Closed Bug 508247 Opened 10 years ago Closed 10 years ago

Crash [@ _moz_cairo_matrix_multiply] with getCTM method on path inside definition-src

Categories

(Core :: SVG, defect, critical)

x86
Windows XP

RESOLVED FIXED
mozilla1.9.2b1
Tracking Status
status1.9.2 --- beta1-fixed

People

(Reporter: martijn.martijn, Assigned: longsonr)

Attached image testcase
See testcase, which crashes current trunk build.

This regressed between 2009-07-22 and 2009-07-24:
http://hg.mozilla.org/mozilla-central/pushloghtml?startdate=2009-07-22+04%3A00%3A00&enddate=2009-07-24+06%3A00%3A00
I guess a regression from bug 435356.

http://crash-stats.mozilla.com/report/index/c7aff124-3e64-42fd-902b-318792090804?p=1
0  	xul.dll  	_moz_cairo_matrix_multiply  	 gfx/cairo/cairo/src/cairo-matrix.c:298
1 	xul.dll 	gfxMatrix::Multiply 	gfx/thebes/src/gfxMatrix.cpp:82
2 	xul.dll 	xul.dll@0x9aeb17 	
3 	xul.dll 	nsSVGGraphicElement::GetCTM 	content/svg/content/src/nsSVGGraphicElement.cpp:109
4 	xul.dll 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101
5 	xul.dll 	XPCWrappedNative::CallMethod 	js/src/xpconnect/src/xpcwrappednative.cpp:2710
Flags: blocking1.9.2?
Attached patch patch
Assignee: nobody → longsonr
Attachment #393439 - Flags: review?(jwatt)
Comment on attachment 393439 [details] [diff] [review]
patch

Seems like you should just replace the:

  ancestor->GetNameSpaceID() == kNameSpaceID_SVG

with the:

  ancestor->IsNodeOfType(nsINode::eSVG)

Thanks for fixing.
Attachment #393439 - Flags: review?(jwatt) → review+
I don't think we want to terminate the loop if we find a generic node, just skip over it, so I think what I have is right.
I'm not sure I follow. The loop only continues while |ancestor->GetNameSpaceID() == kNameSpaceID_SVG|. Are there cases when |ancestor->IsNodeOfType(nsINode::eSVG)| would be false but |ancestor->GetNameSpaceID() == kNameSpaceID_SVG| would be true?
The testcase is precisely such an example. Basically an unknown node is node type XML rather than node type SVG but it is in the SVG namespace.
Are you happy with the explanation Jonathan? I'd still like to land the patch as is.
Blocks: 510956
Yes, sorry. Good point. Maybe you could add a little reminder comment there? Or maybe not. Whatever you prefer.
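An added illustration of the two loop behaviours debated above (not the attached patch and not Gecko code). It is a simplified C++ model: `Node`, `isSvgType` and both functions are hypothetical names, translations stand in for full matrices, and the tree is constructed from the bug title's path inside definition-src.

```cpp
#include <cstdio>

// Simplified model, not Gecko code: every name below is hypothetical.
enum class Ns { SVG, Other };

struct Node {
    Ns ns;              // namespace of the element
    bool isSvgType;     // false: unknown element, a generic XML node
    double tx, ty;      // own translation, read only when isSvgType
    const Node* parent;
};

struct Offset { double x, y; };

// Reviewer's suggestion: walk only while the ancestor is an SVG-typed node.
Offset ctmStopAtGeneric(const Node* el) {
    Offset o{el->tx, el->ty};
    for (const Node* a = el->parent; a && a->isSvgType; a = a->parent) {
        o.x += a->tx; o.y += a->ty;
    }
    return o;
}

// Assignee's description: walk while in the SVG namespace, skip generic nodes.
Offset ctmSkipGeneric(const Node* el) {
    Offset o{el->tx, el->ty};
    for (const Node* a = el->parent; a && a->ns == Ns::SVG; a = a->parent) {
        if (!a->isSvgType) continue;   // never treated as an SVG element
        o.x += a->tx; o.y += a->ty;
    }
    return o;
}

// Constructed tree: svg translate(10,0) > definition-src (unknown) > path translate(1,2)
static const Node kSvg{Ns::SVG, true, 10.0, 0.0, nullptr};
static const Node kUnknown{Ns::SVG, false, 0.0, 0.0, &kSvg};
static const Node kPath{Ns::SVG, true, 1.0, 2.0, &kUnknown};

int main() {
    Offset a = ctmStopAtGeneric(&kPath), b = ctmSkipGeneric(&kPath);
    std::printf("stop: (%g, %g)  skip: (%g, %g)\n", a.x, a.y, b.x, b.y);
    return 0;
}
```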
pushed http://hg.mozilla.org/mozilla-central/rev/b0cdd9e8cebb
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Please land this on 1.9.2
Flags: blocking1.9.2? → blocking1.9.2+
BTW Martijn's testcase should be checked in as a crashtest
Flags: in-testsuite?
Attachment #393439 - Flags: approval1.9.2?
pushed http://hg.mozilla.org/mozilla-central/rev/f52a00e04cf1
Flags: in-testsuite? → in-testsuite+
I don't see this crash anymore with the patch, but bug 510956 looks very similar, and it still crashes with the patch applied.
I'm sorry, I copied the wrong bug number. That should be bug 515288, not 510956.
Target Milestone: --- → mozilla1.9.2b1
Verified on the 1.9.2 branch using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2b6pre) Gecko/20091231 Namoroka/3.6b6pre(.NET CLR 3.5.30729). I verified using the testcase attached to the bug.
Keywords: verified1.9.2
Crash Signature: [@ _moz_cairo_matrix_multiply]