svg viewbox=twisted and image {width,height,x,y}=twisted [@ memset - fbRasterizeTrapezoid]

RESOLVED FIXED

Status

Core
Graphics
--
critical
RESOLVED FIXED
11 years ago
6 years ago

People

(Reporter: georgi - hopefully not receiving bugspam, Assigned: tor)

Tracking

({crash, fixed1.8.0.15, verified1.8.1.8})

1.8 Branch
x86
Mac OS X
crash, fixed1.8.0.15, verified1.8.1.8
Points:
---
Bug Flags:
blocking1.9 +
blocking1.8.1.2 -
blocking1.8.1.8 +
wanted1.8.1.x +
blocking1.8.0.next +
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?], crash signature)

Attachments

(4 attachments)

svg viewbox=twisted and image {width,height,x,y}=twisted cause crash in memset on macosx ppc 2.0 branch. trunk complains about not being able to allocate memory.

may be related to Bug 358767

2.0-latest crashes badly
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x05b91000
0xffff9068 in ___memset_pattern () at /System/Library/Frameworks/System.framework/PrivateHeaders/ppc/cpu_capabilities.h:193
193	/System/Library/Frameworks/System.framework/PrivateHeaders/ppc/cpu_capabilities.h: No such file or directory.
	in /System/Library/Frameworks/System.framework/PrivateHeaders/ppc/cpu_capabilities.h
(gdb) bt
#0  0xffff9068 in ___memset_pattern () at /System/Library/Frameworks/System.framework/PrivateHeaders/ppc/cpu_capabilities.h:193
#1  0x90129b30 in memset ()
#2  0x008befd4 in fbRasterizeTrapezoid ()
#3  0x007e3074 in _cairo_pixman_add_trapezoids ()
#4  0x00582e54 in _cairo_image_surface_assume_ownership_of_data ()
#5  0x005a17c0 in _cairo_surface_composite_trapezoids ()
#6  0x008bbe9c in _cairo_clip_combine_to_surface ()
#7  0x008bc000 in _cairo_clip_clip ()
#8  0x0059e260 in cairo_clip_preserve ()
#9  0x0059e21c in cairo_clip ()
#10 0x0057d254 in nsSVGCairoCanvas::SetClipRect ()
#11 0x007225fc in nsSVGImageFrame::PaintSVG ()
#12 0x006dd744 in nsSVGGFrame::PaintSVG ()
#13 0x0075c9cc in nsSVGOuterSVGFrame::Paint ()
#14 0x004c29b8 in nsContainerFrame::PaintChild ()
#15 0x004c2868 in nsContainerFrame::PaintChildren ()
#16 0x00596ed0 in nsHTMLContainerFrame::Paint ()
#17 0x006f874c in CanvasFrame::Paint ()
#18 0x00151040 in PresShell::Paint ()
#19 0x004eb70c in nsView::Paint ()
#20 0x001fafe8 in nsViewManager::RenderDisplayListElement ()
#21 0x001fa8f0 in nsViewManager::RenderViews ()
#22 0x001f9740 in nsViewManager::Refresh ()
#23 0x001fc5fc in nsViewManager::DispatchEvent ()
#24 0x004eb2f8 in ViewWrapper::GetInterface ()
#25 0x006172f0 in nsWindow::DispatchEvent ()

trunk can't allocate memory:
firefox-bin(673,0xa000ed88) malloc: *** vm_allocate(size=2639417344) failed (error code=3)
firefox-bin(673,0xa000ed88) malloc: *** error: can't allocate region
firefox-bin(673,0xa000ed88) malloc: *** set a breakpoint in szone_error to debug
firefox-bin(673,0xa000ed88) malloc: *** vm_allocate(size=2639417344) failed (error code=3)
firefox-bin(673,0xa000ed88) malloc: *** error: can't allocate region
firefox-bin(673,0xa000ed88) malloc: *** set a breakpoint in szone_error to debug
Created attachment 246463 [details]
testcase

Updated

10 years ago
Severity: normal → critical
Component: General → GFX: Thebes
Flags: blocking1.8.1.2?
Keywords: crash
Product: Firefox → Core
QA Contact: general → thebes
Summary: svg viewbox=twisted and image {width,height,x,y}=twisted → svg viewbox=twisted and image {width,height,x,y}=twisted [@ memset - fbRasterizeTrapezoid]
Whiteboard: DUPEME
Version: 2.0 Branch → 1.8 Branch

Comment 2

10 years ago
Not going to block for this, but assigning to Vlad for investigation.  We are willing to take a patch for this if someone can fix it.
Assignee: nobody → vladimir
Flags: blocking1.8.1.2? → blocking1.8.1.2-
this is macosx only so my bet is either mac specific cairo or something wrong in macosx.
oops, this is dup.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 363696
ooooops, wrong window.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
modification of this causes crash with scary registers on macosx and "broken pipe" on linux (no crash on linux).

Updated

10 years ago
Whiteboard: DUPEME → [sg:critical?] DUPEME

Comment 7

10 years ago
vlad, had a chance to look at this yet?

Updated

10 years ago
Flags: blocking1.9+

Comment 8

10 years ago
Tor, can you take this bug? If not, please help us find someone who can.
Assignee: vladimir → tor
Status: REOPENED → NEW
(Assignee)

Comment 9

10 years ago
Created attachment 271267 [details]
testcase - should show red outline of square
(Assignee)

Comment 10

10 years ago
Created attachment 271268 [details] [diff] [review]
spec correctness - negative values for image width/height are invalid

Specification correctness fix (see second testcase), and helps us slightly in what we hand to cairo, but ultimately cairo needs to deal properly with things that exceed its internal coordinate representation.
Attachment #271268 - Flags: superreview?(roc)
Attachment #271268 - Flags: review?(jwatt)
Comment on attachment 271268 [details] [diff] [review]
spec correctness - negative values for image width/height are invalid

Can you also check the values of width/height in nsSVGImageFrame::GetImageTransform and round them up to zero if necessary.
Attachment #271268 - Flags: review?(jwatt) → review+

Updated

10 years ago
Whiteboard: [sg:critical?] DUPEME → [sg:critical?]
(Assignee)

Comment 12

10 years ago
(In reply to comment #11)
> (From update of attachment 271268 [details] [diff] [review])
> Can you also check the values of width/height in
> nsSVGImageFrame::GetImageTransform and round them up to zero if necessary.

This isn't strictly necessary - GetImageTransform is only called by PaintSVG, which this patches to shortcut if width/height less than zero, and GetFrameForPointSVG, which will return false because nsSVGPathGeometryFrame::GetFrameForPointSVG won't return a hit due to a null path.
Attachment #271268 - Flags: superreview?(roc) → superreview+
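The guard that comments 10 and 12 describe, as an added C++ illustration (this is not the attached Mozilla patch, which is not shown on this page): negative width/height is rejected before painting per the SVG spec, zero is treated as "not rendered", and coordinates are clamped to an assumed 24.8 fixed-point range so values like the oversized ones in the testcase cannot overflow the rasterizer's internal representation. The ImageRect struct, the function names and the kFixedMax/kFixedMin bounds are assumptions of this example, not names from nsSVGImageFrame.cpp.

```cpp
// Added illustration, not Mozilla's patch. Validates SVG <image> geometry
// before it is handed to a clip/rasterize path such as the cairo one in the
// crash stack above.
#include <cmath>

struct ImageRect { double x, y, width, height; };   // assumed helper type

enum class PaintDecision { Render, SkipNotRendered, SkipInvalid };

// Spec rule (SVG 1.1 <image>): a negative width or height is an error and the
// element is not rendered; a zero width or height disables rendering.
// Non-finite values are rejected as well since they are never meaningful here.
PaintDecision ClassifyImageRect(const ImageRect& r) {
    if (!std::isfinite(r.x) || !std::isfinite(r.y) ||
        !std::isfinite(r.width) || !std::isfinite(r.height))
        return PaintDecision::SkipInvalid;
    if (r.width < 0 || r.height < 0) return PaintDecision::SkipInvalid;
    if (r.width == 0 || r.height == 0) return PaintDecision::SkipNotRendered;
    return PaintDecision::Render;
}

// Assumed 24.8 fixed-point range (cairo_fixed_t style): the integer part must
// fit in 24 signed bits, so a double outside this range would overflow when
// converted. Clamping keeps the rasterizer from receiving such a coordinate.
constexpr double kFixedMax = 8388607.0;    // 2^23 - 1
constexpr double kFixedMin = -8388608.0;   // -2^23

double ClampToFixedRange(double v) {
    if (v > kFixedMax) return kFixedMax;
    if (v < kFixedMin) return kFixedMin;
    return v;
}

// Builds a clip rectangle that is safe to pass on, or returns false when the
// element must not be painted at all (invalid, not rendered, or entirely
// outside the representable range).
bool SafeClipRect(const ImageRect& in, ImageRect* out) {
    if (ClassifyImageRect(in) != PaintDecision::Render) return false;
    double x0 = ClampToFixedRange(in.x);
    double y0 = ClampToFixedRange(in.y);
    double x1 = ClampToFixedRange(in.x + in.width);
    double y1 = ClampToFixedRange(in.y + in.height);
    *out = { x0, y0, x1 - x0, y1 - y0 };
    return out->width > 0 && out->height > 0;
}
```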
(Assignee)

Comment 13

10 years ago
Checked in on trunk.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.7?
"Thebes" is probably the wrong component since this crashes the 1.8 branch too.
Does the attached patch work for 1.8, or has the code changed enough that we need a different branch patch?
Flags: blocking1.8.1.8? → blocking1.8.1.8+
(Assignee)

Comment 16

10 years ago
Created attachment 283234 [details] [diff] [review]
branch version of patch
Attachment #283234 - Flags: superreview?(roc)
Attachment #283234 - Flags: review?(jwatt)
Attachment #283234 - Flags: superreview?(roc) → superreview+
Comment on attachment 283234 [details] [diff] [review]
branch version of patch

The trunk and branch patches are similar enough that we're happy with just the one r/sr.

approved for 1.8.1.8, a=dveditz for release-drivers
Attachment #283234 - Flags: review?(jwatt)
Attachment #283234 - Flags: review+
Attachment #283234 - Flags: approval1.8.1.8+
(Assignee)

Comment 18

10 years ago
Checked in on MOZILLA_1_8_BRANCH.
Keywords: fixed1.8.1.8
Flags: in-testsuite?
verified fixed 1.8.1.8 using Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.8) Gecko/2007100816 Firefox/2.0.0.8 and the testcase from this bug.

No crash on testcase - adding verified keyword
Keywords: fixed1.8.1.8 → verified1.8.1.8
Group: security

Comment 20

9 years ago
Comment on attachment 283234 [details] [diff] [review]
branch version of patch

a=asac for 1.8.0.15
Attachment #283234 - Flags: approval1.8.0.15+

Comment 21

9 years ago
please commit to 1.8.0 branch
Flags: blocking1.8.0.15-
Keywords: checkin-needed

Updated

9 years ago
Flags: blocking1.8.0.15- → blocking1.8.0.15+
MOZILLA_1_8_0_BRANCH:

Checking in layout/svg/base/src/nsSVGImageFrame.cpp;
/cvsroot/mozilla/layout/svg/base/src/nsSVGImageFrame.cpp,v  <--  nsSVGImageFrame.cpp
new revision: 1.11.12.2; previous revision: 1.11.12.1
done
Keywords: checkin-needed → fixed1.8.0.15
Crash Signature: [@ memset - fbRasterizeTrapezoid]