Closed Bug 277392 Opened 20 years ago Closed 20 years ago

SVG object with marker: crash when deleting

Categories

(Core :: SVG, defect)

x86
All
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: kohl, Assigned: tor)

Details

(Keywords: crash)

Attachments

(2 files)

When deleting an SVG object which is using a marker, Mozilla crashes
(tested on older builds and Build 2005010609).
Clicking the button "kill an object with marker" will crash Mozilla SVG in all
cases (but no crash after removing the marker from the deleted object).
Severity: normal → critical
Keywords: crash
Summary: SVG object with marker: crash when deleting → SVG object with marker: crash when deleting
Confirming. I see the crash with a Gtk2 build from today.

Here is the backtrace:

#0  0x4087c5dc in nanosleep () from /lib/tls/libc.so.6
#1  0x4087c3ef in sleep () from /lib/tls/libc.so.6
#2  0x08057f5d in ah_crap_handler (signum=11) at nsSigHandlers.cpp:132
#3  0x41e943ec in nsProfileLock::FatalSignalHandler (signo=11)
    at nsProfileLock.cpp:209
#4  <signal handler called>
#5  0x4177714b in nsSVGMarkerFrame::GetCanvasTM (this=0x89dd880)
    at nsSVGMarkerFrame.cpp:271
#6  0x41785a15 in nsSVGPathGeometryFrame::GetCanvasTM (this=0x89dda5c,
    aCTM=0xbfffcccc) at nsSVGPathGeometryFrame.cpp:395
#7  0x417f523d in nsSVGLibartPathGeometry::GetPath (this=0x8bc16e8)
    at nsSVGLibartPathGeometry.cpp:184
#8  0x417f54bc in nsSVGLibartPathGeometry::GetFill (this=0x8bc16e8)
    at nsSVGLibartPathGeometry.cpp:226
#9  0x417f61ca in nsSVGLibartPathGeometry::GetCoveredRegion (this=0x8bc16e8,
    _retval=0xbfffce0c) at nsSVGLibartPathGeometry.cpp:420
#10 0x417f609b in nsSVGLibartPathGeometry::Update (this=0x8bc16e8,
    updatemask=2, _retval=0xbfffce8c) at nsSVGLibartPathGeometry.cpp:394
#11 0x417857d6 in nsSVGPathGeometryFrame::NotifyRedrawUnsuspended (
    this=0x89dda5c) at nsSVGPathGeometryFrame.cpp:321
#12 0x4175b5f7 in nsSVGDefsFrame::NotifyRedrawUnsuspended (this=0x89dd880)
    at nsSVGDefsFrame.cpp:318
#13 0x4175b5f7 in nsSVGDefsFrame::NotifyRedrawUnsuspended (this=0x89dd658)
    at nsSVGDefsFrame.cpp:318
#14 0x4177b23b in nsSVGOuterSVGFrame::UnsuspendRedraw (this=0x89dd4bc)
    at nsSVGOuterSVGFrame.cpp:985
#15 0x417e11c3 in nsSVGSVGElement::UnsuspendRedrawAll (this=0x89abe68)
    at nsSVGSVGElement.cpp:571
#16 0x417e106b in nsSVGSVGElement::UnsuspendRedraw (this=0x89abe68,
    suspend_handle_id=1) at nsSVGSVGElement.cpp:546
#17 0x40127c09 in XPTC_InvokeByIndex () at xptcinvoke_gcc_x86_unix.cpp:69
#18 0x40a45ade in XPCWrappedNative::CallMethod (ccx=@0xbfffd250,
    mode=CALL_METHOD) at xpcwrappednative.cpp:2033
#19 0x40a4ffd9 in XPC_WN_CallMethod (cx=0x8b7e350, obj=0x882ed38, argc=1,
    argv=0x8d0c7f8, vp=0xbfffd400) at xpcwrappednativejsops.cpp:1287
#20 0x401b3ecd in js_Invoke (cx=0x8b7e350, argc=1, flags=0) at jsinterp.c:1293
#21 0x401c3fe0 in js_Interpret (cx=0x8b7e350, pc=0x8b2b78f ":",
    result=0xbfffdb6c) at jsinterp.c:3563
#22 0x401b3f56 in js_Invoke (cx=0x8b7e350, argc=1, flags=2) at jsinterp.c:1313
#23 0x401b4332 in js_InternalInvoke (cx=0x8b7e350, obj=0x882e898,
    fval=142797216, flags=0, argc=1, argv=0xbfffded8, rval=0xbfffddbc)
    at jsinterp.c:1390
#24 0x4017eb2a in JS_CallFunctionValue (cx=0x8b7e350, obj=0x882e898,
    fval=142797216, argc=1, argv=0xbfffded8, rval=0xbfffddbc) at jsapi.c:3804
#25 0x4167249b in nsJSContext::CallEventHandler (this=0x8b852f8,
    aTarget=0x882e898, aHandler=0x882e9a0, argc=1, argv=0xbfffded8,
    rval=0xbfffddbc) at nsJSEnvironment.cpp:1351
#26 0x416ca49b in nsJSEventListener::HandleEvent (this=0x8c94798,
    aEvent=0x8a36440) at nsJSEventListener.cpp:174
#27 0x4151e096 in nsEventListenerManager::HandleEventSubType (this=0x897b360,
    aListenerStruct=0x8c947f8, aDOMEvent=0x8a36440, aCurrentTarget=0x8c17f30,
    aSubType=4, aPhaseFlags=7) at nsEventListenerManager.cpp:1519
#28 0x4151e481 in nsEventListenerManager::HandleEvent (this=0x897b360,
    aPresContext=0x8b428b8, aEvent=0xbfffe510, aDOMEvent=0xbfffe26c,
    aCurrentTarget=0x8c17f30, aFlags=7, aEventStatus=0xbfffeb38)
    at nsEventListenerManager.cpp:1609
#29 0x414e1bd7 in nsGenericElement::HandleDOMEvent (this=0x897b328,
    aPresContext=0x8b428b8, aEvent=0xbfffe510, aDOMEvent=0xbfffe26c, aFlags=7,
    aEventStatus=0xbfffeb38) at nsGenericElement.cpp:1981
#30 0x4155efeb in nsHTMLButtonElement::HandleDOMEvent (this=0x897b328,
    aPresContext=0x8b428b8, aEvent=0xbfffe510, aDOMEvent=0x0, aFlags=1,
    aEventStatus=0xbfffeb38) at nsHTMLButtonElement.cpp:345
#31 0x412613c2 in PresShell::HandleEventInternal (this=0x89dbbb0,
    aEvent=0xbfffe510, aView=0x0, aFlags=1, aStatus=0xbfffeb38)
    at nsPresShell.cpp:5916
#32 0x4126106d in PresShell::HandleEventWithTarget (this=0x89dbbb0,
    aEvent=0xbfffe510, aFrame=0x894b75c, aContent=0x897b328, aFlags=1,
    aStatus=0xbfffeb38) at nsPresShell.cpp:5834
#33 0x4152973c in nsEventStateManager::CheckForAndDispatchClick (
    this=0x8a42a88, aPresContext=0x8b428b8, aEvent=0xbfffec90,
    aStatus=0xbfffeb38) at nsEventStateManager.cpp:2946
#34 0x41527460 in nsEventStateManager::PostHandleEvent (this=0x8a42a88,
    aPresContext=0x8b428b8, aEvent=0xbfffec90, aTargetFrame=0x894b75c,
    aStatus=0xbfffeb38, aView=0x8c17ad0) at nsEventStateManager.cpp:1928
#35 0x412616f4 in PresShell::HandleEventInternal (this=0x89dbbb0,
    aEvent=0xbfffec90, aView=0x8c17ad0, aFlags=1, aStatus=0xbfffeb38)
    at nsPresShell.cpp:5968
#36 0x41260d30 in PresShell::HandleEvent (this=0x89dbbb0, aView=0x8c17ad0,
    aEvent=0xbfffec90, aEventStatus=0xbfffeb38, aForceHandle=0,
    aHandled=@0xbfffeaa8) at nsPresShell.cpp:5772
#37 0x41664edd in nsViewManager::HandleEvent (this=0x8b7db70, aView=0x8b75960,
    aEvent=0xbfffec90, aCaptured=0) at nsViewManager.cpp:2406
#38 0x4166440b in nsViewManager::DispatchEvent (this=0x8b7db70,
    aEvent=0xbfffec90, aStatus=0xbfffec40) at nsViewManager.cpp:2133
#39 0x416593d1 in HandleEvent (aEvent=0xbfffec90) at nsView.cpp:171
#40 0x40e234ee in nsCommonWidget::DispatchEvent (this=0x840c108,
    aEvent=0xbfffec90, aStatus=@0xbfffec8c) at nsCommonWidget.cpp:218
#41 0x40e1479e in nsWindow::OnButtonReleaseEvent (this=0x840c108,
    aWidget=0x8186180, aEvent=0x8301c88) at nsWindow.cpp:1428
#42 0x40e1996b in button_release_event_cb (widget=0x8186180, event=0x8301c88)
    at nsWindow.cpp:3517
#43 0x403cf0d4 in _gtk_marshal_BOOLEAN__BOXED ()
   from /usr/lib/libgtk-x11-2.0.so.0
#44 0x40638c20 in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#45 0x4064cc28 in g_signal_emit_by_name () from /usr/lib/libgobject-2.0.so.0
#46 0x4064b9be in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#47 0x4064bee4 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#48 0x404cdf67 in gtk_widget_send_expose () from /usr/lib/libgtk-x11-2.0.so.0
#49 0x403cd672 in gtk_propagate_event () from /usr/lib/libgtk-x11-2.0.so.0
#50 0x403cc3c6 in gtk_main_do_event () from /usr/lib/libgtk-x11-2.0.so.0
#51 0x405ca1a5 in _gdk_events_queue () from /usr/lib/libgdk-x11-2.0.so.0
#52 0x40691c02 in g_main_depth () from /usr/lib/libglib-2.0.so.0
#53 0x40692cf8 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#54 0x40693030 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#55 0x40693673 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#56 0x403cbc83 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#57 0x40e204d2 in nsAppShell::Run (this=0x81a42b0) at nsAppShell.cpp:139
#58 0x422119cc in nsAppStartup::Run (this=0x81a4188) at nsAppStartup.cpp:207
#59 0x080515be in main1 (argc=1, argv=0xbffff524, nativeApp=0x813c0e8)
    at nsAppRunner.cpp:1324
#60 0x0805232a in main (argc=1, argv=0xbffff524) at nsAppRunner.cpp:1811
Assignee: general → general
Status: UNCONFIRMED → NEW
Component: General → SVG
Ever confirmed: true
OS: Windows XP → All
Product: Mozilla Application Suite → Core
QA Contact: general → ian
Assignee: general → tor
Status: NEW → ASSIGNED
Attachment #170547 - Flags: review?(jonathan.watt)
Comment on attachment 170547
don't leave hanging references to the parent

r=jwatt

Note you are setting mMarkerParent to NULL instead of nsnull here:
http://lxr.mozilla.org/seamonkey/source/layout/svg/base/src/nsSVGMarkerFrame.cpp#248
Attachment #170547 - Flags: review?(jonathan.watt) → review+
Comment on attachment 170547
don't leave hanging references to the parent

Crash fix, not in default build.
Attachment #170547 - Flags: approval1.8a6?
Comment on attachment 170547
don't leave hanging references to the parent

a=asa for checkin to 1.8a6
Attachment #170547 - Flags: approval1.8a6? → approval1.8a6+
Checked in.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
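
Added example, not part of this bug or of attachment 170547 (the patch is not reproduced on this page): a simplified C++ model of the bug class named by the patch title, a shared marker keeping a non-owning pointer to the object that last painted it, shown with the pointer left set and with it cleared when painting ends. All type and member names are hypothetical stand-ins, and the assumption that the stale pointer is read during a later redraw notification is inferred from frames #5 to #11 of the backtrace.

```cpp
// Simplified model of a dangling back-pointer; NOT Mozilla source code.
// PathFrame, MarkerFrame and their members are hypothetical names.
#include <memory>

struct Matrix { double tx = 0, ty = 0; };

struct PathFrame { Matrix ctm; };        // the object that references the marker

struct MarkerFrame {                     // shared marker, outlives any one path
    PathFrame* markerParent = nullptr;   // non-owning back-pointer

    // "Before": the back-pointer is left set once painting is done.
    void PaintLeaky(PathFrame* parent) { markerParent = parent; /* draw */ }

    // "After": the back-pointer is valid only for the duration of the paint.
    void PaintScoped(PathFrame* parent) {
        struct Reset {
            PathFrame*& slot;
            ~Reset() { slot = nullptr; } // runs on every exit path
        } guard{markerParent};
        markerParent = parent;
        /* draw */
    }

    // Called later, outside any paint (e.g. from a redraw notification).
    // Returns false instead of dereferencing when no parent is current.
    bool GetCanvasTM(Matrix* out) const {
        if (!markerParent) return false;
        *out = markerParent->ctm;
        return true;
    }
};

// Paint once, record whether the marker kept the parent pointer, then delete
// the path. A retained pointer is dangling from that point on; it is checked
// before the delete so the freed address is never read.
bool RetainsParentPastPaint(bool scoped) {
    MarkerFrame marker;
    auto path = std::make_unique<PathFrame>();
    if (scoped) marker.PaintScoped(path.get());
    else        marker.PaintLeaky(path.get());
    bool retained = marker.markerParent != nullptr;
    path.reset();                        // "kill an object with marker"
    return retained;
}

// With the scoped paint, a redraw after the delete is refused cleanly.
bool RedrawAfterDeleteIsSafe() {
    MarkerFrame marker;
    auto path = std::make_unique<PathFrame>();
    marker.PaintScoped(path.get());
    path.reset();
    Matrix m;
    return !marker.GetCanvasTM(&m);      // no freed memory is touched
}
```

Building the leaky variant with AddressSanitizer and calling GetCanvasTM after the delete reports the read as a heap-use-after-free, which is the check to run when auditing similar non-owning back-pointers.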