Closed Bug 346320 Opened 19 years ago Closed 19 years ago

crash [@ nsSVGUtils::UserSpace] when visiting page containing SVG element

Categories

(Core :: SVG, defect)

x86
All
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla1.8beta2

People

(Reporter: bugsy, Assigned: tor)

Details

(Keywords: crash, fixed1.8.1)

Attachments

(1 file)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1b1) Gecko/20060728 BonEcho/2.0b1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1b1) Gecko/20060728 BonEcho/2.0b1

When visiting the above URL, Firefox crashes. Confirmed on trunk & branch, Windows & Linux.

Reproducible: Always

TB21532676E (win branch)
TB21533904Q (linux branch)
Flags: blocking-firefox2?
From talkback ID: TB21532676E

nsSVGUtils::UserSpace [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/svg/base/src/nsSVGUtils.cpp, line 168]
nsSVGLinearGradientFrame::GetX1 [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/svg/base/src/nsSVGGradientFrame.cpp, line 1177]
CairoRadialGradient [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/svg/renderer/src/cairo/nsSVGCairoGradient.cpp, line 122]
CairoGradient [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/svg/renderer/src/cairo/nsSVGCairoGradient.cpp, line 176]
nsSVGCairoGlyphGeometry::Render [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/svg/renderer/src/cairo/nsSVGCairoGlyphGeometry.cpp, line 305]
nsSVGGlyphFrame::PaintSVG [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/svg/base/src/nsSVGGlyphFrame.cpp, line 463]
nsSVGTextFrame::PaintSVG [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/svg/base/src/nsSVGTextFrame.cpp, line 544]
nsSVGGFrame::PaintSVG [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/svg/base/src/nsSVGGFrame.cpp, line 134]
nsSVGOuterSVGFrame::Paint [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/svg/base/src/nsSVGOuterSVGFrame.cpp, line 845]
nsContainerFrame::PaintChild [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsContainerFrame.cpp, line 283]
nsContainerFrame::PaintChildren [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsContainerFrame.cpp, line 228]
nsHTMLContainerFrame::Paint [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsHTMLContainerFrame.cpp, line 84]
CanvasFrame::Paint [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsHTMLFrame.cpp, line 385]
PresShell::Paint [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5825]
nsView::Paint [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 316]
nsViewManager::RenderDisplayListElement [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 1460]
nsViewManager::RenderViews [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 1375]
nsViewManager::Refresh [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 930]
nsViewManager::DispatchEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2047]
HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 174]
nsWindow::DispatchEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1348]
nsWindow::ProcessMessage [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 4564]
nsWindow::WindowProc [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1536]
USER32.DLL + 0x3158f (0x77e4158f)
USER32.DLL + 0x2c19d (0x77e3c19d)
USER32.DLL + 0x2c1ca (0x77e3c1ca)
ntdll.dll + 0x11baf (0x77f91baf)
USER32.DLL + 0x31e7e (0x77e41e7e)
nsAppStartup::Run [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 152]
main [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
KERNEL32.dll + 0x28989 (0x7c598989)
Assignee: nobody → general
Component: General → SVG
Flags: blocking-firefox2?
Product: Firefox → Core
QA Contact: general → ian
Summary: crash when visiting page containing SVG element → crash [@ nsSVGUtils::UserSpace] when visiting page containing SVG element
Version: unspecified → Trunk
Keywords: crash, talkbackid
Status: UNCONFIRMED → NEW
Ever confirmed: true
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20060727 Minefield/3.0a1 ID:2006072722 [cairo] WFM
No good here.

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1b1) Gecko/20060727 BonEcho/2.0b1

GDB's stacktrace:

#0 0xb49d7bb9 in nsSVGUtils::UserSpace (content=0x9390d30, length=0x939d978, direction=nsSVGUtils::X) at /home/mikew/work/two_oh/mozilla/layout/svg/base/src/nsSVGUtils.cpp:168
#1 0xb49a803f in nsSVGRadialGradientFrame::GetCx (this=0x928b29c, aCx=0xbff2e4fc) at /home/mikew/work/two_oh/mozilla/layout/svg/base/src/nsSVGGradientFrame.cpp:1177
#2 0xb4a445e0 in CairoRadialGradient (ctx=<value optimized out>, aGrad=<value optimized out>) at /home/mikew/work/two_oh/mozilla/layout/svg/renderer/src/cairo/nsSVGCairoGradient.cpp:121
#3 0xb4a449b3 in CairoGradient (ctx=0x937e808, aGrad=0x928b2f4, aSource=0x92bfda4) at /home/mikew/work/two_oh/mozilla/layout/svg/renderer/src/cairo/nsSVGCairoGradient.cpp:176
#4 0xb4a4397c in nsSVGCairoGlyphGeometry::Render (this=0x932e9c0, canvas=0x9295c28) at /home/mikew/work/two_oh/mozilla/layout/svg/renderer/src/cairo/nsSVGCairoGlyphGeometry.cpp:305
#5 0xb49a4017 in nsSVGGlyphFrame::PaintSVG (this=0x92bfd6c, canvas=0x9295c28, dirtyRectTwips=@0xbff2ec90) at /home/mikew/work/two_oh/mozilla/layout/svg/base/src/nsSVGGlyphFrame.cpp:462
#6 0xb49d35ea in nsSVGTSpanFrame::PaintSVG (this=0x92bfcbc, canvas=0x9295c28, dirtyRectTwips=@0xbff2ec90) at /home/mikew/work/two_oh/mozilla/layout/svg/base/src/nsSVGTSpanFrame.cpp:323
#7 0xb49cc0fa in nsSVGTextFrame::PaintSVG (this=0x92bfbb8, canvas=0x9295c28, dirtyRectTwips=@0xbff2ec90) at /home/mikew/work/two_oh/mozilla/layout/svg/base/src/nsSVGTextFrame.cpp:543
#8 0xb49a07c0 in nsSVGGFrame::PaintSVG (this=0x92bf6d0, canvas=0x9295c28, dirtyRectTwips=@0xbff2ec90) at /home/mikew/work/two_oh/mozilla/layout/svg/base/src/nsSVGGFrame.cpp:138
#9 0xb49ba307 in nsSVGOuterSVGFrame::Paint (this=0x92c463c, aPresContext=0x935d2b0, aRenderingContext=@0x8c09220, aDirtyRect=@0xbff2ec90, aWhichLayer=eFramePaintLayer_Overlay, aFlags=0) at /home/mikew/work/two_oh/mozilla/layout/svg/base/src/nsSVGOuterSVGFrame.cpp:849
#10 0xb4501af6 in nsContainerFrame::PaintChild (this=0x935dff0, aPresContext=0x935d2b0, aRenderingContext=@0x8c09220, aDirtyRect=@0xbff2eea8, aFrame=0x92c463c, aWhichLayer=eFramePaintLayer_Overlay, aFlags=0) at /home/mikew/work/two_oh/mozilla/layout/generic/nsContainerFrame.cpp:282
#11 0xb44ff843 in nsContainerFrame::PaintChildren (this=0x935dff0, aPresContext=0x935d2b0, aRenderingContext=@0x8c09220, aDirtyRect=@0xbff2eea8, aWhichLayer=eFramePaintLayer_Overlay, aFlags=0) at /home/mikew/work/two_oh/mozilla/layout/generic/nsContainerFrame.cpp:227
#12 0xb4528451 in nsHTMLContainerFrame::Paint (this=0x935dff0, aPresContext=0x935d2b0, aRenderingContext=@0x8c09220, aDirtyRect=@0xbff2eea8, aWhichLayer=eFramePaintLayer_Overlay, aFlags=0) at /home/mikew/work/two_oh/mozilla/layout/generic/nsHTMLContainerFrame.cpp:83
#13 0xb452904c in CanvasFrame::Paint (this=0x935dff0, aPresContext=0x935d2b0, aRenderingContext=@0x8c09220, aDirtyRect=@0xbff2eea8, aWhichLayer=eFramePaintLayer_Overlay, aFlags=0) at /home/mikew/work/two_oh/mozilla/layout/generic/nsHTMLFrame.cpp:383
#14 0xb44c6560 in PresShell::Paint (this=0x937bdf8, aView=0x8b04160, aRenderingContext=@0x8c09220, aDirtyRect=@0xbff2eea8) at /home/mikew/work/two_oh/mozilla/layout/base/nsPresShell.cpp:5823
#15 0xb488ffe8 in nsView::Paint (this=0x8b04160, rc=@0x8c09220, rect=@0xbff2eea8, aPaintFlags=0, aResult=@0xbff2eec8) at /home/mikew/work/two_oh/mozilla/view/src/nsView.cpp:314
#16 0xb4893c7c in nsViewManager::RenderDisplayListElement (this=0x935a340, element=0x933bb50, aRC=0x8c09220) at /home/mikew/work/two_oh/mozilla/view/src/nsViewManager.cpp:1458
#17 0xb489b01f in nsViewManager::RenderViews (this=0x935a340, aRootView=0x8f53828, aRC=@0x8c09220, aRegion=@0xbff2f084, aRCSurface=0x9237348, aDisplayList=@0xbff2f054) at /home/mikew/work/two_oh/mozilla/view/src/nsViewManager.cpp:1373
