Bug 620810 (Closed)
Opened 15 years ago, closed 15 years ago
Crash from infinite recursion inside mozilla::imagelib::VectorImage::StartAnimation, with <feImage xlink:href="#anything">
Categories: Core :: SVG, defect
Status: RESOLVED DUPLICATE of bug 613899
People: Reporter: dholbert, Assigned: dholbert
Keywords: crash, regression, testcase
Attachments: 1 file (232 bytes, image/svg+xml)
Attached testcase crashes Firefox nightly builds, with infinite recursion.
Repeating chunk of stack:
> #4 0x00007f93fd8f1001 in mozilla::imagelib::VectorImage::StartAnimation (this=0x7f93da00f240) at modules/libpr0n/src/VectorImage.cpp:280
> #5 0x00007f93fd8dbde3 in mozilla::imagelib::Image::EvaluateAnimation (this=0x7f93da00f240) at modules/libpr0n/src/Image.cpp:168
> #6 0x00007f93fd8dbc14 in mozilla::imagelib::Image::IncrementAnimationConsumers (this=0x7f93da00f240) at modules/libpr0n/src/Image.cpp:119
> #7 0x00007f93fd91320f in imgRequestProxy::IncrementAnimationConsumers (this=0x7f93da010350) at modules/libpr0n/src/imgRequestProxy.cpp:355
> #8 0x00007f93fba3b0d6 in IncrementAnimationEnumerator (aKey=0x7f93da010350, aData=1, userArg=0x0) at content/base/src/nsDocument.cpp:8203
> #9 0x00007f93fba479a9 in nsBaseHashtable<nsPtrHashKey<imgIRequest>, unsigned int, unsigned int>::s_EnumReadStub (table=0x7f93da1bc4d0, hdr=0x7f93e22af630, number=1, arg=0x7fff2bda3280) at ../../../dist/include/nsBaseHashtable.h:345
> #10 0x00007f940f90a413 in PL_DHashTableEnumerate (table=0x7f93da1bc4d0, etor=0x7f93fba47950 <nsBaseHashtable<nsPtrHashKey<imgIRequest>, unsigned int, unsigned int>::s_EnumReadStub(PLDHashTable*, PLDHashEntryHdr*, PRUint32, void*)>, arg=0x7fff2bda3280) at pldhash.c:754
> #11 0x00007f93fba43747 in nsBaseHashtable<nsPtrHashKey<imgIRequest>, unsigned int, unsigned int>::EnumerateRead (this=0x7f93da1bc4d0, enumFunc=0x7f93fba3b0aa <IncrementAnimationEnumerator(imgIRequest*, PRUint32, void*)>, userArg=0x0) at ../../../dist/include/nsBaseHashtable.h:206
> #12 0x00007f93fba3b169 in nsDocument::SetImagesNeedAnimating (this=0x7f93da1bc000, aAnimating=1) at content/base/src/nsDocument.cpp:8225
> #13 0x00007f93fd8ec5a1 in mozilla::imagelib::SVGDocumentWrapper::StartAnimation (this=0x7f93da184dd0) at modules/libpr0n/src/SVGDocumentWrapper.cpp:209
> #14 0x00007f93fd8f1001 in mozilla::imagelib::VectorImage::StartAnimation (this=0x7f93da00f240) at modules/libpr0n/src/VectorImage.cpp:280
> #15 0x00007f93fd8dbde3 in mozilla::imagelib::Image::EvaluateAnimation (this=0x7f93da00f240) at modules/libpr0n/src/Image.cpp:168
> #16 0x00007f93fd8dbc14 in mozilla::imagelib::Image::IncrementAnimationConsumers (this=0x7f93da00f240) at modules/libpr0n/src/Image.cpp:119
This crashes as far back as 2010-11-17 (though it takes a reload or two in that nightly), but does not crash in the nightly before that. So, given the EvaluateAnimation / StartAnimation in the stack, this looks like it's a regression from bug 611797.
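A triage helper for backtraces like the one in the description, added here as an example and not part of the bug report or of Mozilla's code: it parses gdb frames and reports the shortest repeating run of functions, which is the signature of unbounded recursion. The function names `parse_frames` and `find_recursion_cycle`, the `min_overlap` heuristic, and the sample input are assumptions made for this example.

```python
import re

# One gdb frame: "#4 0x00007f93fd8f1001 in ns::Func (args) at file.cpp:280".
# Group 1 is the function name, which may contain template arguments with spaces.
FRAME_RE = re.compile(r"#\d+\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(.+?)\s+\(")


def parse_frames(backtrace):
    """Return function names, innermost first; a leading '> ' quote marker is tolerated."""
    return [m.group(1) for m in map(FRAME_RE.search, backtrace.splitlines()) if m]


def find_recursion_cycle(frames, min_overlap=3):
    """Return the shortest frame sequence that repeats with a fixed period, or None.

    A period p is accepted once min_overlap consecutive frames equal the frame p
    positions further out, so a cycle is found even when the trace is cut off
    before a second full repetition (hypothetical heuristic, not a gdb feature).
    """
    for period in range(1, len(frames)):
        run = 0
        for i in range(len(frames) - period):
            run = run + 1 if frames[i] == frames[i + period] else 0
            if run >= min_overlap:
                start = i - run + 1
                return frames[start:start + period]
    return None


# Constructed sample: function names of frames #4-#16 above; addresses, arguments
# and file positions are placeholders.
CYCLE = [
    "mozilla::imagelib::VectorImage::StartAnimation",
    "mozilla::imagelib::Image::EvaluateAnimation",
    "mozilla::imagelib::Image::IncrementAnimationConsumers",
    "imgRequestProxy::IncrementAnimationConsumers",
    "IncrementAnimationEnumerator",
    "nsBaseHashtable<nsPtrHashKey<imgIRequest>, unsigned int, unsigned int>::s_EnumReadStub",
    "PL_DHashTableEnumerate",
    "nsBaseHashtable<nsPtrHashKey<imgIRequest>, unsigned int, unsigned int>::EnumerateRead",
    "nsDocument::SetImagesNeedAnimating",
    "mozilla::imagelib::SVGDocumentWrapper::StartAnimation",
]
SAMPLE = "\n".join(
    f"> #{n + 4} 0x0000000000000000 in {name} (this=0x0) at file.cpp:1"
    for n, name in enumerate(CYCLE + CYCLE[:3])
)
```

On the sample, the reported cycle is the ten-frame loop from VectorImage::StartAnimation through SVGDocumentWrapper::StartAnimation and back.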
Assignee updated • 15 years ago
Summary: Infinite recursion inside mozilla::imagelib::VectorImage::StartAnimation, with <feImage xlink:href="#anything"> → Crash from infinite recursion inside mozilla::imagelib::VectorImage::StartAnimation, with <feImage xlink:href="#anything">
Comment 1 (Assignee) • 15 years ago
longsonr reported this to me earlier today, with crashes after clicking "Start SVG Demo" at these URLs:
http://svg-wow.org/blog/2009/10/04/twirl/
http://svg-wow.org/blog/2009/10/04/ripple/
(Note that those demos and this bug's testcase sort of depend on feImage being able to handle fragments, which is covered in bug 455986. In m-c, feImage can't handle fragments right now, so we end up treating the fragment identifier as an alias for the current document's URL, effectively.)
Assignee updated • 15 years ago
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE