Closed Bug 399863 Opened 17 years ago Closed 17 years ago

We frequently call InitialUpdate() more than once on SVG frames

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jwatt, Assigned: jwatt)

References

Details

(Keywords: perf)

Attachments

(2 files)

patch
7.19 KB, patch
tor
: review+
roc
: review+
roc
: superreview+
Details | Diff | Splinter Review
patch with new assertions
7.80 KB, patch
roc
: approval1.9+
Details | Diff | Splinter Review 
We often call InitialUpdate more than once on some SVG frames. We call InitialUpdate under two different circumstances:

 1) When DidReflow is called for the first time on an SVG document fragment's
    nsSVGOuterSVGFrame we call InitialUpdate on all the SVG frames in that
    fragment.

 2) When an SVG frame is inserted into the frame tree and the parent SVG
    frame already has child frames, nsSVGDisplayContainerFrame::InsertFrames
    calls InitialUpdate on the new frames once they've been inserted.

Since #2 can happen during parsing before the document has loaded, we can get a parser initiated InitialUpdate on frames followed by the InitialUpdate triggered by nsSVGOuterSVGFrame::DidReflow. Really we want to ignore the InitialUpdate call from nsSVGDisplayContainerFrame::InsertFrames if the fragment's nsSVGOuterSVGFrame hasn't received it's initial reflow.
We can probably ignore the nsSVGDisplayContainerFrame::InsertFrames calls when we need to without using nsSVGUtils::GetOuterSVGFrame if we make InitialUpdate remove the NS_FRAME_FIRST_REFLOW bit from SVG frames.
Assignee: nobody → jwatt
This issue is getting in the way of fixing bug 389198, and it's responsible for bugs such as nsSVGForeignObjectFrame being reflowed during frame construction when the tree is in an inconsistent state. According to Boris that's likely to result in broken reflow and risks (possibly exploitable) crashes.
Blocks: 389198
Severity: major → critical
Status: NEW → ASSIGNED
Flags: blocking1.9?
Attached patch patchSplinter Review 
InitialUpdate already removes the NS_FRAME_FIRST_REFLOW bit from SVG frames, so we just need to change nsSVGDisplayContainerFrame::InsertFrames to check for it. I've thrown in some assertions for bonus points.
Attachment #284958 - Flags: superreview?(roc)
Attachment #284958 - Flags: review?(tor)
Attachment #284958 - Flags: review?(tor) → review+
Attachment #284958 - Flags: superreview?(roc)
Attachment #284958 - Flags: superreview+
Attachment #284958 - Flags: review+
Having the assertions call nsSVGUtils::GetOuterSVGFrame for every frame makes loading SVG painfully slow, and it doesn't provide protection against InitialUpdate being called more than once. I've copied the outerSVGFrame assertion to DoReflow so it more directly protects against reflowing at the wrong time, and changed the other assertions to check that InitialUpdate is not called twice.
Attachment #284994 - Flags: approval1.9?
Checked in.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Flags: blocking1.9?
Resolution: --- → FIXED
Summary: We can call InitialUpdate() more than once on SVG frames → We frequently call InitialUpdate() more than once on SVG frames
regression from 20071015_1517_firefox-3.0a9pre.en-US.win32.zip

check-in for this or bug 296818 cause crash.
http://crash-stats.mozilla.com/report/index/6c1ddbca-7b80-11dc-901b-001a4bd43ef6
(URL is wrong, correct URL is http://blog.livedoor.jp/ayase_shiori/)
The problem was with bug 296818.
Backed out as part of the quest to find the Tp regression.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Given this has been backed out, receives is misspelled in the comment in nsISVGChildFrame.h
Heh. Thanks.
Checked in again.
Status: REOPENED → RESOLVED
Closed: 17 years ago17 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: