Created attachment 414924: testcase

###!!! ASSERTION: Trying to do sandwich add of more than one value.: 'srcTransforms.Length() == 1', file /Users/jruderman/central/content/svg/content/src/nsSVGTransformSMILType.cpp, line 169
###!!! ASSERTION: invalid array index: 'i < Length()', file ../../../../dist/include/nsTArray.h, line 326

The first assertion is misleading: srcTransforms.Length() is actually 0.
This prevents me from finding other "ASSERTION: invalid array index" bugs, which are often security holes :(
Created attachment 491746: Patch v1a

Proposed patch.
Comment on attachment 491746: Patch v1a

>+ // [...] but since the duration is indefinite we'll actually try
>+ // to add it.

I'm confused about what this means -- why does an indefinite duration mean we'll actually try to add, when we wouldn't otherwise?
(In reply to comment #3)
> I'm confused about what this means -- why does an indefinite duration mean
> we'll actually try to add, when we wouldn't otherwise?

Yeah, good point, this comment needs to be tweaked. For by-animation, normally the interpolation step would ensure that we don't end up with an empty transform animation value. However, when there's an indefinite duration we skip interpolation altogether and just set the first value (the empty 'from' value we'd normally interpolate from). However, I think there are other cases where this can arise too, such as when we have values="1". So I'll tweak the comment to make this clearer.
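A simplified C++ model of the case described in the reply above, added here as an example and not taken from the patch or from Gecko: the types, `sandwich_add` and `sample_by_animation` are hypothetical stand-ins. It shows an empty source list reaching the sandwich add when interpolation is skipped, and a length check made before the element is indexed.

```cpp
#include <cstdio>
#include <vector>

// Hypothetical stand-ins for the SMIL transform value types (assumption).
struct Transform { float angle; };
using TransformList = std::vector<Transform>;

enum class AddResult { Replaced, SkippedEmpty, RejectedMultiple };

// Sandwich add: the higher-priority value replaces the underlying one.
// The source is expected to hold exactly one transform, but an empty list
// can arrive, so the length is checked before src[0] is read.
AddResult sandwich_add(TransformList& dest, const TransformList& src) {
    if (src.empty())
        return AddResult::SkippedEmpty;      // nothing to add; dest untouched
    if (src.size() != 1)
        return AddResult::RejectedMultiple;  // refuse instead of guessing
    dest.clear();
    dest.push_back(src[0]);                  // in bounds: size() == 1
    return AddResult::Replaced;
}

// Models a by-animation sample. The 'from' value of a by-animation is an
// empty list. With a definite duration, interpolation produces a one-element
// value; with an indefinite duration, interpolation is skipped and the empty
// 'from' value is returned as is.
TransformList sample_by_animation(const Transform& by, bool indefinite,
                                  float progress) {
    TransformList from;                      // empty 'from' value
    if (indefinite)
        return from;
    return { Transform{ by.angle * progress } };
}

int main() {
    TransformList base{ {10.0f} };
    AddResult r = sandwich_add(base, sample_by_animation({90.0f}, true, 0.5f));
    std::printf("indefinite: skipped=%d, base still has %zu value(s)\n",
                r == AddResult::SkippedEmpty, base.size());
    return 0;
}
```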
Created attachment 492618: Patch v1b

Fix up comment as per comment 3.
Comment on attachment 492618: Patch v1b

Makes much more sense now -- thanks for clarifying that! r=dholbert