Closed
Bug 314244
Opened 20 years ago
Closed 18 years ago
SVG with display: -moz-box causes crash
Categories
(Core :: SVG, defect)
Core
SVG
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: benjamin, Unassigned)
References
Details
(Keywords: crash, testcase)
Attachments
(2 files)
|
604 bytes,
application/vnd.mozilla.xul+xml
|
Details | |
|
3.70 KB,
patch
|
Details | Diff | Splinter Review |
I've been trying to get SVG to participate in XUL box-model layout and any time I set the <svg> element to display: -moz-box I get a crash. Testcase coming up: the initial assertion is in
nsSVGPathGeometryFrame::GetOuterSVGFrame
called from
nsSVGPathGeometryFrame::InitSVG
And after several similar assertions, an assertion
###!!! ASSERTION: A box layout was called by InitBoxMetrics was never called: 'metrics' at nsFrame.cpp, line 5596
And the crash is in nsFrame::GetAscent derefencing "metrics".
|
Reporter | |
Comment 1•20 years ago
|
||
|
||
Comment 2•20 years ago
|
||
Any website can DoS the browser with this, right? If so, then I think we need to fix this for FF 1.5.
Flags: blocking1.8rc1?
|
||
Comment 3•20 years ago
|
||
We have plenty of ways to "DOS" the browser. Just being a crash is really not qualification for 1.8 at this point, imo.
That said, I'm not sure I follow what's going on here. If calling InitBoxWrapped is needed for box layout methods, but we never call InitBoxWrapped on boxes, how does any of this work? bryner, do you recall?
|
|
||
Comment 4•20 years ago
|
||
Ah, nevermind. I was misreading my own debugger output...
So my build crashes because we end up trying to do box layout on an nsSVGRectFrame. Which is a child of a box. And which has no box metrics, because SVG doesn't call nsFrame::Init, so bryner's fix there to call InitBoxMetrics didn't make it through to SVG.
|
||
Updated•20 years ago
|
Flags: blocking1.9a1?
Flags: blocking1.8rc1?
Flags: blocking1.8rc1-
this is now wfm (at least with my debug build) after I checked in the patch for bug 322185. Essentially the patch there blocks xul display types for tag based frame creation.
|
||
Comment 7•20 years ago
|
||
tor, is the patch in this bug still desirable?
|
||
Updated•19 years ago
|
|
|
||
Updated•19 years ago
|
Flags: blocking1.9a1?
|
||
Comment 8•18 years ago
|
||
Marking as WORKSFORME based on comment 6.
Note that Tor got rid of the split init in another patch so the patch in this bug is no longer required.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → WORKSFORME
|
|
||
Updated•18 years ago
|
Flags: in-testsuite?
|
|
||
Comment 9•18 years ago
|
||
Flags: in-testsuite? → in-testsuite+
|
|
||
Comment 10•17 years ago
|
||
The test was giving me an XML parsing error; I fixed that by putting the comment after the '<?xml version="1.0"?>'.
Btw, in the future, please put crash-only tests in e.g. mozilla/layout/svg/crashtests/ instead of mozilla/layout/reftests/svg/bugs/.
|
|
||
Comment 11•17 years ago
|
||
I'm not prescient though! The crashtests directory was only created on 2007-12-12
We should raise a bug to move everything in mozilla/layout/reftests/svg/bugs into /mozilla/layout/svg/crashtests/ and then delete mozilla/layout/reftests/svg/bugs altogether.
|
|
||
Comment 12•17 years ago
|
||
Created bug 421473 for the move
You need to log in
before you can comment on or make changes to this bug.
Description
•