Closed Bug 868904 Opened 7 years ago Closed 7 years ago

Too-much-recursion crash with CSS animated transform, SVG

Categories

(Core :: SVG, defect, critical)

23 Branch

Tracking

VERIFIED FIXED
mozilla23
Tracking Status
firefox22 --- unaffected
firefox23 --- verified

People

(Reporter: jruderman, Assigned: longsonr)

Details

(Keywords: crash, regression, testcase)

Attachments

(2 files)

Repeating portion of the stack:

> #136 0x0000000101cd9f27 in nsIFrame::IsTransformed (this=0x10e3b2a88) at layout/generic/nsFrame.cpp:991
> #137 0x0000000102e4b198 in nsSVGOuterSVGFrame::IsSVGTransformed (this=0x10e3b2980, aOwnTransform=0x0, aFromParentTransform=0x0) at nsSVGOuterSVGFrame.h:102
> #138 0x0000000101dc1d0d in mozilla::css::CommonElementAnimationData::CanAnimatePropertyOnCompositor (aElement=0x113deff20, aProperty=eCSSProperty_transform, aFlags=mozilla::css::CommonElementAnimationData::CanAnimate_AllowPartial) at layout/style/AnimationCommon.cpp:309
> #139 0x0000000101de6754 in ElementAnimations::CanPerformOnCompositorThread (this=0x1246450d0, aFlags=mozilla::css::CommonElementAnimationData::CanAnimate_AllowPartial) at layout/style/nsAnimationManager.cpp:400
> #140 0x0000000101bf8093 in HasAnimationOrTransition (aContent=0x113deff20, aAnimationProperty=0x10ca19fa0, aProperty=eCSSProperty_transform) at layout/base/nsLayoutUtils.cpp:193
> #141 0x0000000101bf7fcf in nsLayoutUtils::HasAnimationsForCompositor (aContent=0x113deff20, aProperty=eCSSProperty_transform) at layout/base/nsLayoutUtils.cpp:208
> #142 0x0000000101cd9f27 in nsIFrame::IsTransformed (this=0x10e3b2a88) at layout/generic/nsFrame.cpp:991
No crash on Windows.
Version: Trunk → 23 Branch
Attached patch: patch
Assignee: nobody → longsonr
Attachment #745769 - Flags: review?(dholbert)
(In reply to Scoobidiver from comment #2)
> No crash on Windows.

It crashes on Windows.  I bet the regressing changeset just hasn't hit Nightly yet.

Also, note that any given too-much-recursion bug can have dozens of Socorro signatures, depending on (how much stack space you have modulo the size of the repeating portion).  See bug 559077.
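
For triage, the signature scatter described in the comment above can be collapsed by keying on the repeating cycle instead of the top frame. The following is an added example, not part of the original bug thread and not Socorro's code: it pulls function names out of gdb-style frames, finds the shortest repeating period near the top of the stack, and rotates the cycle into a canonical order. `recursion_signature`, `constructed_trace`, the window size and the generated trace are assumptions of this example; only the six function names come from the stack quoted in the bug.

```python
import re

# Function names from the repeating portion quoted in the bug, innermost frame first.
CYCLE = [
    "nsIFrame::IsTransformed",
    "nsSVGOuterSVGFrame::IsSVGTransformed",
    "mozilla::css::CommonElementAnimationData::CanAnimatePropertyOnCompositor",
    "ElementAnimations::CanPerformOnCompositorThread",
    "HasAnimationOrTransition",
    "nsLayoutUtils::HasAnimationsForCompositor",
]

# Matches "#136 0x0000000101cd9f27 in nsIFrame::IsTransformed (...)", with or without "> ".
FRAME_RE = re.compile(r"#\d+\s+0x[0-9a-fA-F]+ in ([\w:~]+)")


def constructed_trace(offset, depth=40):
    """Constructed sample: the stack ran out `offset` frames into the cycle."""
    names = [CYCLE[(offset + i) % len(CYCLE)] for i in range(depth)] + ["main"]
    return "\n".join(
        f"> #{i} 0x{0x1000 + i:016x} in {name} ()" for i, name in enumerate(names)
    )


def recursion_signature(trace, window=24, min_repeats=3):
    """Return a rotation-independent signature for runaway recursion, or None.

    Only the top `window` frames are examined, so the non-repeating frames
    at the bottom of the stack (main, event loop) do not break the match.
    """
    frames = FRAME_RE.findall(trace)[:window]
    for period in range(1, len(frames) // min_repeats + 1):
        # A period fits if every frame equals the frame `period` positions below it.
        if all(frames[i] == frames[i + period] for i in range(len(frames) - period)):
            cycle = frames[:period]
            rotations = [cycle[i:] + cycle[:i] for i in range(period)]
            # The lexicographically smallest rotation is the same for every entry point.
            return " | ".join(min(rotations))
    return None


if __name__ == "__main__":
    for offset in (0, 3):
        print(offset, recursion_signature(constructed_trace(offset)))
```

Both constructed traces have different top frames yet produce the same signature, so crash reports that differ only in where the stack overflowed group together.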
Comment on attachment 745769 [details] [diff] [review]
patch

r=me

I'll land this on Robert's behalf (at his request).

Try push: https://tbpl.mozilla.org/?tree=Try&rev=1c9552006a6e
Attachment #745769 - Flags: review?(dholbert) → review+
https://hg.mozilla.org/mozilla-central/rev/350afae381eb
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
Duplicate of this bug: 869818
Mozilla/5.0 (X11; Linux i686; rv:23.0) Gecko/20100101 Firefox/23.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:23.0) Gecko/20100101 Firefox/23.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0

Verified as fixed on Firefox 23 Beta 1 (buildID: 20130625125232) and latest Nightly (buildID: 20130625031238).
Status: RESOLVED → VERIFIED