Closed
Bug 360836
Opened 18 years ago
Closed 18 years ago
SVG "circles" example crashes Firefox [@ nsSVGUtils::WillModifyEffects]
Categories
(Core :: SVG, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: jruderman, Assigned: benjamin)
References
()
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(2 files)
712 bytes,
patch
|
dbaron
:
review+
|
Details | Diff | Splinter Review |
4.97 KB,
patch
|
benjamin
:
review+
|
Details | Diff | Splinter Review |
Loading http://croczilla.com/svg/samples/circles1/circles1.svg crashes Firefox. Since this is a crash regression in a simple, canonical SVG example, I'm giving this bug the "blocker" severity.
Comment 1•18 years ago
|
||
Seems to happen on Linux too, see TB26059427 and TB26037978
Those stack traces indicate that we have an invalid frame tree - notably with a nsSVGGlyphFrame which shouldn't exist for this example. This suggests that the QI at http://lxr.mozilla.org/seamonkey/source/layout/base/nsCSSFrameConstructor.cpp#5475 didn't give the right answer.
Maybe we just need to set metrics to nsnull a couple lines earlier, if the QI doesn't set it to null for a non-match?
Assignee | ||
Comment 4•18 years ago
|
||
Attachment #245714 -
Flags: review?(dbaron) → review+
reproduce with SeaMonkey/2006111508-trunk/WinXP TB26080531H Incident ID: 26080531 Stack Signature nsSVGGeometryFrame::QueryInterface ce142481 Product ID MozillaTrunk Build ID 2006111508 Trigger Time 2006-11-16 03:55:50.0 Platform Win32 Operating System Windows NT 5.1 build 2600 Module gklayout.dll + (001f300e) URL visited http://croczilla.com/svg/samples/circles1/circles1.svg User Comments https://bugzilla.mozilla.org/show_bug.cgi?id=360836 Since Last Crash 14790 sec Total Uptime 14790 sec Trigger Reason Access violation Source File, Line No. d:\builds\tinderbox\seamonkeytrunk\winnt_5.2_clobber\mozilla\layout\svg\base\src\nssvggeometryframe.cpp, line 49 Stack Trace nsSVGGeometryFrame::QueryInterface [mozilla\layout\svg\base\src\nssvggeometryframe.cpp, line 49] nsSVGGlyphFrame::GetTextFrame [mozilla\layout\svg\base\src\nssvgglyphframe.cpp, line 1345] nsCSSFrameConstructor::ConstructTextFrame [mozilla\layout\base\nscssframeconstructor.cpp, line 5496] nsCSSFrameConstructor::ConstructFrameInternal [mozilla\layout\base\nscssframeconstructor.cpp, line 7884] nsCSSFrameConstructor::ConstructFrame [mozilla\layout\base\nscssframeconstructor.cpp, line 7793] nsCSSFrameConstructor::ProcessChildren [mozilla\layout\base\nscssframeconstructor.cpp, line 11611] nsCSSFrameConstructor::ConstructDocElementFrame [mozilla\layout\base\nscssframeconstructor.cpp, line 4611] nsCSSFrameConstructor::ContentInserted [mozilla\layout\base\nscssframeconstructor.cpp, line 9174]
Attachment #245757 -
Flags: superreview?(benjamin)
Attachment #245757 -
Flags: review?(benjamin)
Reporter | ||
Comment 7•18 years ago
|
||
I still see the crash using (only) the patch in comment 4. I haven't tried the patch in comment 6 yet.
Assignee | ||
Updated•18 years ago
|
Attachment #245757 -
Flags: superreview?(benjamin)
Attachment #245757 -
Flags: review?(benjamin)
Attachment #245757 -
Flags: review+
Both patches are in - testcase works now.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment 9•18 years ago
|
||
*** Bug 360952 has been marked as a duplicate of this bug. ***
Verified FIXED using build 2006-11-17-08 of SeaMonkey trunk under Windows XP; no crash.
Status: RESOLVED → VERIFIED
Updated•13 years ago
|
Crash Signature: [@ nsSVGUtils::WillModifyEffects]
You need to log in
before you can comment on or make changes to this bug.
Description
•