Closed
Bug 319107
Opened 19 years ago
Closed 19 years ago
One SVG file crashes firefox 1.5 [@ nsSVGGradientFrame::GetNextGradient]
Categories
(Core :: SVG, defect)
Core
SVG
Tracking
()
RESOLVED
FIXED
People
(Reporter: emmanuel.touzery, Assigned: scootermorris)
References
Details
(Keywords: fixed1.8.1, verified1.8.0.2, Whiteboard: [rft-dl])
Attachments
(4 files, 1 obsolete file)
|
6.45 KB,
text/plain
|
Details | |
|
6.45 KB,
image/svg+xml
|
Details | |
|
289 bytes,
image/svg+xml
|
Details | |
|
925 bytes,
patch
|
tor
:
review+
benjamin
:
approval-branch-1.8.1+
mtschrep
:
approval1.8.0.1-
dveditz
:
approval1.8.0.2+
|
Details | Diff | Splinter Review |
CRASHER!! correct mimetype: opening this attachment should crash firefox
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
I attach a SVG file which crashes firefox 1.5 every time on both linux x86 (firefox 1.5 binary from mozilla.org) and windows XP.
Reproducible: Always
|
Reporter | |
Comment 1•19 years ago
|
||
|
||
Comment 2•19 years ago
|
||
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051204 Firefox/1.5
I get no crash (see only some text) :)
|
|
Reporter | |
Comment 3•19 years ago
|
||
if you just see the text that's because I set the mimetype of the attachment in bugzilla to text/plain (there was no choice for svg).
Save the attachment to your local disk (for instance copy the text in notepad), name the file "test.svg", make sure the first line contains the <?xml (first line shoudn't be empty) and open in firefox (drag & drop the file on a firefox window). that should crash firefox.
|
|
Reporter | |
Comment 4•19 years ago
|
||
i left the other attachment to make it easy to get the faulty SVG for local experiments (if the browser crashes it's annoying to get the file contents)
|
|
||
Comment 5•19 years ago
|
||
OK..
Trunk: TB12620259X
Branch: TB12620314E
Incident ID: 12620259
Stack Signature nsSVGGradientFrame::GetNextGradient 4d0a92fd
Product ID FirefoxTrunk
Build ID 2005120405
Trigger Time 2005-12-05 06:15:07.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module firefox.exe + (0029de80)
URL visited
User Comments
Since Last Crash 19 sec
Total Uptime 27739 sec
Trigger Reason Access violation
Source File, Line No. c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/svg/base/src/nsSVGGradientFrame.cpp, line 621
Stack Trace
nsSVGGradientFrame::GetNextGradient [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/svg/base/src/nsSVGGradientFrame.cpp, line 621]
nsSVGGradientFrame::GetNextGradient [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/svg/base/src/nsSVGGradientFrame.cpp, line 626]
nsSVGRadialGradientFrame::PrivateGetCx [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/svg/base/src/nsSVGGradientFrame.cpp, line 947]
nsSVGLinearGradientFrame::GetX1 [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/svg/base/src/nsSVGGradientFrame.cpp, line 1122]
CairoRadialGradient [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/svg/renderer/src/cairo/nsSVGCairoGradient.cpp, line 122]
CairoGradient [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/svg/renderer/src/cairo/nsSVGCairoGradient.cpp, line 157]
nsSVGCairoPathGeometry::Render [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/svg/renderer/src/cairo/nsSVGCairoPathGeometry.cpp, line 359]
nsSVGPathGeometryFrame::PaintSVG [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/svg/base/src/nsSVGPathGeometryFrame.cpp, line 286]
nsSVGOuterSVGFrame::Paint [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/svg/base/src/nsSVGOuterSVGFrame.cpp, line 829]
nsContainerFrame::PaintChild [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsContainerFrame.cpp, line 283]
nsContainerFrame::PaintChildren [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsContainerFrame.cpp, line 228]
nsHTMLContainerFrame::Paint [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsHTMLContainerFrame.cpp, line 84]
CanvasFrame::Paint [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsHTMLFrame.cpp, line 373]
PresShell::Paint [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5480]
nsView::Paint [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 318]
nsViewManager::RenderDisplayListElement [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 1468]
