Closed Bug 473081 Opened 16 years ago Closed 16 years ago

Tiny SVG causes Firefox to crash [@ nsGenericDOMDataNode::GetOwnerDocument ]

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Version:
1.9.0 Branch
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: niki, Unassigned)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.5) Gecko/2008123017 GranParadiso/3.0.5
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.5) Gecko/2008123017 GranParadiso/3.0.5

When trying to render this SVG image, firefox crashes. Tested with different PCs.

Reproducible: Always

Steps to Reproduce:
1.Open the SVG-File http://baaa.ba.funpic.de/upl/img/bf4b5f4e640b7a47f8c6d6336e82ddd3.svg with Firefox
Actual Results:  
Firefox crashed

Expected Results:  
Not crashing but rendering the image.

Firefox does not produce any bug related output when crashing.

Content of the SVG file:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.0" width="200" height="200" xmlns="http://www.w3.org/2000/svg">
  <title>SVG test</title>
  <style type="text/css"><![CDATA[text {font-size:60px; text-anchor:middle;}]]></style>
  <line x1="0.5" y1="0.5" x2="200.5" y2="200.5" fill="#000000" stroke="#FF0000" stroke-width="3" stroke-dasharray="none" />
  <line x1="0.5" y1="200.5" x2="200.5" y2="0.5" fill="#000000" stroke="#0000FF" stroke-width="3" stroke-dasharray="1%, 1%" />
  <circle cx="100.5" cy="100.5" r="50" fill="#00FF00" stroke="#000000" stroke-width="1" stroke-dasharray="1%, 1%" />
  <text x="100.5" y="100.5" font-size="30px" fill="#00FF00" stroke="#000000" stroke-width="1" stroke-dasharray="1%, 1%">Igel</text>
</svg>
Crashes 3. Does not crash 3.1 or trunk. (tested on Kubuntu 8.04.1)
bp-7b28c041-7974-4561-8f5b-d368f2090111
0  	libxul.so  	nsGenericDOMDataNode::GetOwnerDocument  	nsNodeInfoManager.h:117
1 	libxul.so 	nsTextNode::GetOwnerDocument 	mozilla/content/base/src/nsTextNode.cpp:66
2 	libxul.so 	nsSVGElement::GetCtx 	mozilla/content/svg/content/src/nsSVGElement.cpp:1007
3 	libxul.so 	nsSVGLength::MaybeGetCtxRect 	mozilla/content/svg/content/src/nsSVGLength.cpp:606
4 	libxul.so 	nsSVGLength::MaybeAddAsObserver 	mozilla/content/svg/content/src/nsSVGLength.cpp:617
5 	libxul.so 	nsSVGLength::SetContext 	mozilla/content/svg/content/src/nsSVGLength.cpp:524
6 	libxul.so 	nsSVGUtils::CoordToFloat 	mozilla/layout/svg/base/src/nsSVGUtils.cpp:664
7 	libxul.so 	nsSVGGeometryFrame::GetStrokeDashArray 	mozilla/layout/svg/base/src/nsSVGGeometryFrame.cpp:219
8 	libxul.so 	nsSVGGeometryFrame::SetupCairoStrokeHitGeometry 	mozilla/layout/svg/base/src/nsSVGGeometryFrame.cpp:421
9 	libxul.so 	nsSVGGeometryFrame::SetupCairoStroke 	mozilla/layout/svg/base/src/nsSVGGeometryFrame.cpp:431
10 	libxul.so 	nsSVGGlyphFrame::PaintSVG 	mozilla/layout/svg/base/src/nsSVGGlyphFrame.cpp:344
11 	libxul.so 	nsSVGUtils::PaintChildWithEffects 	mozilla/layout/svg/base/src/nsSVGUtils.cpp:1380
12 	libxul.so 	nsSVGDisplayContainerFrame::PaintSVG 	mozilla/layout/svg/base/src/nsSVGContainerFrame.cpp:183
13 	libxul.so 	nsSVGTextFrame::PaintSVG 	mozilla/layout/svg/base/src/nsSVGTextFrame.cpp:250
14 	libxul.so 	nsSVGUtils::PaintChildWithEffects 	mozilla/layout/svg/base/src/nsSVGUtils.cpp:1380
15 	libxul.so 	nsSVGOuterSVGFrame::Paint 	mozilla/layout/svg/base/src/nsSVGOuterSVGFrame.cpp:585
16 	libxul.so 	nsDisplaySVG::Paint 	mozilla/layout/svg/base/src/nsSVGOuterSVGFrame.cpp:465
17 	libxul.so 	nsDisplayList::Paint const 	mozilla/layout/base/nsDisplayList.cpp:296
18 	libxul.so 	nsDisplayClip::Paint 	mozilla/layout/base/nsDisplayList.cpp:693
19 	libxul.so 	nsDisplayList::Paint const 	mozilla/layout/base/nsDisplayList.cpp:296
20 	libxul.so 	nsLayoutUtils::PaintFrame 	mozilla/layout/base/nsLayoutUtils.cpp:988
21 	libxul.so 	PresShell::Paint 	mozilla/layout/base/nsPresShell.cpp:5421
22 	libxul.so 	nsViewManager::RenderViews 	mozilla/view/src/nsViewManager.cpp:614
23 	libxul.so 	nsViewManager::Refresh 	mozilla/view/src/nsViewManager.cpp:502
24 	libxul.so 	nsViewManager::DispatchEvent 	mozilla/view/src/nsViewManager.cpp:1134
...
...

In the future, please include a crash ID or stack trace with your report.

Seeing as this already appears to be fixed for the next major release, closing as WFM.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Component: General → SVG
Product: Firefox → Core
QA Contact: general → general
Resolution: --- → WORKSFORME
Summary: Tiny SVG causes Firefox to crash → Tiny SVG causes Firefox to crash [@ nsGenericDOMDataNode::GetOwnerDocument ]
Version: unspecified → 1.9.0 Branch
If someone can find the bug where this was fixed, please dupe.
Oh, and looks like it does not crash latest 3.0.x. Expect fix in next update.

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.6pre) Gecko/2009011104 GranParadiso/3.0.6pre
You need to log in before you can comment on or make changes to this bug.