Closed Bug 289839 Opened 19 years ago Closed 19 years ago

SVG crashes when unloading a text gradient

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: rod, Assigned: tor)

References

(
URL
)

Details

(Keywords: crash)

Attachments

(2 files)

file from W3C testsuite
6.99 KB, image/svg+xml
Details
prevent crash
1.97 KB, patch
jwatt
: review+
mkaply
: approval1.8b2+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b2) Gecko/20050409 Firefox/1.0+
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b2) Gecko/20050409 Firefox/1.0+

A daily firefox build with the svg extension core dumps when
the page with the following attached svg document is unloaded by
hitting the back button.

The attached svg document is extracted from:
   http://www.carto.net/papers/svg/samples/fill.shtml

The build information is:

Configure arguments:
--enable-application=browser --disable-ldap --disable-mailnews
--enable-extensions=cookie,xml-rpc,xmlextras,pref,transformiix,universalchardet,
webservices,inspector,gnomevfs,negotiateauth
--disable-composer --enable-single-profile --disable-profilesharing
--enable-crypto --enable-xft --disable-freetype2 --disable-installer
--enable-default-toolkit=gtk2 --disable-tests --disable-debug
--enable-optimize=-O2 --disable-shared --enable-static
--enable-svg --enable-svg-renderer-cairo



Reproducible: Always

Steps to Reproduce:
1. load web page err1.svg
2. select the back button


Actual Results:  
firefox dies

Expected Results:  
not crash

<?xml version="1.0" encoding="iso-8859-1" standalone="no"?>
<!-- err1.svg -->
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.0//EN"
"http://www.w3.org/TR/SVG/DTD/svg10.dtd">
<svg width="262" height="320" zoomAndPan="disable"
     xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve">

  <defs>
   <linearGradient id="txGradient" transform="rotate(90)">
    <stop offset="0%" stop-color="black"/>
    <stop offset="100%" stop-color="white"/>
   </linearGradient>
  </defs>

  <g transform="translate(20,20)">
   <g>
    <text x="25" y="235" id="transptext" style="font-size:26"
transform="rotate(90),translate(-18,-448)"><tspan
style="fill:url(#txGradient);">&lt; transparency &gt;</tspan></text>
   </g>
  </g>
-> Core / SVG
Severity: normal → critical
Component: General → SVG
Keywords: crash
Product: Firefox → Core
Version: unspecified → Trunk
Assignee: firefox → general
QA Contact: general → ian
Attached image file from W3C testsuite 
it seems like gradients used on text and tspan elements are causing this bug.
Attached patch prevent crashSplinter Review 
I think this was caused by the gradient "liveness" patch.  When the gradient
frame it destroyed, it tells its frame buddies that their fill has changed.
In the case of the glyph frame, this causes a Suspend/UnsuspendDraw with a
null view manager.
Assignee: general → tor
Status: UNCONFIRMED → ASSIGNED
Attachment #180379 - Flags: review?(scootermorris)
*** Bug 290053 has been marked as a duplicate of this bug. ***
Comment on attachment 180379 [details] [diff] [review]
prevent crash

What about in InvalidateRegion? Can that be called during teardown?
Attachment #180379 - Flags: review?(scootermorris) → review+
I think the logic of UnsuspendRedraw/NotifyRedrawUnsuspended/UpdateGraphic
are such that we won't end up in the situation you describe.
Summary: SVG crashes when onloading the indicated web page → SVG crashes when unloading a text gradient
Attachment #180379 - Flags: approval1.8b2?
Comment on attachment 180379 [details] [diff] [review]
prevent crash

a=mkaply
Attachment #180379 - Flags: approval1.8b2? → approval1.8b2+
Checked in.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: