"ABORT: We expect aDirtyRect to be non-null" with <foreignObject> in <pattern>

RESOLVED FIXED in mozilla12

Status

()

Core
SVG
--
critical
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: Jesse Ruderman, Unassigned)

Tracking

({assertion, regression, testcase})

Trunk
mozilla12
assertion, regression, testcase
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments)

(Reporter)

Description

6 years ago
Created attachment 542041 [details]
testcase (crashes Firefox when loaded)

###!!! ABORT: We expect aDirtyRect to be non-null: 'aDirtyRect', file layout/svg/base/src/nsSVGForeignObjectFrame.cpp, line 200
(Reporter)

Comment 1

6 years ago
Created attachment 542042 [details]
stack trace
(Reporter)

Comment 2

6 years ago
Only crashes debug builds. I guess opt builds hit one of the early returns before doing a null deref.
(Reporter)

Comment 3

6 years ago
The first bad revision is:
changeset:   f23ef87dcfb3
user:        Robert Longson
date:        Sun Apr 24 20:55:58 2011 +0100
summary:     Bug 620274 - nsSVGForeignObjectFrame::PaintSVG null checks aDirtyRect when it is always non-null r=dholbert
Keywords: regression
(That first-bad-cset makes sense -- that's the bug that added the assertion.)

So, the null aDirtyRect comes from 2 stacklevels up, here:
> 325       nsSVGUtils::PaintFrameWithEffects(&tmpState, nsnull, kid);
http://mxr.mozilla.org/mozilla-central/source/layout/svg/base/src/nsSVGPatternFrame.cpp#325

...and PaintFrameWithEffects calls
> svgChildFrame->PaintSVG(aContext, aDirtyRect);
and in this case svgChildFrame is a nsSVGForeignObjectFrame.

There are analogous PaintFrameWithEffects(... nsnull...) calls in nsSVGMaskFrame.cpp and nsSVGMarkerFrame.cpp, too -- I imagine those might also hit this problem.

So, it looks like bug 620274 comment 1 was overly optimistic. :)

I think we probably want to back out bug 620274, and then add a null check around the code that timeless highlighted in the first comment there...

(In reply to comment #2)
> Only crashes debug builds. I guess opt builds hit one of the early returns
> before doing a null deref.

Yeah -- if I replace the ABORT_IF_FALSE to WARN_IF_FALSE, then my debug build loads the testcase fine, too.  It takes the first return from PaintSVG, under "if (IsDisabled())" (which checks for an empty mRect, which we have in this case.)
OS: Mac OS X → All
Hardware: x86 → All

Comment 5

6 years ago
Just swapping the IsDisabled and ABORT lines would fix this, although I'm worried that we've not done a reflow so that foreignObjects in patterns don't really work properly and never have.

Backing out f23ef87dcfb3 seems a good start though.

Comment 6

5 years ago
backed out bug 620274
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED

Updated

5 years ago
Target Milestone: --- → mozilla12
https://hg.mozilla.org/mozilla-central/rev/24365794891f
You need to log in before you can comment on or make changes to this bug.