Closed Bug 623945 Opened 14 years ago Closed 14 years ago

Firefox 4.0b9pre Crash [@ mozilla::imagelib::SVGDocumentWrapper::StopAnimation() ]

Categories

(Core :: Graphics: ImageLib, defect)

Product:
Core
Component:
Graphics: ImageLib
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: marcia, Assigned: dholbert)

Details

(Keywords: crash, crashreportid, reproducible)

Crash Data

Attachments

(1 file, 1 obsolete file)

fix v1 now w/ test
5.04 KB, patch
roc
: review+
joe
: approval2.0+
Details | Diff | Splinter Review
Seen while reviewing trunk crash stats. Crashes started showing up using the 2011010100 build. http://tinyurl.com/2cto7d8 to the crashes which are all Windows. Possible pushlog regression range: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b083bc8b79ab&tochange=b2275b45a33d Frame Module Signature [Expand] Source 0 xul.dll mozilla::imagelib::SVGDocumentWrapper::StopAnimation modules/libpr0n/src/SVGDocumentWrapper.cpp:224 1 xul.dll mozilla::imagelib::SVGDocumentWrapper::OnStartRequest modules/libpr0n/src/SVGDocumentWrapper.cpp:273 2 xul.dll mozilla::imagelib::VectorImage::OnStartRequest modules/libpr0n/src/VectorImage.cpp:640 3 xul.dll imgRequest::OnDataAvailable 4 xul.dll nsRefPtr<nsPresContext>::~nsRefPtr<nsPresContext> obj-firefox/dist/include/nsAutoPtr.h:969 5 xul.dll NS_TableDrivenQI obj-firefox/xpcom/build/nsISupportsImpl.cpp:49 6 xul.dll nsBaseChannel::QueryInterface netwerk/base/src/nsBaseChannel.cpp:339 7 xul.dll nsACString_internal::Assign xpcom/string/src/nsTSubstring.cpp:390 8 xul.dll nsBaseChannel::GetContentType netwerk/base/src/nsBaseChannel.cpp:495 9 xul.dll nsRefPtr<nsPresContext>::~nsRefPtr<nsPresContext> obj-firefox/dist/include/nsAutoPtr.h:969 10 xul.dll ProxyListener::OnStartRequest modules/libpr0n/src/imgLoader.cpp:2000 11 xul.dll ProxyListener::OnDataAvailable modules/libpr0n/src/imgLoader.cpp:2019 12 xul.dll nsBaseChannel::OnDataAvailable netwerk/base/src/nsBaseChannel.cpp:755 13 xul.dll nsInputStreamPump::OnStateTransfer netwerk/base/src/nsInputStreamPump.cpp:510
Ring any bells, Daniel?
Assignee: nobody → dholbert
This exact crash doesn't ring any bells, but looks easy to fix. It's crashing on a null-deref on the last line here: > 221 nsIDocument* doc = mViewer->GetDocument(); > 222 if (doc) { > 223#ifdef MOZ_SMIL > 224 doc->GetAnimationController()->Pause(nsSMILTimeContainer::PAUSE_IMAGE); We've already null-checked |doc|, so that's not null -- so it must be that |doc->GetAnimationController()| returns null. ...and that can easily happen if SMIL or image animations are disabled via an about:config pref, or for a few other reasons. So I think we just need to null-check |doc->GetAnimationController()| there. (I'm guessing the date that this started showing up corresponds more to when a particular user flipped a particular pref, or started using nightlies with an already-flipped pref. This has likely been a bug for a little while.)
Confirmed crash -- here are STEPS TO REPRODUCE: 1. Toggle about:config pref svg.smil.enabled --> false 2. Visit http://blog.dholbert.org/2010/10/svg-as-image.html --> CRASH [@ mozilla::imagelib::SVGDocumentWrapper::StopAnimation ] bp-f5eab1fd-67e9-4521-8fa1-628fd2110107
Status: NEW → ASSIGNED
Keywords: crashreportid
OS: Windows XP → All
Hardware: x86 → All
Attached patch fix v1 (obsolete) — Splinter Review
Working on an automated test. (probably a mochitest, not a crashtest, since I need to flip a pref to trigger this crash.)
Attachment #502118 - Flags: review?(roc)
Keywords: reproducible
Here's the fix with a crashtest loaded into an iframe, in a mochitest that toggles the svg.smil.enabled pref off for its duration. I've confirmed that the mochitest passes with the fix, and fails without the fix. The failure looks like this, since we crash: >TEST-UNEXPECTED-FAIL | /tests/content/svg/content/test/test_SVGAnimatedImageSMILDisabled.html | Exited with code -11 during test run
Attachment #502118 - Attachment is obsolete: true
Attachment #502152 - Flags: review?(roc)
Attachment #502118 - Flags: review?(roc)
Comment on attachment 502152 [details] [diff] [review] fix v1 now w/ test Requesting approval. Simple well-understood fix, fixes crash, includes tests.
Attachment #502152 - Flags: approval2.0?
Comment on attachment 502152 [details] [diff] [review] fix v1 now w/ test It's like you have a key to my heart.
Attachment #502152 - Flags: approval2.0? → approval2.0+
Whiteboard: [needs landing]
http://hg.mozilla.org/mozilla-central/rev/2bf97aec7fdd
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Whiteboard: [needs landing]
Crash Signature: [@ mozilla::imagelib::SVGDocumentWrapper::StopAnimation() ]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: