Closed Bug 386475 Opened 18 years ago Closed 18 years ago

Crash [@ nsRect::nsRect] [@ nsSVGFilterProperty::GetRect]

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jruderman, Assigned: longsonr)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(2 files, 2 obsolete files)

testcase (crashes Firefox when loaded)
491 bytes, application/xhtml+xml
Details
updated patch (remove unnecessary includes)
1.80 KB, patch
tor
: review+
bzbarsky
: superreview+
Details | Diff | Splinter Review
Loading the testcase crashes Firefox (Mac trunk). Thread 0 Crashed: 0 nsRect::nsRect[in-charge](nsRect const&) + 47 (nsRect.h:61) 1 nsSVGFilterProperty::GetRect() + 30 (nsSVGUtils.cpp:174) 2 nsSVGUtils::FindFilterInvalidation(nsIFrame*) + 132 (nsSVGUtils.cpp:789) 3 nsSVGForeignObjectFrame::UpdateGraphic() + 263 (nsSVGForeignObjectFrame.cpp:544) 4 nsSVGForeignObjectFrame::NotifyRedrawUnsuspended() + 64 (nsSVGForeignObjectFrame.cpp:406) 5 nsSVGDisplayContainerFrame::NotifyRedrawUnsuspended() + 75 (nsSVGContainerFrame.cpp:275) 6 nsSVGOuterSVGFrame::UnsuspendRedraw() + 136 (nsSVGOuterSVGFrame.cpp:522)
When we resolve em units the side effect is to flush layout, in this case that destroys the frame we are processing because there is an unflushed change to layout. Possible solutions I see would be one of: a) Flush before we try to do the outer frame NotifyViewPortChange b) Rewrite the em units code not to flush.
Attached patch option a) flush layout changes (obsolete) — Splinter Review
Assignee: nobody → longsonr
Status: NEW → ASSIGNED
Attachment #270728 - Flags: review?(tor)
Comment on attachment 270728 [details] [diff] [review] option a) flush layout changes I don't think I know enough about the possible side effects of pushing flushes to usefully review this change.
That patch looks wrong, in that after that flush call |this| could be dead, so accessing mContent is bad...
Attached patch plan b (obsolete) — Splinter Review
Avoid calling the function that flushes altogether then.
Attachment #270728 - Attachment is obsolete: true
Attachment #270799 - Flags: review?(tor)
Attachment #270728 - Flags: review?(tor)
Assuming the code in question will handle a future reresolve or reframe correctly, and that you don't need this style for display:none things, that seems like absolutely the way to go.
Attachment #270799 - Attachment is obsolete: true
Attachment #270863 - Flags: review?(tor)
Attachment #270799 - Flags: review?(tor)
Attachment #270863 - Flags: superreview?(bzbarsky)
(In reply to comment #6) > Assuming the code in question will handle a future reresolve or reframe > correctly, and that you don't need this style for display:none things, that > seems like absolutely the way to go. > The when the reframe occurs we just go again with the new frame layout. We have various problems with things in defs elements being set to display:none and then referenced. I don't think this will make things any worse.
Comment on attachment 270863 [details] [diff] [review] updated patch (remove unnecessary includes) Looks great!
Attachment #270863 - Flags: superreview?(bzbarsky) → superreview+
Attachment #270863 - Flags: review?(tor) → review+
checked in.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
Crashtest checked in.
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsRect::nsRect] [@ nsSVGFilterProperty::GetRect]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: