Closed
Bug 409811
Opened 17 years ago
Closed 17 years ago
Crash [@ nsSVGEnum::SetBaseValue] setting orientType on <svg:marker>
Categories
(Core :: SVG, defect, P3)
Tracking
()
RESOLVED
FIXED
People
(Reporter: jruderman, Assigned: longsonr)
References
Details
(Keywords: assertion, crash, testcase, Whiteboard: [sg:critical?])
Crash Data
Attachments
(2 files, 2 obsolete files)
241 bytes,
text/html
|
Details | |
7.83 KB,
patch
|
tor
:
review+
tor
:
superreview+
|
Details | Diff | Splinter Review |
Loading the testcase triggers:
###!!! ASSERTION: mapping request for a non-attrib enum: 'info.mEnumCount > 0 && mAttrEnum < info.mEnumCount', file /Users/jruderman/trunk/mozilla/content/svg/content/src/nsSVGEnum.cpp, line 56
Crash [@ nsSVGEnum::SetBaseValue] dereferencing 0xaaaaa222.
Flags: blocking1.9?
Reporter | ||
Updated•17 years ago
|
Whiteboard: [sg:critical?]
Assignee | ||
Comment 1•17 years ago
|
||
One way forward would be to give marker attribute types their own enum class either
a) derived from the ordinary enum type
b) standalone
c) an instance of some non-mapped enum type
Before embarking on this though, I really want to understand in what circumstances you should be able to use baseVal to set a value and in what circumstances it should throw
The orientType attribute is:
readonly SVGAnimatedEnumeration orientType
and then you get
interface SVGAnimatedEnumeration {
attribute unsigned short baseVal;
// raises DOMException on setting
readonly attribute unsigned short animVal;
};
DOMException
NO_MODIFICATION_ALLOWED_ERR: Raised on an attempt to change the value of a readonly attribute.
So should the example throw this error? Should all baseVal.setValue implementations just return NO_MODIFICATION_ALLOWED_ERR always except when the type is created via createSVGLength or createSVGAngle?
Assignee | ||
Comment 2•17 years ago
|
||
Assignee: nobody → longsonr
Status: NEW → ASSIGNED
Attachment #295238 -
Flags: superreview?(tor)
Attachment #295238 -
Flags: review?(tor)
Assignee | ||
Comment 3•17 years ago
|
||
This patch sets orient to 0 if orientType.baseVal is set to ORIENT_ANGLE. I'm not sure what else I could do other than that.
Updated•17 years ago
|
Flags: blocking1.9? → blocking1.9+
Priority: -- → P3
Assignee | ||
Comment 4•17 years ago
|
||
nsSVGOrientType now initialises itself also a SetBaseValue method simplifies some calls.
Attachment #295238 -
Attachment is obsolete: true
Attachment #295369 -
Flags: superreview?(tor)
Attachment #295369 -
Flags: review?(tor)
Attachment #295238 -
Flags: superreview?(tor)
Attachment #295238 -
Flags: review?(tor)
Assignee | ||
Comment 5•17 years ago
|
||
remove aDoSetAttr from SetBaseValue since its only remaining caller passes PR_TRUE
Apologies for multiple tries and resultant bugspam.
Attachment #295369 -
Attachment is obsolete: true
Attachment #295373 -
Flags: superreview?(tor)
Attachment #295373 -
Flags: review?(tor)
Attachment #295369 -
Flags: superreview?(tor)
Attachment #295369 -
Flags: review?(tor)
Attachment #295373 -
Flags: superreview?(tor)
Attachment #295373 -
Flags: superreview+
Attachment #295373 -
Flags: review?(tor)
Attachment #295373 -
Flags: review+
Assignee | ||
Comment 6•17 years ago
|
||
Comment on attachment 295373 [details] [diff] [review]
even simpler patch
Straightforward patch that makes markers use a non-crashing version of nsSVGEnum.
Attachment #295373 -
Flags: approval1.9?
Assignee | ||
Updated•17 years ago
|
Attachment #295373 -
Flags: approval1.9?
Assignee | ||
Comment 7•17 years ago
|
||
checked in.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Reporter | ||
Comment 8•17 years ago
|
||
No assertions/crashes on the 1.8 branch.
Group: security
Flags: wanted1.8.1.x-
Updated•13 years ago
|
Crash Signature: [@ nsSVGEnum::SetBaseValue]
You need to log in
before you can comment on or make changes to this bug.
Description
•