Closed Bug 529387 Opened 15 years ago Closed 15 years ago

Crash [@ GetCSSComputedValue] with xmlhttprequest, and "ABORT: actively animated document w/ no window"

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: martijn.martijn, Assigned: dholbert)

References

Details

(Keywords: assertion, crash, testcase)

Crash Data

Attachments

(3 files, 2 obsolete files)

testcase
227 bytes, image/svg+xml
Details
fix v1
2.13 KB, patch
roc
: review+
Details | Diff | Splinter Review
mochitest (as patch)
4.49 KB, patch
Details | Diff | Splinter Review
Attached image testcase 
See testcase which crashes current trunk build on load.

http://crash-stats.mozilla.com/report/index/9b60501c-c3ff-4aa5-8835-886182091117
0	xul.dll	GetCSSComputedValue
1	xul.dll	nsSMILCSSProperty::GetBaseValue
2	xul.dll	nsSMILAnimationFunction::WillReplace
3	xul.dll	nsSMILCompositor::ComposeAttribute
When viewing this testcase in a debug build, I hit this NS_ABORT_IF_FALSE:
> ###!!! ABORT: actively animated document w/ no window: 'win', file ../../../mozilla/content/smil/nsSMILCSSProperty.cpp, line 77
Keywords: assertion
Summary: Crash [@ GetCSSComputedValue] with xmlhttprequest → Crash [@ GetCSSComputedValue] with xmlhttprequest, and "ABORT: actively animated document w/ no window"
Blocks: 531402
Assignee: nobody → dholbert
Status: NEW → ASSIGNED
OS: Windows XP → All
Hardware: x86 → All
Attached image (helper file for testcase 2) (obsolete) — 

    
    

    
  


  

    
    

    
  
Comment on attachment 414904 [details]
testcase 2 [doesn't actually reproduce bug]

Hrm -- so this testcase apparently doesn't reproduce the bug when hosted on Bugzilla, but it does on my local machine. (with the request modified to refer to a local copy of the "helper" file).

Anyway, the local copy of this testcase demonstrates that we fail, given a single <animate> node (targeting a CSS property) within an XMLHttpRequested SVG document.

        Attachment #414904 -
        Attachment description: testcase 2 → testcase 2 [doesn't actually reproduce bug]

    
    

    
  
So here's what basically happens in this bug:

We fire off an XMLHttpRequest for an SVG file that contains animations.  This file is loaded into a separate nsXMLDocument.  We start its animations when the request finishes loading. (via a call to "nsSVGSVGElement::PreHandleEvent" for the NS_SVG_LOAD event)

However, the problem is that this new nsXMLDocument lacks a nsPIDOMWindow -- not only at load-time, but for the rest of time after that as well. (at least in the attached testcases.)

So, we end up running animations in a nsXMLDocument that has no nsPIDOMWindow.  This is bad because "GetCSSComputedValue" function needs (and assumes we have) a nsPIDOMWindow in order to look up base values of CSS properties.

We could of course avoid the crash by bailing out of GetCSSComputedValue if we lack a nsPIDOMWindow....  However, I tend to think we shouldn't be running SVG animations in XMLHttpRequested documents in the first place.

    
  

        Attachment #414904 -
        Attachment is obsolete: true

    
  

        Attachment #414903 -
        Attachment is obsolete: true

    
    

    
  
(In reply to comment #5)
> However, the problem is that this new nsXMLDocument lacks a nsPIDOMWindow --
> not only at load-time, but for the rest of time after that as well. (at least
> in the attached testcases.)
Data documents don't have window. (Well, clone-doc-for-printing will be an exception.) Documents loaded using XHR are data documents.

> However, I tend to think we shouldn't be running SVG
> animations in XMLHttpRequested documents in the first place.
Indeed. I thought animations were somehow bound to presentation, but apparently
they aren't. (Data documents don't have presentation, excluding clone-doc-for-printing).

    
    

    
  
(In reply to comment #5)
> However, I tend to think we shouldn't be running SVG
> animations in XMLHttpRequested documents in the first place.

Agreed.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        fix v1Splinter Review
      

    


  
Ok -- this patch makes us refuse to create an Animation Controller for data documents. (nsDocuments with mLoadedAsData == true)

        Attachment #414920 -
        Flags: review?(roc)

    
    

    
  
Bug 487667 has similar fix for SMIL handling.

    
    

    
  
Daniel, we should have defined behavior for animation related objects/interfaces in data documents if we're not going to crash. ;-) Can you change the test to something that checks the animated value half way through the animation and check that it has the same value as the base value. Maybe also check that getCurrentTime returns zero at that point too.

Olli, do you mind if we land this separately with tests? Seems like it shouldn't be too hard to merge and will give more useful hg blame.

    
    

    
  


  
Here's a mochitest to assert that animations are ineffective in a XMLHttpRequested document, as suggested by jwatt.

    
    

    
  
(In reply to comment #11)
> Olli, do you mind if we land this separately with tests? Seems like it
> shouldn't be too hard to merge and will give more useful hg blame.
This can land separately. I'll just remove one part of the fix for Bug 487667.

    
    

    
  
(I have this in a queue of patches that are all waiting to land once m-c reopens)

    
    

    
  
Landed fix with crashtest:
http://hg.mozilla.org/mozilla-central/rev/a7b3540b0365
Mochitest in separate changeset:
http://hg.mozilla.org/mozilla-central/rev/6b63d9d09d37
Whiteboard: [needs landing]

    
  
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Crash Signature: [@ GetCSSComputedValue]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: