Closed Bug 380691 Opened 17 years ago Closed 17 years ago

Crash [@ nsSVGForeignObjectFrame::TransformPointFromOuter] [@ nsSVGForeignObjectFrame::GetFrameForPointSVG] with foreignObject and mask

Categories

(Core :: SVG, defect)

x86
macOS
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: jruderman, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [sg:critical?] post 1.8-branch)

Attachments

(2 files)

Attached image testcase (crashes Firefox when loaded) (deleted)
Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_PROTECTION_FAILURE (0x0002) at 0x158924f0

Thread 0 Crashed:
0   libgklayout.dylib        	0x15895772 nsSVGForeignObjectFrame::GetFrameForPointSVG(float, float, nsIFrame**) + 164 (nsSVGForeignObjectFrame.cpp:304)
1   libgklayout.dylib        	0x158939f6 nsSVGUtils::GetCanvasTM(nsIFrame*) + 62 (nsSVGUtils.cpp:886)
2   libgklayout.dylib        	0x15893e85 nsSVGUtils::PaintChildWithEffects(nsSVGRenderState*, nsRect*, nsIFrame*) + 461 (nsSVGUtils.cpp:1053)
3   libgklayout.dylib        	0x15886f06 nsSVGOuterSVGFrame::Paint(nsIRenderingContext&, nsRect const&, nsPoint) + 366 (nsSVGOuterSVGFrame.cpp:478)
4   libgklayout.dylib        	0x15886fca nsDisplaySVG::Paint(nsDisplayListBuilder*, nsIRenderingContext*, nsRect const&) + 74 (nsSVGOuterSVGFrame.cpp:373)
...
Flags: blocking1.9?
Whiteboard: [sg:critical?]
I get a different stack:
nsSVGUtils::ConvertSVGMatrixToThebes (aMatrix=0x0) at /home/smaug/mozilla/mozilla_cvs/mozilla/layout/svg/base/src/nsSVGUtils.cpp:1301
1301      aMatrix->GetA(&A);
(gdb) bt
#0  nsSVGUtils::ConvertSVGMatrixToThebes (aMatrix=0x0) at /home/smaug/mozilla/mozilla_cvs/mozilla/layout/svg/base/src/nsSVGUtils.cpp:1301
#1  0x00002aaab19696ae in nsSVGUtils::SetClipRect (aContext=0x2aaab45aebb0, aCTM=Variable "aCTM" is not available.
)
    at /home/smaug/mozilla/mozilla_cvs/mozilla/layout/svg/base/src/nsSVGUtils.cpp:1386
#2  0x00002aaab1959435 in nsSVGMaskFrame::ComputeMaskAlpha (this=0x13e1160, aContext=0x7fffa3a406e0, aParent=0x13e15c0, aMatrix=0x0, aOpacity=1)
    at /home/smaug/mozilla/mozilla_cvs/mozilla/layout/svg/base/src/nsSVGMaskFrame.cpp:154
#3  0x00002aaab196bd74 in nsSVGUtils::PaintChildWithEffects (aContext=0x7fffa3a406e0, aDirtyRect=0x7fffa3a40700, aFrame=0x13e1560)
    at /home/smaug/mozilla/mozilla_cvs/mozilla/layout/svg/base/src/nsSVGUtils.cpp:1091
#4  0x00002aaab195a737 in nsSVGOuterSVGFrame::Paint (this=0x13e1228, aRenderingContext=@0x2aaab45acbb8, aDirtyRect=@0x7fffa3a407f0, aPt=Variable "aPt" is not available.
)
    at /home/smaug/mozilla/mozilla_cvs/mozilla/layout/svg/base/src/nsSVGOuterSVGFrame.cpp:480
Attachment #264899 - Flags: review?(roc)
Checked in.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
This WFM in 1.8.1.4, I assume it doesn't apply to the branch. Please unset the branch "wanted-minus" flags if I've missed something.
Flags: wanted1.8.1.x-
Flags: wanted1.8.0.x-
Whiteboard: [sg:critical?] → [sg:critical?] post 1.8-branch
Group: security
Flags: in-testsuite?
Crashtest checked in, but marked as "skip" due to bug 408145.
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsSVGForeignObjectFrame::TransformPointFromOuter] [@ nsSVGForeignObjectFrame::GetFrameForPointSVG]