Closed Bug 1160471 Opened 9 years ago Closed 8 years ago

Firefox crashes when manipulating an SVG file

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Version:
37 Branch
Platform:
x86
Windows
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: petersz.szabo, Assigned: bas.schouten)

References

Details

(Keywords: crash, regression)

Crash Data

User Story

Caused by https://hg.mozilla.org/integration/mozilla-inbound/rev/4f086025350f which was from 934305 (despite what the mistaken commit message says)

Attachments

(3 files)

Open Index.html in Firefox and see the browser crashing
394.11 KB, application/x-zip-compressed
Details
testcase.zip
3.07 KB, application/x-zip-compressed
Details
reduced testcase (WATCH OUT! HANG/CRASH!)
303 bytes, image/svg+xml
Details 
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36

Steps to reproduce:

I was manipulating an SVG file with JavaScript


Actual results:

The browser crashes


Expected results:

The browser should not crash :)
I can confirm a OOM crash with Firefox37 on Windows7
Severity: normal → critical
Status: UNCONFIRMED → NEW
Crash Signature: [@ OOM | large | mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xmalloc | std::vector<ots::OpenTypeCMAPSubtableRange, std::allocator<ots::OpenTypeCMAPSubtableRange> >::_Reallocate(unsigned int) ]
Component: Untriaged → SVG
Ever confirmed: true
Keywords: crash
OS: Unspecified → Windows
Product: Firefox → Core
Hardware: Unspecified → x86
Can you add the report ids (including the bp) from about:crashes please
Keywords: regression
Sorry,
it should be Bug 930577
Blocks: 930577
No longer blocks: 651858
Flags: needinfo?(jwatt)
Blocks: 934305
User Story: (updated)
Peter, would you be able to reduce your testcase to something considerably smaller by incrementally chopping bits out of it until you can no longer remove any more without the crash failing to occur?
Flags: needinfo?(jwatt) → needinfo?(petersz.szabo)
Attached file testcase.zip 
Flags: needinfo?(petersz.szabo)

    
    

    
  
That's much better, but I'm not familiar with DrawSVGPlugin or TweenMax. Can you also get rid of those?

    
    

    
  
Unfortunately neither I'm familiar with those libraries. They are third-party libraries from http://greensock.com/drawSVG

    
    

    
  
But I assume you wrote the code:

  TweenMax.staggerTo("#main-line-10", 0, {drawSVG: 0}, 0);

Can you explain what that does? The staggerTo part seems to essentially do some sort of step from one value to another, but the {drawSVG: 0} part and what the value is changing to is not at all clear.

    
    

    
  
I wanted to create an animation, which draws the paths of an SVG image.

To achieve that, I "initialize" the SVG by calling the mentioned function to display "0%" of the given SVG path.

Then I call TweenMax.staggerTo("#main-line-10", 0.5, {drawSVG: "100%"}, 0.1); to slowly draw the full path.

Basically something similar to this: http://codepen.io/netgfx/pen/OPNOgM

I was able to draw other SVG paths, only the one in the attached HTML file is causing the browser to crash.

    
    

    
  


  
Does this still cause issues on Windows?

        Attachment #8607227 -
        Attachment description: reduced testcase → reduced testcase (WATCH OUT! HANG/CRASH!)

    
    

    
  
Yes, It does.

    
    

    
  
Great, thanks for your help reducing the testcase.

Bas, can you take a look at what's going wrong with the path measuring code?
Flags: needinfo?(bas)

    
  
Assignee: nobody → bas
Flags: needinfo?(bas)

    
    

    
  
It seems that the patch in bug 1134549 fixes this.
Depends on: 1134549

    
  
Crash Signature: [@ OOM | large | mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xmalloc | std::vector<ots::OpenTypeCMAPSubtableRange, std::allocator<ots::OpenTypeCMAPSubtableRange> >::_Reallocate(unsigned int) ] → [@ OOM | large | mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xmalloc | std::vector<ots::OpenTypeCMAPSubtableRange, std::allocator<ots::OpenTypeCMAPSubtableRange> >::_Reallocate(unsigned int) ]
[@ OOM | large | mozalloc_abo…

    
    

    
  
I can no longer reproduce in Ubuntu 15.10, now that the patch referred to in comment 15 was pushed in https://hg.mozilla.org/mozilla-central/rev/3e73fc0dfb01
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: