Closed Bug 289839 Opened 20 years ago Closed 20 years ago

SVG crashes when unloading a text gradient

Categories

(Core :: SVG, defect)

Platform: x86 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

RESOLVED FIXED

People

(Reporter: rod, Assigned: tor)

Details

(Keywords: crash)

Attachments

(2 files)

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b2) Gecko/20050409 Firefox/1.0+
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b2) Gecko/20050409 Firefox/1.0+

A daily Firefox build with the SVG extension core dumps when the page with the following attached SVG document is unloaded by hitting the back button. The attached SVG document is extracted from: http://www.carto.net/papers/svg/samples/fill.shtml

The build information is:

Configure arguments:
--enable-application=browser
--disable-ldap
--disable-mailnews
--enable-extensions=cookie,xml-rpc,xmlextras,pref,transformiix,universalchardet,
webservices,inspector,gnomevfs,negotiateauth
--disable-composer
--enable-single-profile
--disable-profilesharing
--enable-crypto
--enable-xft
--disable-freetype2
--disable-installer
--enable-default-toolkit=gtk2
--disable-tests
--disable-debug
--enable-optimize=-O2
--disable-shared
--enable-static
--enable-svg
--enable-svg-renderer-cairo

Reproducible: Always

Steps to Reproduce:
1. load web page err1.svg
2. select the back button

Actual Results:
Firefox dies

Expected Results:
not crash

<?xml version="1.0" encoding="iso-8859-1" standalone="no"?>
<!-- err1.svg -->
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.0//EN" "http://www.w3.org/TR/SVG/DTD/svg10.dtd">
<svg width="262" height="320" zoomAndPan="disable" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve">
  <defs>
    <linearGradient id="txGradient" transform="rotate(90)">
      <stop offset="0%" stop-color="black"/>
      <stop offset="100%" stop-color="white"/>
    </linearGradient>
  </defs>
  <g transform="translate(20,20)">
    <g>
      <text x="25" y="235" id="transptext" style="font-size:26" transform="rotate(90),translate(-18,-448)"><tspan style="fill:url(#txGradient);">&lt; transparency &gt;</tspan></text>
    </g>
  </g>
</svg>
-> Core / SVG
Severity: normal → critical
Component: General → SVG
Keywords: crash
Product: Firefox → Core
Version: unspecified → Trunk
Assignee: firefox → general
QA Contact: general → ian
Attached image file from W3C testsuite
It seems like gradients used on text and tspan elements are causing this bug.
Attached patch prevent crash
I think this was caused by the gradient "liveness" patch. When the gradient frame is destroyed, it tells its frame buddies that their fill has changed. In the case of the glyph frame, this causes a Suspend/UnsuspendDraw with a null view manager.
Assignee: general → tor
Status: UNCONFIRMED → ASSIGNED
Attachment #180379 - Flags: review?(scootermorris)
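
The teardown sequence described in the comment above, as a simplified C++ model. This is an added example, not the attached patch or Mozilla's code: all class and method names are hypothetical, and it assumes the view-manager pointer is already null when the gradient frame's destructor notifies its users.

```cpp
#include <vector>

// Hypothetical stand-in for the object that batches repaints.
struct ViewManager {
    int batchDepth = 0;
    void BeginBatch() { ++batchDepth; }
    void EndBatch()   { --batchDepth; }
};

// Hypothetical text frame whose fill references a gradient.
struct GlyphFrame {
    ViewManager* vm = nullptr;   // null once the presentation is torn down
    int repaints = 0;
    int skipped = 0;

    // Observer callback with the guard in place. Without the null check,
    // the BeginBatch() call below dereferences a null pointer when the
    // notification arrives from the gradient's destructor.
    bool FillChanged() {
        if (!vm) { ++skipped; return false; }   // teardown: nothing to redraw
        vm->BeginBatch();
        ++repaints;
        vm->EndBatch();
        return true;
    }
};

// Hypothetical gradient frame that notifies its users when destroyed.
struct GradientFrame {
    std::vector<GlyphFrame*> users;
    ~GradientFrame() {
        for (GlyphFrame* g : users) g->FillChanged();
    }
};

// Replays the unload: one repaint on the live page, then the view manager
// goes away before the gradient frame is destroyed (assumed ordering).
int UnloadPage(GlyphFrame& glyph, ViewManager& vm) {
    glyph.vm = &vm;
    {
        GradientFrame gradient;
        gradient.users.push_back(&glyph);
        glyph.FillChanged();     // live page: repaint is scheduled
        glyph.vm = nullptr;      // back button: presentation torn down
    }                            // ~GradientFrame fires the notification
    return glyph.skipped;        // notifications safely ignored
}

int main() {
    GlyphFrame glyph;
    ViewManager vm;
    return UnloadPage(glyph, vm) == 1 ? 0 : 1;
}
```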
*** Bug 290053 has been marked as a duplicate of this bug. ***
Comment on attachment 180379 prevent crash
What about in InvalidateRegion? Can that be called during teardown?
Attachment #180379 - Flags: review?(scootermorris) → review+
I think the logic of UnsuspendRedraw/NotifyRedrawUnsuspended/UpdateGraphic are such that we won't end up in the situation you describe.
Summary: SVG crashes when onloading the indicated web page → SVG crashes when unloading a text gradient
Attachment #180379 - Flags: approval1.8b2?
Comment on attachment 180379 prevent crash
a=mkaply
Attachment #180379 - Flags: approval1.8b2? → approval1.8b2+
Checked in.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED