Closed Bug 1209525 Opened 10 years ago Closed 10 years ago

Assertion failure: inverted (Attempted to get the inverse of a non-invertible matrix), at c:\users\mozilla\debug-builds\mozilla-central\firefox-debug\dist\include\mozilla/gfx/Matrix.h:215

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla44
Tracking Flags:
Tracking Status
firefox42 --- unaffected
firefox43 + fixed
firefox44 --- fixed

People

(Reporter: cbook, Assigned: twointofive)

References

(
URL
)

Details

(Keywords: assertion, regression)

Attachments

(1 file, 2 obsolete files)

Patch v3
6.52 KB, patch
lizzard
: approval-mozilla-aurora+
Details | Diff | Splinter Review
Found via bughunter and reproduced on a windows 7 debug build. Steps to reproduce: Load https://yadi.sk/d/A_GSZmPHH6Xrk --> Assertion failure: inverted (Attempted to get the inverse of a non-invertible matrix), at c:\users\m ozilla\debug-builds\mozilla-central\firefox-debug\dist\include\mozilla/gfx/Matrix.h:215 #01: mozilla::dom::SVGRectElement::GetGeometryBounds (c:\users\mozilla\debug-builds\mozilla-central\ dom\svg\svgrectelement.cpp:155) #02: nsSVGPathGeometryFrame::GetBBoxContribution (c:\users\mozilla\debug-builds\mozilla-central\layo ut\svg\nssvgpathgeometryframe.cpp:515) #03: nsSVGPathGeometryFrame::ReflowSVG (c:\users\mozilla\debug-builds\mozilla-central\layout\svg\nss vgpathgeometryframe.cpp:404) #04: nsSVGDisplayContainerFrame::ReflowSVG (c:\users\mozilla\debug-builds\mozilla-central\layout\svg \nssvgcontainerframe.cpp:361) #05: nsSVGDisplayContainerFrame::ReflowSVG (c:\users\mozilla\debug-builds\mozilla-central\layout\svg \nssvgcontainerframe.cpp:361) #06: nsSVGOuterSVGFrame::Reflow (c:\users\mozilla\debug-builds\mozilla-central\layout\svg\nssvgouter svgframe.cpp:458) #07: nsContainerFrame::ReflowChild (c:\users\mozilla\debug-builds\mozilla-central\layout\generic\nsc ontainerframe.cpp:1003) #08: nsCanvasFrame::Reflow (c:\users\mozilla\debug-builds\mozilla-central\layout\generic\nscanvasfra me.cpp:690) #09: nsContainerFrame::ReflowChild (c:\users\mozilla\debug-builds\mozilla-central\layout\generic\nsc ontainerframe.cpp:1003) #10: nsHTMLScrollFrame::ReflowScrolledFrame (c:\users\mozilla\debug-builds\mozilla-central\layout\ge neric\nsgfxscrollframe.cpp:529) #11: nsHTMLScrollFrame::ReflowContents (c:\users\mozilla\debug-builds\mozilla-central\layout\generic \nsgfxscrollframe.cpp:660) #12: nsHTMLScrollFrame::Reflow (c:\users\mozilla\debug-builds\mozilla-central\layout\generic\nsgfxsc rollframe.cpp:876) #13: nsContainerFrame::ReflowChild (c:\users\mozilla\debug-builds\mozilla-central\layout\generic\nsc ontainerframe.cpp:1045) #14: ViewportFrame::Reflow (c:\users\mozilla\debug-builds\mozilla-central\layout\generic\nsviewportf rame.cpp:217) #15: PresShell::DoReflow (c:\users\mozilla\debug-builds\mozilla-central\layout\base\nspresshell.cpp: 9076) #16: PresShell::ProcessReflowCommands (c:\users\mozilla\debug-builds\mozilla-central\layout\base\nsp resshell.cpp:9242) #17: PresShell::FlushPendingNotifications (c:\users\mozilla\debug-builds\mozilla-central\layout\base \nspresshell.cpp:4137) #18: PresShell::FlushPendingNotifications (c:\users\mozilla\debug-builds\mozilla-central\layout\base \nspresshell.cpp:3978) #19: mozilla::image::SVGDocumentWrapper::FlushLayout (c:\users\mozilla\debug-builds\mozilla-central\ image\svgdocumentwrapper.cpp:398) #20: mozilla::image::VectorImage::OnSVGDocumentLoaded (c:\users\mozilla\debug-builds\mozilla-central \image\vectorimage.cpp:1196) #21: mozilla::image::SVGLoadEventListener::HandleEvent (c:\users\mozilla\debug-builds\mozilla-centra l\image\vectorimage.cpp:225) #22: mozilla::EventListenerManager::HandleEventSubType (c:\users\mozilla\debug-builds\mozilla-centra l\dom\events\eventlistenermanager.cpp:1011) #23: mozilla::EventListenerManager::HandleEventInternal (c:\users\mozilla\debug-builds\mozilla-centr al\dom\events\eventlistenermanager.cpp:1139) #24: mozilla::EventListenerManager::HandleEvent (c:\users\mozilla\debug-builds\mozilla-central\firef ox-debug\dist\include\mozilla\eventlistenermanager.h:350) #25: mozilla::EventTargetChainItem::HandleEvent (c:\users\mozilla\debug-builds\mozilla-central\dom\e vents\eventdispatcher.cpp:226) #26: mozilla::EventTargetChainItem::HandleEventTargetChain (c:\users\mozilla\debug-builds\mozilla-ce ntral\dom\events\eventdispatcher.cpp:317) #27: mozilla::EventDispatcher::Dispatch (c:\users\mozilla\debug-builds\mozilla-central\dom\events\ev entdispatcher.cpp:655) #28: mozilla::EventDispatcher::DispatchDOMEvent (c:\users\mozilla\debug-builds\mozilla-central\dom\e vents\eventdispatcher.cpp:719) #29: nsINode::DispatchEvent (c:\users\mozilla\debug-builds\mozilla-central\dom\base\nsinode.cpp:1295 ) #30: mozilla::AsyncEventDispatcher::Run (c:\users\mozilla\debug-builds\mozilla-central\dom\events\as ynceventdispatcher.cpp:53) #31: nsThread::ProcessNextEvent (c:\users\mozilla\debug-builds\mozilla-central\xpcom\threads\nsthrea d.cpp:960) #32: NS_ProcessNextEvent (c:\users\mozilla\debug-builds\mozilla-central\xpcom\glue\nsthreadutils.cpp :277) #33: mozilla::ipc::MessagePump::Run (c:\users\mozilla\debug-builds\mozilla-central\ipc\glue\messagep ump.cpp:95) #34: MessageLoop::RunInternal (c:\users\mozilla\debug-builds\mozilla-central\ipc\chromium\src\base\m essage_loop.cc:234) #35: MessageLoop::RunHandler (c:\users\mozilla\debug-builds\mozilla-central\ipc\chromium\src\base\me ssage_loop.cc:228) #36: MessageLoop::Run (c:\users\mozilla\debug-builds\mozilla-central\ipc\chromium\src\base\message_l oop.cc:202) #37: nsBaseAppShell::Run (c:\users\mozilla\debug-builds\mozilla-central\widget\nsbaseappshell.cpp:15 8) #38: nsAppShell::Run (c:\users\mozilla\debug-builds\mozilla-central\widget\windows\nsappshell.cpp:18 0) #39: nsAppStartup::Run (c:\users\mozilla\debug-builds\mozilla-central\toolkit\components\startup\nsa ppstartup.cpp:282) #40: XREMain::XRE_mainRun (c:\users\mozilla\debug-builds\mozilla-central\toolkit\xre\nsapprunner.cpp :4298) #41: XREMain::XRE_main (c:\users\mozilla\debug-builds\mozilla-central\toolkit\xre\nsapprunner.cpp:43 91) #42: XRE_main (c:\users\mozilla\debug-builds\mozilla-central\toolkit\xre\nsapprunner.cpp:4493) #43: do_main (c:\users\mozilla\debug-builds\mozilla-central\browser\app\nsbrowserapp.cpp:212) #44: NS_internal_main (c:\users\mozilla\debug-builds\mozilla-central\browser\app\nsbrowserapp.cpp:39 9) #45: wmain (c:\users\mozilla\debug-builds\mozilla-central\toolkit\xre\nswindowswmain.cpp:138) #46: __tmainCRTStartup (f:\dd\vctools\crt\crtw32\startup\crt0.c:255) #47: BaseThreadInitThunk[kernel32 +0x4ee1c] #48: RtlInitializeExceptionChain[ntdll +0x637eb] #49: RtlInitializeExceptionChain[ntdll +0x637be]
