Created attachment 644736 [details] testcase ###!!! ASSERTION: Should not use nsSVGIntegrationUtils on this SVG frame: '!svgChildFrame || (NS_SVGDisplayListPaintingEnabled() && !(aFrame->GetStateBits() & NS_STATE_SVG_NONDISPLAY_CHILD))', file layout/svg/base/src/nsSVGIntegrationUtils.cpp, line 390
Created attachment 647343 [details] [diff] [review] patch The assertion is getting upset because nsSVGOuterSVGFrame implements nsISVGChildFrame. The assertion should just check for the NS_FRAME_SVG_LAYOUT bit instead of nsISVGChildFrame.
The test in bug 768351 is essentially the same as this one, which is why I didn't include it in this patch as a crashtest.
Comment on attachment 647343 [details] [diff] [review] patch [Approval Request Comment] The real bug we want to fix on aurora is bug 779403, but that bug depends on the fix in bug 768351, which in turn depends on the fix in this bug, so requesting approval on this patch. Bug caused by (feature/regressing bug #): 738192 User impact if declined: SVG masking is broken Testing completed (on m-c, etc.): patch has been on m-c for several days Risk to taking this patch (and alternatives if risky): none String or UUID changes made by this patch: none
Err, for "Risk to taking this patch (and alternatives if risky)" I seem to have only processed the "alternatives" part. The risk is very low though, but yeah, there aren't really any viable alternatives.
Saw the assertion on 2012-07-22-mozilla-central-debug build. Verified fixed on FF 16 2012-09-19-mozilla-beta-debug build on Mac OS X 10.7.4.
Verified fixed on FF 17 2012-10-15-mozilla-beta-debug build on Mac OS X 10.7.4.