Closed
Bug 428228
Opened 16 years ago
Closed 16 years ago
Removing element from <svg:svg> crashes [@ nsSVGUtils::NotifyAncestorsOfFilterRegionChange]
Categories
(Core :: SVG, defect, P2)
Core
SVG
Tracking
()
VERIFIED
FIXED
People
(Reporter: jruderman, Assigned: jwatt)
References
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(2 files, 1 obsolete file)
329 bytes,
application/xhtml+xml
|
Details | |
952 bytes,
patch
|
longsonr
:
review+
roc
:
superreview+
beltzner
:
approval1.9+
|
Details | Diff | Splinter Review |
Loading the testcase crashes Firefox. The immediate cause of the crash seems to be: * nsSVGDisplayContainerFrame::RemoveFrame calls nsSVGUtils::NotifyAncestorsOfFilterRegionChange(this), where |this| is an nsSVGOuterSVGFrame. * nsSVGUtils::NotifyAncestorsOfFilterRegionChange skips the passed-in frame before walking up the ancestor chain, and expects to hit an nsSVGOuterSVGFrame before it hits any non-SVG frames. * It encounters an nsBlockFrame or nsAreaFrame that happens to have the NS_STATE_SVG_FILTERED bit (which has a different meaning for non-SVG frames), but of course no actual filter property. This bug appeared within the last few days. I think it's a regression from bug 423998 -- the first hunk of that bug's patch fixed a typo causing the nsSVGUtils::NotifyAncestorsOfFilterRegionChange(this) call to be skipped.
Flags: blocking1.9?
Assignee | ||
Comment 1•16 years ago
|
||
I'll try and fix this, since I'm possibly not going to be available for reviews for the next four days.
Assignee: nobody → jwatt
OS: Mac OS X → All
Hardware: PC → All
Assignee | ||
Comment 2•16 years ago
|
||
Okay, this is probably the best I can do in the time I have available, and it's probably the safest way to play this anyway.
Attachment #314790 -
Flags: superreview?(roc)
Attachment #314790 -
Flags: review?(longsonr)
Assignee | ||
Comment 3•16 years ago
|
||
Marking blocking1.9+. This is a recent regression that will cause us to crash whenever anyone removed a direct child of an <svg> element. Clearly unacceptable. The patch is very low risk.
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
Comment 4•16 years ago
|
||
Does checking (aFrame->GetStateBits() & NS_STATE_IS_OUTER_SVG) not work? If so that's what you want, rather than this.
Assignee | ||
Comment 5•16 years ago
|
||
Any particular reason that it matters?
Assignee | ||
Comment 6•16 years ago
|
||
Attachment #314790 -
Attachment is obsolete: true
Attachment #314794 -
Flags: superreview?(roc)
Attachment #314794 -
Flags: review?(longsonr)
Attachment #314790 -
Flags: superreview?(roc)
Attachment #314790 -
Flags: review?(longsonr)
Comment 7•16 years ago
|
||
Comment on attachment 314794 [details] [diff] [review] patch using NS_STATE_IS_OUTER_SVG faster and consistent with rest of codebase
Attachment #314794 -
Flags: review?(longsonr) → review+
Comment on attachment 314794 [details] [diff] [review] patch using NS_STATE_IS_OUTER_SVG Make sure a crashtest is landed for this.
Attachment #314794 -
Flags: superreview?(roc) → superreview+
Assignee | ||
Comment 9•16 years ago
|
||
Comment on attachment 314794 [details] [diff] [review] patch using NS_STATE_IS_OUTER_SVG Requesting approval1.9. This is a very safe, obviously correct fix. It's important we get this fix in, since it prevents us from iterating over unknown memory.
Attachment #314794 -
Flags: approval1.9?
Comment 10•16 years ago
|
||
Comment on attachment 314794 [details] [diff] [review] patch using NS_STATE_IS_OUTER_SVG a1.9=beltzner
Attachment #314794 -
Flags: approval1.9? → approval1.9+
Assignee | ||
Comment 11•16 years ago
|
||
Checked in.
Status: NEW → RESOLVED
Closed: 16 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Comment 12•16 years ago
|
||
verified fixed using Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9pre) Gecko/2008050804 Minefield/3.0pre and Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9pre) Gecko/2008050614 Minefield/3.0pre - no crash on testcase --> Verified fixed
Status: RESOLVED → VERIFIED
Updated•13 years ago
|
Crash Signature: [@ nsSVGUtils::NotifyAncestorsOfFilterRegionChange]
You need to log in
before you can comment on or make changes to this bug.
Description
•