Closed Bug 397704 Opened 13 years ago Closed 13 years ago

Crash [@ nsSVGEnum::SetBaseValue]

Categories

(Core :: SVG, defect, critical)

x86
macOS

RESOLVED FIXED

People

(Reporter: jruderman, Assigned: longsonr)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [sg:critical?])

Attachments

(1 file, 2 obsolete files)

Loading the testcase crashes Firefox, making nsSVGEnum::SetBaseValue dereference 0xaaaaaaa1.

Regression from bug 383685, perhaps?
Flags: blocking1.9?
Whiteboard: [sg:critical?]
The crash is preceded by:

###!!! ASSERTION: mapping request for a non-attrib enum: 'info.mEnumCount > 0 && mAttrEnum < info.mEnumCount', file /Users/jruderman/trunk/mozilla/content/svg/content/src/nsSVGEnum.cpp, line 56
Attached patch patch (obsolete)
Assignee: nobody → longsonr
Status: NEW → ASSIGNED
Attachment #282514 - Flags: review?(tor)
Attached patch do need to set a value though (obsolete)
Attachment #282514 - Attachment is obsolete: true
Attachment #282521 - Flags: review?(tor)
Attachment #282514 - Flags: review?(tor)
How I hate <marker>'s orient...

This will stop a crash, but calling SetOrientToAuto or SetOrientToAngle won't cause the marker to update (not that it would have done so before either).
(In reply to comment #4)
> How I hate <marker>'s orient...
> 
> This will stop a crash, but calling SetOrientToAuto or SetOrientToAngle won't
> cause the marker to update (not that it would have done so before either).
> 

Well, bug 397749 will fix those although at the moment that patch has this fix and bug 397620 in it.
Attachment #282521 - Flags: review?(tor) → review+
Attachment #282521 - Flags: superreview?(roc)
Gah!

Having nsSVGEnumMapping change over time for the same element is a bit of a trap since none of the others do that. How hard would it be to leave it the same but have extra code elsewhere to deal with the orient?
Attachment #282521 - Attachment is obsolete: true
Attachment #282521 - Flags: superreview?(roc)
The patch in bug 397749 fixes this crash, together with a number of other issues.

For orientType the nsSVGEnumMapping does not change over time; it does not exist at all. I've now made a special SetBaseValue method that only nsSVGMarkerElement can use for enumerations to handle orientType. The nsSVGEnum.cpp file no longer requires changes.
Depends on: 397749
Fixed by check in for bug 397749
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Reopening as the patch for bug 397749 has been backed out.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
bug 397749 has been checked in again.
Status: REOPENED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
Loading the testcase does not cause any assertions or crash on branch.
Group: security
Flags: wanted1.8.1.x-
Crashtest checked in.
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsSVGEnum::SetBaseValue]