Closed Bug 237216 Opened 20 years ago Closed 20 years ago

crash after gfxImageFrame::Init called with zero-sized rect

Categories

(Core :: SVG, defect)

defect
Not set
normal

RESOLVED FIXED

People

(Reporter: sicking, Assigned: alex)

Details

Attachments

(1 file, 1 obsolete file)

When doing some simple DOM animations with SVG, I every now and then get an
assertion "error - negative image size" followed by a null-nsCOMPtr dereference
assertion and a crash.

The problem seems to originate in nsSVGOuterSVGFrame::Paint producing a
zero-sized rect. The zero comes from |aDirtyRect.height*pxPerTwips| resulting in
zero. In my case aDirtyRect.height was 8.

A little bit later I crash in nsSVGLibartBitmapDefault::Flush since
nsCOMPtr<nsIImage> img(do_GetInterface(ireq)); has resulted in a null |img|.

Although the actual crash is libart-specific (it needs to check the success value
better), it seems wrong that nsSVGOuterSVGFrame::Paint should produce a
zero-sized area to paint.

Attached patch: patch to nsSVGOuterSVGFrame.cpp (obsolete)

OK, looks like we need to change the rounding when converting from twips->px
rect.
Attachment #143696 - Flags: review?(bugmail)

Comment on attachment 143696: patch to nsSVGOuterSVGFrame.cpp

This patch will 'round to nearest' for x1 and y1 (and strange rounding for x0,
y0). Don't you want to round towards positive infinity for x1, y1 and
negative infinity for x0, y0?

Note that (int) rounding always rounds towards 0 which is extra hairy if these
numbers can be negative. You might want to use the ceil() and floor()
functions.
Attachment #143696 - Flags: review?(bugmail) → review-
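
The rounding suggested in the review above, shown next to a truncating conversion, as an added example that is not the checked-in patch or Mozilla code. The struct and function names are hypothetical, the scale of 15 twips per pixel is an assumption, and the sample rects are constructed around the reported height of 8.

```cpp
#include <cmath>
#include <cstdio>

// Hypothetical stand-ins for illustration; these are not Mozilla's rect types.
struct TwipsRect { int x, y, width, height; };
struct PxRect {
  int x0, y0, x1, y1;  // half-open: [x0, x1) x [y0, y1)
  int Width() const { return x1 - x0; }
  int Height() const { return y1 - y0; }
  bool IsEmpty() const { return Width() <= 0 || Height() <= 0; }
};

// Assumed scale: 15 twips per pixel (1440 twips per inch at 96 dpi).
const double kPxPerTwips = 1.0 / 15.0;

// Model of the failure in the report: each field is scaled and cast with
// (int), which rounds toward zero, so a height of 8 twips becomes 0 px.
PxRect ConvertTruncating(const TwipsRect& r, double pxPerTwips) {
  int x = (int)(r.x * pxPerTwips);
  int y = (int)(r.y * pxPerTwips);
  int w = (int)(r.width * pxPerTwips);
  int h = (int)(r.height * pxPerTwips);
  return PxRect{x, y, x + w, y + h};
}

// Rounding from the review comment: floor() the top-left corner toward
// negative infinity and ceil() the bottom-right toward positive infinity,
// so the pixel rect encloses the dirty area, also for negative coordinates.
PxRect ConvertOutward(const TwipsRect& r, double pxPerTwips) {
  return PxRect{(int)std::floor(r.x * pxPerTwips),
                (int)std::floor(r.y * pxPerTwips),
                (int)std::ceil((r.x + r.width) * pxPerTwips),
                (int)std::ceil((r.y + r.height) * pxPerTwips)};
}

int main() {
  // Constructed sample input: height 8 as in the report, other values made up.
  const TwipsRect samples[] = {{20, 20, 41, 8}, {-20, -20, 41, 8}};
  for (const TwipsRect& r : samples) {
    PxRect t = ConvertTruncating(r, kPxPerTwips);
    PxRect o = ConvertOutward(r, kPxPerTwips);
    std::printf("truncating %dx%d (empty=%d)  outward %dx%d (empty=%d)\n",
                t.Width(), t.Height(), (int)t.IsEmpty(),
                o.Width(), o.Height(), (int)o.IsEmpty());
  }
  return 0;
}
```

With outward rounding a non-empty dirty rect never collapses to zero pixels, but a consumer of the rect should still check for an empty result before allocating an image.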
Attachment #143696 - Attachment is obsolete: true
Attachment #143731 - Flags: review?(bugmail)
Attachment #143731 - Flags: review?(bugmail) → review+
checked in
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED