One SVG file crashes firefox 1.5 [@ nsSVGGradientFrame::GetNextGradient]

Status: RESOLVED FIXED
Product: Core
Component: SVG
Priority: --
Severity: critical
Reporter: Emmanuel Touzery
Assignee: Scooter Morris
Version: Trunk
Keywords: fixed1.8.1, verified1.8.0.2
Bug Flags: blocking1.8.0.2 +
Whiteboard: [rft-dl]
Attachments: 4 attachments, 1 obsolete attachment

Description (Reporter)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5

I attach an SVG file which crashes Firefox 1.5 every time on both Linux x86 (Firefox 1.5 binary from mozilla.org) and Windows XP.

Reproducible: Always
Comment 1 (Reporter)

Created attachment 205008 [details]
This SVG file crashes Firefox 1.5 every time. It was produced by Inkscape.
Comment 2

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051204 Firefox/1.5
I get no crash (see only some text) :)
Comment 3 (Reporter)

If you just see the text, that's because I set the mimetype of the attachment in Bugzilla to text/plain (there was no choice for SVG).
Save the attachment to your local disk (for instance copy the text into Notepad), name the file "test.svg", make sure the first line contains the <?xml (the first line shouldn't be empty) and open it in Firefox (drag & drop the file onto a Firefox window). That should crash Firefox.
Comment 4 (Reporter)

Created attachment 205037 [details]
CRASHER!! correct mimetype: opening this attachment should crash firefox

I left the other attachment to make it easy to get the faulty SVG for local experiments (if the browser crashes it's annoying to get the file contents).
Comment 5

OK..
Trunk: TB12620259X
Branch: TB12620314E

Comment 6

Incident ID: 12620259
Stack Signature	nsSVGGradientFrame::GetNextGradient 4d0a92fd
Product ID	FirefoxTrunk
Build ID	2005120405
Trigger Time	2005-12-05 06:15:07.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	firefox.exe + (0029de80)
URL visited	
User Comments	
Since Last Crash	19 sec
Total Uptime	27739 sec
Trigger Reason	Access violation
Source File, Line No.	c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/svg/base/src/nsSVGGradientFrame.cpp, line 621
Stack Trace 	
nsSVGGradientFrame::GetNextGradient  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/svg/base/src/nsSVGGradientFrame.cpp, line 621]
nsSVGGradientFrame::GetNextGradient  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/svg/base/src/nsSVGGradientFrame.cpp, line 626]
nsSVGRadialGradientFrame::PrivateGetCx  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/svg/base/src/nsSVGGradientFrame.cpp, line 947]
nsSVGLinearGradientFrame::GetX1  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/svg/base/src/nsSVGGradientFrame.cpp, line 1122]
CairoRadialGradient  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/svg/renderer/src/cairo/nsSVGCairoGradient.cpp, line 122]
CairoGradient  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/svg/renderer/src/cairo/nsSVGCairoGradient.cpp, line 157]
nsSVGCairoPathGeometry::Render  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/svg/renderer/src/cairo/nsSVGCairoPathGeometry.cpp, line 359]
nsSVGPathGeometryFrame::PaintSVG  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/svg/base/src/nsSVGPathGeometryFrame.cpp, line 286]
nsSVGOuterSVGFrame::Paint  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/svg/base/src/nsSVGOuterSVGFrame.cpp, line 829]
nsContainerFrame::PaintChild  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsContainerFrame.cpp, line 283]
nsContainerFrame::PaintChildren  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsContainerFrame.cpp, line 228]
nsHTMLContainerFrame::Paint  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsHTMLContainerFrame.cpp, line 84]
CanvasFrame::Paint  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/generic/nsHTMLFrame.cpp, line 373]
PresShell::Paint  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5480]
nsView::Paint  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 318]
nsViewManager::RenderDisplayListElement  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 1468]
nsViewManager::RenderViews  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 1380]
nsViewManager::Refresh  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 930]
nsViewManager::DispatchEvent  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2047]
HandleEvent  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 176]
nsWindow::DispatchEvent  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1162]
nsWindow::ProcessMessage  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 4284]
nsWindow::WindowProc  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1351]
USER32.dll + 0x8709 (0x77d18709)
USER32.dll + 0x87eb (0x77d187eb)
USER32.dll + 0xb368 (0x77d1b368)
USER32.dll + 0xb3b4 (0x77d1b3b4)
ntdll.dll + 0xeae3 (0x7c90eae3)
USER32.dll + 0x89e8 (0x77d189e8)
nsAppShell::Run  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/widget/src/windows/nsAppShell.cpp, line 159]
nsAppStartup::Run  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 162]
main  [c:/builds/tinderbox/Fx-Trunk/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x16d4f (0x7c816d4f)
Assignee: nobody → general
Component: General → SVG
Keywords: crash
Product: Firefox → Core
QA Contact: general → ian
Summary: One SVG file crashes firefox 1.5 → One SVG file crashes firefox 1.5 [@ nsSVGGradientFrame::GetNextGradient]
Version: unspecified → 1.8 Branch
Comment 7

Crashes on Mac as well.
OS: Windows XP → All
Hardware: PC → All

Comment 8

I can see this crash on firefox 1.5. But not in trunk. I believe this has been fixed by another bug.
Comment 9

(In reply to comment #8)
> I can see this crash on firefox 1.5. But not in trunk. I believe this has been
> fixed by another bug.
>
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051206 Firefox/1.6a1 ID:2005120605
Still get a crash in the latest trunk: TB12691988Q
Have you tried it with a new profile?

Comment 10

Erm, picking Trunk because that's what the Talkback incident I quoted said. (I probably misgrabbed the version from comment 0.)
Version: 1.8 Branch → Trunk

Comment 11

(In reply to comment #9)
> Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051206
> Firefox/1.6a1 ID:2005120605
> Still get a crash in the latest trunk: TB12691988Q
> Have you tried it with a new profile? 
> 

Mozilla/5.0 (X11; U; SunOS i86pc; en-US; rv:1.9a1) Gecko/20051125 Firefox/1.6a1
I thought it was a platform-independent bug.
With a new profile there is no crash.
Comment 12 (Reporter)

(In reply to comment #11)
> I thought it is a platform independed bug.
> With a new profile and not crash.
> 

No crash, so what happens? Is the SVG displayed? If you get text you clicked the wrong link; you must click the link "CRASHER!!".
The SVG should look like three people in a circle, colored green.

Comment 13

(In reply to comment #12)
> no crash, so what happens? the SVG is displayed? if you get text you clicked
> the wrong link. you must click the link "CRASHER!!".
> The svg should look like three people in circle, colored in green.
> 
Yes. The SVG is displayed.
And I did not click the wrong link.
The other link is text/plain. I can only see the text.
Also the "CRASHER!!" link crashed my firefox 1.5.

Updated

Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 14

This SVG Image does the same:
http://www.phobeus.de/hosting/flo/images/FirefoxCrash.svg

(I used Inkscape too to create this image, but I changed some things with a regular text editor.)

Comment 15

Created attachment 205553 [details]
very small svg file which crash Firefox 1.5

I reduced the size of my SVG file down to ten lines of code:

<?xml version="1.0" encoding="UTF-8"?>
<svg
	xmlns="http://www.w3.org/2000/svg"
	xmlns:xlink="http://www.w3.org/1999/xlink">
	<defs>
		<linearGradient id="crashpart1"/>
		<radialGradient xlink:href="#crashpart1" id="crashpart2" />
	</defs>
	<rect style="fill:url(#crashpart2);" />
</svg>
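The ten-line reducer above makes the trigger pattern visible: a radialGradient that inherits from a linearGradient through xlink:href, which the crashing builds resolved in nsSVGGradientFrame::GetNextGradient without handling the change of gradient type. As an added example (not code from this bug, from Mozilla, or from any attachment here), the following Python script walks gradient reference chains in an SVG document and flags a cross-type reference; it also goes beyond the report and flags chains that dangle or loop, which any renderer that follows href chains has to cope with. It can be run over files in a triage queue or content-ingest pipeline to quarantine inputs before they reach a renderer known to mishandle them. Both sample inputs are constructed inline; the first reproduces the reducer's structure and the second is not from the bug. Note that the SVG specification itself permits a gradient to reference one of the other kind, so the type-mismatch finding marks what the affected builds mishandled, not an invalid document.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
GRADIENT_KINDS = {"linearGradient", "radialGradient"}

# Constructed sample input: same structure as the ten-line reducer from comment 15.
CRASHER_SVG = """<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs>
    <linearGradient id="crashpart1"/>
    <radialGradient xlink:href="#crashpart1" id="crashpart2"/>
  </defs>
  <rect style="fill:url(#crashpart2);"/>
</svg>"""

# Constructed sample input (not from the bug): a same-type chain that loops back
# on itself, plus a reference to an id that does not exist in the document.
LOOPING_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs>
    <linearGradient id="a" xlink:href="#b"/>
    <linearGradient id="b" xlink:href="#a"/>
    <radialGradient id="c" xlink:href="#missing"/>
  </defs>
</svg>"""


def local_name(elem):
    """Strip the namespace from an ElementTree tag ('{ns}tag' -> 'tag')."""
    return elem.tag.rsplit("}", 1)[-1]


def href_target(elem):
    """Return the local id that an element's (xlink:)href points at, or None."""
    href = elem.get(f"{{{XLINK_NS}}}href")
    if href is None:
        href = elem.get("href")      # SVG 2 also allows an un-prefixed href
    if href is None or not href.startswith("#"):
        return None                  # absent or external reference: not followed
    return href[1:]


def audit_gradient_chains(svg_text):
    """Follow every gradient's href chain and report (id, finding, target) tuples.

    Findings: 'type-mismatch' when a step crosses from linear to radial or back,
    'dangling' when the target id does not name a gradient in this document,
    'cycle' when the chain returns to a gradient already visited.
    """
    root = ET.fromstring(svg_text)
    gradients = {
        elem.get("id"): elem
        for elem in root.iter()
        if local_name(elem) in GRADIENT_KINDS and elem.get("id")
    }
    findings = []
    for gid, start in gradients.items():
        visited = {gid}
        cur = start
        while True:
            target = href_target(cur)
            if target is None:
                break                                   # end of chain
            if target not in gradients:
                findings.append((gid, "dangling", target))
                break
            if target in visited:
                findings.append((gid, "cycle", target))
                break
            nxt = gradients[target]
            if local_name(nxt) != local_name(cur):
                findings.append((gid, "type-mismatch", target))
            visited.add(target)
            cur = nxt
    return findings


if __name__ == "__main__":
    for label, doc in (("crasher", CRASHER_SVG), ("looping", LOOPING_SVG)):
        for gid, kind, target in audit_gradient_chains(doc):
            print(f"{label}: gradient '{gid}' -> '{target}': {kind}")
```

The walk is per gradient and bounded by the visited set, so a looping chain terminates with a finding instead of hanging the checker, which is the same property a renderer's href resolution needs. Run on the reducer it reports exactly one type-mismatch, crashpart2 to crashpart1; a file that produces no findings has only simple, same-type, well-terminated chains.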
Comment 16

(In reply to comment #15)

That crashes indeed :)

Comment 17

please change the summary to describe the minimal crasher :)
Comment 18 (Assignee)

Created attachment 207366 [details] [diff] [review]
Patch for crash
Attachment #207366 - Flags: review?(tor)
Updated (Assignee)

Status: NEW → ASSIGNED

Updated

Assignee: general → scootermorris
Status: ASSIGNED → NEW

Comment 19

Comment on attachment 207366 [details] [diff] [review]
Patch for crash

I think you also need to set aNextGrad to nsnull.
Attachment #207366 - Flags: review?(tor) → review-
Comment 20 (Assignee)

(In reply to comment #19)
> (From update of attachment 207366 [details] [diff] [review] [edit])
> I think you also need to set aNextGrad to nsnull.
> 

The return value for GetNextGradient is always checked, so there is little chance of a problem, but I agree that it's a good discipline in any case.
Comment 21 (Assignee)

Created attachment 207543 [details] [diff] [review]
Make sure to set aNextGrad to nsnull
Attachment #207366 - Attachment is obsolete: true
Attachment #207543 - Flags: review?(tor)

Updated

Attachment #207543 - Flags: review?(tor) → review+

Updated

Attachment #207543 - Flags: approval1.8.0.1?

Updated

Attachment #207543 - Flags: approval1.8.1?

Comment 22

Comment on attachment 207543 [details] [diff] [review]
Make sure to set aNextGrad to nsnull

Please land on trunk and target the 1.8.0.2 release.
Attachment #207543 - Flags: approval1.8.0.2?
Attachment #207543 - Flags: approval1.8.0.1?
Attachment #207543 - Flags: approval1.8.0.1-
Comment 23 (Assignee)

Checked in on trunk:

cvs commit layout/svg/base/src/nsSVGGradientFrame.cpp
Checking in layout/svg/base/src/nsSVGGradientFrame.cpp;
/cvsroot/mozilla/layout/svg/base/src/nsSVGGradientFrame.cpp,v  <--  nsSVGGradientFrame.cpp
new revision: 1.21; previous revision: 1.20
done
Updated (Assignee)

Status: NEW → RESOLVED
Resolution: --- → FIXED

Comment 24

Comment on attachment 207543 [details] [diff] [review]
Make sure to set aNextGrad to nsnull

Approving vicariously for tor ;-)
Attachment #207543 - Flags: approval1.8.1? → branch-1.8.1+
Comment 25 (Assignee)

Checked in on branch:
Checking in layout/svg/base/src/nsSVGGradientFrame.cpp;
/cvsroot/mozilla/layout/svg/base/src/nsSVGGradientFrame.cpp,v  <--  nsSVGGradientFrame.cpp
new revision: 1.14.2.6; previous revision: 1.14.2.5
done
Keywords: crash → fixed1.8.1
Flags: blocking1.8.0.2+
Comment 26

Comment on attachment 207543 [details] [diff] [review]
Make sure to set aNextGrad to nsnull

approved for 1.8.0 branch, a=dveditz
Attachment #207543 - Flags: approval1.8.0.2? → approval1.8.0.2+
Comment 27 (Assignee)

Checked in on 1.8.0 branch
Keywords: fixed1.8.0.2
Comment 28

*** Bug 328569 has been marked as a duplicate of this bug. ***

Updated

Whiteboard: [rft-dl]

Comment 29

v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060302 Firefox/1.5.0.1; no crash with either test SVG file (the first saved locally and the image loaded fine; the second, small SVG loads fine but I can't see it).
Keywords: fixed1.8.0.2 → verified1.8.0.2