Closed Bug 841225 Opened 12 years ago Closed 12 years ago

Crash [@ nsProgressFrame::ShouldUseNativeStyle] with svg.text.css-frames.enabled

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla21

People

(Reporter: jruderman, Assigned: heycam)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(3 files)

testcase
157 bytes, image/svg+xml
Details
stack
10.01 KB, text/plain
Details
patch
3.45 KB, patch
bzbarsky
: review+
Details | Diff | Splinter Review
Attached image testcase
With: user_pref("svg.text.css-frames.enabled", true); Crash [@ nsProgressFrame::ShouldUseNativeStyle]
Attached file stack
OS: Mac OS X → All
Hardware: x86_64 → All
mBarDiv->GetPrimaryFrame() is null, so we're crashing on this line: > 290 mBarDiv->GetPrimaryFrame()->GetStyleDisplay()->mAppearance == NS_THEME_PROGRESSBAR_CHUNK && https://mxr.mozilla.org/mozilla-central/source/layout/forms/nsProgressFrame.cpp#290
I don't think we should be creating a frame for the <progress> element inside the SVG <text> element.
Although we already have code to prevent this https://mxr.mozilla.org/mozilla-central/source/layout/base/nsCSSFrameConstructor.cpp#5306 so maybe that's working in this case.
*not working
Attached patch patchSplinter Review
Inside a <tspan>, we're creating frame construction items without a parent frame available to check. So we should be checking the ITEM_IS_SVG_TEXT flag too, to avoid creating frames for non-SVG elements inside SVG text.
Assignee: nobody → cam
Status: NEW → ASSIGNED
Attachment #713782 - Flags: review?(bzbarsky)
Comment on attachment 713782 [details] [diff] [review] patch >+ (aFlags & ITEM_IS_WITHIN_SVG_TEXT))) { This is mis-indented, leading to confusion. Please fix. r=me with that.
Attachment #713782 - Flags: review?(bzbarsky) → review+
Crash Signature: [@ nsProgressFrame::ShouldUseNativeStyle] → [@ nsProgressFrame::ShouldUseNativeStyle] [@ nsProgressFrame::ShouldUseNativeStyle()]
https://hg.mozilla.org/mozilla-central/rev/86d7b194cd33
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
Depends on: 841812
No longer depends on: 841812
Blocks: svgtext
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: