Closed
Bug 582146
Opened 14 years ago
Closed 14 years ago
Tall iframe breaks painting
Categories
(Core :: Graphics, defect)
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
blocking2.0 | --- | betaN+ |
People
(Reporter: jruderman, Assigned: roc)
References
Details
(Keywords: testcase, Whiteboard: [sg:low spoof])
Attachments
(2 files, 1 obsolete file)
(deleted),
text/html
|
Details | |
(deleted),
patch
|
jrmuizel
:
review+
|
Details | Diff | Splinter Review |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b3pre) Gecko/20100726 Minefield/4.0b3pre
When Firefox navigates to this testcase, it paints nothing -- not even white. This may be a spoofing risk, both for the testcase and the other page.
Steps:
1. Load http://www.mozilla.com/
2. Load the testcase (by pasting its URL into the address bar)
Result: Content area still looks like mozilla.com.
Expected: Content area should appear white.
Reporter | ||
Comment 1•14 years ago
|
||
Updated•14 years ago
|
blocking2.0: --- → ?
Assignee | ||
Comment 2•14 years ago
|
||
That's disturbing. Timothy, do you want to try to fix this?
Updated•14 years ago
|
blocking2.0: ? → betaN+
Comment 3•14 years ago
|
||
Who owns this? Need an owner ASAP.
Assignee | ||
Updated•14 years ago
|
Assignee: nobody → tnikkel
Comment 4•14 years ago
|
||
I can reproduce what I think is the same issue on Linux: it just paints black.
Looks like this was caused by bug 572613 (retained layers basically).
Blocks: 572613
Comment 5•14 years ago
|
||
Changing
aCtx->FillRect(bgClipRect)
in nsDisplayCanvasBackground::Paint to fill the mVisibleRect instead seems to fix this bug. So I guess the bgClipRect is overflowing and causing it to not paint.
Comment 6•14 years ago
|
||
Just intersect the bg clip area with the visible rect and draw that.
I don't know why nsThebesRenderingContext::FillRect doesn't draw anything when given such a large rect because it has code specifically to deal with that situation, and it executes correctly in this case. The problem must lie further down into the gfx code.
Attachment #461916 -
Flags: review?(roc)
Assignee | ||
Comment 7•14 years ago
|
||
I think we should find the underlying bug. The existing code should work.
Assignee | ||
Comment 8•14 years ago
|
||
Setting a breakpoint on _cairo_error might be useful.
Comment 9•14 years ago
|
||
A breakpoint on _cairo_error doesn't seem to be hit.
Assignee | ||
Updated•14 years ago
|
Assignee: tnikkel → nobody
Assignee | ||
Comment 10•14 years ago
|
||
Easy fix! We were clamping cairo coordinates to 8388608. However, converting 8388608 to cairo_fixed_t actually wraps around. 8388607 is the largest coordinate that does not wrap around, so clamp to that instead.
Assignee: nobody → roc
Attachment #461916 -
Attachment is obsolete: true
Attachment #476705 -
Flags: review?(jmuizelaar)
Attachment #461916 -
Flags: review?(roc)
Assignee | ||
Updated•14 years ago
|
Whiteboard: [sg:low spoof] → [sg:low spoof][needs review]
Comment 11•14 years ago
|
||
Comment on attachment 476705 [details] [diff] [review]
fix
This constant would be more meaningful if it were a written in hex and casted to a double.
Attachment #476705 -
Flags: review?(jmuizelaar) → review+
Assignee | ||
Updated•14 years ago
|
Whiteboard: [sg:low spoof][needs review] → [sg:low spoof][needs landing]
Assignee | ||
Comment 12•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/8ddb7ffe0587
Fixed test and marked it as having an assertion:
http://hg.mozilla.org/mozilla-central/rev/a8212bca66fb
http://hg.mozilla.org/mozilla-central/rev/5a41a70eb631
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Assignee | ||
Updated•14 years ago
|
Whiteboard: [sg:low spoof][needs landing] → [sg:low spoof]
Assignee | ||
Updated•14 years ago
|
Flags: in-testsuite+
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•9 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•