Closed
Bug 385246
Opened 17 years ago
Closed 17 years ago
Negative width attribute on <svg:foreignObject> causes "ASSERTION: reflow state made child wrong size" and more
Categories
(Core :: SVG, defect)
Core
SVG
Tracking
()
RESOLVED
FIXED
People
(Reporter: jruderman, Assigned: jwatt)
References
Details
(Keywords: assertion, testcase)
Attachments
(3 files)
(deleted),
image/svg+xml
|
Details | |
(deleted),
image/svg+xml
|
Details | |
(deleted),
patch
|
tor
:
review+
roc
:
superreview+
|
Details | Diff | Splinter Review |
###!!! ASSERTION: reflow state made child wrong size: 'reflowState.ComputedWidth() == size.width', file /Users/jruderman/trunk/mozilla/layout/svg/base/src/nsSVGForeignObjectFrame.cpp, line 580 ###!!! ASSERTION: unexpected size: 'size.width == desiredSize.width && size.height == desiredSize.height', file /Users/jruderman/trunk/mozilla/layout/svg/base/src/nsSVGForeignObjectFrame.cpp, line 586 (The second assertion also shows up in bug 384499.)
Reporter | ||
Comment 1•17 years ago
|
||
Adding a <script> tag removes the extra assertions.
Reporter | ||
Comment 2•17 years ago
|
||
The first testcase triggers extra assertions: ###!!! ASSERTION: XXX. We shouldn't get here. Viewbox width/height is set to 0. Need to disable display of element as per specs.: 'Error', file /Users/jruderman/trunk/mozilla/content/svg/content/src/nsSVGSVGElement.cpp, line 1266 ###!!! ASSERTION: can't mark frame dirty during reflow: '!mIsReflowing', file /Users/jruderman/trunk/mozilla/layout/base/nsPresShell.cpp, line 3073
![]() |
Assignee | |
Updated•17 years ago
|
Assignee: nobody → jwatt
![]() |
Assignee | |
Comment 3•17 years ago
|
||
Since processing of length attributes has been consolidated into a single place (nsSVGElement) it's not so easy to handle rogue values in a robust way. I'm not too keen on scattering checks throughout layout wherever we call GetAnimatedLengthValues. Maybe GetAnimatedLengthValues could be made to know about arbitrary restrictions on length values and clamp the values it returns?
![]() |
Assignee | |
Comment 4•17 years ago
|
||
Hmm, in addition to that I guess we need to treat a width or height of less than zero as if it was zero. That is to say, we are required to disable rendering (and might as well disable reflow) for the element (the element will be reflowed if/when the width/height are made > 0).
![]() |
Assignee | |
Comment 5•17 years ago
|
||
Jesse: it's also really tedious that I still have to ask to see SVG security bugs. I can see this bug blocks some secret bug, but it would help in deciding how important this bug really is if I could see what it's about.
![]() |
Assignee | |
Comment 6•17 years ago
|
||
Here's a patch. It would be nice if GetAnimatedLengthValues knew how to clamp, but for now we can do it at the relevant call sites.
Attachment #269370 -
Flags: review?(tor)
Attachment #269370 -
Flags: review?(tor) → review+
![]() |
Assignee | |
Updated•17 years ago
|
Attachment #269370 -
Flags: superreview?(roc)
Attachment #269370 -
Flags: superreview?(roc) → superreview+
![]() |
Assignee | |
Updated•17 years ago
|
Status: NEW → RESOLVED
Closed: 17 years ago
OS: Mac OS X → All
Hardware: PC → All
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•