Bug 361745 - svg viewbox=twisted and image {width,height,x,y}=twisted [@ memset - fbRasterizeTrapezoid]
Status: RESOLVED FIXED
[sg:critical?]
: crash, fixed1.8.0.15, verified1.8.1.8
Product: Core
Classification: Components
Component: Graphics
: 1.8 Branch
: x86 Mac OS X
: -- critical
: ---
Assigned To: tor
:
Mentors:
Depends on:
Blocks:
Reported: 2006-11-24 06:25 PST by georgi - hopefully not receiving bugspam
Modified: 2011-06-13 10:01 PDT (History)
16 users
mconnor: blocking1.9+
jaymoz: blocking1.8.1.2-
dveditz: blocking1.8.1.8+
dveditz: wanted1.8.1.x+
asac: blocking1.8.0.next+
jwalden+bmo: in-testsuite?
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
testcase (636 bytes, text/xml)
2006-11-24 06:26 PST, georgi - hopefully not receiving bugspam
no flags
testcase - should show red outline of square (286 bytes, image/svg+xml)
2007-07-06 13:53 PDT, tor
no flags
spec correctness - negative values for image width/height are invalid (2.66 KB, patch)
2007-07-06 13:56 PDT, tor
jwatt: review+
roc: superreview+
branch version of patch (2.35 KB, patch)
2007-10-02 12:46 PDT, tor
dveditz: review+
roc: superreview+
dveditz: approval1.8.1.8+
asac: approval1.8.0.next+

Description georgi - hopefully not receiving bugspam 2006-11-24 06:25:46 PST
svg viewbox=twisted and image {width,height,x,y}=twisted cause crash in memset
on macosx ppc 2.0 branch. trunk complains about not being able to allocate
memory.

may be related to Bug 358767

2.0-latest crashes badly
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x05b91000
0xffff9068 in ___memset_pattern () at
/System/Library/Frameworks/System.framework/PrivateHeaders/ppc/cpu_capabilities.h:193
193
/System/Library/Frameworks/System.framework/PrivateHeaders/ppc/cpu_capabilities.h:
No such file or directory.
        in
/System/Library/Frameworks/System.framework/PrivateHeaders/ppc/cpu_capabilities.h
(gdb) bt 
#0  0xffff9068 in ___memset_pattern () at
/System/Library/Frameworks/System.framework/PrivateHeaders/ppc/cpu_capabilities.h:193
#1  0x90129b30 in memset ()
#2  0x008befd4 in fbRasterizeTrapezoid ()
#3  0x007e3074 in _cairo_pixman_add_trapezoids ()
#4  0x00582e54 in _cairo_image_surface_assume_ownership_of_data ()
#5  0x005a17c0 in _cairo_surface_composite_trapezoids ()
#6  0x008bbe9c in _cairo_clip_combine_to_surface ()
#7  0x008bc000 in _cairo_clip_clip ()
#8  0x0059e260 in cairo_clip_preserve ()
#9  0x0059e21c in cairo_clip ()
#10 0x0057d254 in nsSVGCairoCanvas::SetClipRect ()
#11 0x007225fc in nsSVGImageFrame::PaintSVG ()
#12 0x006dd744 in nsSVGGFrame::PaintSVG ()
#13 0x0075c9cc in nsSVGOuterSVGFrame::Paint ()
#14 0x004c29b8 in nsContainerFrame::PaintChild ()
#15 0x004c2868 in nsContainerFrame::PaintChildren ()
#16 0x00596ed0 in nsHTMLContainerFrame::Paint ()
#17 0x006f874c in CanvasFrame::Paint ()
#18 0x00151040 in PresShell::Paint ()
#19 0x004eb70c in nsView::Paint ()
#20 0x001fafe8 in nsViewManager::RenderDisplayListElement ()
#21 0x001fa8f0 in nsViewManager::RenderViews ()
#22 0x001f9740 in nsViewManager::Refresh ()
#23 0x001fc5fc in nsViewManager::DispatchEvent ()
#24 0x004eb2f8 in ViewWrapper::GetInterface ()
#25 0x006172f0 in nsWindow::DispatchEvent ()

trunk can't allocate memory:
firefox-bin(673,0xa000ed88) malloc: *** vm_allocate(size=2639417344) failed
(error code=3)
firefox-bin(673,0xa000ed88) malloc: *** error: can't allocate region
firefox-bin(673,0xa000ed88) malloc: *** set a breakpoint in szone_error to
debug
firefox-bin(673,0xa000ed88) malloc: *** vm_allocate(size=2639417344) failed
(error code=3)
firefox-bin(673,0xa000ed88) malloc: *** error: can't allocate region
firefox-bin(673,0xa000ed88) malloc: *** set a breakpoint in szone_error to
debug
Comment 1 georgi - hopefully not receiving bugspam 2006-11-24 06:26:14 PST
Created attachment 246463 [details]
testcase
Comment 2 Jay Patel [:jay] 2006-12-27 14:37:32 PST
Not going to block for this, but assigning to Vlad for investigation.  We are willing to take a patch for this if someone can fix it.
Comment 3 georgi - hopefully not receiving bugspam 2006-12-28 00:32:47 PST
This is macosx only, so my bet is either mac-specific cairo or something wrong in macosx.
Comment 4 georgi - hopefully not receiving bugspam 2006-12-28 02:34:52 PST
oops, this is dup.

*** This bug has been marked as a duplicate of bug 363696 ***
Comment 5 georgi - hopefully not receiving bugspam 2006-12-28 02:35:58 PST
ooooops, wrong window.
Comment 6 georgi - hopefully not receiving bugspam 2007-01-05 08:28:21 PST
Modification of this causes a crash with scary registers on macosx and "broken pipe" on linux (no crash on linux).
Comment 7 chris hofmann 2007-03-01 15:19:39 PST
vlad, had a chance to look at this yet?
Comment 8 Window Snyder 2007-05-31 14:00:16 PDT
Tor, can you take this bug?  If not, please help us find someone who can.
Comment 9 tor 2007-07-06 13:53:59 PDT
Created attachment 271267 [details]
testcase - should show red outline of square
Comment 10 tor 2007-07-06 13:56:32 PDT
Created attachment 271268 [details] [diff] [review]
spec correctness - negative values for image width/height are invalid

Specification correctness fix (see second testcase), and helps us slightly in what we hand to cairo, but ultimately cairo needs to deal properly with things that exceed its internal coordinate representation.
Comment 11 Jonathan Watt [:jwatt] (back in October - email directly if necessary) 2007-07-06 17:05:45 PDT
Comment on attachment 271268 [details] [diff] [review]
spec correctness - negative values for image width/height are invalid

Can you also check the values of width/height in nsSVGImageFrame::GetImageTransform and round them up to zero if necessary?
Comment 12 tor 2007-07-09 08:40:50 PDT
(In reply to comment #11)
> (From update of attachment 271268 [details] [diff] [review])
> Can you also check the values of width/height in
> nsSVGImageFrame::GetImageTransform and round them up to zero if necessary.

This isn't strictly necessary - GetImageTransform is only called by PaintSVG, which this patches to shortcut if width/height less than zero, and GetFrameForPointSVG, which will return false because nsSVGPathGeometryFrame::GetFrameForPointSVG won't return a hit due to a null path.
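As an added illustration of the gate described in comments 10 and 12, and not the patch from this bug or any Mozilla or cairo code: a small C++ check that refuses to paint an <image> whose width or height is negative (invalid per the SVG spec) or zero, plus a second guard that the resulting clip rectangle still fits a 24.8 fixed-point coordinate range, which is assumed here to be what the rasterizer represents internally. All function and struct names are hypothetical.

```cpp
#include <cmath>
#include <cstdint>

// Hypothetical helper names; not Mozilla or cairo code.
// Assumed internal coordinate format: 24.8 fixed point, i.e. a 24-bit
// signed integer part and 8 fractional bits.
static const double kFixedMax = (double)((1 << 23) - 1);  // largest integer part
static const double kFixedMin = -(double)(1 << 23);        // smallest integer part

struct ImageRect { double x, y, width, height; };

// Per the SVG spec a negative width or height on <image> is an error and the
// element is not rendered; a zero value simply disables rendering.
// Returns true only when the image should be painted at all.
bool ShouldPaintImage(const ImageRect& r) {
  if (std::isnan(r.width) || std::isnan(r.height)) return false;
  if (r.width < 0 || r.height < 0) return false;   // invalid: skip paint entirely
  if (r.width == 0 || r.height == 0) return false; // nothing to draw
  return true;
}

// Returns true when every corner of the rectangle is representable in the
// assumed 24.8 fixed-point range. A clip rectangle that fails this check
// must not be handed to the rasterizer, because buffer sizes for the
// trapezoid fill are derived from these coordinates.
bool FitsFixedCoordinates(const ImageRect& r) {
  const double corners[] = { r.x, r.y, r.x + r.width, r.y + r.height };
  for (double v : corners) {
    if (!std::isfinite(v) || v < kFixedMin || v > kFixedMax) return false;
  }
  return true;
}

// Combined gate mirroring the shape of the fix (an early return from paint
// when the attributes are invalid), extended with the coordinate-range guard
// so that oversized geometry never reaches the clip/rasterize path.
bool SafeToClipAndPaint(const ImageRect& r) {
  return ShouldPaintImage(r) && FitsFixedCoordinates(r);
}
```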
Comment 13 tor 2007-07-12 08:41:01 PDT
Checked in on trunk.
Comment 14 Daniel Veditz [:dveditz] 2007-09-26 10:59:59 PDT
"Thebes" is probably the wrong component since this crashes the 1.8 branch too.
Comment 15 Daniel Veditz [:dveditz] 2007-09-26 11:00:38 PDT
Does the attached patch work for 1.8, or has the code changed enough that we need a different branch patch?
Comment 16 tor 2007-10-02 12:46:53 PDT
Created attachment 283234 [details] [diff] [review]
branch version of patch
Comment 17 Daniel Veditz [:dveditz] 2007-10-02 16:57:20 PDT
Comment on attachment 283234 [details] [diff] [review]
branch version of patch

The trunk and branch patches are similar enough that we're happy with just the one r/sr.

approved for 1.8.1.8, a=dveditz for release-drivers
Comment 18 tor 2007-10-03 09:32:22 PDT
Checked in on MOZILLA_1_8_BRANCH.
Comment 19 Carsten Book [:Tomcat] - PTO-back Sept 4th 2007-10-12 15:44:18 PDT
verified fixed 1.8.1.8 using Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.8) Gecko/2007100816 Firefox/2.0.0.8 and the testcase from this bug.

No crash on testcase - adding verified keyword
Comment 20 Alexander Sack 2008-02-28 06:46:30 PST
Comment on attachment 283234 [details] [diff] [review]
branch version of patch

a=asac for 1.8.0.15
Comment 21 Alexander Sack 2008-02-28 07:50:24 PST
please commit to 1.8.0 branch
Comment 22 Reed Loden [:reed] (use needinfo?) 2008-03-08 05:35:36 PST
MOZILLA_1_8_0_BRANCH:

Checking in layout/svg/base/src/nsSVGImageFrame.cpp;
/cvsroot/mozilla/layout/svg/base/src/nsSVGImageFrame.cpp,v  <--  nsSVGImageFrame.cpp
new revision: 1.11.12.2; previous revision: 1.11.12.1
done
