Closed Bug 582146 Opened 9 years ago Closed 9 years ago

Tall iframe breaks painting

Categories

(Core :: Graphics, defect)

x86
macOS
defect
Not set

Tracking


RESOLVED FIXED
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: jruderman, Assigned: roc)

References

Details

(Keywords: testcase, Whiteboard: [sg:low spoof])

Attachments

(2 files, 1 obsolete file)

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b3pre) Gecko/20100726 Minefield/4.0b3pre

When Firefox navigates to this testcase, it paints nothing -- not even white.  This may be a spoofing risk, both for the testcase and the other page.

Steps:
1. Load http://www.mozilla.com/
2. Load the testcase (by pasting its URL into the address bar)

Result: Content area still looks like mozilla.com.
Expected: Content area should appear white.
Attached file testcase
blocking2.0: --- → ?
That's disturbing. Timothy, do you want to try to fix this?
blocking2.0: ? → betaN+
Who owns this?  Need an owner ASAP.
Assignee: nobody → tnikkel
I can reproduce what I think is the same issue on Linux: it just paints black.

Looks like this was caused by bug 572613 (retained layers basically).
Blocks: 572613
Changing
  aCtx->FillRect(bgClipRect)
in nsDisplayCanvasBackground::Paint to fill the mVisibleRect instead seems to fix this bug. So I guess the bgClipRect is overflowing and causing it to not paint.
Attached patch patch (obsolete)
Just intersect the bg clip area with the visible rect and draw that.

I don't know why nsThebesRenderingContext::FillRect doesn't draw anything when given such a large rect because it has code specifically to deal with that situation, and it executes correctly in this case. The problem must lie further down into the gfx code.
Attachment #461916 - Flags: review?(roc)
I think we should find the underlying bug. The existing code should work.
Setting a breakpoint on _cairo_error might be useful.
A breakpoint on _cairo_error doesn't seem to be hit.
Assignee: tnikkel → nobody
Attached patch fix
Easy fix! We were clamping cairo coordinates to 8388608. However, converting 8388608 to cairo_fixed_t actually wraps around. 8388607 is the largest coordinate that does not wrap around, so clamp to that instead.
Assignee: nobody → roc
Attachment #461916 - Attachment is obsolete: true
Attachment #476705 - Flags: review?(jmuizelaar)
Attachment #461916 - Flags: review?(roc)
Whiteboard: [sg:low spoof] → [sg:low spoof][needs review]
Comment on attachment 476705 [details] [diff] [review]
fix

This constant would be more meaningful if it were written in hex and cast to a double.
Attachment #476705 - Flags: review?(jmuizelaar) → review+
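An added C model (not cairo's or Mozilla's code) of the wraparound roc describes above and of the hex constant the review asks for: cairo_fixed_t is a 32-bit signed 24.8 fixed-point value, so 8388608 (2^23) shifted left by 8 bits lands exactly on 2^31 and wraps negative, while 0x7FFFFF (8388607) does not. The clamp_coord and coordinate_converts_safely helpers are hypothetical names used only for this demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* cairo_fixed_t is a 32-bit signed integer holding 24.8 fixed point:
 * 24 integer bits, 8 fractional bits, so a coordinate x is stored as x * 256. */
typedef int32_t cairo_fixed_t;
#define FIXED_FRAC_BITS 8

/* The limit the old code clamped to: 8388608 == 2^23. In 24.8 fixed point that is
 * 2^23 * 2^8 == 2^31, one past INT32_MAX, so it wraps to a negative value. */
#define OLD_CLAMP_LIMIT 8388608.0
/* The corrected limit, written in hex as the reviewer asked: 0x7FFFFF == 8388607. */
#define NEW_CLAMP_LIMIT ((double)0x7FFFFF)

/* Model of converting a double to cairo_fixed_t. The product is computed in 64 bits and
 * then truncated to 32 bits so the wraparound is reproduced deterministically (casting an
 * out-of-range double straight to int32 would be undefined behaviour). Rounding is
 * simplified to truncation toward zero; the values in this bug are all integers. */
cairo_fixed_t fixed_from_double_wrapping(double d) {
    int64_t wide = (int64_t)(d * (1 << FIXED_FRAC_BITS));
    return (cairo_fixed_t)(uint32_t)wide; /* 0x80000000 becomes INT32_MIN here */
}

/* Hypothetical clamp helper: confine a coordinate to [-limit, limit]. */
double clamp_coord(double v, double limit) {
    if (v > limit) return limit;
    if (v < -limit) return -limit;
    return v;
}

/* Hypothetical check: 1 if the clamped coordinate keeps its sign through the conversion,
 * 0 if it wrapped (which is what turned a huge clip rect into nothing being painted). */
int coordinate_converts_safely(double v, double limit) {
    double clamped = clamp_coord(v, limit);
    cairo_fixed_t f = fixed_from_double_wrapping(clamped);
    return (clamped >= 0) == (f >= 0);
}

int main(void) {
    /* Constructed input: a clip rect edge far outside the viewport, as a very tall iframe produces. */
    double huge = 1e9;
    printf("old limit 8388608 -> fixed %d, safe=%d\n",
           fixed_from_double_wrapping(clamp_coord(huge, OLD_CLAMP_LIMIT)),
           coordinate_converts_safely(huge, OLD_CLAMP_LIMIT));
    printf("new limit 0x7FFFFF -> fixed %d, safe=%d\n",
           fixed_from_double_wrapping(clamp_coord(huge, NEW_CLAMP_LIMIT)),
           coordinate_converts_safely(huge, NEW_CLAMP_LIMIT));
    return 0;
}
```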
Whiteboard: [sg:low spoof][needs review] → [sg:low spoof][needs landing]
Whiteboard: [sg:low spoof][needs landing] → [sg:low spoof]
Blocks: 334359
Group: core-security → core-security-release
Group: core-security-release