Closed
Bug 338312
Opened 18 years ago
Closed 18 years ago
Moving SVG element that uses a gradient fill out of the <svg:svg> kills Firefox
Categories
(Core :: SVG, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: jruderman, Assigned: tor)
References
Details
(Keywords: crash, testcase, Whiteboard: post-1.8 branch)
Attachments
(2 files)
436 bytes,
application/xhtml+xml
|
Details | |
2.26 KB,
patch
|
roc
:
review+
roc
:
superreview+
|
Details | Diff | Splinter Review |
This is with a trunk nightly (2006-05-17) on Mac. It makes Firefox crash in a way that doesn't trigger the Mac OS X crash reporter dialog, but does trigger Talkback. "pure virtual method called" is printed on the console, even outside of a debugger. gdb says: Program received signal SIGABRT, Aborted. 0x90047e4c in kill () (gdb) bt #0 0x90047e4c in kill () #1 0x9012dff4 in abort () #2 0x00435410 in nsTransactionManager::Unlock () #3 0x00435454 in nsTransactionManager::Unlock () #4 0x00068184 in nsTransactionManagerModule_NSGetModule () #5 0x007a0b80 in nsSVGGeometryFrame::QueryInterface () #6 0x2c001b6c in nsQueryInterfaceWithError::operator() () #7 0x2c001ccc in nsCOMPtr_base::assign_from_qi_with_error () #8 0x2c003a24 in NS_GetWeakReference () #9 0x0050caec in nsSVGValue::RemoveObserver () #10 0x007a0c84 in nsSVGGeometryFrame::~nsSVGGeometryFrame () #11 0x007e1268 in nsSVGPathGeometryFrame::~nsSVGPathGeometryFrame () #12 0x009f6aa8 in MOZ_Z__length_code () #13 0x0022af84 in nsFrame::Destroy () #14 0x00592624 in nsFrameList::DestroyFrame () #15 0x0065b420 in nsSVGOuterSVGFrame::RemoveFrame () #16 0x002d9a68 in nsCSSFrameConstructor::ContentRemoved () Talkback (TB18794268Q) says: libSystem.B.dylib.88.1.5 + 0x47e4c (0x90047e4c) libSystem.B.dylib.88.1.5 + 0x12dff4 (0x9012dff4) __cxxabiv1::__unexpected() CompareCacheHashEntryPtr::CompareCacheHashEntryPtr() nsSVGGeometryFrame::QueryInterface() ... (rest of the stack looks the same) Marking as security-sensitive because Editor code (nsTransactionManager) and SSL code (CompareCacheHashEntryPtr) don't belong at the top of these stacks.
Reporter | ||
Comment 1•18 years ago
|
||
Attachment #222369 -
Flags: superreview+
Attachment #222369 -
Flags: review?(roc)
Attachment #222369 -
Flags: review+
Checked in.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment 4•18 years ago
|
||
Was this Mac-only? I couldn't reproduce on an old trunk or 1.8 branch on windows, but the fix isn't platform-specific. qawanted: Need to test this on 1.5.0.x and Bon Echo Mac builds and see if we need this fix on the 1.8 branches.
(In reply to comment #4) > Was this Mac-only? I couldn't reproduce on an old trunk or 1.8 branch on > windows, but the fix isn't platform-specific. This crash was the side effect of reworking the svg code on the trunk.
Updated•18 years ago
|
Flags: blocking1.8.1? → blocking1.8.1+
Comment 6•18 years ago
|
||
Thanks! removing 1.8-branch nominations
Updated•17 years ago
|
Group: security
Flags: wanted1.8.1.x-
Flags: wanted1.8.0.x-
You need to log in
before you can comment on or make changes to this bug.
Description
•