Closed Bug 385246 Opened 17 years ago Closed 17 years ago

Negative width attribute on <svg:foreignObject> causes "ASSERTION: reflow state made child wrong size" and more

Categories

(Core :: SVG, defect)

defect
Not set
normal

RESOLVED FIXED

People

(Reporter: jruderman, Assigned: jwatt)

Details

(Keywords: assertion, testcase)

Attachments

(3 files)

Attached image testcase (deleted) —
###!!! ASSERTION: reflow state made child wrong size: 'reflowState.ComputedWidth() == size.width', file /Users/jruderman/trunk/mozilla/layout/svg/base/src/nsSVGForeignObjectFrame.cpp, line 580

###!!! ASSERTION: unexpected size: 'size.width == desiredSize.width && size.height == desiredSize.height', file /Users/jruderman/trunk/mozilla/layout/svg/base/src/nsSVGForeignObjectFrame.cpp, line 586

(The second assertion also shows up in bug 384499.)
Adding a <script> tag removes the extra assertions.
The first testcase triggers extra assertions:

###!!! ASSERTION: XXX. We shouldn't get here. Viewbox width/height is set to 0. Need to disable display of element as per specs.: 'Error', file /Users/jruderman/trunk/mozilla/content/svg/content/src/nsSVGSVGElement.cpp, line 1266

###!!! ASSERTION: can't mark frame dirty during reflow: '!mIsReflowing', file /Users/jruderman/trunk/mozilla/layout/base/nsPresShell.cpp, line 3073
Assignee: nobody → jwatt
Since processing of length attributes has been consolidated into a single place (nsSVGElement) it's not so easy to handle rogue values in a robust way. I'm not too keen on scattering checks throughout layout wherever we call GetAnimatedLengthValues. Maybe GetAnimatedLengthValues could be made to know about arbitrary restrictions on length values and clamp the values it returns?
Hmm, in addition to that I guess we need to treat a width or height of less than zero as if it was zero. That is to say, we are required to disable rendering (and might as well disable reflow) for the element (the element will be reflowed if/when the width/height are made > 0).
Jesse: it's also really tedious that I still have to ask to see SVG security bugs. I can see this bug blocks some secret bug, but it would help in deciding how important this bug really is if I could see what it's about.
Attached patch patch (deleted) —
Here's a patch. It would be nice if GetAnimatedLengthValues knew how to clamp, but for now we can do it at the relevant call sites.
Attachment #269370 - Flags: review?(tor)
Attachment #269370 - Flags: review?(tor) → review+
Attachment #269370 - Flags: superreview?(roc)
Attachment #269370 - Flags: superreview?(roc) → superreview+
Status: NEW → RESOLVED
Closed: 17 years ago
OS: Mac OS X → All
Hardware: PC → All
Resolution: --- → FIXED
Depends on: 368573
Flags: in-testsuite?
Crashtest checked in.
Flags: in-testsuite? → in-testsuite+
Depends on: 596765
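
A sketch of the two ideas raised in the comments above (a length getter that clamps according to per-attribute restrictions, and treating a width or height of zero or less as "rendering and reflow disabled"), added here as an illustration and not taken from the patch or from Mozilla's code. `LengthRule`, `GetClampedLengths`, `ReflowForeignObject` and `MakeAttrs` are hypothetical names, and treating NaN as 0 is an assumption of this example.

```cpp
// Added illustration with hypothetical names; not Mozilla's implementation.
#include <algorithm>
#include <array>
#include <cstddef>

// Restriction an attribute carries: x/y may be negative, width/height may not.
enum class LengthRule { Any, NonNegative };

struct LengthAttr {
  float animVal;  // value as parsed from markup, possibly negative
  LengthRule rule;
};

// Central getter that knows each attribute's restriction and clamps,
// so no call site ever receives a rogue value.
template <std::size_t N>
std::array<float, N> GetClampedLengths(const std::array<LengthAttr, N>& attrs) {
  std::array<float, N> out{};
  for (std::size_t i = 0; i < N; ++i) {
    float v = attrs[i].animVal;
    if (v != v) v = 0.0f;  // assumption: NaN is treated like 0
    out[i] = attrs[i].rule == LengthRule::NonNegative ? std::max(v, 0.0f) : v;
  }
  return out;
}

struct ReflowResult {
  bool reflowed;  // false: rendering and child reflow were skipped
  float width, height;
};

// Call site: a width or height <= 0 disables rendering instead of
// handing the child a size that reflow cannot honour.
ReflowResult ReflowForeignObject(const std::array<LengthAttr, 4>& attrs) {
  const std::array<float, 4> v = GetClampedLengths(attrs);
  if (v[2] <= 0.0f || v[3] <= 0.0f) return {false, 0.0f, 0.0f};
  return {true, v[2], v[3]};
}

// Builds the x, y, width, height attributes of a foreignObject-like element.
std::array<LengthAttr, 4> MakeAttrs(float x, float y, float w, float h) {
  return {{{x, LengthRule::Any}, {y, LengthRule::Any},
           {w, LengthRule::NonNegative}, {h, LengthRule::NonNegative}}};
}

int main() {
  // Constructed input: a negative width, the condition named in the bug title.
  return ReflowForeignObject(MakeAttrs(0, 0, -100, 50)).reflowed ? 1 : 0;
}
```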