This page currently crashes for me during loading: https://static.mozilla.com/moco/en-US/images/mozilla_eoy_2013_EN.svg Looks like it has a mask that contains a raster image that's a solid color, so we crash with a null DrawTarget here in imgFrame.cpp: > RefPtr<DrawTarget> dt = aContext->GetDrawTarget(); > > if (mSinglePixel && !doPadding && !doPartialDecode) { > if (mSinglePixelColor.a == 0.0) { > return true; > } > > Rect target(aFill.x, aFill.y, aFill.width, aFill.height); > dt->FillRect(target, ColorPattern(mSinglePixelColor), > DrawOptions(1.0f, CompositionOpForOp(aContext->CurrentOperator()))); > return true; > } We should probably stop this from crashing before bug 987194 is fixed.

The crash is happening under the stack: imgFrame::Draw mozilla::image::RasterImage::DrawWithPreDownscaleIfNeeded mozilla::image::RasterImage::Draw DrawImageInternal nsLayoutUtils::DrawSingleUnscaledImage nsSVGImageFrame::PaintSVG nsSVGUtils::PaintFrameWithEffects nsSVGDisplayContainerFrame::PaintSVG SVGPaintCallback::Paint nsFilterInstance::BuildSourceImage nsFilterInstance::Render nsFilterInstance::PaintFilteredFrame nsSVGUtils::PaintFrameWithEffects nsSVGMaskFrame::ComputeMaskAlpha nsSVGIntegrationUtils::PaintFramesWithEffects nsDisplaySVGEffects::PaintAsLayer mozilla::PaintInactiveLayer The reason the GetDrawTarget() call in comment 0 fails is because nsSVGMaskFrame::ComputeMaskAlpha creates a Thebes backed gfxContext.

Oops, need the gfx2DGlue.h change too.

Comment on attachment 8437308 [details] [diff] [review] patch r=me if you can make the code use a DrawTarget if it's available. This will at least make sure the FillRect path won't rot.

That was fast, thanks!

DOMi and DOMi+ are broken and it appears to be this patch based on regression testing. Good: https://hg.mozilla.org/integration/mozilla-inbound/rev/100a14518e5b Bad : https://hg.mozilla.org/integration/mozilla-inbound/rev/066ed94a5868 Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0

(In reply to Gary [:streetwolf] from comment #8) > DOMi and DOMi+ are broken and it appears to be this patch based on > regression testing. > > Good: https://hg.mozilla.org/integration/mozilla-inbound/rev/100a14518e5b > > Bad : https://hg.mozilla.org/integration/mozilla-inbound/rev/066ed94a5868 > > > Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 Bug is a duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=1023938

This crash is showing up in Aurora crash reports. Is the patch safe to uplift?

Comment on attachment 8437308 [details] [diff] [review] patch [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 994081 User impact if declined: crashes Testing completed (on m-c, etc.): been on m-c a while Risk to taking this patch (and alternatives if risky): low risk String or IDL/UUID changes made by this patch: none

Comment on attachment 8437308 [details] [diff] [review] patch Aurora uplift approved.

Used old Nightly build (2014-06-09) to crash Firefox using https://static.mozilla.com/moco/en-US/images/mozilla_eoy_2013_EN.svg. Verified that Firefox 32 beta 8 and latest Aurora does not crash after loading the .svg image. Testing was done on Windows 7 64bit, Mac OS X 10.9.4 and Ubuntu 14.04 32bit.