Blocks: 1092125
Keywords: regression
Assignee: nobody → twointofive
Attached patch Patch v1 (obsolete) — Splinter Review
I'm not sure where the offending svg is, but I did verify that the one that causes the crash has mViewportWidth = mViewportHeight = 0 in SVGSVGElement, so GetViewBoxTransform returns an all-zeroes matrix, so SVGSVGElement::PrependLocalTransformsTo returns an all-zeroes matrix to nsSVGUtils::GetCTM, which assigns it to the non-scaling-stroke transform in nsSVGUtils::GetNonScalingStrokeTransform, and then GetGeometryBounds causes the assertion when it tries to invert it. The new crashtest produces the same backtrace on failure as above.
Attachment #8667711 - Flags: review?(longsonr)
Comment on attachment 8667711 [details] [diff] [review] Patch v1 I think we should deal with this in the caller rather than in every called method. I.e return bbox if nsSVGUtils::GetNonScalingStrokeTransform returns something singular in nsSVGPathGeometryFrame::GetBBoxContribution
Attachment #8667711 - Flags: review?(longsonr) → review-
And make the called methods just assert that they aren't passed something singular.
Attached patch Patch v2 (obsolete) — Splinter Review
Attachment #8667711 - Attachment is obsolete: true
Attachment #8667906 - Flags: review?(longsonr)
Comment on attachment 8667906 [details] [diff] [review] Patch v2 >- gotSimpleBounds = element->GetGeometryBounds(&simpleBounds, >- strokeOptions, >- aToBBoxUserspace, >- &moz2dUserToOuterSVG); >+ if (!moz2dUserToOuterSVG.IsSingular()) { >+ gotSimpleBounds = element->GetGeometryBounds(&simpleBounds, >+ strokeOptions, >+ aToBBoxUserspace, >+ &moz2dUserToOuterSVG); >+ } else { >+ return bbox; >+ } Write it this way instead. + if (moz2dUserToOuterSVG.IsSingular()) { + return bbox; + } + gotSimpleBounds = element->GetGeometryBounds(&simpleBounds, + strokeOptions, + aToBBoxUserspace, + &moz2dUserToOuterSVG); r=longsonr with that change
Attachment #8667906 - Flags: review?(longsonr) → review+
Attached patch Patch v3Splinter Review
Attachment #8667906 - Attachment is obsolete: true
https://hg.mozilla.org/mozilla-central/rev/5be97c635fbd
Status: NEW → RESOLVED
Closed: 10 years ago
status-firefox44: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
Comment on attachment 8667920 [details] [diff] [review] Patch v3 Approval Request Comment [Feature/regressing bug #]: bug 1092125 [User impact if declined]: Possibly very little. It's nore that we don't want a function to be called with data it is not equipped to handle properly and then go down unexpected code paths. [Describe test coverage new/current, TreeHerder]: includes reftest [Risks and why]: could end up with the wrong bounds, unlikely to have visible consequences though. [String/UUID change made/needed]: none
Attachment #8667920 - Flags: approval-mozilla-aurora?
Comment on attachment 8667920 [details] [diff] [review] Patch v3 Approved for aurora uplift; regressed in 43
Attachment #8667920 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: