Closed Bug 386566 Opened 17 years ago Closed 17 years ago

Crash [@ nsSVGGeometryFrame::HasStroke]

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jruderman, Assigned: longsonr)

References

Details

(Keywords: crash, testcase, Whiteboard: [sg:critical])

Crash Data

Attachments

(1 file)

testcase (crashes Firefox when loaded)
428 bytes, image/svg+xml
Details 
Thread 0 Crashed:
0   0x00000000 0 + 0
1   nsSVGGeometryFrame::HasStroke() + 153 (nsSVGGeometryFrame.cpp:284)
2   nsSVGPathGeometryFrame::UpdateCoveredRegion() + 93 (nsSVGPathGeometryFrame.cpp:471)
3   nsSVGPathGeometryFrame::UpdateGraphic(int) + 292 (nsSVGPathGeometryFrame.cpp:762)
4   nsSVGPathGeometryFrame::NotifyRedrawUnsuspended() + 55 (nsSVGPathGeometryFrame.cpp:530)
5   nsSVGOuterSVGFrame::UnsuspendRedraw() + 136 (nsSVGOuterSVGFrame.cpp:522)
6   nsSVGOuterSVGFrame::NotifyViewportChange() + 188 (nsSVGOuterSVGFrame.cpp:562)
7   nsSVGSVGElement::InvalidateTransformNotifyFrame() + 142 (nsSVGSVGElement.cpp:1333)
8   nsSVGSVGElement::DidChangeLength(unsigned char, int) + 49 (nsSVGSVGElement.cpp:1443)
...

The top address is often 0x00000000 or 0xdddddddd, but sometimes it's something random-looking.
Flags: blocking1.9?
Broadly the same cause as bug 386475. When we resolve em units the side effect is to flush layout, in this case that destroys the frame we are processing because there is an unflushed change to layout.

Possible solutions that spring to mind would be one of:

a) Flush before we try to do the outer frame NotifyViewPortChange
b) Rewrite the em units code not to flush.
Whiteboard: [sg:critical]
The patch in bug 386475 would fix this too.
Assignee: nobody → longsonr
Fixed by the check in for bug 386475.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
I don't see a crash on branch.  In fact, I get an assertion that indicates that branch doesn't support "em" units in this context.
Group: security
Flags: wanted1.8.1.x-
Crashtest checked in.
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsSVGGeometryFrame::HasStroke]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: