Closed Bug 83804 Opened 24 years ago Closed 23 years ago

N621, M098 & Trunk crashes [@ HaveDecodedRow]

Categories

(Core :: Graphics: ImageLib, defect, P1)

Product:
Core
Component:
Graphics: ImageLib
Platform:
x86
All
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.0

People

(Reporter: dbaron, Assigned: nivedita)

References

Details

(Keywords: crash, testcase, topcrash+, Whiteboard: hitchhiker,[needs r=/sr=])

Crash Data

Attachments

(10 files, 3 obsolete files)

move rgb rowbuffer ownership to nsGIFDecoder2
7.94 KB, patch
Details | Diff | Splinter Review
same + switch to nsMemory::Realloc
8.11 KB, patch
Details | Diff | Splinter Review
make sure transparent index is in range
1.20 KB, patch
Details | Diff | Splinter Review
user comments and urls for HaveDecodedRow crashes with N610
9.60 KB, text/plain
Details
Bug notes
101 bytes, text/plain
Details
Updated Bug Notes From Tucson Beta
1.16 KB, text/plain
Details
N621 talkback data for HaveDecodedRow crashes
18.85 KB, text/plain
Details
Patch for crash on http://www.harry.wp.pl/
722 bytes, patch
pavlov
: review+
Details | Diff | Splinter Review
The gif which causes the crash
37 bytes, image/gif
Details
Incorporated the comments given by Tor
5.78 KB, patch
pavlov
: review+
tor
: superreview+
dbaron
: approval+
Details | Diff | Splinter Review
Talkback is reporting 2 different crashes in HaveDecodedRow (at a number of different line numbers). (These are showing up both before and after tor's changes... I'll give a stack with line numbers for after.) (was line 470) HaveDecodedRow [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp line 505] output_row [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp line 211] do_lzw [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp line 400] gif_write [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp line 825] (was line 382) HaveDecodedRow [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp line 413] output_row [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp line 211] do_lzw [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp line 400] gif_write [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp line 825]
Keywords: crash
The problems is that GIF2.cpp allocates gs->rgbrow (line 1264) as 3*width, while nsGIFDecoder2 assumes that the length is nsImageFrame->GetImageBytesPerRows() (line 505). The latter can be bigger because nsImageFrame tries to word align rows.
Another allocation point for gs->rgbrow in GIF2.cpp - line 1304.
Taking bug.
Assignee: pavlov → tor
Status: NEW → ASSIGNED
r=pavlov
+ if (decoder->mRGBLine) + nsMemory::Free(decoder->mRGBLine); + decoder->mRGBLine = (PRUint8 *)nsMemory::Alloc(bpr); + Are you freeing someone else's memory there? That seems like an odd pattern there. Also, is it possible to just re-use the memory if it's the same size or larger instead of reallocating? Other than that, sr=blizzard
a=blizzard for 0.9.1 and the trunk for drivers
Blocks: 83989
Checked into trunk and 0.9.1 branch.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
I'm using the 0.9.1 2001060614 build on Win 2000 and I just got this crash going to a bugscape page. According to talkback reports there have been 5 crashes (3 trunk and 2 branch) since 6/5 builds which is after this bug was marked fixed. So, I'm going to reopen this. If someone thinks I'm seeing a different bug let me know and I'll file a new one. My incident id is (31425983) for those with access and the stack is: HaveDecodedRow [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp, line 508] output_row [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp, line 210] do_lzw [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp, line 399] gif_write [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp, line 823] nsGIFDecoder2::ProcessData [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp, line 208] ReadDataOut [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp, line 156] nsPipe::nsPipeInputStream::ReadSegments [d:\builds\seamonkey\mozilla\xpcom\io\nsPipe2.cpp, line 412]
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Too little data, especially since the win32 talkback linenumbers aren't accurate. Is there talkback data from a linux or macos crash? Crasher URLs?
All of the crashes that occurred after your fix was checked in are on Win32. Here are the sites mentioned: 2 of them occurred at http://bugscape.com (which are inside the Netscape firewall so that won't help you out). and www.elkhart.net/websites.html http://www.plenum.com/
From today's talkback report (31422028) URL: www.elkhart.net/websites.html (31406922) URL: http://bugscape.com/ (31406922) Comments: filing bugs... (31382620) URL: http://www.plenum.com/ (31382620) Comments: Mozilla crashed while downloading graphics (31373609) Comments: - www.iltalehti.fi -> crash (31257752) URL: www.netscape.com (31257752) Comments: Opening the Netscape home page. (31246127) URL: www.askmen.com (31174628) URL: http://linuxtoday.com (31174628) Comments: Scrolling through a webpage (31157659) Comments: no clue where/why it crashed... (31146747) Comments: crash loading a page (31092607) URL: www.usatoday.com (31092607) Comments: Clicked on the tech link
Comments from M091 builds (31425983) Comments: Went to a bugscape query list (31361691) Comments: Crashed after I entered a Bugscape bug (31233390) Comments: browsing borland community
Platforms? Build #s? Stacks?
