896164 - crash in nsAnimationManager::BuildAnimations

Status: RESOLVED INCOMPLETE

(Core :: CSS Parsing and Computation, defect)

Description

[Scoobidiver (away)]

It started spiking in 25.0a1/20130712 and is #20 crasher in 25.0a1. The regression range for the spike is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=dde4dcd6fa46&tochange=b44898282f21

Signature 	nsAnimationManager::BuildAnimations(nsStyleContext*, nsTArray<ElementAnimation>&) More Reports Search
UUID 	4866f260-f9d1-4f80-9f3b-01ea32130719
Date Processed	2013-07-19 13:23:24.759828
Uptime	13
Last Crash	31 seconds before submission
Install Age 	478 since version was first installed.
Install Time 	2013-07-19 13:15:04
Product 	Firefox
Version 	25.0a1
Build ID 	20130719030204
Release Channel 	nightly
OS 	Mac OS X
OS Version 	10.8.4 12E55
Build Architecture 	amd64
Build Architecture Info 	family 6 model 37 stepping 5 | 4
Crash Reason 	EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Crash Address 	0x2c
App Notes 	
AdapterVendorID: 0x10de, AdapterDeviceID: 0x a29GL Layers! GL Context? GL Context+ GL Layers+ 

Frame 	Module 	Signature 	Source
0 	XUL 	nsAnimationManager::BuildAnimations(nsStyleContext*, nsTArray<ElementAnimation>&) 	obj-firefox/x86_64/dist/include/nsTArray.h
1 	XUL 	nsAnimationManager::CheckAnimationRule(nsStyleContext*, mozilla::dom::Element*) 	layout/style/nsAnimationManager.cpp
2 	XUL 	nsStyleSet::GetContext(nsStyleContext*, nsRuleNode*, nsRuleNode*, nsIAtom*, nsCSSPseudoElements::Type, mozilla::dom::Element*, unsigned int) 	layout/style/nsStyleSet.cpp
3 	XUL 	nsStyleSet::ResolveStyleFor(mozilla::dom::Element*, nsStyleContext*, TreeMatchContext&) 	layout/style/nsStyleSet.cpp
4 	XUL 	nsFrameManager::ReResolveStyleContext(nsPresContext*, nsIFrame*, nsIContent*, nsStyleChangeList*, nsChangeHint, nsChangeHint, nsRestyleHint, mozilla::css::RestyleTracker&, nsFrameManager::DesiredA11yNotifications, nsTArray<nsIContent*>&, TreeMatchContext&) 	layout/base/nsFrameManager.cpp
5 	XUL 	nsFrameManager::ComputeStyleChangeFor(nsIFrame*, nsStyleChangeList*, nsChangeHint, mozilla::css::RestyleTracker&, bool) 	layout/base/nsFrameManager.cpp
6 	XUL 	nsCSSFrameConstructor::RestyleElement(mozilla::dom::Element*, nsIFrame*, nsChangeHint, mozilla::css::RestyleTracker&, bool) 	layout/base/nsCSSFrameConstructor.cpp
7 	XUL 	mozilla::css::RestyleTracker::DoProcessRestyles() 	layout/base/RestyleTracker.cpp
8 	XUL 	nsCSSFrameConstructor::ProcessPendingRestyles() 	layout/base/RestyleTracker.h
9 	XUL 	PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) 	layout/base/nsPresShell.cpp
10 	XUL 	nsDocument::FlushPendingNotifications(mozFlushType) 	content/base/src/nsDocument.cpp
11 	XUL 	mozilla::dom::Element::GetScrollFrame(nsIFrame**) 	content/base/src/Element.cpp
12 	XUL 	mozilla::dom::ElementBinding::get_scrollLeft 	obj-firefox/x86_64/dist/include/mozilla/dom/Element.h
13 	XUL 	mozilla::dom::ElementBinding::genericGetter 	obj-firefox/x86_64/dom/bindings/ElementBinding.cpp
14 	XUL 	js::ion::DoCallNativeGetter 	js/src/ion/BaselineIC.cpp
15 		@0x1000f8aab 	
16 	XUL 	js::ion::DebugPrologue(JSContext*, js::ion::BaselineFrame*, int*) 	js/src/ion/VMFunctions.cpp

More reports at:
https://crash-stats.mozilla.com/report/list?product=Firefox&signature=nsAnimationManager%3A%3ABuildAnimations%28nsStyleContext*%2C+nsTArray%3CElementAnimation%3E%26%29

Comment 1

[Sebastian Zartner [:sebo]]

My crash report:

https://crash-stats.mozilla.com/report/index/7ada4189-cc51-429a-8e3f-903772130730

Test case for this:
1. Install Firebug 1.11.4 from addons.mozilla.org
2. Open Firebug at http://www.dropzonejs.com/
3. Enable and switch to the Net panel
4. Drag a big file (in my case it was around 200MB) into the first "Drop files to upload" area

The crash signature is not always the same. Sometimes I get the signature of bug 542120.

Sebastian

Comment 2

[u279076]

I'm not sure if the steps in comment 1 are valid anymore as I cannot reproduce this as described in Firefox 25.0b1. Sebastian, can you please give this another go and report your results?

By the way, looking at recent crash-stats this is pretty low volume, 3 crashes on Firefox 24.0 and 2 crashes on Firefox 23.0.1 in the last week (no crashes reported for any other version).

Comment 3

[Sebastian Zartner [:sebo]]

I also can't reproduce my steps anymore using Firefox 24.0/25.0/26.0a2/27.0a1 + Firebug 1.12.2. Though I need to say that I'm also currently testing on another system.
Later I'll test on the original system I tested before and check if the problem is also gone there. So I don't clear the 'needinfo' flag yet.

Sebastian

Comment 4

[Sebastian Zartner [:sebo]]

Hmm, on the other machine there are still crashes, though with different signatures:

https://crash-stats.mozilla.com/report/index/2e8f030c-f8da-4408-86f1-095aa2130926
https://crash-stats.mozilla.com/report/index/1bc34cc1-a643-48a4-b59d-f3f262130926
https://crash-stats.mozilla.com/report/index/775058cc-fba4-4ccd-8c31-528052130926

I need to do one additional step to trigger the crash, though. I am moving the mouse over the request's "Size" column within Firebug's Net panel. (Didn't try that at the other machine before.)

Sebastian

Comment 5

[u279076]

My steps:
1. Install Firefox 24.0 and start with a new profile
2. Install Firebug from https://addons.mozilla.org/en-US/firefox/addon/firebug
3. Open a new tab to http://www.dropzonejs.com/
4. Open Firebug, click the Net tab and click the Enable link
5. Drag a 258MB text file onto the drop zone
> RESULT: Crash

IMPORTANT: This crash only reproduces if the Net panel is not enabled before loading Dropzone. If it's already enabled the browser will hang for a bit while the file is loaded but ultimately recovers.

Note that as per step 1 this bug affects Firefox 24 as well. I will try to see if this goes back even further.

Comment 6

[u279076]

FWIW, I can reproduce this on any page, even about:home and I can reproduce this going back to Firefox 20 so far but only with Firebug installed. I'm starting to think this is Firebug's bug. I'm not convinced this is a regression at this point. Perhaps the signature first showed up in Firefox 25 but the crashing situation did not. Unfortunately I cannot confirm 100% since my crash reports are returning "report could not be located" even though they've been submitted.

Sebastian, if you have evidence that this is definitely a Firefox regression I think you'll need to provide the regression window. We have a tool for this: http://mozilla.github.io/mozregression/

Comment 7

[Sebastian Zartner [:sebo]]

My latest crash reports also don't show up.
I tried on my Win 8.1 machine again now and it also crashed. Though I always has to hover the "Size" column for the request within the Net panel.

FWIW I reproduced my test case again on the other machine and it also crashes for me, though only when I hover the "Size" column within the Net panel.

> FWIW, I can reproduce this on any page, even about:home
What are the exact steps there?

Sebastian

Comment 8

[u279076]

(In reply to Sebastian Zartner from comment #7)
> > FWIW, I can reproduce this on any page, even about:home
> What are the exact steps there?

1. Install Firefox 24.0 and start with a new profile
2. Install Firebug from https://addons.mozilla.org/en-US/firefox/addon/firebug
3. Load about:home in the current tab
4. Open Firebug, click the Net tab and click the Enable link
5. Drag a 258MB text file into content

Comment 9

[u279076]

Watching the process in Task Manager the memory usage grows quite rapidly -- this could be generic OOM situation.

Comment 10

[Ryan VanderMeulen [:RyanVM]]

No recent crash reports with this signature. Can you still reproduce this, Anthony?

Comment 11

[u279076]

(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #10)
> No recent crash reports with this signature. Can you still reproduce this,
> Anthony?

No, the crash does not reproduce in the latest Nightly.