Closed Bug 975773 Opened 10 years ago Closed 10 years ago

Hit MOZ_CRASH(this shouldn't be called for filters without inputs) [@ mozilla::gfx::SourceNeededRegionForPrimitive]

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla30
Tracking Flags:
Tracking Status
firefox27 --- unaffected
firefox28 + fixed
firefox29 + fixed
firefox30 --- fixed
b2g-v1.3 --- fixed
b2g-v1.3T --- fixed
b2g-v1.4 --- fixed

People

(Reporter: jruderman, Assigned: mstange)

References

Details

(Keywords: assertion, crash, testcase)

Crash Data

Attachments

(3 files)

testcase (crashes Firefox when loaded)
258 bytes, image/svg+xml
Details
stack
21.06 KB, text/plain
Details
v1
2.13 KB, patch
roc
: review+
Sylvestre
: approval-mozilla-aurora+
Sylvestre
: approval-mozilla-beta+
Details | Diff | Splinter Review 
Hit MOZ_CRASH(this shouldn't be called for filters without inputs) at gfx/src/FilterSupport.cpp:1415
Attached file stack 

    
  
Crash Signature: [@ mozilla::gfx::SourceNeededRegionForPrimitive] → [@ mozilla::gfx::SourceNeededRegionForPrimitive]
[@ mozilla::gfx::FilterSupport::ComputeSourceNeededRegions]

    
    

    
  

      
      
      
      

        Attached patch
          
          
        v1Splinter Review
      

    


  
aDescription.Type() is FilterPrimitiveDescription::eNone here, because the specular lighting filter primitive refuses to be created at http://dxr.mozilla.org/mozilla-central/source/content/svg/content/src/nsSVGFilters.cpp?from=nsSVGFilters.cpp:515#517 because it has no frame. In nsSVGFilterInstance::BuildPrimitives(), we don't check the primitive's type and assign the inputs regardless, so the resulting eNone filter has NumberOfInputs() == 1. And there's nothing wrong with that, so we should just not crash in that case.
Assignee: nobody → mstange
Status: NEW → ASSIGNED

        Attachment #8380553 -
        Flags: review?(roc)

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/3cfdf8037ca3
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla30

    
    

    
  
This was caused by bug 924103 and affects Firefox 28 and 29 as well.
Blocks: 924103

          status-firefox27:
          --- → unaffected

          status-firefox28:
          --- → affected

          status-firefox29:
          --- → affected

          status-firefox30:
          --- → fixed

          tracking-firefox28:
          --- → ?

          tracking-firefox29:
          --- → ?

    
    

    
  
Comment on attachment 8380553 [details] [diff] [review]
v1

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 924103
User impact if declined: crash on specifically-constructed web pages
Testing completed (on m-c, etc.): local testing + patch contains crashtest
Risk to taking this patch (and alternatives if risky): extremely low
String or IDL/UUID changes made by this patch: none

        Attachment #8380553 -
        Flags: approval-mozilla-beta?

        Attachment #8380553 -
        Flags: approval-mozilla-aurora?

        Attachment #8380553 -
        Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

        Attachment #8380553 -
        Flags: approval-mozilla-beta? → approval-mozilla-beta+

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: