Closed Bug 395616 Opened 17 years ago Closed 17 years ago

"ASSERTION: aAttrEnum out of range" and crash [@ nsAttrName::nsAttrName]

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jruderman, Unassigned)

References

Details

(Keywords: assertion, crash, testcase, Whiteboard: [sg:critical?])

Crash Data

Attachments

(2 files, 4 obsolete files)

testcase (crashes Firefox when loaded)
216 bytes, text/html
Details
adjusted comment
16.19 KB, patch
longsonr
: review+
roc
: superreview+
roc
: approval1.9+
Details | Diff | Splinter Review
Loading the testcase triggers: ###!!! ASSERTION: aAttrEnum out of range: 'aAttrEnum < info.mEnumCount', file /Users/jruderman/trunk/mozilla/content/svg/content/src/nsSVGElement.cpp, line 993 ###!!! ASSERTION: unknown enumeration value: 'Error', file /Users/jruderman/trunk/mozilla/content/svg/content/src/nsSVGEnum.cpp, line 95 Crash [@ nsAttrName::nsAttrName] dereferencing 0x6fffefeb.
Flags: blocking1.9?
Whiteboard: [sg:critical?]
This reminds me of bug 385096.
Attachment #280358 - Flags: review? → review?(longsonr)
Comment on attachment 280358 [details] [diff] [review] SVGMarker's orient/orientAngle/orientType is a bad joke >+void >+nsSVGMarkerElement::DidChangeEnum(PRUint8 aAttrEnum, PRBool aDoSetAttr) >+{ >+ if (aAttrEnum == ORIENTTYPE) { >+ if (mOrientType.GetBaseValue() == SVG_MARKER_ORIENT_AUTO) { >+ SetOrientToAuto(); >+ } else { >+ nsCOMPtr<nsIDOMSVGAngle> a; >+ mOrient->GetAnimVal(getter_AddRefs(a)); Should that be GetBaseVal? >+ nsAutoString value; >+ a->GetValueAsString(value); >+ if (value.EqualsLiteral("auto")) { >+ UnsetAttr(kNameSpaceID_None, nsGkAtoms::orient, PR_TRUE); >+ } >+ } >+ return; You've got me here. I don't understand why you're calling UnsetAttr? Perhaps a comment or two to indicate what's happening in this method is called for. >+ } >+ >+ nsSVGMarkerElementBase::DidChangeEnum(aAttrEnum, aDoSetAttr); >+} >+
Attachment #280358 - Attachment is obsolete: true
Attachment #280358 - Flags: review?(longsonr)
(In reply to comment #4) > Created an attachment (id=280375) [details] > try more extensive straightening of code > With this splitting of mOrientType from mOrient can we remove the auto support from nsSVGAngle? i.e. the mIsAuto attribute and its attendant code?
(In reply to comment #5) > With this splitting of mOrientType from mOrient can we remove the auto support > from nsSVGAngle? i.e. the mIsAuto attribute and its attendant code? Ugh - didn't realize there was all that code floating around. We need something to prevent a parse error being reported when the orient attribute is set to 'auto'.
(In reply to comment #6) > (In reply to comment #5) > > With this splitting of mOrientType from mOrient can we remove the auto support > > from nsSVGAngle? i.e. the mIsAuto attribute and its attendant code? > > Ugh - didn't realize there was all that code floating around. We need > something to prevent a parse error being reported when the orient attribute is > set to 'auto'. > It's how I originally tried to fix the auto/angle mess. I got rid of mOrientType and pushed everything to mOrient then tried to construct an orientType on the fly. It looks like you are going back to having mOrient(Angle) and mOrientType. Each approach has good and bad points but clearly need to choose only one of them ;-)
(In reply to comment #7) > It's how I originally tried to fix the auto/angle mess. I got rid of > mOrientType and pushed everything to mOrient then tried to construct an > orientType on the fly. It looks like you are going back to having > mOrient(Angle) and mOrientType. Each approach has good and bad points but > clearly need to choose only one of them ;-) A decision which is complicated by SVGAnimatedAngle only being used by SVGMarkerElement in the DOM.
Attached patch dumb nsSVGAngle approach (obsolete) — Splinter Review
Attachment #280375 - Attachment is obsolete: true
Comment on attachment 280392 [details] [diff] [review] dumb nsSVGAngle approach > /* void setOrientToAngle (in nsIDOMSVGAngle angle); */ > NS_IMETHODIMP nsSVGMarkerElement::SetOrientToAngle(nsIDOMSVGAngle *angle) > { > if (!angle) > return NS_ERROR_DOM_SVG_WRONG_TYPE_ERR; > > nsIDOMSVGAngle *a; >- mOrient->GetBaseVal(&a); >+ mOrientAngle->GetBaseVal(&a); > float f; > angle->GetValue(&f); > a->SetValue(f); > return NS_OK; Don't you need to set the enum to SVG_MARKER_ORIENT_ANGLE here? >- a->GetValueAsString(value); >- if (!value.EqualsLiteral("auto")) >+ mOrientAngle->GetAnimVal(getter_AddRefs(a)); I think this line can move inside the if below can't it? >+ if (mOrientType.GetBaseValue() != SVG_MARKER_ORIENT_AUTO) { > a->GetValue(&aAngle); >+ } >
Attached patch Adjust per comments. (obsolete) — Splinter Review
Attachment #280392 - Attachment is obsolete: true
Comment on attachment 280471 [details] [diff] [review] Adjust per comments. >+ // these need to be handled seperately because its a derived enum (orient) Nits: s/seperately/separately/ and s/its/it's/ looks good. I'd give this r=longsonr if you asked for it.
Attached patch adjusted commentSplinter Review
Attachment #280471 - Attachment is obsolete: true
Attachment #280502 - Flags: review?(longsonr)
Attachment #280502 - Flags: review?(longsonr) → review+
Attachment #280502 - Flags: superreview?(roc)
Attachment #280502 - Flags: superreview?(roc) → superreview+
Checked in.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
Doesn't crash or assert on branch.
Group: security
Flags: wanted1.8.1.x-
Crashtest checked in.
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsAttrName::nsAttrName]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: