Closed
Bug 164049
Opened 22 years ago
Closed 20 years ago
SVGTransform.prototype.setMatrix crashes on null or undefined argument
Categories
(Core :: SVG, defect)
Core
SVG
Tracking
()
RESOLVED
FIXED
People
(Reporter: jasonkarldavis, Assigned: jwatt)
Details
(Keywords: crash)
Attachments
(2 files, 1 obsolete file)
|
889 bytes,
image/svg+xml
|
Details | |
|
886 bytes,
patch
|
alex
:
review+
|
Details | Diff | Splinter Review |
testcase - click button to crash
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.1b) Gecko/20020814
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.1b) Gecko/20020814
Calling setMatrix(null) and setMatrix(undefined) crashes the browser. Calling
setMatrix({}) and setMatrix([]) will disable rendering of any elements the
transform applies to. I believe it is because it interprets them as
matrix(0,0,0,0,0,0). Other literals, such as false, 7, and 'hello' all throw errors.
http://www.w3.org/TR/SVG11/coords.html#InterfaceSVGTransform does not claim
setMatrix throws an exception, but the IDL indicates it should only accept an
object of type SVGMatrix. Therefore, the literals should not throw an error, and
instead should do absolutely nothing. Same with the empty object and array
literals (which presently kill rendering).
Then again, throwing an error would make sense - would someone else with more
knowledge on the subject please comment?
Reproducible: Always
Steps to Reproduce:
1. View the URL
Actual Results:
Mozilla crashed.
Expected Results:
Do absolutely nothing as per the specs, or throw an error.
Hi Using:Mozilla 1.1b Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.1b) Gecko/20020814 I confirm this behavior.
Well I'll try again, in that I believe that I've got confirm rights. Perhaps the new Bugzilla has a bug ;-) Using: Mozilla 1.1b Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.1b) Gecko/20020814 I confirm this behavior.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Steve, it would appear that you do indeed have confirm rights. Do you get at Talkback incidentID for your efforts? Please list that here. Thanks.
Hello No, a Talkback incidentID is not possible in that these builds are 'experimental' zips with no Talkback features.
|
||
Comment 5•21 years ago
|
||
The URL is gone. Jason, do you still see this problem? If so, can you repost your test case?
|
Assignee | |
Comment 6•20 years ago
|
||
|
|
Assignee | |
Comment 7•20 years ago
|
||
Lets you set and test different arguments.
Attachment #150371 -
Attachment is obsolete: true
|
|
Assignee | |
Updated•20 years ago
|
|
|
Assignee | |
Comment 8•20 years ago
|
||
Apparently the JavaScript values null and undefined get passed to the C++ function as nsnull, so a simple NS_ENSURE_ARG(matrix) will fix the crash, but I will try and implement sensible handling of JS objects that don't implement QueryInterface before creating a patch.
Assignee: alex → jonathan.watt
|
|
Assignee | |
Updated•20 years ago
|
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 9•20 years ago
|
||
On second thoughts here's the patch to solve the crash. The problems encountered when JS objects are passed to setMatrix extend far further than just this function. Sanity checking of parameters would be better addressed as a separate issue. Roughly speaking the plan will be to ensure that only objects that are instances of *our* implementations of SVG interfaces may be passed to such functions (since XPConnect makes it impossible for the C++ code to ensure JS objects fully implement such interfaces and the interfaces they inherit).
|
|
Assignee | |
Updated•20 years ago
|
Attachment #150965 -
Flags: review?(alex)
|
||
Updated•20 years ago
|
Attachment #150965 -
Flags: review?(alex) → review+
|
|
||
Comment 10•20 years ago
|
||
Checked in.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•