Open Bug 1322643 Opened 8 years ago Updated 1 year ago

SVG triggers assertion "ToRect(strokeBBoxExtents).IsFinite() (bbox is about to go bad)"

Categories

(Core :: SVG, defect, P3)

Tracking

Tracking Status
firefox-esr52 --- wontfix
firefox53 --- wontfix
firefox-esr102 --- affected
firefox56 --- wontfix
firefox57 --- wontfix
firefox58 --- wontfix
firefox59 --- wontfix
firefox110 --- wontfix
firefox111 --- wontfix
firefox112 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(2 files, 1 obsolete file)

Attached file log.txt
Assertion failure: ToRect(strokeBBoxExtents).IsFinite() (bbox is about to go bad), at /home/worker/workspace/build/src/layout/svg/nsSVGPathGeometryFrame.cpp:655

==30375==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f88547b7fd1 bp 0x7ffd36818230 sp 0x7ffd36817c40 T0)
    #0 0x7f88547b7fd0 in nsSVGPathGeometryFrame::GetBBoxContribution(mozilla::gfx::Matrix const&, unsigned int) /home/worker/workspace/build/src/layout/svg/nsSVGPathGeometryFrame.cpp:655:7
    #1 0x7f88547b6e98 in nsSVGPathGeometryFrame::ReflowSVG() /home/worker/workspace/build/src/layout/svg/nsSVGPathGeometryFrame.cpp:434:20
    #2 0x7f8854763803 in nsSVGDisplayContainerFrame::ReflowSVG() /home/worker/workspace/build/src/layout/svg/nsSVGContainerFrame.cpp:359:7
    #3 0x7f88547b085e in nsSVGOuterSVGFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, unsigned int&) /home/worker/workspace/build/src/layout/svg/nsSVGOuterSVGFrame.cpp:450:5
    #4 0x7f8854431986 in nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, mozilla::ReflowOutput*, bool&) /home/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:939:5
    #5 0x7f88544be88a in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4120:3
    #6 0x7f88544bd22d in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3921:5
    #7 0x7f88544b4aad in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3795:9
    #8 0x7f88544ae654 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2801:5
...
see log.txt
Attached file test_case.html (obsolete)
Priority: -- → P3
Looks like jwatt added this assertion in bug 1080688. Tentatively tagging him for initial thoughts/triage.
Depends on: 1080688
Flags: needinfo?(jwatt)
Attached image SVG testcase
This is what we basically get after processing the previous testcase with the HTML parser. We end up with a path with a single point with massive (50e90%) stroke-width. (It's a bit weird that the bounding box isn't empty given that the default for stroke-linecap is 'butt', but adding a second point would give the same huge result.) If content can trigger this assertion then we simply need to decide what we should do at that point in the code to handle infinite bbox (maybe ignore it?).
Attachment #8817568 - Attachment is obsolete: true
Flags: needinfo?(jwatt)
Blocks: 1080688
Has Regression Range: --- → yes
No longer depends on: 1080688
Severity: normal → S3
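
The following is an added example, not code from the bug or from Gecko: a simplified model of how a stroke-width like the testcase's 50e90% overflows single-precision float and makes the stroke extents non-finite, with the "maybe ignore it?" policy from the comment above as one possible handling. All names (Rect, ResolveStrokeWidth, StrokeExtents, BBoxWithStroke), the 1000-unit reference length and the sample values are assumptions, and the model ignores stroke-linecap.

```cpp
// Added illustration: a simplified model, not Gecko code. All names are hypothetical.
#include <cmath>
#include <cstdio>
#include <cstdlib>

struct Rect {
  float x, y, w, h;
  // Finite only if both corners are finite (-inf + inf gives NaN, also rejected).
  bool IsFinite() const {
    return std::isfinite(x) && std::isfinite(y) &&
           std::isfinite(x + w) && std::isfinite(y + h);
  }
};

// Resolve a stroke-width string such as "50e90%" against a reference length.
// strtof returns HUGE_VALF (+infinity on IEEE 754) when the value overflows float.
float ResolveStrokeWidth(const char* text, float referenceLength) {
  char* end = nullptr;
  float value = std::strtof(text, &end);
  if (*end == '%') value = value / 100.0f * referenceLength;
  return value;
}

// Stroke extents: the fill bbox inflated by half the stroke width on each side.
Rect StrokeExtents(const Rect& fill, float strokeWidth) {
  float half = strokeWidth / 2.0f;
  return {fill.x - half, fill.y - half, fill.w + strokeWidth, fill.h + strokeWidth};
}

// One possible policy (the "maybe ignore it?" option): keep the fill bbox
// when the stroke extents are not finite, instead of asserting.
Rect BBoxWithStroke(const Rect& fill, float strokeWidth) {
  Rect stroke = StrokeExtents(fill, strokeWidth);
  return stroke.IsFinite() ? stroke : fill;
}

int main() {
  Rect fill{10.0f, 10.0f, 0.0f, 0.0f};     // constructed: a path with a single point
  const char* widths[] = {"2", "50e90%"};  // constructed sample stroke-width values
  for (const char* w : widths) {
    float sw = ResolveStrokeWidth(w, 1000.0f);
    Rect r = BBoxWithStroke(fill, sw);
    std::printf("stroke-width=%s -> width=%g bbox=(%g, %g, %g, %g)\n",
                w, sw, r.x, r.y, r.w, r.h);
  }
  return 0;
}
```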