Closed Bug 508247 Opened 15 years ago Closed 15 years ago

Crash [@ _moz_cairo_matrix_multiply] with getCTM method on path inside definition-src

Categories

(Core :: SVG, defect)

Product:
Core
Component:
SVG
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9.2b1
Tracking Flags:
Tracking Status
status1.9.2 --- beta1-fixed

People

(Reporter: martijn.martijn, Assigned: longsonr)

References

Details

(4 keywords)

Crash Data

Attachments

(2 files)

testcase
(deleted), image/svg+xml
Details
patch
(deleted), patch
jwatt
: review+
Details | Diff | Splinter Review
Attached image testcase (deleted) —
See testcase, which crashes current trunk build. This regressed between 2009-07-22 and 2009-07-24: http://hg.mozilla.org/mozilla-central/pushloghtml?startdate=2009-07-22+04%3A00%3A00&enddate=2009-07-24+06%3A00%3A00 I guess a regression from bug 435356. http://crash-stats.mozilla.com/report/index/c7aff124-3e64-42fd-902b-318792090804?p=1 0 xul.dll _moz_cairo_matrix_multiply gfx/cairo/cairo/src/cairo-matrix.c:298 1 xul.dll gfxMatrix::Multiply gfx/thebes/src/gfxMatrix.cpp:82 2 xul.dll xul.dll@0x9aeb17 3 xul.dll nsSVGGraphicElement::GetCTM content/svg/content/src/nsSVGGraphicElement.cpp:109 4 xul.dll NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101 5 xul.dll XPCWrappedNative::CallMethod js/src/xpconnect/src/xpcwrappednative.cpp:2710
Flags: blocking1.9.2?
Attached patch patch (deleted) — Splinter Review
Assignee: nobody → longsonr
Attachment #393439 - Flags: review?(jwatt)
Comment on attachment 393439 [details] [diff] [review] patch Seems like you should just replace the: ancestor->GetNameSpaceID() == kNameSpaceID_SVG with the: ancestor->IsNodeOfType(nsINode::eSVG Thanks for fixing.
Attachment #393439 - Flags: review?(jwatt) → review+
I don't think we want to terminate the loop if we find a generic node, just skip over it, so I think what I have is right.
I'm not sure I follow. The loop only continues while |ancestor->GetNameSpaceID() == kNameSpaceID_SVG|. Are there cases when |ancestor->IsNodeOfType(nsINode::eSVG )| would be false but |ancestor->GetNameSpaceID() == kNameSpaceID_SVG| would be true?
The testcase is precisely such an example. Basically an unknown node is node type XML rather than node type SVG but it is in the SVG namespace.
Are you happy with the explanation Jonathan? I'd still like to land the patch as is.
Blocks: 510956
Yes, sorry. Good point. Maybe you could add a little reminder comment there? Or maybe not. Whatever you prefer.
pushed http://hg.mozilla.org/mozilla-central/rev/b0cdd9e8cebb
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Please land this on 1.9.2
Flags: blocking1.9.2? → blocking1.9.2+
BTW Martijn's testcase should be checked in as a crashtest
Flags: in-testsuite?
Attachment #393439 - Flags: approval1.9.2?
Attachment #393439 - Flags: approval1.9.2?
pushed http://hg.mozilla.org/mozilla-central/rev/f52a00e04cf1
Flags: in-testsuite? → in-testsuite+
I don't see this crash anymore with the patch, but bug 510956 looks very similar, and it still crashes with the patch applied.
I'm sorry, I copied the wrong bug number. That should be bug 515288, not 510956.
status1.9.2: --- → beta1-fixed
Target Milestone: --- → mozilla1.9.2b1
Verified on the 1.9.2 branch using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2b6pre) Gecko/20091231 Namoroka/3.6b6pre(.NET CLR 3.5.30729). I verified using the testcase attached to the bug.
Keywords: verified1.9.2
Crash Signature: [@ _moz_cairo_matrix_multiply]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: