Closed
Bug 531550
Opened 15 years ago
Closed 14 years ago
"ASSERTION: Trying to do sandwich add of more than one value" with svg:animateTransform
Categories
(Core :: SVG, defect)
Core
SVG
Tracking
()
RESOLVED
FIXED
mozilla2.0b8
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | final+ |
People
(Reporter: jruderman, Assigned: birtles)
References
Details
(Keywords: assertion, testcase)
Attachments
(2 files, 1 obsolete file)
|
114 bytes,
image/svg+xml
|
Details | |
|
2.64 KB,
patch
|
dholbert
:
review+
|
Details | Diff | Splinter Review |
testcase
###!!! ASSERTION: Trying to do sandwich add of more than one value.: 'srcTransforms.Length() == 1', file /Users/jruderman/central/content/svg/content/src/nsSVGTransformSMILType.cpp, line 169 ###!!! ASSERTION: invalid array index: 'i < Length()', file ../../../../dist/include/nsTArray.h, line 326 The first assertion is misleading: srcTransforms.Length() is actually 0.
|
Reporter | |
Comment 1•14 years ago
|
||
This prevents me from finding other "ASSERTION: invalid array index" bugs, which are often security holes :(
|
Assignee | |
Updated•14 years ago
|
Assignee: nobody → birtles
Status: NEW → ASSIGNED
blocking2.0: --- → ?
|
||
Comment 3•14 years ago
|
||
Comment on attachment 491746 [details] [diff] [review] Patch v1a >+ // [...] but since the duration is indefinite we'll actually try >+ // to add it. I'm confused about what this means -- why does an indefinite duration mean we'll actually try to add, when we wouldn't otherwise?
|
|
Assignee | |
Comment 4•14 years ago
|
||
(In reply to comment #3) > I'm confused about what this means -- why does an indefinite duration mean > we'll actually try to add, when we wouldn't otherwise? Yeah, good point this comment needs to be tweaked. For by-animation, normally the interpolation step would ensure that we don't end up with an empty transform animation value. However, when there's an indefinite duration we skip interpolation altogether and just set the first value (the empty 'from' value we'd normally interpolate from). However, I think there are other cases where this can arise too such as when we have values="1". So I'll tweak the comment to make this clearer.
blocking2.0: ? → final+
|
|
Assignee | |
Comment 5•14 years ago
|
||
Fix up comment as per comment 3.
Attachment #491746 -
Attachment is obsolete: true
Attachment #492618 -
Flags: review?(dholbert)
Attachment #491746 -
Flags: review?(dholbert)
|
|
||
Comment 6•14 years ago
|
||
Comment on attachment 492618 [details] [diff] [review] Patch v1b Makes much more sense now -- thanks for clarifying that! r=dholbert
Attachment #492618 -
Flags: review?(dholbert) → review+
|
|
Assignee | |
Comment 7•14 years ago
|
||
Pushed: http://hg.mozilla.org/mozilla-central/rev/b578485c389e
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Flags: in-testsuite+
OS: Mac OS X → All
Hardware: x86 → All
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b8
You need to log in
before you can comment on or make changes to this bug.
Description
•