyleAnimation::ExtractComputedValue (aProperty= eCSSProperty__moz_transform, aStyleContext=0x7fffe494b0c0, aComputedValue=...) at ../../../mozilla/layout/style/nsStyleAnimation.cpp:2360 2360 SubstitutePixelValues(aStyleContext, l->mValue, clone->mValue); (gdb) p l $9 = (const nsCSSValueList *) 0x5a5a5a5a5a5a5a5a That's jemalloc uninitialized memory, in theory...
OK, and in fact we enter the loop with l->mNext set to such a value because: (gdb) p/x *display->mSpecifiedTransform $9 = {mValue = {mUnit = 0x5a5a5a5a, mValue = {mInt = 0x5a5a5a5a, mFloat = 0x80000000, mString = 0x5a5a5a5a5a5a5a5a, mColor = 0x5a5a5a5a, mArray = 0x5a5a5a5a5a5a5a5a, mURL = 0x5a5a5a5a5a5a5a5a, mImage = 0x5a5a5a5a5a5a5a5a, mGradient = 0x5a5a5a5a5a5a5a5a}}, mNext = 0x5a5a5a5a5a5a5a5a} Is it possible that the rule died or something? Might be worth valgrinding this to see what the stacks it produces might have to say for themselves.
I tried doing that, but I can't catch the right moment to click when running under V.... :(
blocking2.0: --- → ?
I think this is the same as the other bug I debugged a few days ago.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Could you confirm that this is fixed in today's nightly?
Confirmed.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.