SVG "circles" example crashes Firefox [@ nsSVGUtils::WillModifyEffects]

Status: VERIFIED FIXED
Product: Core
Component: SVG
Severity: blocker
Reported: 11 years ago
Modified: 10 years ago
Reporter: Jesse Ruderman
Assigned: Benjamin Smedberg
Keywords: crash, regression, testcase
Version: Trunk
Hardware: PowerPC
OS: Mac OS X
Bug Flags: in-testsuite +
Attachments: 2

(Reporter)

Description

11 years ago
Loading http://croczilla.com/svg/samples/circles1/circles1.svg crashes Firefox.  Since this is a crash regression in a simple, canonical SVG example, I'm giving this bug the "blocker" severity.

Comment 1

11 years ago
Seems to happen on Linux too, see TB26059427 and TB26037978

Comment 2

11 years ago
Those stack traces indicate that we have an invalid frame tree - notably with a nsSVGGlyphFrame which shouldn't exist for this example.  This suggests that the QI at http://lxr.mozilla.org/seamonkey/source/layout/base/nsCSSFrameConstructor.cpp#5475  didn't give the right answer.

Comment 3

11 years ago
Maybe we just need to set metrics to nsnull a couple lines earlier, if the QI doesn't set it to null for a non-match?
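The failure mode comments 2 and 3 describe, as an added example that is not Mozilla's code: a model of an XPCOM-style QueryInterface that leaves its out-pointer untouched on a non-match, so a caller that tests the pointer rather than the nsresult sees a leftover value and builds a glyph frame for a plain circle. The Fake* names, the IID values and the `stale` pointer are constructed stand-ins; both the QI-side fix (null on every failure path) and the caller-side fix from comment 3 (initialize the local to null) are shown.

```cpp
#include <cstdint>

typedef uint32_t nsresult;
static const nsresult NS_OK = 0;
static const nsresult NS_NOINTERFACE = 0x80004002u;
enum FakeIID { kIID_Frame = 1, kIID_TextMetrics = 2 };   // constructed IIDs

struct FakeTextMetrics { int glyphs; };

// Stand-in for a geometry frame (a circle's frame): it implements
// kIID_Frame only, never the text-metrics interface.
struct FakeGeometryFrame {
  // Buggy QI: on a non-matching IID it returns an error but leaves *aOut
  // holding whatever the caller's variable already contained.
  nsresult QueryInterface_Buggy(FakeIID aIID, void** aOut) {
    if (aIID == kIID_Frame) { *aOut = this; return NS_OK; }
    return NS_NOINTERFACE;
  }
  // Fixed QI: every failure path writes null into the out-pointer.
  nsresult QueryInterface_Fixed(FakeIID aIID, void** aOut) {
    *aOut = nullptr;
    if (aIID == kIID_Frame) { *aOut = this; return NS_OK; }
    return NS_NOINTERFACE;
  }
};

// Models the caller (ConstructTextFrame) deciding on the result pointer
// rather than on the nsresult, as comment 3 implies. Returns true when an
// SVG glyph frame would be built for `frame`. `stale` is a constructed
// stand-in for whatever an uninitialized local `metrics` happened to hold;
// `initLocal` applies comment 3's caller-side fix, `fixedQI` the QI-side fix.
bool WouldBuildGlyphFrame(FakeGeometryFrame* frame, FakeTextMetrics* stale,
                          bool fixedQI, bool initLocal) {
  FakeTextMetrics* metrics = initLocal ? nullptr : stale;
  void** out = reinterpret_cast<void**>(&metrics);
  if (fixedQI) frame->QueryInterface_Fixed(kIID_TextMetrics, out);
  else         frame->QueryInterface_Buggy(kIID_TextMetrics, out);
  return metrics != nullptr;   // non-null here means "build a glyph frame"
}

// The matching IID still resolves after the fix.
bool FrameIIDStillResolves(FakeGeometryFrame* frame) {
  void* out = nullptr;
  return frame->QueryInterface_Fixed(kIID_Frame, &out) == NS_OK && out == frame;
}
```

Only the combination of a leftover non-null local and the buggy QI yields a glyph frame for the circle; either fix alone is enough to stop it.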
(Assignee)

Comment 4

11 years ago
Created attachment 245714 [details] [diff] [review]
Fix failure case to null, rev. 1
Assignee: general → benjamin
Status: NEW → ASSIGNED
Attachment #245714 - Flags: review?(dbaron)
Attachment #245714 - Flags: review?(dbaron) → review+

Comment 5

11 years ago
Reproduced with SeaMonkey/2006111508-trunk/WinXP

TB26080531H

Incident ID: 26080531
Stack Signature	nsSVGGeometryFrame::QueryInterface ce142481
Product ID	MozillaTrunk
Build ID	2006111508
Trigger Time	2006-11-16 03:55:50.0
Platform	Win32
Operating System	Windows NT 5.1 build 2600
Module	gklayout.dll + (001f300e)
URL visited	http://croczilla.com/svg/samples/circles1/circles1.svg
User Comments	https://bugzilla.mozilla.org/show_bug.cgi?id=360836
Since Last Crash	14790 sec
Total Uptime	14790 sec
Trigger Reason	Access violation
Source File, Line No.	d:\builds\tinderbox\seamonkeytrunk\winnt_5.2_clobber\mozilla\layout\svg\base\src\nssvggeometryframe.cpp, line 49
Stack Trace
nsSVGGeometryFrame::QueryInterface  [mozilla\layout\svg\base\src\nssvggeometryframe.cpp, line 49]
nsSVGGlyphFrame::GetTextFrame  [mozilla\layout\svg\base\src\nssvgglyphframe.cpp, line 1345]
nsCSSFrameConstructor::ConstructTextFrame  [mozilla\layout\base\nscssframeconstructor.cpp, line 5496]
nsCSSFrameConstructor::ConstructFrameInternal  [mozilla\layout\base\nscssframeconstructor.cpp, line 7884]
nsCSSFrameConstructor::ConstructFrame  [mozilla\layout\base\nscssframeconstructor.cpp, line 7793]
nsCSSFrameConstructor::ProcessChildren  [mozilla\layout\base\nscssframeconstructor.cpp, line 11611]
nsCSSFrameConstructor::ConstructDocElementFrame  [mozilla\layout\base\nscssframeconstructor.cpp, line 4611]
nsCSSFrameConstructor::ContentInserted  [mozilla\layout\base\nscssframeconstructor.cpp, line 9174]

Comment 6

11 years ago
Created attachment 245757 [details] [diff] [review]
fix svg iid accessors
Attachment #245757 - Flags: superreview?(benjamin)
Attachment #245757 - Flags: review?(benjamin)
(Reporter)

Comment 7

11 years ago
I still see the crash using (only) the patch in comment 4.  I haven't tried the patch in comment 6 yet.
(Assignee)

Updated

11 years ago
Attachment #245757 - Flags: superreview?(benjamin)
Attachment #245757 - Flags: review?(benjamin)
Attachment #245757 - Flags: review+

Comment 8

11 years ago
Both patches are in - testcase works now.
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
*** Bug 360952 has been marked as a duplicate of this bug. ***
Verified FIXED using build 2006-11-17-08 of SeaMonkey trunk under Windows XP; no crash.
Status: RESOLVED → VERIFIED
(Reporter)

Comment 11

10 years ago
Crashtest checked in.
Flags: in-testsuite+
Crash Signature: [@ nsSVGUtils::WillModifyEffects]