Closed Bug 338312 Opened 18 years ago Closed 18 years ago

Moving SVG element that uses a gradient fill out of the <svg:svg> kills Firefox

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Platform:
PowerPC
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jruderman, Assigned: tor)

References

Details

(Keywords: crash, testcase, Whiteboard: post-1.8 branch)

Attachments

(2 files)

testcase
436 bytes, application/xhtml+xml
Details
remove observers in Destroy instead of destructor
2.26 KB, patch
roc
: review+
roc
: superreview+
Details | Diff | Splinter Review 
This is with a trunk nightly (2006-05-17) on Mac.  It makes Firefox crash in a way that doesn't trigger the Mac OS X crash reporter dialog, but does trigger Talkback.  "pure virtual method called" is printed on the console, even outside of a debugger.

gdb says:

Program received signal SIGABRT, Aborted.
0x90047e4c in kill ()
(gdb) bt
#0  0x90047e4c in kill ()
#1  0x9012dff4 in abort ()
#2  0x00435410 in nsTransactionManager::Unlock ()
#3  0x00435454 in nsTransactionManager::Unlock ()
#4  0x00068184 in nsTransactionManagerModule_NSGetModule ()
#5  0x007a0b80 in nsSVGGeometryFrame::QueryInterface ()
#6  0x2c001b6c in nsQueryInterfaceWithError::operator() ()
#7  0x2c001ccc in nsCOMPtr_base::assign_from_qi_with_error ()
#8  0x2c003a24 in NS_GetWeakReference ()
#9  0x0050caec in nsSVGValue::RemoveObserver ()
#10 0x007a0c84 in nsSVGGeometryFrame::~nsSVGGeometryFrame ()
#11 0x007e1268 in nsSVGPathGeometryFrame::~nsSVGPathGeometryFrame ()
#12 0x009f6aa8 in MOZ_Z__length_code ()
#13 0x0022af84 in nsFrame::Destroy ()
#14 0x00592624 in nsFrameList::DestroyFrame ()
#15 0x0065b420 in nsSVGOuterSVGFrame::RemoveFrame ()
#16 0x002d9a68 in nsCSSFrameConstructor::ContentRemoved ()

Talkback (TB18794268Q) says:

libSystem.B.dylib.88.1.5 + 0x47e4c (0x90047e4c)
libSystem.B.dylib.88.1.5 + 0x12dff4 (0x9012dff4)
__cxxabiv1::__unexpected()   CompareCacheHashEntryPtr::CompareCacheHashEntryPtr()   nsSVGGeometryFrame::QueryInterface() 
...      (rest of the stack looks the same)

Marking as security-sensitive because Editor code (nsTransactionManager) and SSL code (CompareCacheHashEntryPtr) don't belong at the top of these stacks.
Attached file testcase 

    
    

    
  


  
Assignee: general → tor
Status: NEW → ASSIGNED

        Attachment #222369 -
        Flags: review?(roc)

    
    

    
  
Checked in.

Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED

    
    

    
  
Was this Mac-only? I couldn't reproduce on an old trunk or 1.8 branch on windows, but the fix isn't platform-specific.

qawanted: Need to test this on 1.5.0.x and Bon Echo Mac builds and see if we need this fix on the 1.8 branches.
Flags: blocking1.8.1?
Flags: blocking1.8.0.6?
Keywords: qawanted

    
    

    
  
(In reply to comment #4)
> Was this Mac-only? I couldn't reproduce on an old trunk or 1.8 branch on
> windows, but the fix isn't platform-specific.

This crash was the side effect of reworking the svg code on the trunk.


    
  
Flags: blocking1.8.1? → blocking1.8.1+

    
    

    
  
Thanks! removing 1.8-branch nominations
Flags: blocking1.8.1+
Flags: blocking1.8.0.6?
Keywords: qawanted
Whiteboard: post-1.8 branch
Group: security
Flags: wanted1.8.1.x-
Flags: wanted1.8.0.x-

    
    

    
  
Crashtest checked in.
Flags: in-testsuite+

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: