Closed
Bug 289516
Opened 20 years ago
Closed 20 years ago
Firefox 1.0.2 crashes everytime due to animated gif upon photobucket.com account logon. [@ nsImageWin::Init]
Categories
(Core Graveyard :: GFX, defect)
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: monkey_brains, Unassigned)
References
()
Details
(Keywords: crash)
Crash Data
Attachments
(3 files)
|
88.50 KB,
image/gif
|
Details | |
|
3.98 KB,
text/plain
|
Details | |
|
1.39 KB,
patch
|
emaijala+moz
:
review+
tor
:
superreview+
asa
:
approval1.8b2+
|
Details | Diff | Splinter Review |
image that causes mozilla to crash
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2 StumbleUpon/1.9993
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2 StumbleUpon/1.9993
Firefox crashed each time when i went to photobucket.com (after logging into my
account), using Firefox 1.0.2 on a Windows NT 5.1 (XP Professional Version 2002
Service Pack 2) system. The build ID is 20050317.
When i run Firefox (Normal mode) again, the application cannot close normally.
I discovered the problem occurs because in my account i have a 18.6 KB animated
gif. Using IE 6.0, i successfully removed the animated gif in my account and
thus Firefox (Safe mode) has been able to work normally again. For your
infomation, the animated gif will display accurately using Firefox using the
link below:
http://i4.photobucket.com/albums/y110/firefoxbug/sig1.gif
I have created a photobucket.com account for you to test the problem.
username: firefoxbug
password: firebug
Reproducible: Always
Steps to Reproduce:
1.Logon to the photobucket account
http://photobucket.com/albums/y110/firefoxbug/ using the password: "firebug".
2.
3.
Actual Results:
Firefox 1.0.2 crashes.
Firefox(Normal mode) cannot run/close normally upon restarting Firefox.
Firefox(Safe mode) is able to restart, run and close normally.
Expected Results:
Making a comparison using IE 6.0, upon logging into the account, it did not
crash although the animated gif did not display accurately in the account.
|
||
Comment 1•20 years ago
|
||
Also crashes 20050405 Linux nightly. See TB4931882X
Related Bug #250290 - Firefox 0.9.1 Crashes Displaying Large Animated GIF
Keywords: crash
|
||
Comment 3•20 years ago
|
||
The cause of the crash is th_sig10.gif (the thumbnail of the image).
|
||
Comment 4•20 years ago
|
||
|
|
||
Updated•20 years ago
|
Summary: Firefox 1.0.2 crashes everytime due to animated gif upon photobucket.com account logon. → Firefox 1.0.2 crashes everytime due to animated gif upon photobucket.com account logon. [@ nsImageWin::Init]
|
|
||
Updated•20 years ago
|
Assignee: firefox → win32
Status: UNCONFIRMED → NEW
Component: General → GFX: Win32
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → ian
Version: unspecified → Trunk
|
|
||
Updated•20 years ago
|
Assignee: win32 → general
Component: GFX: Win32 → GFX
OS: Windows XP → All
|
|
||
Comment 5•20 years ago
|
||
photobucket.com has obiously totally screwed up that thumbnail. The thumbnail is
25480*14560 pixels in size so this probably just a duplicate of bug 250290. When
you replace bytes 7 and 8 (width) and bytes 9 and 10 (height) by reasonable
values, Mozilla does not crash.
|
||
Comment 6•20 years ago
|
||
Ouch. Agreed that it looks a lot like bug 250290, but Mozilla should really
handle this gracefully.
Crashed for me on WinXPsp2 --> TB4942163Z
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050407
Firefox/1.0+
Flags: blocking-aviary1.1?
|
||
Comment 7•20 years ago
|
||
(In reply to comment #6)
> Ouch. Agreed that it looks a lot like bug 250290, but Mozilla should really
> handle this gracefully.
>
> Crashed for me on WinXPsp2 --> TB4942163Z
> Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050407
> Firefox/1.0+
Couldn´t get the big image from Bug 250290 to crash, but the 88k small animated
gif here crashes reliably.
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b2) Gecko/20050408
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=TB4944519E
|
|
||
Comment 8•20 years ago
|
||
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b2) Gecko/20050409
Looking for the testcase or bugnumber, I´m getting about 8 talkbacks, most from
me. Two of them are equal, produced with different nightlies by rapidly resizing
the image. Click to grow to full size, click to shrink to window, click again...
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=1&searchby=url&match=contains&searchfor=https%3A%2F%2Fbugzilla.mozilla.org%2Fattachment.cgi%3Fid%3D180050&vendor=All&product=All&platform=All&buildid=&sdate=&stime=&edate=&etime=&sortby=bbid
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=1&searchby=comments&match=contains&searchfor=289516&vendor=All&product=All&platform=All&buildid=&sdate=&stime=&edate=&etime=&sortby=bbid
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=4945585
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=4964987
MSVCRT.DLL + 0xad3e (0x7800ad3e)
MSVCRT.DLL + 0x9856 (0x78009856)
_createJSDObject
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/jsd/jsd_obj.c,
line 124]
jsd_ObjectHook
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/jsd/jsd_obj.c,
line 171]
js_NewObject
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsobj.c, line
1938]
js_CloneFunctionObject
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsfun.c, line
1935]
XPTC_InvokeByIndex
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp,
line 102]
XPCWrappedNative::CallMethod
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednative.cpp,
line 2065]
XPC_WN_CallMethod
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp,
line 1287]
js_Invoke
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 1314]
js_Interpret
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 3589]
js_Invoke
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 1334]
js_Interpret
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 3589]
js_Invoke
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 1334]
js_Interpret
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 3155]
js_Invoke
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/jsinterp.c,
line 1334]
nsXPCWrappedJSClass::CallMethod
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappedjsclass.cpp,
line 1339]
nsXPCWrappedJS::CallMethod
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/js/src/xpconnect/src/xpcwrappedjs.cpp,
line 450]
SharedStub
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/xpcom/reflect/xptcall/src/md/win32/xptcstubs.cpp,
line 147]
nsEventListenerManager::HandleEventSubType
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1545]
nsEventListenerManager::HandleEvent
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventListenerManager.cpp,
line 1642]
nsXULElement::HandleDOMEvent
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2194]
nsXULElement::HandleDOMEvent
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2173]
nsXULElement::HandleDOMEvent
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2173]
nsXULElement::HandleDOMEvent
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2173]
nsXULElement::HandleDOMEvent
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2173]
nsXULElement::HandleDOMEvent
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2173]
nsXULElement::HandleChromeEvent
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/xul/content/src/nsXULElement.cpp,
line 2863]
nsGlobalWindow::HandleDOMEvent
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/dom/src/base/nsGlobalWindow.cpp,
line 897]
nsDocument::HandleDOMEvent
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/base/src/nsDocument.cpp,
line 3885]
nsEventStateManager::SendFocusBlur
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp,
line 4167]
nsEventStateManager::SetContentState
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp,
line 3793]
nsEventStateManager::PostHandleEvent
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/content/events/src/nsEventStateManager.cpp,
line 1915]
PresShell::HandleEventInternal
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/base/nsPresShell.cpp,
line 6338]
PresShell::HandleEvent
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/layout/base/nsPresShell.cpp,
line 6113]
nsViewManager::HandleEvent
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp,
line 2508]
nsViewManager::DispatchEvent
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsViewManager.cpp,
line 2228]
HandleEvent
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/view/src/nsView.cpp,
line 174]
nsWindow::DispatchEvent
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 1150]
nsWindow::DispatchMouseEvent
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 5764]
ChildWindow::DispatchMouseEvent
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 6017]
nsWindow::WindowProc
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/widget/src/windows/nsWindow.cpp,
line 1442]
KERNEL32.DLL + 0x363b (0xbff7363b)
KERNEL32.DLL + 0x242e7 (0xbff942e7)
0x00638bea
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=4964987
MSVCRT.DLL + 0xad3e (0x7800ad3e)
MSVCRT.DLL + 0x954b (0x7800954b)
MSVCRT.DLL + 0x14cf (0x780014cf)
gfxImageFrame::Init
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/gfx/src/shared/gfxImageFrame.cpp,
line 142]
nsGIFDecoder2::HaveDecodedRow
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp,
line 441]
output_row
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/modules/libpr0n/decoders/gif/GIF2.cpp,
line 202]
gif_write
[c:/builds/tinderbox/MozillaTrunk/WINNT_5.0_Clobber/mozilla/modules/libpr0n/decoders/gif/GIF2.cpp,
line 460]
0x16007004
http://talkback-public.mozilla.org/talkback/fastfind.jsp?search=2&type=iid&id=4935964
msvcrt.dll + 0x37631 (0x77c47631)
imgContainerGIF::DoComposite
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/modules/libpr0n/decoders/gif/imgContainerGIF.cpp,
line 579]
imgContainerGIF::Notify
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/modules/libpr0n/decoders/gif/imgContainerGIF.cpp,
line 429]
nsTimerImpl::Fire
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/xpcom/threads/nsTimerImpl.cpp,
line 395]
nsAppShellService::Run
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/xpfe/appshell/src/nsAppShellService.cpp,
line 495]
main
[d:/builds/tinderbox/Fx-Aviary1.0.1/WINNT_5.0_Depend/mozilla/browser/app/nsBrowserApp.cpp,
line 58]
kernel32.dll + 0x16d4f (0x7c816d4f)
|
|
||
Comment 9•20 years ago
|
||
Regression from Bug 286233
class destructor deletes memory pointers if not null. OOM error deletes memory
pointers, but didn't set the variable to null. Eventually Mozilla craps out.
Attachment #180244 -
Flags: superreview?(tor)
Attachment #180244 -
Flags: review?(emaijala)
|
|
||
Comment 10•20 years ago
|
||
I've created Bug 289763 to address why the attached image does not display in
Mozilla (even after the patch in this bug is applied)
|
||
Updated•20 years ago
|
Attachment #180244 -
Flags: review?(emaijala) → review+
|
||
Comment 11•20 years ago
|
||
Have you tested the patch on Linux (I can't) ?
It seems that new throws by default, (Comment 1, TB4931882X is signal 6, see
also bug 166862)
So if it is true and this bug is about OOM because of very large GIF dimensions,
could you consider switching to nsImageWin::mXXX to malloc()/free() instead of
new/delete ?
|
|
||
Comment 12•20 years ago
|
||
(In reply to comment #11)
> Have you tested the patch on Linux (I can't) ?
No, it will not fix linux. That's Bug 166862 (as you helpfully pointed me to,
thanks!)
> So if it is true and this bug is about OOM because of very large GIF dimensions,
> could you consider switching to nsImageWin::mXXX to malloc()/free() instead of
> new/delete ?
There's no difference between malloc and new (that I'm aware of) for native
types (PRUInt8). Unlike on some Linux platforms, new[] in Windows doesn't
terminate mozilla.exe on error, it just returns null.
|
|
||
Comment 13•20 years ago
|
||
(In reply to comment #12)
> No, it will not fix linux.
Oops, sorry I didn't notice that the patch was gfx/src/windows. I've been
confused by Comment 1 and OS->All.
> Unlike on some Linux platforms, new[] in Windows doesn't
> terminate mozilla.exe on error, it just returns null.
MSVC7 terminates mozilla.exe on error just like GCC/Linux, and since there's no
difference for native types, using malloc/free would give the same result as
MSVC6 for those using optimized/custom builds.
OS: All → Windows 98
Attachment #180244 -
Flags: superreview?(tor) → superreview+
|
|
||
Updated•20 years ago
|
Attachment #180244 -
Flags: approval1.8b2?
|
||
Comment 14•20 years ago
|
||
Comment on attachment 180244 [details] [diff] [review]
null after delete
a=asa
Attachment #180244 -
Flags: approval1.8b2? → approval1.8b2+
|
|
||
Comment 15•20 years ago
|
||
Checking in nsImageWin.cpp;
/cvsroot/mozilla/gfx/src/windows/nsImageWin.cpp,v <-- nsImageWin.cpp
new revision: 3.145; previous revision: 3.144
done
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
|
||
Comment 16•20 years ago
|
||
we should use new (std::nothrow), to avoid exceptions on OOM.
|
|
||
Comment 17•20 years ago
|
||
(In reply to comment #16)
> we should use new (std::nothrow), to avoid exceptions on OOM.
I'll file a bug on this for nsImageWin tommorow, unless someone does it first
(it would be a simple patch, one that probably should go into Gecko 1.8, as some
official releases are building with MSCV7). Someone should check all new[]
calls and fix them (and since some OSes compilers may not support nothrow,
they'd have to switch to malloc, or something)
|
|
||
Comment 18•20 years ago
|
||
(In reply to comment #17)
> > we should use new (std::nothrow), to avoid exceptions on OOM.
> I'll file a bug on this for nsImageWin tommorow, unless someone does it first
Bug 290284
Verified FIXED using build 2005-04-18 on Windows XP Seamonkey trunk.
Status: RESOLVED → VERIFIED
|
|
||
Updated•20 years ago
|
Flags: blocking-aviary1.1?
|
|
||
Comment 20•20 years ago
|
||
Exactly the same happening here with 1.0.4
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.8) Gecko/20050511
Firefox/1.0.4
|
||
Updated•16 years ago
|
Product: Core → Core Graveyard
|
|
||
Updated•14 years ago
|
Crash Signature: [@ nsImageWin::Init]
You need to log in
before you can comment on or make changes to this bug.
Description
•