Closed Bug 508247 Opened 10 years ago Closed 10 years ago
Crash [@ _moz_cairo_matrix_multiply] with getCTM method on path inside definition-src
See testcase, which crashes current trunk build.

This regressed between 2009-07-22 and 2009-07-24:
http://hg.mozilla.org/mozilla-central/pushloghtml?startdate=2009-07-22+04%3A00%3A00&enddate=2009-07-24+06%3A00%3A00

I guess a regression from bug 435356.

http://crash-stats.mozilla.com/report/index/c7aff124-3e64-42fd-902b-318792090804?p=1

0 xul.dll _moz_cairo_matrix_multiply gfx/cairo/cairo/src/cairo-matrix.c:298
1 xul.dll gfxMatrix::Multiply gfx/thebes/src/gfxMatrix.cpp:82
2 xul.dll xul.dll@0x9aeb17
3 xul.dll nsSVGGraphicElement::GetCTM content/svg/content/src/nsSVGGraphicElement.cpp:109
4 xul.dll NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101
5 xul.dll XPCWrappedNative::CallMethod js/src/xpconnect/src/xpcwrappednative.cpp:2710
Assignee: nobody → longsonr
Attachment #393439 - Flags: review?(jwatt)
Comment on attachment 393439 patch

Seems like you should just replace the:

ancestor->GetNameSpaceID() == kNameSpaceID_SVG

with the:

ancestor->IsNodeOfType(nsINode::eSVG)

Thanks for fixing.
Attachment #393439 - Flags: review?(jwatt) → review+
I don't think we want to terminate the loop if we find a generic node, just skip over it, so I think what I have is right.
I'm not sure I follow. The loop only continues while |ancestor->GetNameSpaceID() == kNameSpaceID_SVG|. Are there cases when |ancestor->IsNodeOfType(nsINode::eSVG)| would be false but |ancestor->GetNameSpaceID() == kNameSpaceID_SVG| would be true?
The testcase is precisely such an example. Basically an unknown node is node type XML rather than node type SVG but it is in the SVG namespace.
Are you happy with the explanation, Jonathan? I'd still like to land the patch as is.
Yes, sorry. Good point. Maybe you could add a little reminder comment there? Or maybe not. Whatever you prefer.
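The difference between the two loop conditions discussed in the comments above, as an added illustration that is neither the attached patch nor Gecko code. Node, Matrix and both walker functions are hypothetical stand-ins, and the three-node tree is constructed sample data in which an unknown element sits in the SVG namespace without being an SVG-typed node.

```cpp
// Simplified model; Node, Matrix and both walkers are hypothetical, not Gecko code.
enum Namespace { kSVG, kOther };

struct Matrix { double xx, yx, xy, yy, x0, y0; };  // 2D affine transform

// Apply a first, then b (same convention as cairo_matrix_multiply).
static Matrix Multiply(const Matrix& a, const Matrix& b) {
  return { a.xx * b.xx + a.yx * b.xy, a.xx * b.yx + a.yx * b.yy,
           a.xy * b.xx + a.yy * b.xy, a.xy * b.yx + a.yy * b.yy,
           a.x0 * b.xx + a.y0 * b.xy + b.x0,
           a.x0 * b.yx + a.y0 * b.yy + b.y0 };
}

struct Node {
  Namespace ns;
  bool isSVGType;       // false for an unknown element, even in the SVG namespace
  const Matrix* local;  // in this model only SVG-typed nodes carry a transform
  const Node* parent;
};

// Loop on the namespace and skip nodes that are not SVG-typed.
Matrix CtmSkippingGeneric(const Node* n) {
  Matrix ctm = *n->local;
  for (const Node* a = n->parent; a && a->ns == kSVG; a = a->parent) {
    if (!a->isSVGType) continue;  // generic node: nothing to multiply, keep walking
    ctm = Multiply(ctm, *a->local);
  }
  return ctm;
}

// Loop on the node type: the walk ends at the first generic node.
Matrix CtmStoppingAtGeneric(const Node* n) {
  Matrix ctm = *n->local;
  for (const Node* a = n->parent; a && a->isSVGType; a = a->parent)
    ctm = Multiply(ctm, *a->local);
  return ctm;
}

// Constructed tree: svg scale(2) > unknown SVG-namespace element > path translate(3,4)
static const Matrix kScale2 = {2, 0, 0, 2, 0, 0};
static const Matrix kTranslate = {1, 0, 0, 1, 3, 4};
static const Node kRoot = {kSVG, true, &kScale2, nullptr};
static const Node kUnknown = {kSVG, false, nullptr, &kRoot};
static const Node kPath = {kSVG, true, &kTranslate, &kUnknown};
```

In this model, skipping keeps the outer scale in the result, while stopping at the generic node drops every transform above it; neither variant reads a transform from the untyped node.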
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Please land this on 1.9.2
Flags: blocking1.9.2? → blocking1.9.2+
BTW Martijn's testcase should be checked in as a crashtest
Flags: in-testsuite? → in-testsuite+
I don't see this crash anymore with the patch, but bug 510956 looks very similar, and it still crashes with the patch applied.
I'm sorry, I copied the wrong bug number. That should be bug 515288, not 510956.
Verified on the 1.9.2 branch using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2b6pre) Gecko/20091231 Namoroka/3.6b6pre(.NET CLR 3.5.30729). I verified using the testcase attached to the bug.
Crash Signature: [@ _moz_cairo_matrix_multiply]