#18 0xb489c1dd in nsViewManager::Refresh (this=0x935a340, aView=0x8f53828, aContext=0x8c09220, aRegion=0x926d5e0, aUpdateFlags=<value optimized out>) at /home/mikew/work/two_oh/mozilla/view/src/nsViewManager.cpp:929
#19 0xb489d45d in nsViewManager::DispatchEvent (this=0x935a340, aEvent=0xbff2f298, aStatus=0xbff2f234) at /home/mikew/work/two_oh/mozilla/view/src/nsViewManager.cpp:2045
#20 0xb488f7a9 in HandleEvent (aEvent=0xbff2f298) at /home/mikew/work/two_oh/mozilla/view/src/nsView.cpp:171
#21 0xb676f8a8 in nsCommonWidget::DispatchEvent (this=0x8bb0310, aEvent=0xbff2f298, aStatus=@0xbff2f2e4) at /home/mikew/work/two_oh/mozilla/widget/src/gtk2/nsCommonWidget.cpp:219
#22 0xb67658db in nsWindow::OnExposeEvent (this=0x8bb0310, aWidget=0x8461db0, aEvent=0xbff2f854) at /home/mikew/work/two_oh/mozilla/widget/src/gtk2/nsWindow.cpp:1428
#23 0xb676596a in expose_event_cb (widget=0x8461db0, event=0xbff2f854) at /home/mikew/work/two_oh/mozilla/widget/src/gtk2/nsWindow.cpp:3724
#24 0xb7bd68fe in gtk_marshal_BOOLEAN__VOID () from /opt/gnome/lib/libgtk-x11-2.0.so.0
#25 0xb792e8bd in g_closure_invoke () from /opt/gnome/lib/libgobject-2.0.so.0
#26 0xb793f243 in g_signal_connect_closure_by_id () from /opt/gnome/lib/libgobject-2.0.so.0
#27 0xb794088f in g_signal_emit_valist () from /opt/gnome/lib/libgobject-2.0.so.0
#28 0xb7940c95 in g_signal_emit () from /opt/gnome/lib/libgobject-2.0.so.0
#29 0xb7cc15e8 in gtk_widget_get_default_style () from /opt/gnome/lib/libgtk-x11-2.0.so.0
#30 0xb7bd1645 in gtk_main_do_event () from /opt/gnome/lib/libgtk-x11-2.0.so.0
#31 0xb7a4d15f in gdk_window_is_viewable () from /opt/gnome/lib/libgdk-x11-2.0.so.0
#32 0xb7a4d317 in gdk_window_process_all_updates () from /opt/gnome/lib/libgdk-x11-2.0.so.0
#33 0xb7a4d395 in gdk_window_process_all_updates () from /opt/gnome/lib/libgdk-x11-2.0.so.0
#34 0xb78c20a1 in g_list_copy () from /opt/gnome/lib/libglib-2.0.so.0
#35 0xb78c3abd in g_main_context_dispatch () from /opt/gnome/lib/libglib-2.0.so.0
#36 0xb78c6cbf in g_main_context_check () from /opt/gnome/lib/libglib-2.0.so.0
#37 0xb78c7069 in g_main_loop_run () from /opt/gnome/lib/libglib-2.0.so.0
#38 0xb7bd19e4 in gtk_main () from /opt/gnome/lib/libgtk-x11-2.0.so.0
#39 0xb676d18b in nsAppShell::Run (this=0x81d7108) at /home/mikew/work/two_oh/mozilla/widget/src/gtk2/nsAppShell.cpp:139
#40 0xb5c61307 in nsAppStartup::Run (this=0x81d70c0) at /home/mikew/work/two_oh/mozilla/toolkit/components/startup/src/nsAppStartup.cpp:151
#41 0x08050fc6 in XRE_main (argc=1, argv=0xbff2fe04, aAppData=0x8069860) at /home/mikew/work/two_oh/mozilla/toolkit/xre/nsAppRunner.cpp:2438
WFM - trunk.
Used to crash here, but WFM now with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060730 Minefield/3.0a1 ID:2006073004 [cairo]
Assignee: general → tor
Status: NEW → ASSIGNED
Attachment #231462 - Flags: review?(scootermorris)
Comment on attachment 231462: use right content for user-space text gradient

Man, this is the exception that keeps on giving. It makes me wonder if we've got the right inheritance model for svgGlyphFrame. Oh well, thanks for fixing it!
Attachment #231462 - Flags: review?(scootermorris) → review+
Attachment #231462 - Flags: superreview?(bzbarsky)
Flags: blocking1.8.1?
Target Milestone: --- → mozilla1.8beta2
Attachment #231462 - Flags: superreview?(bzbarsky) → superreview+
Attachment #231462 - Flags: approval1.8.1?
Attachment #231462 - Flags: approval1.8.1? → approval1.8.1+
Checked in on MOZILLA_1_8_BRANCH.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Flags: blocking1.8.1?
Keywords: fixed1.8.1
Resolution: --- → FIXED
Crash Signature: [@ nsSVGUtils::UserSpace]