Closed Bug 841225 Opened 10 years ago Closed 10 years ago

Crash [@ nsProgressFrame::ShouldUseNativeStyle] with svg.text.css-frames.enabled

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla21

People

(Reporter: jruderman, Assigned: heycam)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(3 files)

testcase
157 bytes, image/svg+xml
Details
stack
10.01 KB, text/plain
Details
patch
3.45 KB, patch
bzbarsky
: review+
Details | Diff | Splinter Review
Attached image testcase 
With:
  user_pref("svg.text.css-frames.enabled", true);

Crash [@ nsProgressFrame::ShouldUseNativeStyle]
Attached file stack 
OS: Mac OS X → All
Hardware: x86_64 → All

    
    

    
  
mBarDiv->GetPrimaryFrame() is null, so we're crashing on this line:

> 290 mBarDiv->GetPrimaryFrame()->GetStyleDisplay()->mAppearance == NS_THEME_PROGRESSBAR_CHUNK &&
https://mxr.mozilla.org/mozilla-central/source/layout/forms/nsProgressFrame.cpp#290

    
    

    
  
I don't think we should be creating a frame for the <progress> element inside the SVG <text> element.

    
    

    
  
Although we already have code to prevent this https://mxr.mozilla.org/mozilla-central/source/layout/base/nsCSSFrameConstructor.cpp#5306 so maybe that's working in this case.

    
    

    
  
*not working

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patchSplinter Review
      

    


  
Inside a <tspan>, we're creating frame construction items without a parent frame available to check.  So we should be checking the ITEM_IS_SVG_TEXT flag too, to avoid creating frames for non-SVG elements inside SVG text.
Assignee: nobody → cam
Status: NEW → ASSIGNED

        Attachment #713782 -
        Flags: review?(bzbarsky)

    
    

    
  
Comment on attachment 713782 [details] [diff] [review]
patch

>+          (aFlags & ITEM_IS_WITHIN_SVG_TEXT))) {

This is mis-indented, leading to confusion.  Please fix.

r=me with that.

        Attachment #713782 -
        Flags: review?(bzbarsky) → review+

    
  
Crash Signature: [@ nsProgressFrame::ShouldUseNativeStyle] → [@ nsProgressFrame::ShouldUseNativeStyle]
[@ nsProgressFrame::ShouldUseNativeStyle()]

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/86d7b194cd33
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla21

    
  
Depends on: 841812

    
  
No longer depends on: 841812

    
  
Blocks: svgtext

          You need to log in
          before you can comment on or make changes to this bug.