nsViewManager::RenderViews [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 1380]
nsViewManager::Refresh [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 930]
nsViewManager::DispatchEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2047]
HandleEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 176]
nsWindow::DispatchEvent [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1162]
nsWindow::ProcessMessage [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 4284]
nsWindow::WindowProc [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1351]
USER32.dll + 0x8709 (0x77d18709)
USER32.dll + 0x87eb (0x77d187eb)
USER32.dll + 0xb368 (0x77d1b368)
USER32.dll + 0xb3b4 (0x77d1b3b4)
ntdll.dll + 0xeae3 (0x7c90eae3)
USER32.dll + 0x89e8 (0x77d189e8)
nsAppShell::Run [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsAppShell.cpp, line 159]
nsAppStartup::Run [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 162]
main [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x16d4f (0x7c816d4f)
Assignee: nobody → general
Component: General → SVG
Keywords: crash
Product: Firefox → Core
QA Contact: general → ian
Summary: One SVG file crashes firefox 1.5 → One SVG file crashes firefox 1.5 [@ nsSVGGradientFrame::GetNextGradient]
Version: unspecified → 1.8 Branch
I can see this crash on firefox 1.5. But not in trunk. I believe this has been fixed by another bug.
|
|
||
Comment 9•19 years ago
|
||
(In reply to comment #8)
> I can see this crash on firefox 1.5. But not in trunk. I believe this has been
> fixed by another bug.
>
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051206 Firefox/1.6a1 ID:2005120605
Still get a crash in the latest trunk: TB12691988Q
Have you tried it with a new profile?
|
||
Comment 10•19 years ago
|
||
erm, picking trunk because that's what the talkback incident i quoted said. (i probably misgrabbed the version from comment 0).
Version: 1.8 Branch → Trunk
|
||
Comment 11•19 years ago
|
||
(In reply to comment #9)
> Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051206
> Firefox/1.6a1 ID:2005120605
> Still get a crash in the latest trunk: TB12691988Q
> Have you tried it with a new profile?
>
Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.9a1) Gecko/20051125 Firefox/1.6a1
I thought it is a platform independed bug.
With a new profile and not crash.
|
|
Reporter | |
Comment 12•19 years ago
|
||
(In reply to comment #11)
> I thought it is a platform independed bug.
> With a new profile and not crash.
>
no crash, so what happens? the SVG is displayed? if you get text you clicked the wrong link. you must click the link "CRASHER!!".
The svg should look like three people in circle, colored in green.
|
|
||
Comment 13•19 years ago
|
||
(In reply to comment #12)
> no crash, so what happens? the SVG is displayed? if you get text you clicked
> the wrong link. you must click the link "CRASHER!!".
> The svg should look like three people in circle, colored in green.
>
Yes. The SVG is displayed.
And I did not click the wrong link.
The other link is text/plain. I can only see the text.
Also the "CRASHER!!" link crashed my firefox 1.5.
|
||
Updated•19 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
||
Comment 14•19 years ago
|
||
This SVG Image does the same:
http://www.phobeus.de/hosting/flo/images/FirefoxCrash.svg
(I used Inkscape too, to create this Image, but I changed some things with a usual text editor)
|
|
||
Comment 15•19 years ago
|
||
I reduced the size my svg file down to ten lines of code:
<?xml version="1.0" encoding="UTF-8"?>
<svg
xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink">
<defs>
<linearGradient id="crashpart1"/>
<radialGradient xlink:href="#crashpart1" id="crashpart2" />
</defs>
<rect style="fill:url(#crashpart2);" />
</svg>
|
|
||
Comment 16•19 years ago
|
||
(In reply to comment #15)
That crashes indeed :)
|
|
||
Comment 17•19 years ago
|
||
please change the summary to describe the minimal crasher :)
|
Assignee | |
Comment 18•19 years ago
|
||
Attachment #207366 -
Flags: review?(tor)
|
|
Assignee | |
Updated•19 years ago
|
Status: NEW → ASSIGNED
|
||
Updated•19 years ago
|
Assignee: general → scootermorris
Status: ASSIGNED → NEW
|
||
Comment 19•19 years ago
|
||
Comment on attachment 207366 [details] [diff] [review]
Patch for crash
I think you also need to set aNextGrad to nsnull.
Attachment #207366 -
Flags: review?(tor) → review-
|
|
Assignee | |
Comment 20•19 years ago
|
||
(In reply to comment #19)
> (From update of attachment 207366 [details] [diff] [review] [edit])
> I think you also need to set aNextGrad to nsnull.
>
The return value for GetNextGradient is always checked, so there is little chance of a problem, but I agree that its a good discipline in any case.
|
|
Assignee | |
Comment 21•19 years ago
|
||
Attachment #207366 -
Attachment is obsolete: true
Attachment #207543 -
Flags: review?(tor)
Attachment #207543 -
Flags: review?(tor) → review+
Attachment #207543 -
Flags: approval1.8.0.1?
Attachment #207543 -
Flags: approval1.8.1?
|
||
Comment 22•19 years ago
|
||
Comment on attachment 207543 [details] [diff] [review]
Make sure to set aNextGrad to nsnull
Please land on trunk and target the 1.8.0.2 release.
Attachment #207543 -
Flags: approval1.8.0.2?
Attachment #207543 -
Flags: approval1.8.0.1?
Attachment #207543 -
Flags: approval1.8.0.1-
|
|
Assignee | |
Comment 23•19 years ago
|
||
Checked in on trunk:
cvs commit layout/svg/base/src/nsSVGGradientFrame.cpp
Checking in layout/svg/base/src/nsSVGGradientFrame.cpp;
/cvsroot/mozilla/layout/svg/base/src/nsSVGGradientFrame.cpp,v <-- nsSVGGradientFrame.cpp
new revision: 1.21; previous revision: 1.20
done
|
|
Assignee | |
Updated•19 years ago
|
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
|
||
Comment 24•19 years ago
|
||
Comment on attachment 207543 [details] [diff] [review]
Make sure to set aNextGrad to nsnull
Approving vicariously for tor ;-)
Attachment #207543 -
Flags: approval1.8.1? → branch-1.8.1+
|
|
Assignee | |
Comment 25•19 years ago
|
||
Checked in on branch:
Checking in layout/svg/base/src/nsSVGGradientFrame.cpp;
/cvsroot/mozilla/layout/svg/base/src/nsSVGGradientFrame.cpp,v <-- nsSVGGradientFrame.cpp
new revision: 1.14.2.6; previous revision: 1.14.2.5
done
Keywords: crash → fixed1.8.1
|
||
Updated•19 years ago
|
Flags: blocking1.8.0.2+
|
|
||
Comment 26•19 years ago
|
||
Comment on attachment 207543 [details] [diff] [review]
Make sure to set aNextGrad to nsnull
approved for 1.8.0 branch, a=dveditz
Attachment #207543 -
Flags: approval1.8.0.2? → approval1.8.0.2+
|
|
Assignee | |
Comment 27•19 years ago
|
||
Checked in on 1.8.0 branch
|
||
Updated•19 years ago
|
Keywords: fixed1.8.0.2
|
|
||
Comment 28•19 years ago
|
||
*** Bug 328569 has been marked as a duplicate of this bug. ***
|
||
Updated•19 years ago
|
Whiteboard: [rft-dl]
|
||
Comment 29•19 years ago
|
||
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060302 Firefox/1.5.0.1, no crash with either test svg file (saved first locally and image loaded fine, second small svg loads fine but I can't see it).
Keywords: fixed1.8.0.2 → verified1.8.0.2
You need to log in
before you can comment on or make changes to this bug.
Description
•