Closed Bug 409811 Opened 17 years ago Closed 17 years ago

Crash [@ nsSVGEnum::SetBaseValue] setting orientType on <svg:marker>

Categories

(Core :: SVG, defect, P3)

x86
macOS
defect

Tracking

()

RESOLVED FIXED

People

(Reporter: jruderman, Assigned: longsonr)

References

Details

(Keywords: assertion, crash, testcase, Whiteboard: [sg:critical?])

Crash Data

Attachments

(2 files, 2 obsolete files)

Loading the testcase triggers: ###!!! ASSERTION: mapping request for a non-attrib enum: 'info.mEnumCount > 0 && mAttrEnum < info.mEnumCount', file /Users/jruderman/trunk/mozilla/content/svg/content/src/nsSVGEnum.cpp, line 56 Crash [@ nsSVGEnum::SetBaseValue] dereferencing 0xaaaaa222.
Flags: blocking1.9?
Whiteboard: [sg:critical?]
One way forward would be to give marker attribute types their own enum class either a) derived from the ordinary enum type b) standalone c) an instance of some non-mapped enum type Before embarking on this though, I really want to understand in what circumstances you should be able to use baseVal to set a value and in what circumstances it should throw The orientType attribute is: readonly SVGAnimatedEnumeration orientType and then you get interface SVGAnimatedEnumeration { attribute unsigned short baseVal; // raises DOMException on setting readonly attribute unsigned short animVal; }; DOMException NO_MODIFICATION_ALLOWED_ERR: Raised on an attempt to change the value of a readonly attribute. So should the example throw this error? Should all baseVal.setValue implementations just return NO_MODIFICATION_ALLOWED_ERR always except when the type is created via createSVGLength or createSVGAngle?
Attached patch patch (obsolete) — Splinter Review
Assignee: nobody → longsonr
Status: NEW → ASSIGNED
Attachment #295238 - Flags: superreview?(tor)
Attachment #295238 - Flags: review?(tor)
This patch sets orient to 0 if orientType.baseVal is set to ORIENT_ANGLE. I'm not sure what else I could do other than that.
Flags: blocking1.9? → blocking1.9+
Priority: -- → P3
Attached patch slightly simpler patch (obsolete) — Splinter Review
nsSVGOrientType now initialises itself also a SetBaseValue method simplifies some calls.
Attachment #295238 - Attachment is obsolete: true
Attachment #295369 - Flags: superreview?(tor)
Attachment #295369 - Flags: review?(tor)
Attachment #295238 - Flags: superreview?(tor)
Attachment #295238 - Flags: review?(tor)
remove aDoSetAttr from SetBaseValue since its only remaining caller passes PR_TRUE Apologies for multiple tries and resultant bugspam.
Attachment #295369 - Attachment is obsolete: true
Attachment #295373 - Flags: superreview?(tor)
Attachment #295373 - Flags: review?(tor)
Attachment #295369 - Flags: superreview?(tor)
Attachment #295369 - Flags: review?(tor)
Attachment #295373 - Flags: superreview?(tor)
Attachment #295373 - Flags: superreview+
Attachment #295373 - Flags: review?(tor)
Attachment #295373 - Flags: review+
Comment on attachment 295373 [details] [diff] [review] even simpler patch Straightforward patch that makes markers use a non-crashing version of nsSVGEnum.
Attachment #295373 - Flags: approval1.9?
Attachment #295373 - Flags: approval1.9?
checked in.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
No assertions/crashes on the 1.8 branch.
Group: security
Flags: wanted1.8.1.x-
Crashtest checked in.
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsSVGEnum::SetBaseValue]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: