Crash [@ nsSVGEnum::SetBaseValue]

RESOLVED FIXED

Status

critical
11 years ago
7 years ago

People

(Reporter: jruderman, Assigned: longsonr)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
x86
Mac OS X
assertion, crash, regression, testcase
Bug Flags:
blocking1.9 ?
wanted1.8.1.x -
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?], crash signature)

Attachments

(1 attachment, 2 obsolete attachments)

(Reporter)

Description

11 years ago
Created attachment 282467 [details]
testcase (crashes Firefox when loaded)

Loading the testcase crashes Firefox, making nsSVGEnum::SetBaseValue dereference 0xaaaaaaa1.

Regression from bug 383685, perhaps?
Flags: blocking1.9?
(Reporter)

Updated

11 years ago
Whiteboard: [sg:critical?]
(Reporter)

Comment 1

11 years ago
The crash is preceded by:

###!!! ASSERTION: mapping request for a non-attrib enum: 'info.mEnumCount > 0 && mAttrEnum < info.mEnumCount', file /Users/jruderman/trunk/mozilla/content/svg/content/src/nsSVGEnum.cpp, line 56
(Assignee)

Comment 2

11 years ago
Created attachment 282514 [details] [diff] [review]
patch
Assignee: nobody → longsonr
Status: NEW → ASSIGNED
Attachment #282514 - Flags: review?(tor)
(Assignee)

Comment 3

11 years ago
Created attachment 282521 [details] [diff] [review]
do need to set a value though
Attachment #282514 - Attachment is obsolete: true
Attachment #282521 - Flags: review?(tor)
Attachment #282514 - Flags: review?(tor)

Comment 4

11 years ago
How I hate <marker>'s orient...

This will stop a crash, but calling SetOrientToAuto or SetOrientToAngle won't cause the marker to update (not that it would have done so before either).
(Assignee)

Comment 5

11 years ago
(In reply to comment #4)
> How I hate <marker>'s orient...
> 
> This will stop a crash, but calling SetOrientToAuto or SetOrientToAngle won't
> cause the marker to update (not that it would have done so before either).
> 

Well, bug 397749 will fix those although at the moment that patch has this fix and bug 397620 in it.

Updated

11 years ago
Attachment #282521 - Flags: review?(tor) → review+
(Assignee)

Updated

11 years ago
Attachment #282521 - Flags: superreview?(roc)

Comment 6

Gah!

Having nsSVGEnumMapping change over time for the same element is a bit of a trap since none of the others do that. How hard would it be to leave it the same but have extra code elsewhere to deal with the orient?
(Assignee)

Updated

11 years ago
Attachment #282521 - Attachment is obsolete: true
Attachment #282521 - Flags: superreview?(roc)
(Assignee)

Comment 7

11 years ago
The patch in bug 397749 fixes this crash, together with a number of other issues.

For orientType the nsSVGEnumMapping does not change over time; it does not exist at all. I've now made a special SetBaseValue method that only nsSVGMarkerElement can use for enumerations to handle orientType. The nsSVGEnum.cpp file no longer requires changes.
(Reporter)

Updated

11 years ago
Depends on: 397749
(Assignee)

Comment 8

11 years ago
Fixed by check in for bug 397749
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
(Assignee)

Comment 9

11 years ago
Reopening as the patch for bug 397749 has been backed out.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(Assignee)

Comment 10

11 years ago
bug 397749 has been checked in again.
Status: REOPENED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED

Updated

11 years ago
Flags: in-testsuite?
(Reporter)

Comment 11

11 years ago
Loading the testcase does not cause any assertions or crash on branch.
Group: security
Flags: wanted1.8.1.x-
(Reporter)

Comment 12

11 years ago
Crashtest checked in.
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsSVGEnum::SetBaseValue]
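
In comment 1 the assertion fires and the crash still follows, so the asserted condition did not stop the lookup. The sketch below is an added example, not Mozilla code and not the patch from bug 397749: it places that same condition behind a debug-only `assert` and behind a real check. All types, table contents and the `kNoAttr` index are hypothetical, and it assumes the condition guards an index into a table of `mEnumCount` entries.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>

// Hypothetical stand-ins for the element's enum tables (not Mozilla's types).
struct EnumMapping { const char* name; uint16_t value; };  // name == nullptr ends a list
struct EnumInfo { const EnumMapping* mapping; };
struct EnumAttributesInfo { const EnumInfo* mEnumInfo; uint32_t mEnumCount; };

// Constructed sample data: one attribute-backed enum with two legal values.
static const EnumMapping kUnitsMap[] = {
    {"userSpaceOnUse", 1}, {"strokeWidth", 2}, {nullptr, 0}};
static const EnumInfo kMarkerEnums[] = {{kUnitsMap}};
static const EnumAttributesInfo kMarkerInfo = {kMarkerEnums, 1};
constexpr uint8_t kNoAttr = 0xff;  // constructed index for an enum with no mapping

// Assertion-only guard: with NDEBUG the check disappears and the index is used anyway.
const EnumMapping* GetMappingUnchecked(const EnumAttributesInfo& info, uint8_t mAttrEnum) {
  assert(info.mEnumCount > 0 && mAttrEnum < info.mEnumCount);
  return info.mEnumInfo[mAttrEnum].mapping;  // reads past the table if the index is bad
}

// The same condition enforced in every build; nullptr means "no mapping for this enum".
const EnumMapping* GetMappingChecked(const EnumAttributesInfo& info, uint8_t mAttrEnum) {
  if (info.mEnumCount == 0 || mAttrEnum >= info.mEnumCount) return nullptr;
  return info.mEnumInfo[mAttrEnum].mapping;
}

// Stores value only if the enum has a mapping and the value appears in it.
bool SetBaseValueChecked(const EnumAttributesInfo& info, uint8_t mAttrEnum,
                         uint16_t value, uint16_t* stored) {
  const EnumMapping* m = GetMappingChecked(info, mAttrEnum);
  if (!m) return false;  // refuse instead of walking memory that is not a mapping list
  for (; m->name; ++m) {
    if (m->value == value) { *stored = value; return true; }
  }
  return false;
}

int main() {
  uint16_t stored = 0;
  std::printf("mapped enum, legal value: %d\n", SetBaseValueChecked(kMarkerInfo, 0, 2, &stored));
  std::printf("unmapped enum: %d\n", SetBaseValueChecked(kMarkerInfo, kNoAttr, 1, &stored));
  return 0;
}
```

`GetMappingUnchecked` is shown only for contrast and is never called with an out-of-range index here.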