Also you can check http://ftp.mozilla.org/pub/data/crash-data/detailed-crash-analysis-all.html#Have DecodedRow HaveDecodedRow 24 First BBID : http://climate/reports/stackcommentemail.cfm?dynamicBBID=31092607 Last BBID : http://climate/reports/stackcommentemail.cfm?dynamicBBID=31422028 Min Runtime :187 Max Runtime :534174 Min seconds since last crash :8 Max seconds since last crash :441539 First Appearance Date : 2001-05-30 Last Appearance Date : 2001-06-06 First Build ID : 2001052909 Latest Build ID : 2001060606 Stack Trace: HaveDecodedRow [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp line 508] output_row [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp line 210] do_lzw [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp line 399] gif_write [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp line 823] nsGIFDecoder2::ProcessData [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp line 208] ReadDataOut [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp line 156] nsInputStreamTee::WriteSegmentFun [d:\builds\seamonkey\mozilla\xpcom\io\nsInputStreamTee.cpp line 82] nsInputStreamTee::ReadSegments [d:\builds\seamonkey\mozilla\xpcom\io\nsInputStreamTee.cpp line 138] nsGIFDecoder2::WriteFrom [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp line 229] imgRequest::OnDataAvailable [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequest.cpp line 741] ProxyListener::OnDataAvailable [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgLoader.cpp line 387] nsStreamListenerTee::OnDataAvailable [d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamListenerTee.cpp line 57] nsHttpChannel::OnDataAvailable [d:\builds\seamonkey\mozilla\netwerk\protocol\http\src\nsHttpChannel.cpp line 2102] nsOnDataAvailableEvent::HandleEvent [d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamListenerProxy.cpp line 185] PL_HandleEvent [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c line 591] PL_ProcessPendingEvents [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c line 524] _md_EventReceiverProc [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c line 1072] nsAppShellService::Run [d:\builds\seamonkey\mozilla\xpfe\appshell\src\nsAppShellService.cpp line 418] netscp6.exe + 0x16b5 (0x004016b5) netscp6.exe + 0x11b8 (0x004011b8) netscp6.exe + 0x2ecd (0x00402ecd) KERNEL32.DLL + 0x17d08 (0x77e97d08) HaveDecodedRow 28ce7292 http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/gif /nsGIFDecoder2.cpp line 508 Build: 2001060606 CrashDate: 2001-06-06 UptimeMinutes: 109 Total: 122 OS: Windows NT 5.0 build 2195 Detailed : http://climate/reports/incidenttemplate.cfm?bbid=31422028 StackTrace: http://climate/reports/stackcommentemail.cfm?dynamicBBID=31422028 (31422028) URL: www.elkhart.net/websites.html HaveDecodedRow 6974c0fc http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/gif /nsGIFDecoder2.cpp line 470 Build: 2001053023 CrashDate: 2001-06-06 UptimeMinutes: 4 Total: 437 OS: Windows NT 5.0 build 2195 Detailed : http://climate/reports/incidenttemplate.cfm?bbid=31409453 StackTrace: http://climate/reports/stackcommentemail.cfm?dynamicBBID=31409453 HaveDecodedRow 2d25614d http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/gif /nsGIFDecoder2.cpp line 508 Build: 2001060506 CrashDate: 2001-06-06 UptimeMinutes: 27 Total: 143 OS: Windows NT 5.0 build 2195 Detailed : http://climate/reports/incidenttemplate.cfm?bbid=31406922 StackTrace: http://climate/reports/stackcommentemail.cfm?dynamicBBID=31406922 (31406922) URL: http://bugscape.com/ (31406922) Comments: filing bugs... HaveDecodedRow f1a78db1 http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/gif /nsGIFDecoder2.cpp line 508 Build: 2001060506 CrashDate: 2001-06-06 UptimeMinutes: 66 Total: 66 OS: Windows NT 5.0 build 2195 Detailed : http://climate/reports/incidenttemplate.cfm?bbid=31382620 StackTrace: http://climate/reports/stackcommentemail.cfm?dynamicBBID=31382620 (31382620) URL: http://www.plenum.com/ (31382620) Comments: Mozilla crashed while downloading graphics HaveDecodedRow 715f7b31 http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/gif /nsGIFDecoder2.cpp line 470 Build: 2001052909 CrashDate: 2001-06-05 UptimeMinutes: 7358 Total: 8902 OS: Windows NT 5.0 build 2195 Detailed : http://climate/reports/incidenttemplate.cfm?bbid=31373609 StackTrace: http://climate/reports/stackcommentemail.cfm?dynamicBBID=31373609 (31373609) Comments: - www.iltalehti.fi -> crash HaveDecodedRow 2d25614d http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/gif /nsGIFDecoder2.cpp line 505 Build: 2001060122 CrashDate: 2001-06-05 UptimeMinutes: 99 Total: 99 OS: Windows NT 5.0 build 2195 Detailed : http://climate/reports/incidenttemplate.cfm?bbid=31348294 StackTrace: http://climate/reports/stackcommentemail.cfm?dynamicBBID=31348294 HaveDecodedRow c53ea1ed http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/gif /nsGIFDecoder2.cpp line 382 Build: 2001053106 CrashDate: 2001-06-04 UptimeMinutes: 6 Total: 6 OS: Windows NT 5.0 build 2195 Detailed : http://climate/reports/incidenttemplate.cfm?bbid=31304418 StackTrace: http://climate/reports/stackcommentemail.cfm?dynamicBBID=31304418 HaveDecodedRow 693fc419 http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/gif /nsGIFDecoder2.cpp line 505 Build: 2001060106 CrashDate: 2001-06-04 UptimeMinutes: 785 Total: 785 OS: Windows NT 5.0 build 2195 Detailed : http://climate/reports/incidenttemplate.cfm?bbid=31298908 StackTrace: http://climate/reports/stackcommentemail.cfm?dynamicBBID=31298908 HaveDecodedRow 693fc419 http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/gif /nsGIFDecoder2.cpp line 505 Build: 2001060222 CrashDate: 2001-06-04 UptimeMinutes: 399 Total: 399 OS: Windows NT 5.0 build 2195 Detailed : http://climate/reports/incidenttemplate.cfm?bbid=31294885 StackTrace: http://climate/reports/stackcommentemail.cfm?dynamicBBID=31294885 HaveDecodedRow 04bd77f4 http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/gif /nsGIFDecoder2.cpp line 470 Build: 2001053023 CrashDate: 2001-06-04 UptimeMinutes: 189 Total: 235 OS: Windows 98 4.90 build 73010104 Detailed : http://climate/reports/incidenttemplate.cfm?bbid=31294744 StackTrace: http://climate/reports/stackcommentemail.cfm?dynamicBBID=31294744 HaveDecodedRow 760e5353 http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/gif /nsGIFDecoder2.cpp line 470 Build: 2001053106 CrashDate: 2001-06-03 UptimeMinutes: 42 Total: 1053 OS: Windows 98 4.10 build 67766446 Detailed : http://climate/reports/incidenttemplate.cfm?bbid=31257752 StackTrace: http://climate/reports/stackcommentemail.cfm?dynamicBBID=31257752 (31257752) URL: www.netscape.com (31257752) Comments: Opening the Netscape home page. HaveDecodedRow 2d25614d http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/gif /nsGIFDecoder2.cpp line 505 Build: 2001060109 CrashDate: 2001-06-02 UptimeMinutes: 335 Total: 335 OS: Windows NT 5.0 build 2195 Detailed : http://climate/reports/incidenttemplate.cfm?bbid=31246127 StackTrace: http://climate/reports/stackcommentemail.cfm?dynamicBBID=31246127 (31246127) URL: www.askmen.com HaveDecodedRow ed4c2391 http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/gif /nsGIFDecoder2.cpp line 505 Build: 2001060109 CrashDate: 2001-06-02 UptimeMinutes: 157 Total: 157 OS: Windows NT 5.0 build 2195 Detailed : http://climate/reports/incidenttemplate.cfm?bbid=31234312 StackTrace: http://climate/reports/stackcommentemail.cfm?dynamicBBID=31234312 HaveDecodedRow 2d25614d http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/gif /nsGIFDecoder2.cpp line 505 Build: 2001060122 CrashDate: 2001-06-02 UptimeMinutes: 113 Total: 113 OS: Windows 98 4.10 build 67766222 Detailed : http://climate/reports/incidenttemplate.cfm?bbid=31225233 StackTrace: http://climate/reports/stackcommentemail.cfm?dynamicBBID=31225233 HaveDecodedRow e3604fff http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/gif /nsGIFDecoder2.cpp line 413 Build: 2001060109 CrashDate: 2001-06-01 UptimeMinutes: 3 Total: 3 OS: Windows 95 4.0 build 67306684 Detailed : http://climate/reports/incidenttemplate.cfm?bbid=31215925 StackTrace: http://climate/reports/stackcommentemail.cfm?dynamicBBID=31215925 HaveDecodedRow 8a923d83 http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/gif /nsGIFDecoder2.cpp line 470 Build: 2001052909 CrashDate: 2001-06-01 UptimeMinutes: 932 Total: 932 OS: Windows NT 5.0 build 2195 Detailed : http://climate/reports/incidenttemplate.cfm?bbid=31205085 StackTrace: http://climate/reports/stackcommentemail.cfm?dynamicBBID=31205085 HaveDecodedRow 6db4d511 http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/gif /nsGIFDecoder2.cpp line 470 Build: 2001053106 CrashDate: 2001-06-01 UptimeMinutes: 548 Total: 548 OS: Windows NT 5.0 build 2195 Detailed : http://climate/reports/incidenttemplate.cfm?bbid=31204963 StackTrace: http://climate/reports/stackcommentemail.cfm?dynamicBBID=31204963 HaveDecodedRow 2d25614d http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/gif /nsGIFDecoder2.cpp line 505 Build: 2001060109 CrashDate: 2001-06-01 UptimeMinutes: 41 Total: 41 OS: Windows 98 4.90 build 73010104 Detailed : http://climate/reports/incidenttemplate.cfm?bbid=31198359 StackTrace: http://climate/reports/stackcommentemail.cfm?dynamicBBID=31198359 HaveDecodedRow 12544336 http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/gif /nsGIFDecoder2.cpp line 470 Build: 2001053023 CrashDate: 2001-05-31 UptimeMinutes: 7 Total: 455 OS: Windows NT 4.0 build 1381 Detailed : http://climate/reports/incidenttemplate.cfm?bbid=31174628 StackTrace: http://climate/reports/stackcommentemail.cfm?dynamicBBID=31174628 (31174628) URL: http://linuxtoday.com (31174628) Comments: Scrolling through a webpage HaveDecodedRow 760e5353 http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/gif /nsGIFDecoder2.cpp line 470 Build: 2001053106 CrashDate: 2001-05-31 UptimeMinutes: 8 Total: 8 OS: Windows 98 4.10 build 67766446 Detailed : http://climate/reports/incidenttemplate.cfm?bbid=31163362 StackTrace: http://climate/reports/stackcommentemail.cfm?dynamicBBID=31163362 HaveDecodedRow 2d25614d http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/gif /nsGIFDecoder2.cpp line 505 Build: 2001053109 CrashDate: 2001-05-31 UptimeMinutes: 20 Total: 20 OS: Windows NT 4.0 build 1381 Detailed : http://climate/reports/incidenttemplate.cfm?bbid=31157659 StackTrace: http://climate/reports/stackcommentemail.cfm?dynamicBBID=31157659 (31157659) Comments: no clue where/why it crashed... HaveDecodedRow efbb1629 http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/gif /nsGIFDecoder2.cpp line 470 Build: 2001053023 CrashDate: 2001-05-31 UptimeMinutes: 19 Total: 19 OS: Windows NT 5.0 build 2195 Detailed : http://climate/reports/incidenttemplate.cfm?bbid=31146747 StackTrace: http://climate/reports/stackcommentemail.cfm?dynamicBBID=31146747 (31146747) Comments: crash loading a page HaveDecodedRow 6974c0fc http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/gif /nsGIFDecoder2.cpp line 382 Build: 2001053006 CrashDate: 2001-05-30 UptimeMinutes: 0 Total: 407 OS: Windows 98 4.90 build 73010104 Detailed : http://climate/reports/incidenttemplate.cfm?bbid=31114327 StackTrace: http://climate/reports/stackcommentemail.cfm?dynamicBBID=31114327 HaveDecodedRow 6974c0fc http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/gif /nsGIFDecoder2.cpp line 470 Build: 2001052922 CrashDate: 2001-05-30 UptimeMinutes: 3 Total: 3 OS: Windows NT 4.0 build 1381 Detailed : http://climate/reports/incidenttemplate.cfm?bbid=31092607 StackTrace: http://climate/reports/stackcommentemail.cfm?dynamicBBID=31092607 (31092607) URL: www.usatoday.com (31092607) Comments: Clicked on the tech link
Ok, think I've found the problem. Some invalid gifs have the transparency bit set, but the transparent index is larger than the colormap. In the case of http://www.elkhart.net/go.gif the colormap is 32 entries but the transparent index is 255. The following patch adds bullet proofing.
r=pavlov
For what it's worth, r=jesup (though I'd prefer to have less lines of indentation change than actual change)
In Windows NT 4.0, following URL did not crash for me. http://www.elkhart.net/go.gif
Should there be a respin, we would consider taking this. Please be ready, just in case :-) Thanks!
Whiteboard: hitchhiker
Target Milestone: --- → mozilla0.9.1
I've looked at the code and I'm pretty sure that's it isn't supposed to be a <= instead of a < but you might want to check to make sure. Assuming that's the case sr=blizzard.
a= asa@mozilla.org for checkin to the trunk. (on behalf of drivers)
Checked into trunk.
Keywords: crash
Status: REOPENED → RESOLVED
Closed: 24 years ago24 years ago
Resolution: --- → FIXED
From the talkback data this particular bug (~ line 508) appears fixed on the trunk. Resolving.
Verified, no crash on any of the links listed here w2k build 2001080904
Status: RESOLVED → VERIFIED
Reopening this bug since Netscape 6.10 RTM Talkback data is showing this as a topcrasher. The line numbers have changed on the stack, but otherwise the latest stack traces are the same as the one originally reported. Here's the latest data: HaveDecodedRow 318 83804 VERI FIXE tor@acm.org mozilla0.9.1 First BBID :33861002 Last BBID :34030690 Min Runtime :2 Max Runtime :519853 First Appearance Date : 2001-08-08 Last Appearance Date : 2001-08-13 First BuildID : 2001072623 Last BuildID : 2001072700 Stack Trace: HaveDecodedRow [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp line 416] output_row [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp line 210] do_lzw [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp line 399] gif_write [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp line 826] nsGIFDecoder2::ProcessData [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp line 208] ReadDataOut [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp line 156] nsInputStreamTee::WriteSegmentFun [d:\builds\seamonkey\mozilla\xpcom\io\nsInputStreamTee.cpp line 82] nsInputStreamTee::ReadSegments [d:\builds\seamonkey\mozilla\xpcom\io\nsInputStreamTee.cpp line 138] nsGIFDecoder2::WriteFrom [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp line 229] imgRequest::OnDataAvailable [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequest.cpp line 741] ProxyListener::OnDataAvailable [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgLoader.cpp line 387] nsStreamListenerTee::OnDataAvailable [d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamListenerTee.cpp line 57] nsHttpChannel::OnDataAvailable [d:\builds\seamonkey\mozilla\netwerk\protocol\http\src\nsHttpChannel.cpp line 2150] nsOnDataAvailableEvent::HandleEvent [d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamListenerProxy.cpp line 188] PL_HandleEvent [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c line 591] PL_ProcessPendingEvents [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c line 524] nsEventQueueImpl::ProcessPendingEvents [d:\builds\seamonkey\mozilla\xpcom\threads\nsEventQueue.cpp line 375] Source File : http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp line : 416 I have attached all the user comments and urls submitted.
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
Summary: crashes [@ HaveDecodedRow] → N610 crashes [@ HaveDecodedRow]
This also is a topcrasher for M093 (MozillaTrunk Win32 build 2001080112 and Linux build 2001080104). Recent MozillaTrunk builds are crashing too, here is the most recent incident: Incident ID 34994341 Stack Signature HaveDecodedRow() 37884bdc Bug ID Trigger Time 2001-09-05 15:23:31 Email Address User Comments Build ID 2001090508 Product ID MozillaTrunk Platform ID LinuxIntel Trigger Reason SIGSEGV: Segmentation Fault: (signal 11) Stack Trace HaveDecodedRow() output_row() do_lzw() gif_write() nsGIFDecoder2::ProcessData() ReadDataOut() ReadSegments() nsGIFDecoder2::WriteFrom() imgRequest::OnDataAvailable() ProxyListener::OnDataAvailable() nsJARChannel::OnDataAvailable() nsOnDataAvailableEvent::HandleEvent() nsARequestObserverEvent::HandlePLEvent() PL_HandleEvent() PL_ProcessPendingEvents() nsEventQueueImpl::ProcessPendingEvents() NS_ShutdownXPCOM() main() libc.so.6 + 0x18736 (0x2aede736) and a recent Win32 crash with line numbers: Incident ID 34652988 Stack Signature HaveDecodedRow 2d25614d Bug ID Trigger Time 2001-08-28 18:45:24 Email Address ssaux@netscape.com User Comments Build ID 2001082809 Product ID MozillaTrunk Platform ID Win32 Trigger Reason Access violation Stack Trace HaveDecodedRow [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp, line 416] output_row [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp, line 210] do_lzw [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp, line 399] gif_write [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp, line 826] nsGIFDecoder2::ProcessData [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp, line 208] ReadDataOut [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp, line 156] nsPipe::nsPipeInputStream::ReadSegments [d:\builds\seamonkey\mozilla\xpcom\io\nsPipe2.cpp, line 412]
Summary: N610 crashes [@ HaveDecodedRow] → N610, M093 & Trunk crashes [@ HaveDecodedRow]
From the disassembly and registers in the talkback (#34652988) it's pretty clear that the crash is on line 412 (the Windows talkback C++ next-line bias), where decoder->mImageFrame is null, and we attempt to call decoder->mImageFrame->Init(). The disassembly is the following. Talkback only shows *starting* with the line that we crashed on, so the crash is on the first of the following lines, with ECX null (comments are mine): 604e15a0 8b11 mov edx,[ecx] ; load vtable ptr. 604e15a2 ffb0ac000000 push dword ptr [eax+0xac] ; width 604e15a8 ffb0a4000000 push dword ptr [eax+0xa4] ; y_offset 604e15ae ffb0a0000000 push dword ptr [eax+0xa0] ; x_offset 604e15b4 51 push ecx ; this 604e15b5 ff520c call dword ptr [edx+0xc] ; call Init 604e15b8 8b4608 mov eax,[esi+0x8] 604e15bb ff37 push dword ptr [edi] 604e15bd 8b08 mov ecx,[eax] Is it possible for this CreateInstance to fail? It looks like a standard generic factory constructor.
added qawanted keyword
Keywords: qawanted
6 of todays 10 crash reports for this bug are at this offset: HaveDecodedRow 2d25614d The comments associated with those crashes are: (35485141) Comments: after having viewed an HTML page containing CSS I have Clicked File -> Exit. Mozilla seems to have frozen a couple of minutes then has generated an error log. (35412010) Comments: switch to modern theme.
updating summary. Could someone review the target milestone?
Summary: N610, M093 & Trunk crashes [@ HaveDecodedRow] → N610, M094 & Trunk crashes [@ HaveDecodedRow]
any 0.9.4 data on this one?
A quick scan of the M094 data shows 22 incidents, only these with comments: (36020424) - Windows 95 4.0 build 67109975 Comment: I was closing Mozilla Windows quickly in sucession as the pop'ed up continously (36061236) - Windows 98 4.10 build 67766446 Comment: Closing the browser. (36103703) - Windows NT 4.0 build 1381 Comment: Exiting Mozilla. URL: http://www.station.sony.com/ (36031057) - Linux 2.2.14 Comment: I went directly to this page through a bookmark. Then I clicked on the `close window' link at the bottom. There was only one window open and it closed quitting Mozilla and prompting the feedback agent. URL: http://www.anandtech.com/printarticle.html?i=1535 (36066237) - Linux 2.4.5 Comment: Closin down site that opened several javascript windows with the javascript console open
Today's M094 data shows this happening on Linux also. 3 Windows NT 5.0 build 2195 3 Windows 98 4.10 build 67766446 3 Windows 98 4.10 build 67766222 2 Windows NT 4.0 build 1381 1 Windows NT 5.1 build 2600 1 Windows 98 4.90 build 73010104 1 Windows 95 4.0 build 67109975 1 Linux 2.4.8-24mdk 1 Linux 2.4.8 1 Linux 2.4.5 1 Linux 2.4.2-2 1 Linux 2.4.10-xfs 1 Linux 2.4.10 1 Linux 2.2.16-22 1 Linux 2.2.1 Updating platform. Win98 -> All
OS: Windows 98 → All
Assignee: tor → pavlov
Status: REOPENED → NEW
From dbaron's comment on 2001-09-05, this appears to a pr0n/gfx2 container problem. Reassigning to pavlov.
The last crash in the talkback database for this stack sig was in build 2001101705 on N6.20. Other crashes on the Mozilla Branch and trunk are from even earlier builds. This has not shown up at all so far in M095.
Target Milestone: mozilla0.9.1 → ---
Topcrash in N620 Count Offset Real Signature [ 198 HaveDecodedRow db38fc36 - HaveDecodedRow ] Crash date range: 2001-11-05 to 2001-11-13 Min/Max Seconds since last crash: 23 - 109248 Min/Max Runtime: 23 - 152191 Keyword List : load(5), log(6), mail(5), netscape(10), shut(6), sign(5), browser(7), Count Platform List 81 Windows 98 4.10 build 67766446 57 Windows 98 4.90 build 73010104 32 Windows 98 4.10 build 67766222 23 Windows NT 5.0 build 2195 5 Windows 95 4.0 build 67306684 1 Windows 95 4.0 build 67109814 Count Build Id List 199 2001102218 No of Unique Users 197 Stack trace(Frame) HaveDecodedRow [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp line 416] output_row [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp line 210] do_lzw [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp line 399] gif_write [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp line 826] nsGIFDecoder2::ProcessData [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp line 208] ReadDataOut [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp line 156] nsInputStreamTee::WriteSegmentFun [d:\builds\seamonkey\mozilla\xpcom\io\nsInputStreamTee.cpp line 82] nsInputStreamTee::ReadSegments [d:\builds\seamonkey\mozilla\xpcom\io\nsInputStreamTee.cpp line 138] nsGIFDecoder2::WriteFrom [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp line 229] imgRequest::OnDataAvailable [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgRequest.cpp line 795] ProxyListener::OnDataAvailable [d:\builds\seamonkey\mozilla\modules\libpr0n\src\imgLoader.cpp line 466] nsStreamListenerTee::OnDataAvailable [d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamListenerTee.cpp line 57] nsHttpChannel::OnDataAvailable [d:\builds\seamonkey\mozilla\netwerk\protocol\http\src\nsHttpChannel.cpp line 2226] nsOnDataAvailableEvent::HandleEvent [d:\builds\seamonkey\mozilla\netwerk\base\src\nsStreamListenerProxy.cpp line 188] PL_HandleEvent [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c line 591] PL_ProcessPendingEvents [d:\builds\seamonkey\mozilla\xpcom\threads\plevent.c line 524] nsEventQueueImpl::ProcessPendingEvents [d:\builds\seamonkey\mozilla\xpcom\threads\nsEventQueue.cpp line 375] COMMENTS/URLs: (37984704) URL: www.neopets.com (37982610) Comments: WHY do I always have trouble with netscape???????? (37981031) Comments: I am not able to open the taskbar and get to Email.I also need to reset the time I want to stay connected to my Internet. (37978915) Comments: going back to look a nother page (37970886) Comments: Iwas shuttingdown the browzer to see if could activate from my start buttons at bottom of the screen when I got the illegal operation screen. Also the 6.2 down load should have way of linking with the old browzers. Ie 4.7 so as to make the operation (37970886) Comments: transparent. (37968796) Comments: i was logging off (37962779) URL: netscape.com (37962779) Comments: exiting Netscape (37946895) Comments: signing on - this happened 2 X (37942208) URL: www.roxio.de (37942208) Comments: I load down www.roxio.de. It did'nt install.Rudi Witzke (37929187) URL: www.llbean.com (37929187) Comments: checking order (37927757) Comments: i don't know....this always happens (37924317) Comments: logging off (37919166) Comments: i was closing a with the X a light encrypted page from www.kpn.nl (37914088) Comments: Loading Java 1.3.1 (37913189) Comments: ...while browsing (37905330) Comments: signing off (37897930) Comments: shutting down 6.2 (37895875) URL: www.cnn.com (37895875) Comments: trying to leave cnn.com and move to www.drudgereport.com (37888277) Comments: doing a log-in to Netscape (37886634) Comments: shuting dowm my e-mail (37881572) Comments: I just opened it! (37877910) Comments: closing window (37858758) Comments: Only came up with stack dump after I closed the website. I was personalizing the site to fit my needs. (37853054) Comments: Closing the browser (37851517) Comments: signing off the net (37850781) Comments: closing it out. My O.S. here is Windows 2000. (37839139) Comments: logging off internet (37837648) Comments: trying to sign on. (37837028) Comments: I am trying to get into my Email at yahoo and your stupid product freezes out my keyboard. I wish I had never installed it. I give up on Netscape. I will just use explorer. (37836071) Comments: signing off netscape 6.2 (37830824) Comments: shutting down messenger. (37828055) Comments: navigating (37827470) Comments: shuting down browser (37825674) Comments: failed during startup (37820259) Comments: closing the browser (37815992) Comments: I used the - x - in top right corner to close netscape and it did close properly...(visually anyway)?? (37811874) Comments: nothing just connecting to internet & fault message came on (37787863) Comments: loading 6.2 (37786639) Comments: reading my email (37773722) Comments: Exiting Netscape (37765708) Comments: loggin off (37763930) Comments: I was just clicking the browser off when it happened (37712340) Comments: the program error thing popped up and said netscp6.exe. has generated errors and will be closed by windows...you will need to restart the program....an error log is being created (37710649) Comments: shutting netscape down. (37696407) URL: www.surnet.cl (37677600) Comments: closing the program (37672884) Comments: just exiting netscape (37666634) Comments: Closing browser with "X" button. (37637023) Comments: closing out from my mail and a new download from netscape (37610498) Comments: browsing go.com (37592996) Comments: was closing browser... (37589284) URL: www.worldnet.att.net (37589284) Comments: I closed the browser after having opened it to that URL. Upon closing the window it crashed.
Summary: N610, M094 & Trunk crashes [@ HaveDecodedRow] → N620, M094 & Trunk crashes [@ HaveDecodedRow]
Whiteboard: hitchhiker → hitchhiker [tucson]
Attached file Bug notes
Updated Bug Notes From Tucson Beta
here is another thats probably related http://www.harry.wp.pl/ the crashing pic is http://www.harry.wp.pl/i/p.gif which is a 37b file with what looks like a GIF89a header
*** Bug 121320 has been marked as a duplicate of this bug. ***
*** Bug 122164 has been marked as a duplicate of this bug. ***
Attached N621 talkback data...which contains A LOT user comments and urls to help with testing.
Updating summary with N621 (this is a topcrasher with Netscape 6.21) and M097 (this crash is still around with Mozilla 0.9.7). Any progress on this? It looks like we have a reproducible testcase but there isn't a target milestone yet!?
Summary: N620, M094 & Trunk crashes [@ HaveDecodedRow] → N621, M097 & Trunk crashes [@ HaveDecodedRow]
Target Milestone: --- → Future
Are you sure we should be futuring this? According to Talkback, it's showing up a bunch in Netscape 6.2 and Mozilla 0.9.8 builds. In addition, it's still showing up in the trunk as late as the 2/6 build. This is definitely a top crash. Adding nsbeta1 for reconsideration. If there's some info we don't have about why this should be futured, please update the bug.
Keywords: nsbeta1
This patch adds a check to prevent the crash, but I am not sure why at the first place the global_colormap is 0x0.
*** Bug 124719 has been marked as a duplicate of this bug. ***
Giving to nivedita
Assignee: pavlov → nivedita
Target Milestone: Future → ---
taking back
Assignee: nivedita → pavlov
Comment on attachment 68743 [details] [diff] [review] Patch for crash on http://www.harry.wp.pl/ r=pavlov
Attachment #68743 - Flags: review+
can someone please sr= this?
Adding testcase since we have a repro testcase...and a patch! It's been a week and Pav still hasn't gotten his sr= ! Are we going to get this into M099? We still don't have the priority or milestone set...perhaps that's why this has been overlooked?
Keywords: qawantedtestcase
Status: NEW → ASSIGNED
Keywords: patch
Target Milestone: --- → mozilla0.9.9
If that was causing a crash, wouldn't the loop just after that also have problems with the NULL cmap?
It does not crash because *rowBufIndex == decoder->mGIFStruct->tpixel, both are 0 in case of the crash gif. But it will be a good idea to have a check here too. But can someone who knows the gif portion of the code tell us why cmap is 0x0 for a transparent gif.
Keywords: nsbeta1nsbeta1+
This bug has a patch (with a review) that has been sitting around since 2/9. The bug is targeted for M099. This needs to happen quickly. Updating the summary and status. Currently crashing: N621 (HaveDecodedRow): 802 M097 (HaveDecodedRow): 2 M098 (HaveDecodedRow): 10 Trunk (HaveDecodedRow): 2
Keywords: topcrashtopcrash+
Summary: N621, M097 & Trunk crashes [@ HaveDecodedRow] → N621, M098 & Trunk crashes [@ HaveDecodedRow]
Whiteboard: hitchhiker [tucson] → hitchhiker [tucson], seeking sr=/a=
Setting priority to P1 to get some traction on this. It's targeted for M099, has a patch ready and is a nsbeta1+ and topcrash+...if this doesn't get into M099 we're gonna have to move up the target milestone to 1.0.
Priority: -- → P1
giving to nivedita for investigation. can you please find out why cmap is null in the transparent gif?
Assignee: pavlov → nivedita
Status: ASSIGNED → NEW
Attachment #68743 - Flags: needs-work+
Yeah, http://www.harry.wp.pl/i/p.gif definitely crashes for me: Incident ID 3966484 Stack Signature HaveDecodedRow 902cc80c Trigger Time 2002-03-12 16:14:09 Email Address jpatel@netscape.com URL visited mail/news Build ID 2002030710 Product ID MozillaTrunk Platform Operating System Win32 Module Trigger Reason Access violation User Comments reproducing bug 83804 Stack Trace HaveDecodedRow [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp, line 516] output_row [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp, line 234] do_lzw [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp, line 363] gif_write [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\GIF2.cpp, line 1126] nsGIFDecoder2::ProcessData [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp, line 251] ReadDataOut [d:\builds\seamonkey\mozilla\modules\libpr0n\decoders\gif\nsGIFDecoder2.cpp, line 196] nsInputStreamTee::WriteSegmentFun [d:\builds\seamonkey\mozilla\xpcom\io\nsInputStreamTee.cpp, line 97] And I also crashed running a fresh build under purify...not sure how helpful this is, but here's a section from the log: [E] NPR: NULL pointer read in nsCOMPtr_base::~nsCOMPtr_base(void) {1 occurrence} Reading 1 byte from 0x00000000 (1 byte at 0x00000000 illegal) Address 0x00000000 points into invalid memory Thread ID: 0x36c Error location nsCOMPtr_base::~nsCOMPtr_base(void) [imggif.dll] nsCOMPtr_base::~nsCOMPtr_base(void) [imggif.dll] nsCOMPtr_base::~nsCOMPtr_base(void) [imggif.dll] nsCOMPtr_base::~nsCOMPtr_base(void) [imggif.dll] nsCOMPtr_base::~nsCOMPtr_base(void) [imggif.dll] nsCOMPtr_base::~nsCOMPtr_base(void) [imggif.dll] NS_NewTypicalIOFileStream [xpcom.dll] TestSegmentedBuffer(void) [xpcom.dll] NS_NewTypicalIOFileStream [xpcom.dll] nsCOMPtr_base::~nsCOMPtr_base(void) [imggif.dll]
I peeked into headers of this image and found that the Global Color Table Flag is zero, that would mean this image would not provide Global Color Table and that the interpretation of Background Color Index would be meaning less. In the code we check if the globalcolorflag is 1 then set the state as gif_global_colormap and get data, which is fine I think. I think we should check for decoder->mGIFStruct->global_colormap or cmap being null in all the places it is referenced in nsGIFDecoder2.cpp that would avoid crash for all the cases when the globalcolortable flag is 0 . pavlov, please convey your thoughts on above.
nivedita: go ahead and create for the scenario you have just described and let us test it out. If it fixes the crash we can incorporate it into 1.0.
Target Milestone: mozilla0.9.9 → mozilla1.0
yes, this sounds fine.
Added a check for globalcolortable being null in nsGIFDecoder.
Whiteboard: hitchhiker [tucson], seeking sr=/a= → hitchhiker [tucson], seeking sr=/a=[needs r=/sr=]
The test case gif which was causing the crash.
Nivedita: Is it worth moving the cmap test outside of the for loop ? @@ -517,7 +522,7 @@ memset(decoder->mAlphaLine, 0, abpr); PRUint32 iwidth = (PRUint32)width; for (PRUint32 x=0; x<iwidth; x++) { - if (*rowBufIndex != decoder->mGIFStruct->tpixel) { + if (*rowBufIndex != decoder->mGIFStruct->tpixel && cmap) { #if defined(XP_PC) || defined(XP_BEOS) || defined(MOZ_WIDGET_PHOTON) *rgbRowIndex++ = cmap[PRUint8(*rowBufIndex)].blue; *rgbRowIndex++ = cmap[PRUint8(*rowBufIndex)].green;
patch file for avoiding the crash if the global color table flag is 0
Attachment #74053 - Attachment is obsolete: true
One thought - should we be filling in the non-cmap areas? Otherwise we'll just see whatever garbage was in memory. In the _A1 case the rows should be marked transparent (likely the intended effect of that small gif).
Incorporated comments given by Tor. Tor, In the _A1 case, setting the TransparentColor to default if cmap is null. we are already filling decoder->mRGBLine and decoder->mAlphaLine to 0. If this was what you intended in your first comment. If I am mistaken in understanding your first comment, can you please clarify it further.
Attachment #74070 - Attachment is obsolete: true
Looks good. The one thing I'd suggest is zeroing out the rgb line in the RGB and BGR cases if there isn't a cmap. Ie.: if (cmap) { ... } else { memset(decoder->mRGBLine, 0, bpr); }
Incorporated comments given by Tor. setting decoder->mRGBLine to zero for RGB and BGR cases if cmap is null.
Attachment #74496 - Attachment is obsolete: true
Comment on attachment 74513 [details] [diff] [review] Incorporated the comments given by Tor sr=tor
Attachment #74513 - Flags: superreview+
Whiteboard: hitchhiker [tucson], seeking sr=/a=[needs r=/sr=] → hitchhiker,[needs r=/sr=]
Comment on attachment 74513 [details] [diff] [review] Incorporated the comments given by Tor r=pavlov
Attachment #74513 - Flags: review+
Comment on attachment 74513 [details] [diff] [review] Incorporated the comments given by Tor a=dbaron for trunk checkin
Attachment #74513 - Flags: approval+
fixed with check in D:\mozilla_trunk\mozilla\modules\libpr0n\decoders\gif>cvs commit nsGIFDecoder2.c pp Checking in nsGIFDecoder2.cpp; /cvsroot/mozilla/modules/libpr0n/decoders/gif/nsGIFDecoder2.cpp,v <-- nsGIFDec oder2.cpp new revision: 1.34; previous revision: 1.33 done
Status: NEW → RESOLVED
Closed: 24 years ago23 years ago
Resolution: --- → FIXED
Verified Fix checked into lxr.mozilla.org
Status: RESOLVED → VERIFIED
Crashtest added as part of http://hg.mozilla.org/mozilla-central/rev/5a6def05ccbc
Flags: in-testsuite+
Crash Signature: [@ HaveDecodedRow]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: