Closed Bug 385096 Opened 17 years ago Closed 17 years ago

"ASSERTION: aAttrEnum out of range" in nsSVGElement::DidChangeNumber and crash

Categories

(Core :: SVG, defect)

x86
macOS
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: jruderman, Unassigned)

Details

(Keywords: assertion, crash, testcase, Whiteboard: [sg:critical] post 1.8-branch)

Attachments

(2 files)

Loading the testcase in a Mac trunk debug triggers an assertion about 80% of the time. About 10% of the time, it also crashes.

###!!! ASSERTION: aAttrEnum out of range: 'aAttrEnum < info.mNumberCount', file nsSVGElement.cpp, line 888

The crash signature varies a bit; here's a particularly scary one:

Thread 0 Crashed:
0 0xe834ec83
1 nsAttrAndChildArray::SetAndTakeAttr(nsIAtom*, nsAttrValue&) + 336 (nsAttrAndChildArray.cpp:388)
2 nsGenericElement::SetAttrAndNotify(int, nsIAtom*, nsIAtom*, nsAString_internal const&, nsAttrValue&, int, int, int) + 296 (nsGenericElement.cpp:3560)
3 nsGenericElement::SetAttr(int, nsIAtom*, nsIAtom*, nsAString_internal const&, int) + 708 (nsGenericElement.cpp:3528)
4 nsGenericElement::SetAttr(int, nsIAtom*, nsAString_internal const&, int) + 62 (nsGenericElement.h:393)
5 nsSVGElement::DidChangeNumber(unsigned char, int) + 330 (nsSVGElement.cpp:894)
6 nsSVGNumber2::SetBaseValue(float, nsSVGElement*, int) + 67 (nsSVGNumber2.cpp:82)
7 nsSVGNumber2::DOMAnimatedNumber::SetBaseVal(float) + 55 (nsSVGNumber2.h:87)
8 NS_InvokeByIndex_P + 98 (xptcinvoke_unixish_x86.cpp:179)
Whiteboard: [sg:critical]
Attached patch: call base ::Init
Attachment #269007 - Flags: superreview?(roc)
Attachment #269007 - Flags: review?(jwatt)
Attachment #269007 - Flags: review?(jwatt) → review+
Attachment #269007 - Flags: superreview?(roc) → superreview+
Checked in.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
feFuncG is part of SVGFilters, new in 1.9
Flags: wanted1.8.1.x-
Flags: wanted1.8.0.x-
Whiteboard: [sg:critical] → [sg:critical] post 1.8-branch
Group: security
Flags: in-testsuite?
Crashtest checked in.
Flags: in-testsuite? → in-testsuite+