Closed
Bug 419746
Opened 16 years ago
Closed 16 years ago
SVG crash in gfxASurface::SetDeviceOffset() via nsSVGMaskFrame::ComputeMaskAlpha()
Categories
(Core :: SVG, defect, P2)
Tracking
()
VERIFIED
FIXED
People
(Reporter: Dolske, Assigned: longsonr)
References
()
Details
(Keywords: crash, testcase)
Attachments
(2 files, 2 obsolete files)
2.84 KB,
image/svg+xml
|
Details | |
3.70 KB,
patch
|
vlad
:
review+
vlad
:
superreview+
|
Details | Diff | Splinter Review |
FF crashes with http://people.freedesktop.org/~lapo/g-i-t/face-mess.svg Gecko/2008022604 Minefield/3.0b4pre, OS X 10.5 Breakpad report 3384ec4a-e4cb-11dc-8088-001a4bd43ed6 Signature Source 0 gfxASurface::SetDeviceOffset(gfxPoint const&) mozilla/gfx/thebes/src/gfxASurface.cpp:220 1 nsSVGMaskFrame::ComputeMaskAlpha(nsSVGRenderState*, nsISVGChildFrame*, nsIDOMSVGMatrix*, float) mozilla/layout/svg/base/src/nsSVGMaskFrame.cpp:173 2 nsSVGUtils::PaintChildWithEffects(nsSVGRenderState*, nsRect*, nsIFrame*) mozilla/layout/svg/base/src/nsSVGUtils.cpp:1348 3 nsSVGDisplayContainerFrame::PaintSVG(nsSVGRenderState*, nsRect*) mozilla/layout/svg/base/src/nsSVGContainerFrame.cpp:184 4 nsSVGUtils::PaintChildWithEffects(nsSVGRenderState*, nsRect*, nsIFrame*) mozilla/layout/svg/base/src/nsSVGUtils.cpp:1333 5 nsSVGOuterSVGFrame::Paint(nsIRenderingContext&, nsRect const&, nsPoint) mozilla/layout/svg/base/src/nsSVGOuterSVGFrame.cpp:584 6 nsDisplaySVG::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) mozilla/layout/svg/base/src/nsSVGOuterSVGFrame.cpp:464 7 nsDisplayList::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) const mozilla/layout/base/nsDisplayList.cpp:294 8 nsDisplayClip::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) mozilla/layout/base/nsDisplayList.cpp:883 9 nsDisplayList::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) const mozilla/layout/base/nsDisplayList.cpp:294 10 nsLayoutUtils::PaintFrame(nsIRenderingContext*, nsIFrame*, nsRegion const&, unsigned int) mozilla/layout/base/nsLayoutUtils.cpp:872 11 PresShell::Paint(nsIView*, nsIRenderingContext*, nsRegion const&)
Comment 1•16 years ago
|
||
Attachment #305876 -
Attachment is obsolete: true
Assignee | ||
Comment 2•16 years ago
|
||
Doesn't crash on Windows. Anyone want to try for a regression range?
Reporter | ||
Comment 3•16 years ago
|
||
(In reply to comment #0) > Breakpad report 3384ec4a-e4cb-11dc-8088-001a4bd43ed6 With magic linkification (I hope): bp-3384ec4a-e4cb-11dc-8088-001a4bd43ed6
Comment 4•16 years ago
|
||
So it looks like we pass in |gfxPoint(0,0)| to gfxASurface::SetDeviceOffset then crash accessing the members of the gfxPoint? That would suggest something has screwed with the stack. I don't have a Mac, so CC'ing Vlad and setting blocking1.9?. Any thoughts Vlad?
No big mystery here -- the pattern that's returned from PopGroup is in error (CAIRO_STATUS_NO_MEMORY, which is generally a generic not very useful error), and nothing is checking pattern->CairoStatus() to make sure it's == 0 (success). pattern->GetSurface() is returning NULL, and we end up calling setDeviceOffset with a NULL surface pointer.
Assignee | ||
Comment 6•16 years ago
|
||
Can anybody confirm that this fixes it on a Mac? All I can say is that masks still work on Windows with this change.
Assignee: nobody → longsonr
Status: NEW → ASSIGNED
Attachment #308576 -
Flags: superreview?(vladimir)
Attachment #308576 -
Flags: review?(vladimir)
Comment on attachment 308576 [details] [diff] [review] possible patch Should check pattern->CairoStatus() as well, before even calling GetSurface() on it.
Assignee | ||
Comment 8•16 years ago
|
||
CairoStatus is a member of gfxASurface. It is not a member of gfxPattern so a call to pattern->CairoStatus() will not compile.
Assignee | ||
Comment 10•16 years ago
|
||
(In reply to comment #9) > http://mxr.mozilla.org/seamonkey/source/gfx/thebes/public/gfxPattern.h#90 ? > You are right of course.
Attachment #308576 -
Attachment is obsolete: true
Attachment #309599 -
Flags: superreview?(vladimir)
Attachment #309599 -
Flags: review?(vladimir)
Attachment #308576 -
Flags: superreview?(vladimir)
Attachment #308576 -
Flags: review?(vladimir)
Comment on attachment 309599 [details] [diff] [review] address review comment Looks good
Attachment #309599 -
Flags: superreview?(vladimir)
Attachment #309599 -
Flags: superreview+
Attachment #309599 -
Flags: review?(vladimir)
Attachment #309599 -
Flags: review+
Assignee | ||
Updated•16 years ago
|
Attachment #309599 -
Flags: approval1.9?
Comment 12•16 years ago
|
||
We should definitely take this, so marking blocking1.9+. Please check it in. Besides these safety checks it would be good to know why the pattern is going into error, and whether we should be doing some earlier checks of the input to cairo. That can be post 1.9, but perhaps file a follow up bug for investigation if you think that's useful?
Flags: blocking1.9? → blocking1.9+
Updated•16 years ago
|
Attachment #309599 -
Flags: approval1.9?
Assignee | ||
Comment 13•16 years ago
|
||
I can't investigate this, it only happens on macs and I don't have one.
Comment 14•16 years ago
|
||
I didn't mean that you should personally do the investigating, just that we should have a bug on record for it to happen (assuming you didn't know why the pattern is going into error and feel that it's okay for us to allow that). I'll file a bug shortly.
Comment 15•16 years ago
|
||
Bug 423403.
Assignee | ||
Comment 16•16 years ago
|
||
My guess is that the pattern is going into error because it is too big for a Mac. Macs seem to either require more memory for patterns or have a lower memory limit; bug 385228 was looking into this.
Updated•16 years ago
|
Priority: -- → P2
Assignee | ||
Comment 17•16 years ago
|
||
(In reply to comment #9) > http://mxr.mozilla.org/seamonkey/source/gfx/thebes/public/gfxPattern.h#90 ? > I just worked it out that you added that while I wasn't looking ;-)
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 18•16 years ago
|
||
checked in earlier today.
Comment 19•16 years ago
|
||
verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9pre) Gecko/2008040920 Firefox/3.0pre When i surf to the url from comment#0 i see the Assertion from Bug 427325, but no crash --> Verified fixed
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•