Closed Bug 464374 Opened 16 years ago Closed 16 years ago

Crash [@ nsSVGUtils::MaxExpansion] with svg filter, mathml

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9.1b3

People

(Reporter: jruderman, Assigned: longsonr)

References

Details

(4 keywords)

Crash Data

Attachments

(2 files, 3 obsolete files)

testcase (crashes Firefox when loaded)
393 bytes, image/svg+xml
Details
address review comment v2 [Checkin: Comment 14 & 16]
4.57 KB, patch
roc
: review+
roc
: superreview+
beltzner
: approval1.9.1+
Details | Diff | Splinter Review
###!!! ASSERTION: SVG frames should not get here: '!aNonSVGFrame->IsFrameOfType(nsIFrame::eSVG)', file /Users/jruderman/central/layout/svg/base/src/nsSVGIntegrationUtils.cpp, line 399 followed by a null deref [@ nsSVGUtils::MaxExpansion].
Attached patch patch (obsolete) — Splinter Review
Assignee: nobody → longsonr
Status: NEW → ASSIGNED
Attachment #347669 - Flags: superreview?(roc)
Attachment #347669 - Flags: review?(roc)
Attached patch patch (obsolete) — Splinter Review
precedence
Attachment #347669 - Attachment is obsolete: true
Attachment #347671 - Flags: superreview?(roc)
Attachment #347671 - Flags: review?(roc)
Attachment #347669 - Flags: superreview?(roc)
Attachment #347669 - Flags: review?(roc)
Comment on attachment 347671 [details] [diff] [review] patch But can you explain what caused the crash and why this fixes it?
Attachment #347671 - Flags: superreview?(roc)
Attachment #347671 - Flags: superreview+
Attachment #347671 - Flags: review?(roc)
Attachment #347671 - Flags: review+
Here, or as a comment in the code? Assuming you meant here... All of the elements are in a <defs> section which makes them unrendered. <defs> children only exist for use by other rendered elements such as markers and don't have a covered region. The testcase manages to cause a style change to a pathGeometryFrame which is a child of a defs frame. Presumably the pathGeometryFrame is that of the rect element as that would seem to be the only thing that would have one. When the invalidation code runs on something that doesn't have a covered region it goes boom. You'll find the same thing in nsSVGDisplayContainerFrame::RemoveFrame.
Perhaps it would be better to move the NONDISPLAY_CHILD check to InvalidateCoveredRegion, instead of checking that at every call site?
It's more efficient this way as you can avoid the outer svg frame call. How about hoisting the whole thing to a new nsSVGUtils::InvalidateCoveredRegion method?
Attached patch address review comment (obsolete) — Splinter Review
I need to test this.
Attachment #347671 - Attachment is obsolete: true
Attachment #347737 - Attachment is obsolete: true
Attachment #348066 - Flags: superreview?(roc)
Attachment #348066 - Flags: review?(roc)
Attachment #348066 - Flags: superreview?(roc)
Attachment #348066 - Flags: superreview+
Attachment #348066 - Flags: review?(roc)
Attachment #348066 - Flags: review+
Comment on attachment 348066 [details] [diff] [review] address review comment v2 [Checkin: Comment 14 & 16] Simple fix for crash. Just adds a test for whether the function will crash and avoids calling it.
Attachment #348066 - Flags: approval1.9.1?
Comment on attachment 348066 [details] [diff] [review] address review comment v2 [Checkin: Comment 14 & 16] a191=beltzner
Attachment #348066 - Flags: approval1.9.1? → approval1.9.1+
Whiteboard: checkin-needed
Keywords: checkin-needed
Whiteboard: checkin-needed → [needs landing]
Comment on attachment 348066 [details] [diff] [review] address review comment v2 [Checkin: Comment 14 & 16] http://hg.mozilla.org/mozilla-central/rev/c764915ebd2e
Attachment #348066 - Attachment description: address review comment v2 → address review comment v2 [Checkin: Comment 14]
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Whiteboard: [needs landing] → [c-n: baking for 1.9.1]
Target Milestone: --- → mozilla1.9.2a1
Comment on attachment 348066 [details] [diff] [review] address review comment v2 [Checkin: Comment 14 & 16] http://hg.mozilla.org/releases/mozilla-1.9.1/rev/598d498219ce
Attachment #348066 - Attachment description: address review comment v2 [Checkin: Comment 14] → address review comment v2 [Checkin: Comment 14 & 16]
Keywords: checkin-neededfixed1.9.1
Whiteboard: [c-n: baking for 1.9.1]
Target Milestone: mozilla1.9.2a1 → mozilla1.9.1b3
verified fixed on the 1.9.1 branch using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20081230 Shiretoko/3.1b3pre. Adding keyword. verified fixed on the trunk using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20081230 Minefield/3.2a1pre.
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1verified1.9.1
Flags: in-testsuite+
Crash Signature: [@ nsSVGUtils::MaxExpansion]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: